Create a Kerberos service principal name and keytab file

This task is necessary to process SPNEGO web or Kerberos authentication requests to WebSphere Application Server. We can create a Kerberos service principal name and keytab file using Microsoft Windows, IBM i, Linux, Solaris, Massachusetts Institute of Technology (MIT) and z/OS operating systems key distribution centers (KDCs).


Create a Kerberos service principal name and keytab file using Microsoft Windows KDC:

This task is performed on the Active Directory domain controller, which acts as the key distribution center (KDC). Complete the following steps to ensure that the Windows 2003 Server running the Active Directory domain controller is configured properly as the KDC that WebSphere Application Server will use.

  1. Create a user account in the Microsoft Active Directory for the WAS.

    Click Start->Programs->Administrative Tools->Active Directory Users and Computers.

    Use the name for WebSphere Application Server. For example, if the application server you are running on the WAS machine is called myappserver.austin.ibm.com, create a new user in an active directory called myappserver.

    Make sure that we do not have the computer name myappserver under Computers and Domain Controllers. If we already have a computer named myappserver, then create a different user account name.

    • Click Start -> Programs -> Administrative Tools -> Active Directory Users and Computers->Computers.

    • Click Programs -> Administrative Tools -> Active Directory Users and Computers->Domain Controllers.

  2. Use the setspn command to map the Kerberos service principal name, <service name>/<fully qualified host name>, to a Microsoft user account.

    The service name for SPNEGO web authentication must be HTTP. However, the service name for Kerberos authentication can be any strings allowed by the KDC.

    An example of the setspn command usage for SPNEGO web authentication is as follows:

    C:\Support Tools>setspn -A HTTP/myappserver.austin.ibm.com myappserver

    The host name must be a fully-qualified host name.

    Important: Make sure that the same service principal name (SPN) is not mapped to more than one Microsoft user account. If an SPN is registered on more than one account, the KDC cannot issue a service ticket for it and the web browser client sends an NT LAN Manager (NTLM) token instead of a SPNEGO token to WebSphere Application Server. Use setspn -L <account> to list the SPNs registered on an account before and after mapping.

  3. Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file (krb5.keytab) for the SPN.

    A Kerberos keytab file contains keys that are equivalent to the service account's password: anyone who can read it can impersonate the service. Keep it on the local disk of the host that needs it, readable only by the user ID the application server runs under.

    Use the version of the ktpass tool that matches the Windows server level you are using. For example, use the Windows 2003 version of the tool for a Windows 2003 server.

    To determine the appropriate parameter values for the ktpass tool, run the ktpass -? command from the command line. This command lists whether the ktpass tool, which corresponds to the particular operating system, uses the -crypto RC4-HMAC or -crypto RC4-HMAC-NT parameter value. To avoid warning messages from the toolkit, specify the -ptype KRB5_NT_PRINCIPAL parameter value.

    The Windows 2003 server version of the ktpass tool supports the RC4-HMAC and single data encryption standard (DES) encryption types. Both are weak by current standards: single DES is disabled by default in current Windows and Kerberos implementations, and an RC4-HMAC key is the unsalted NT hash of the account password. Where the KDC, the ktpass version and the application server's JDK all support it, prefer an AES encryption type (ktpass -crypto AES256-SHA1 on Windows Server 2008 and later). For more information about the ktpass tool, see Windows 2003 Technical Reference - Ktpass overview.

    The following listing shows the options that ktpass -? prints. The output differs between versions of the toolkit; note that this version accepts only RC4-HMAC-NT, not RC4-HMAC, for -crypto.

      C:\Support Tools>ktpass -?
      Command line options:

      ---------------------most useful args
      [- /]     out : Keytab to produce
      [- /]   princ : Principal name (user@REALM)
      [- /]    pass : password to use
                      use "*" to prompt for password.
      [- +] rndPass : ... or use +rndPass to generate a random password
      [- /] minPass : minimum length for random password (def:15)
      [- /] maxPass : maximum length for random password (def:256)
      ---------------------less useful stuff
      [- /] mapuser : map princ (above) to this user account (default: don't)
      [- /]   mapOp : how to set the mapping attribute (default: add it)
      [- /]   mapOp : is one of:
      [- /]   mapOp :   add : add value (default)
      [- /]   mapOp :   set : set value
      [- +] DesOnly : Set account for des-only encryption (default:don't)
      [- /]      in : Keytab to read/digest
      ---------------------options for key generation
      [- /]  crypto : Cryptosystem to use
      [- /]  crypto : is one of:
      [- /]  crypto :   DES-CBC-CRC : for compatibility
      [- /]  crypto :   DES-CBC-MD5 : for compatibliity
      [- /]  crypto :   RC4-HMAC-NT : default 128-bit encryption
      [- /]   ptype : principal type in question
      [- /]   ptype : is one of:
      [- /]   ptype :   KRB5_NT_PRINCIPAL : The general ptype-- recommended
      [- /]   ptype :   KRB5_NT_SRV_INST : user service instance
      [- /]   ptype :   KRB5_NT_SRV_HST : host service instance
      [- /]    kvno : Override Key Version Number
                      Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
      [- +]  Answer : +Answer answers YES to prompts.  -Answer answers NO.
      [- /]  Target : Which DC to use.  Default:detect
      ---------------------options for trust attributes (Windows Server 2003 Sp1 Only)
      [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
      [- /]  TrustEncryp : Trust Encryption to use; DES is default
      [- /]  TrustEncryp : is one of:
      [- /]  TrustEncryp :   RC4 : RC4 Realm Trusts (default)
      [- /]  TrustEncryp :   DES : go back to DES

    Important: Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account. See Windows 2003 Technical Reference - Ktpass overview for more information.

    Depending on the encryption type, you use the ktpass tool in one of the following ways to create the Kerberos keytab file. The following section shows the different types of encryption used by the ktpass tool. It is important that you run the ktpass -? command to determine which -crypto parameter value is expected by the particular toolkit in our Microsoft Windows environment.

    • Single DES encryption type:

      From a command prompt, run the ktpass command for a single DES encryption type:

      ktpass -out c:\temp\myappserver.keytab
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
      -mapUser myappserver  -mapOp set  -pass was1edu
      -crypto DES-CBC-MD5  -pType KRB5_NT_PRINCIPAL
      +DesOnly

      The options for a single DES encryption type are:

      -out c:\temp\myappserver.keytab
          The key is written to this output file.
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
          The service principal name followed by @ and the Kerberos realm. The realm name must be in uppercase.
      -mapUser myappserver
          The principal is mapped to the user account myappserver created in step 1.
      -mapOp set
          Sets the mapping attribute, replacing any existing mapping instead of adding another value.
      -pass was1edu
          The password for the user account. ktpass sets the account password to this value when it generates the key, so the keytab and the KDC hold the same key. Use -pass * to be prompted rather than leaving the password in the command history.
      -crypto DES-CBC-MD5
          Uses the single DES encryption type.
      -pType KRB5_NT_PRINCIPAL
          Specifies the KRB5_NT_PRINCIPAL principal type. Specify this option to avoid toolkit warning messages.
      +DesOnly
          Restricts the account to DES so that only DES keys are generated.

    • RC4-HMAC encryption type:

      Important: RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC.

      From a command prompt, run the ktpass command:

      ktpass -out c:\temp\myappserver.keytab
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
      -mapUser myappserver  -mapOp set  -pass was1edu
      -crypto RC4-HMAC  -pType KRB5_NT_PRINCIPAL

      The options are the same as for the single DES encryption type except for -crypto and the absence of +DesOnly:

      -out c:\temp\myappserver.keytab
          The key is written to this output file.
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
          The service principal name followed by @ and the Kerberos realm. The realm name must be in uppercase.
      -mapUser myappserver
          The principal is mapped to the user account myappserver.
      -mapOp set
          Sets the mapping attribute instead of adding another value.
      -pass was1edu
          The password for the user account.
      -crypto RC4-HMAC
          Chooses the RC4-HMAC encryption type.
      -pType KRB5_NT_PRINCIPAL
          Specifies the KRB5_NT_PRINCIPAL principal type. Specify this option to avoid toolkit warning messages.

    • RC4-HMAC-NT encryption type:

      From a command prompt, run the ktpass command:

      ktpass -out c:\temp\myappserver.keytab
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
      -mapUser myappserver  -mapOp set  -pass was1edu
      -crypto RC4-HMAC-NT  -pType KRB5_NT_PRINCIPAL

      The options are the same as for the single DES encryption type except for -crypto and the absence of +DesOnly:

      -out c:\temp\myappserver.keytab
          The key is written to this output file.
      -princ HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
          The service principal name followed by @ and the Kerberos realm. The realm name must be in uppercase.
      -mapUser myappserver
          The principal is mapped to the user account myappserver.
      -mapOp set
          Sets the mapping attribute instead of adding another value.
      -pass was1edu
          The password for the user account.
      -crypto RC4-HMAC-NT
          Chooses the RC4-HMAC-NT encryption type.
      -pType KRB5_NT_PRINCIPAL
          Specifies the KRB5_NT_PRINCIPAL principal type. Specify this option to avoid toolkit warning messages.

      The Kerberos keytab file is now created for use with SPNEGO.
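Before running ktpass, it is worth checking the SPN registrations with a script rather than by eye. The following Python is an added example and is not IBM's or Microsoft's code. It applies the rules from the steps above to SPN strings and to the output of setspn -L (whose format is approximated and constructed here), and it reports any SPN that more than one account holds, which is the condition that makes browsers fall back to NTLM. It generalizes the check beyond the HTTP case to any service class.

```python
"""Pre-flight checks for SPN registrations in Active Directory.
Added example, not IBM's or Microsoft's code. It applies the rules stated in
the procedure above: HTTP service class for SPNEGO, fully qualified host,
upper-case realm, and no SPN held by more than one account. The setspn -L
output is constructed for the example and its format is approximated."""
import re

# service/host[:port][/name][@REALM]; setspn -L prints SPNs without a realm
SPN_RE = re.compile(r"^(?P<service>[A-Za-z0-9._-]+)/(?P<host>[^/:@]+)"
                    r"(?::(?P<port>\d+))?(?:/(?P<name>[^@]+))?(?:@(?P<realm>[^@]+))?$")

def parse_spn(spn):
    """Split an SPN into its parts or raise ValueError."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("not a service/host[:port][/name][@REALM] name: %r" % spn)
    return m.groupdict()

def check_spn(spn, spnego=True):
    """Return the list of problems with one SPN; an empty list means it passes."""
    try:
        p = parse_spn(spn)
    except ValueError as e:
        return [str(e)]
    problems = []
    if spnego and p["service"].upper() != "HTTP":
        problems.append("SPNEGO web authentication needs the HTTP service class, not %s" % p["service"])
    if "." not in p["host"]:
        problems.append("host %s is not fully qualified" % p["host"])
    if p["realm"] and p["realm"] != p["realm"].upper():
        problems.append("realm %s must be upper case" % p["realm"])
    return problems

def parse_setspn_output(text):
    """Map each account DN to its SPN list from concatenated 'setspn -L' output."""
    prefix = "Registered ServicePrincipalNames for "
    registrations, account = {}, None
    for line in text.splitlines():
        if line.startswith(prefix):
            account = line[len(prefix):].rstrip(":")
            registrations[account] = []
        elif line.strip() and account is not None:
            registrations[account].append(line.strip())
    return registrations

def duplicate_spns(registrations):
    """{spn: [accounts]} for every SPN held by more than one account.
    Active Directory matches SPNs case-insensitively, so the lookup does too."""
    owners = {}
    for account, spns in registrations.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

# Constructed sample: two accounts carry the HTTP SPN, the misconfiguration the
# procedure warns about, and one of them also has a short (non-FQDN) SPN.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=myappserver,CN=Users,DC=austin,DC=ibm,DC=com:
        HTTP/myappserver.austin.ibm.com
        HTTP/myappserver
Registered ServicePrincipalNames for CN=oldwebsvc,CN=Users,DC=austin,DC=ibm,DC=com:
        http/myappserver.austin.ibm.com
        HOST/oldweb.austin.ibm.com
"""

if __name__ == "__main__":
    regs = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    for spn, accounts in duplicate_spns(regs).items():
        print("DUPLICATE %s on %s" % (spn, ", ".join(accounts)))
    for account, spns in regs.items():
        for spn in spns:
            print(spn, check_spn(spn, spnego=spn.upper().startswith("HTTP/")) or "ok")
```

Run it against the concatenated output of setspn -L for every account that might carry the SPN; a non-empty result from duplicate_spns means one of the registrations has to be removed with setspn -D before the keytab is worth creating.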


Create a Kerberos service principal name and keytab file using IBM i, Linux, Solaris and MIT KDCs:

See the documentation of the Kerberos implementation for the kadmin and kadmin.local commands (addprinc and ktadd) for more detailed information.

This task is performed on the KDC machine.

  1. Create a Kerberos service principal for Kerberos authentication, for example:

      kadmin.local: addprinc WAS/testmach.austin.ibm.com

  2. Add the newly created Kerberos service principal, WAS/testmach.austin.ibm.com, to the default krb5.keytab file, for example:

      kadmin.local: ktadd WAS/testmach.austin.ibm.com

     Each run of ktadd generates a new random key for the principal and increments its key version number, so a keytab exported earlier for the same principal stops working. Use ktadd -k <file> to write to a file other than the default keytab, copy that file to the application server host, and check the result there with klist -kt <file>.


Create a Kerberos service principal name and keytab file using z/OS KDC:

Before Simple and Protected GSS-API Negotiation (SPNEGO) web authentication and Kerberos authentication can be used, the WAS administrator must first create a Kerberos keytab file on the host running WebSphere Application Server.

To create an SPN, do the following:

  1. The Kerberos ID (KERBNAME) must be of the form service/fully qualified system name.

  2. The following example creates the Kerberos SPN for SPNEGO Web, HTTP/host1.pok.ibm.com:

      ALTUSER ASCR1 KERB(KERBNAME(HTTP/host1.pok.ibm.com))

    Avoid trouble: Ensure that the list of supported encryption types specified on the ALTUSER command is consistent with what is specified in the krb5.conf Kerberos configuration file. For example, if the krb5.conf configuration file specifies that only aes256-cts-hmac-sha1-96 is supported, then the ENCRYPT operand should have all encryption types set as not supported except AES256.

  3. Generate the Kerberos key for this user. RACF derives the key from the password, so a password must be set on this ID; the second command then makes it a protected user ID that cannot be used to log on with a password while its Kerberos key stays in the KERB segment. Do not use this ID to log on to the system. Enter the following two lines whenever a new Kerberos key is required.

    The WebSphere or KDC administrator must know this password to create the matching entry in the keytab file in step 6.

    ALTUSER ASCR1 PASSWORD(was1krb) NOEXPIRED
    ALTUSER ASCR1 NOPASSWORD

  4. Verify that this user has a valid Kerberos segment and a key, for example:
    LISTUSER ASCR1 KERB NORACF
    USER=ASCR1

    KERB INFORMATION
    ----------------
    KERBNAME= HTTP/host1.pok.ibm.com
    KEY VERSION= 001
    KEY ENCRYPTION TYPE= DES NODES3 NODESD

    To create a Kerberos keytab (krb5.keytab) file, use the Java Kerberos ktab command, <$WAS_HOME>/java/bin/ktab, as follows:

  5. From a command line, type the ktab help command to obtain the proper usage for this command. For example:
    (host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(189):>ktab -help
    Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
    Available options:
            -l     list the keytab name and entries
            -a <principal_name> [password]  add an entry to the keytab
            -d <principal_name>      delete an entry from the keytab
            -k <keytab_name>  specify keytab name and path with FILE: prefix
            -m <source_keytab_name> <destination_keytab_name>     specify merging source keytab file name and destination keytab file name

  6. From a command line, use the ktab command to add the SPN to the default keytab file, supplying the password that was set on the RACF ID in step 3 (leave the password off the command line to be prompted for it instead of recording it in the shell history), for example:
    (host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(201):>ktab -a HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM was1krb
    Done!
    Service key for principal HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM saved

  7. Verify that the correct SPN is in the default keytab file, for example:
    (host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(202):>ktab
    1 entries in keytab, name: /etc/skrb/krb5.keytab
            KVNO    Principal
            ----    ---------
            1       HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM

    Check the KVNO against the KEY VERSION that LISTUSER reported in step 4. If the RACF password has been changed since the entry was added, the keytab entry is stale and must be regenerated.

Make the keytab file available to WebSphere Application Server. Copy the krb5.keytab file from the KDC to the WAS machine at the location specified in the Kerberos configuration file (krb5.ini or krb5.conf). For example:

ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab

Because the keytab is equivalent to the service account's password, transfer it over an encrypted channel such as SFTP or SCP rather than plain FTP, which sends the file in cleartext, and remove any temporary copies afterwards.

A Kerberos keytab file contains keys that are equivalent to user passwords: anyone who can read it can impersonate the service to its clients. Store it on the local disk of the application server host with file permissions that make it readable only by the user ID the server runs under.
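To confirm what actually landed in the keytab before the application server loads it, the following Python is an added example (not part of this page or of WebSphere) that reads the MIT v2 (0x0502) keytab layout, which ktpass, ktadd and ktab all produce. It lists each entry's principal, key version number and encryption type, flags single DES and RC4-HMAC entries and lowercase realms, and writes the file with owner-only permissions. The sample keytab is constructed inline with dummy key bytes; the principal names are the ones used in the examples above.

```python
"""Offline inspection of a Kerberos keytab in the MIT v2 (0x0502) layout.
Added example, not IBM's code: ktpass, MIT ktadd and the Java ktab tool all
write this layout, so the checks apply to a keytab from any procedure above.
The sample keytab is built here with dummy key bytes."""
import os
import stat
import struct
import tempfile

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4-HMAC
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, name_type, kvno, enctype, key) tuples as a keytab."""
    out = b"\x05\x02"
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
        body += struct.pack(">I", kvno)                          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return a list of entry dicts; raise ValueError on a malformed file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry at offset %d" % (pos - 4))
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        strings = []               # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:         # 32-bit kvno wins when present and nonzero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": NAME_TYPES.get(name_type, str(name_type)), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES, "key_len": klen})
    return entries

def check_keytab(data, expected_principal):
    """Findings for the keytab the server will load; an empty list means it passes."""
    entries = parse_keytab(data)
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("no entry for %s" % expected_principal)
    for e in entries:
        realm = e["principal"].rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append("%s: realm is not upper case" % e["principal"])
        if e["weak"]:
            findings.append("%s kvno %d: weak enctype %s" % (e["principal"], e["kvno"], e["enctype"]))
    return findings

def save_keytab(data, path=None):
    """Write the keytab readable by its owner only; return whether that held."""
    path = path or os.path.join(tempfile.mkdtemp(), "krb5.keytab")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Constructed sample: the SPNEGO principal from the ktpass example with an AES256
# key, plus a stale single-DES entry left behind by an earlier export.
SPN = "HTTP/myappserver.austin.ibm.com@WSSEC.AUSTIN.IBM.COM"
SAMPLE_KEYTAB = build_keytab([
    (SPN, 1, 2, 18, bytes(range(32))),
    ("WAS/testmach.austin.ibm.com@WSSEC.AUSTIN.IBM.COM", 1, 1, 3, b"\x01" * 8)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(kvno)4d  %(enctype)-24s %(principal)s" % e)
    print(check_keytab(SAMPLE_KEYTAB, SPN) or "keytab ok")
    print("owner-only permissions:", save_keytab(SAMPLE_KEYTAB))
```

Point check_keytab at the bytes of the copied krb5.keytab and the SPN the server is configured with; an entry with the wrong realm case or a kvno that no longer matches the KDC is the usual reason a keytab that "looks right" still produces decryption failures at login.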

Use the validateKrbConfig command to validate the krb5.conf and krb5.keytab files, for example:

The Kerberos keytab file is shared by Kerberos and SPNEGO web authentication. It is loaded once and cannot be refreshed while the server runs, unless JDK 1.6 with SR3 is installed.

If we need to merge your keytab files, IBM recommends that you use the Java ktab command with the -m option.


Results

You have created a Kerberos service principal name and keytab file on the KDC that WAS uses to process SPNEGO and or Kerberos authentication requests.


Related concepts

  • Kerberos (KRB5) authentication mechanism support for security


    Related tasks

  • Create a single sign-on for HTTP requests using SPNEGO Web authentication
  • Configure Kerberos as the authentication mechanism using the administrative console
  • Mapping of a client Kerberos principal name to the WebSphere user registry ID

    (zos) Mapping a Kerberos principal to a System Authorization Facility (SAF) identity on z/OS

  • Set up Kerberos as the authentication mechanism for WebSphere Application Server

  • Kerberos authentication settings
    Ktab - Kerberos Key Table Manager
    Kerberos: The Network Authentication Protocol