Create a Kerberos service principal name and keytab file

Create a Kerberos service principal name and keytab file

We create a Kerberos service principal name and keytab file using key distribution centers (KDCs) from....

Microsoft Windows
IBM i, Linux, Solaris, and MIT
z/OS

Create a Kerberos service principal name and keytab file using Microsoft Windows KDC

This task is performed on the Active Directory domain controller machine.
Create a user account in Active Directory for WebSphere Application Server.

Start | Programs | Administrative Tools | Active Directory Users and Computers

For example, if the application server we are running on the WAS machine is called...
myappserver.mydomain.com

...create a new user in Active Directory called myappserver.

Make sure that we do not have the computer name myappserver under Computers and Domain Controllers. If we already have a computer named myappserver, then create a different user account name.
Start -> Programs -> Administrative Tools -> Active Directory Users and Computers -> Computers -> Programs -> Administrative Tools -> Active Directory Users and Computers -> Domain Controllers

Map the Kerberos service principal name to a Microsoft user account.
cd C:\Support Tools
setspn -A HTTP/myappserver.mydomain.com myappserver

The service name for SPNEGO web authentication must be HTTP. However, the service name for Kerberos authentication can be any strings allowed by the KDC. The host name must be a fully-qualified host name.
Make sure that we do not have the same service principle names (SPNs) mapping to more than one Microsoft user account. If we map the same SPN to more than one user account, the web browser client can send an NT LAN manager (NTLM) token instead of a SPNEGO token to WAS.
Create the Kerberos keytab file (krb5.keytab) and make it available to WAS.
A Kerberos keytab file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk.
Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab file for the SPN.
Use the latest version of the ktpass tool that matches the Windows server level that we are using. For example, use the Windows 2003 version of the tool for a Windows 2003 server.

To determine the appropriate parameter values for the ktpass tool, run the ktpass -? command from the command line. This command lists whether the ktpass tool, which corresponds to the particular operating system, uses the value...
-crypto RC4-HMAC

...or...
-crypto RC4-HMAC-NT

To avoid warning messages from the toolkit, specify...
-ptype KRB5_NT_PRINCIPAL

The Windows 2003 server version of the ktpass tool supports the encryption type, RC4-HMAC, and single data encryption standard (DES).
The following code shows the functions available when you enter ktpass -? command on the command line. This information might be different depending on the version of the toolkit that we are using.
C:\Program Files\Support Tools> ktpass -?                                  
Command line options:                                                     
                                                                          
---------------------most useful args                                     
[- /]          out : Keytab to produce                                    
[- /]        princ : Principal name (user@REALM)                          
[- /]         pass : password to use                                      
                     use "*" to prompt for password.                      
[- +]      rndPass : ... or use +rndPass to generate a random password    
[- /]      minPass : minimum length for random password (def:15)          
[- /]      maxPass : maximum length for random password (def:256)         
---------------------less useful stuff                                    
[- /]      mapuser : map princ to this user account (default:     
don't)                                                                    
[- /]        mapOp : how to set the mapping attribute (default: add it)   
[- /]        mapOp :  is one of:                                          
[- /]        mapOp :        add : add value (default)                     
[- /]        mapOp :        set : set value                               
[- +]      DesOnly : Set account for des-only encryption (default:don't)  
[- /]           in : Keytab to read/digest                                
---------------------options for key generation                           
[- /]       crypto : Cryptosystem to use                                  
[- /]       crypto :  is one of:                                          
[- /]       crypto : DES-CBC-CRC : for compatibility                      
[- /]       crypto : DES-CBC-MD5 : for compatibliity                      
[- /]       crypto : RC4-HMAC-NT : default 128-bit encryption             
[- /]        ptype : principal type in question                           
[- /]        ptype :  is one of:                                          
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended  
[- /]        ptype : KRB5_NT_SRV_INST : user service instance             
[- /]        ptype : KRB5_NT_SRV_HST : host service instance              
[- /]         kvno : Override Key Version Number                          
                     Default: query DC for kvno.  Use /kvno 1 for Win2K   
compat.                                                                   
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers     
NO.                                                                       
[- /]       Target : Which DC to use.  Default:detect                     
---------------------options for trust attributes (Windows Server 2003    
Sp1 Only                                                                  
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.      
[- /]  TrustEncryp : Trust Encryption to use; DES is default              
[- /]  TrustEncryp :  is one of:                                          
[- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)              
[- /]  TrustEncryp :        DES : go back to DES
Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account. See Windows 2003 Technical Reference - Ktpass overview for more information.
Depending on the encryption type, we use the ktpass tool in one of the following ways to create the Kerberos keytab file. The following section shows the different types of encryption used by the ktpass tool. Run the ktpass -? command to determine which -crypto parameter value is expected by the particular toolkit in your icrosoft Windows environment.
Single DES encryption type:
ktpass -out c:\temp\myappserver.keytab
       -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM
       -mapUser myappserv 
       -mapOp set 
       -pass was1edu
       -crypto DES-CBC-MD5 
       -pType KRB5_NT_PRINCIPAL
       +DesOnly
Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto DES-CBC-MD5 This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly This option generates only DES encryptions.
RC4-HMAC encryption type:
ktpass -out c:\temp\myappserver.keytab 
       -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM 
       -mapUser myappserver
       -mapOp set 
       -pass was1edu 
       -crypto RC4-HMAC
       -pType KRB5_NT_PRINCIPAL
RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC.

Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu Password for the user ID.
-crypto RC4-HMAC RC4-HMAC encryption type.
-pType KRB5_NT_PRINCIPAL KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
For the RC4-HMAC-NT encryption type
ktpass -out c:\temp\myappserver.keytab 
       -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM 
       -mapUser myappserver 
       -mapOp set 
       -pass was1edu 
       -crypto RC4-HMAC-NT
       -pType KRB5_NT_PRINCIPAL
Option Explanation
-out c:\temp\myappserver.keytab The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser The key is mapped to the user, myappserver.
-mapOp This option sets the mapping.
-pass was1edu This option is the password for the user ID.
-crypto RC4-HMAC-NT This option chooses the RC4-HMAC-NT encryption type.
-pType KRB5_NT_PRINCIPAL This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
The Kerberos keytab file is created for use with SPNEGO.
Create a Kerberos service principal name and keytab file using iSeries, Linux, Solaris and MIT KDCs

See your Kerberos implementation documents for the kadmin, kadmin.local addprinc and ktadd commands for more detailed information.

This task is performed on a Linux, Solaris or MIT KDC machine.

Create a Kerberos service principal for Kerberos authentication, for example:
WAS/testmach.mydomain.com
kadmin.local: addprinc WAS/testmach.mydomain.com

Add the newly-created Kerberos service principal, WAS/testmach.mydomain.com to a default krb5.keytab file, for example:
kadmin.local: ktadd WAS/testmach.mydomain.com

Create a Kerberos service principal name and keytab file using z/OS KDC

Before Simple and Protected GSS-API Negotiation (SPNEGO) web authentication and Kerberos authentication can be used, the WAS administrator must first create a Kerberos keytab file on the host running WAS.

To create an SPN, do the following:
The Kerberos ID (KERBNAME) must be of the form...
<service>/<fully qualified system name>

The following example creates the Kerberos SPN for SPNEGO Web, HTTP/host1.pok.ibm.com:
ALTUSER ASCR1 KERB(KERBNAME(HTTP/host1.pok.ibm.com))

We should ensure that the list of supported encryption types specified on the ALTUSER command is consistent with what is specified in the krb5.conf kerberos configuration file. For example, if the krb5.conf configuration file specifies that only aes256-cts-hmac-sha1-96 is supported, then the ENCRYPT operand should have all encryption types set as not supported, except for AES256.
Generate the Kerberos key for this user. To generate this key, a password must be associated with this ID. Do not use this ID to log onto the system. Enter the following two lines whenever a new Kerberos key is required.
The WebSphere or KDC administrator must know this password to create an entry in the keytab file.
ALTUSER ASCR1 PASSWORD(was1krb) NOEXPIRED
ALTUSER ASCR1 NOPASSWORD
Verify that this user has a valid Kerberos segment and a key, for example:
LISTUSER ASCR1 KERB NORACF
 USER=ASCR1                            
 KERB INFORMATION                      
 ----------------                      
 KERBNAME= HTTP/host1.pok.ibm.com        
 KEY VERSION= 001                      
 KEY ENCRYPTION TYPE= DES NODES3 NODESD
To create a Kerberos keytab (krb5.keytab) file, use the Java Kerberos ktab command...
<$WAS_HOME>/java/bin/ktab

...by doing the following...
Type the ktab -help command to obtain the proper usage for this command. For example:
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(189):>ktab -help
Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
Available options:
        -l					list the keytab name and entries
        -a <principal_name> [password] 	add an entry to the keytab
        -d <principal_name>      	delete an entry from the keytab
        -k <keytab_name>			specify keytab name and path with FILE: prefix
        -m <source_keytab_name> <destination_keytab_name>      
           specify merging source keytab file name and destination keytab file name
   
Use the ktab command to add the SPN to a default keytab file, for example:
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(201):>ktab -a
HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM ot56prod
Done!
Service key for principal HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM saved
Verify that the correct SPN is in the default keytab file, for example:
(host1)CTC03:/PYRSA1/usr/lpp/zWebSphere/V7R1/java/J5.0/bin(202):>ktab
1 entries in keytab, name: /etc/skrb/krb5.keytab
        KVNO    Principal
        ----    ---------
        1       HTTP/host1.pok.ibm.com@LSREALM.POK.IBM.COM
Make the keytab file available to WAS. Copy the krb5.keytab file from the KDC to the WAS machine at the location specified in the Kerberos configuration file (krb5.ini or krb5.conf). For example:
ftp> bin
ftp> put c:\temp\KRB5_NT_SEV_HST\krb5.keytab
A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk, which makes them readable only by authorized users.
Use the validateKrbConfig command to validate the krb5.conf and krb5.keytab files, for example:
wsadmin>$AdminTask help validateKrbConfig

The Kerberos keytab file is shared by Kerberos and SPNEGO web authentication. It is loaded once and cannot be refreshed.
This is not true, however, if we have the JDK 1.6 with SR3 installed.

If we need to merge your keytab files, it is recommended that we use the Java ktab command with the -m option.
We have created a Kerberos service principal name and keytab file on the KDC that WAS uses to process SPNEGO and or Kerberos authentication requests.

Related

Kerberos (KRB5) authentication mechanism support for security
Create a single sign-on for HTTP requests using SPNEGO Web authentication
Configure Kerberos as the authentication mechanism
Mapping of a client Kerberos principal name to the WebSphere user registry ID
(ZOS) Mapping a Kerberos principal to a System Authorization Facility (SAF) identity on z/OS
Set up Kerberos as the authentication mechanism for WAS
Kerberos authentication settings
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/ktab.html
http://web.mit.edu/kerberos/www/index.html
How does Kerberos work?:1

Option	Explanation
-out c:\temp\myappserver.keytab	The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM	The concatenation of the user logon name, and the realm must be in uppercase.
-mapUser	The key is mapped to the user, myappserver.
-mapOp	This option sets the mapping.
-pass was1edu	This option is the password for the user ID.
-crypto DES-CBC-MD5	This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL	This option specifies the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly	This option generates only DES encryptions.