Create a Kerberos service principal name and krb5.keytab
We create a Kerberos service principal name and krb5.keytab using key distribution centers (KDCs) from....
Create a Kerberos service principal name and krb5.keytab using Microsoft Windows KDC
Log on to the Active Directory domain controller machine.
- Create a user account in Active Directory for WebSphere Application Server.
Start | Programs | Administrative Tools | Active Directory Users and Computers
For example, if the application server we are running on the WAS machine is called...
myappserver.mydomain.com
...create a new user in Active Directory called myappserver.
Verify we do not have the computer name myappserver under Computers and Domain Controllers. If we do, create a different user account name.
Start | Programs | Administrative Tools | Active Directory Users and Computers | Computers
Start | Programs | Administrative Tools | Active Directory Users and Computers | Domain Controllers
- Map the Kerberos service principal name to a Microsoft user account.
cd C:\Support Tools
setspn -A HTTP/myappserver.mydomain.com myappserver
The service name for SPNEGO web authentication must be HTTP. However, the service name for Kerberos authentication can be any string allowed by the KDC. The host name must be a fully qualified host name.
Verify we do not have the same service principal name (SPN) mapping to more than one Microsoft user account. If we map the same SPN to more than one user account, the web browser client can send an NT LAN Manager (NTLM) token instead of a SPNEGO token to WebSphere.
- Create the Kerberos keytab file (krb5.keytab) and make it available to WebSphere.
A Kerberos krb5.keytab contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos krb5.keytabs by storing them on the local disk.
Use the ktpass tool from the Windows Server toolkit to create the Kerberos krb5.keytab for the SPN.
Use the latest version of the ktpass tool.
To determine the appropriate parameter values for the ktpass tool, run ktpass -?. This command lists whether the ktpass tool, which corresponds to the particular operating system, uses the value...
-crypto RC4-HMAC
...or...
-crypto RC4-HMAC-NT
To avoid warning messages from the toolkit, specify...
-ptype KRB5_NT_PRINCIPAL
The Windows 2003 server version of the ktpass tool supports the encryption type, RC4-HMAC, and single data encryption standard (DES).
The following output shows the functions available when you enter the ktpass -? command on the command line. This information might be different depending on the version of the toolkit that we are using.
C:\Program Files\Support Tools> ktpass -?
Command line options:
---------------------most useful args
[- /] out : Keytab to produce
[- /] princ : Principal name (user@REALM)
[- /] pass : password to use
            use "*" to prompt for password.
[- +] rndPass : ... or use +rndPass to generate a random password
[- /] minPass : minimum length for random password (def:15)
[- /] maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /] mapuser : map princ to this user account (default: don't)
[- /] mapOp : how to set the mapping attribute (default: add it)
[- /] mapOp : is one of:
[- /] mapOp : add : add value (default)
[- /] mapOp : set : set value
[- +] DesOnly : Set account for des-only encryption (default:don't)
[- /] in : Keytab to read/digest
---------------------options for key generation
[- /] crypto : Cryptosystem to use
[- /] crypto : is one of:
[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibliity
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption
[- /] ptype : principal type in question
[- /] ptype : is one of:
[- /] ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /] ptype : KRB5_NT_SRV_INST : user service instance
[- /] ptype : KRB5_NT_SRV_HST : host service instance
[- /] kvno : Override Key Version Number
             Default: query DC for kvno. Use /kvno 1 for Win2K compat.
[- +] Answer : +Answer answers YES to prompts. -Answer answers NO.
[- /] Target : Which DC to use. Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 Only
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /] TrustEncryp : Trust Encryption to use; DES is default
[- /] TrustEncryp : is one of:
[- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
[- /] TrustEncryp : DES : go back to DES

Do not use the -pass switch on the ktpass command to reset a password for a Microsoft Windows server account.
See Windows 2003 Technical Reference - Ktpass overview for more information.
Depending on the encryption type, we use the ktpass tool in one of the following ways to create the Kerberos krb5.keytab. The following section shows the different types of encryption used by the ktpass tool. Run the ktpass -? command to determine which -crypto parameter value is expected by the particular toolkit in your Microsoft Windows environment.
- Single DES encryption type:
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly

Option : Explanation
-out c:\temp\myappserver.keytab : The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM : The concatenation of the user logon name and the realm, which must be in uppercase.
-mapUser : The key is mapped to the user, myappserver.
-mapOp : Set the mapping.
-pass was1edu : Password for the user ID.
-crypto DES-CBC-MD5 : This option uses the single DES encryption type.
-pType KRB5_NT_PRINCIPAL : Specify the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
+DesOnly : Generates only DES encryptions.

- RC4-HMAC encryption type:
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto RC4-HMAC -pType KRB5_NT_PRINCIPAL
RC4-HMAC encryption is only supported when using a Windows 2003 Server as KDC.

Option : Explanation
-out c:\temp\myappserver.keytab : The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM : The concatenation of the user logon name and the realm, which must be in uppercase.
-mapUser : The key is mapped to the user, myappserver.
-mapOp : Set the mapping.
-pass was1edu : Password for the user ID.
-crypto RC4-HMAC : RC4-HMAC encryption type.
-pType KRB5_NT_PRINCIPAL : KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.

- RC4-HMAC-NT encryption type:
ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM -mapUser myappserver -mapOp set -pass was1edu -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
The Kerberos krb5.keytab is created for use with SPNEGO.

Option : Explanation
-out c:\temp\myappserver.keytab : The key is written to this output file.
-princ HTTP/myappserver.mydomain.com@WSSEC.AUSTIN.IBM.COM : The concatenation of the user logon name and the realm, which must be in uppercase.
-mapUser : The key is mapped to the user, myappserver.
-mapOp : Set the mapping.
-pass was1edu : Password for the user ID.
-crypto RC4-HMAC-NT : This option chooses the RC4-HMAC-NT encryption type.
-pType KRB5_NT_PRINCIPAL : Specify the KRB5_NT_PRINCIPAL principal value. Specify this option to avoid toolkit warning messages.
Create a Kerberos service principal name and krb5.keytab using iSeries, Linux, Solaris and MIT KDCs
See your Kerberos implementation documents for the kadmin, kadmin.local addprinc and ktadd commands for more detailed information.
- Log on to a Linux, Solaris or MIT KDC machine.
- Create a Kerberos service principal for Kerberos authentication, for example:
WAS/testmach.mydomain.com
kadmin.local: addprinc WAS/testmach.mydomain.com
- Add the newly created Kerberos service principal, WAS/testmach.mydomain.com, to a default krb5.keytab, for example:
kadmin.local: ktadd WAS/testmach.mydomain.com
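After either procedure (ktpass on a Windows KDC, ktadd on an MIT KDC) it is worth confirming, before the file is handed to WebSphere, that the keytab really contains the SPN you mapped, with which key version number, and which encryption types its keys use. The following Python is an added example and not code from this IBM documentation: it parses the MIT keytab file format (version 2, magic bytes 0x0502) used by both ktadd and ktpass, reads past the key material without returning it, and flags entries whose keys are single DES or RC4-HMAC (the types the ktpass commands above produce), both of which are deprecated for Kerberos. The SPN, realm and key bytes in SAMPLE_KEYTAB are constructed sample values.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3, 23}   # single DES and RC4-HMAC, deprecated by RFC 6649 and RFC 8429

def _cstr(b):           # counted_octet_string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    # Serialize (principal, realm, kvno, enctype, key) tuples into a v2 keytab (magic 0x0502).
    out = b"\x05\x02"
    for principal, realm, kvno, etype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)  # keyblock + 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    assert data[:2] == b"\x05\x02", "only keytab file format version 2 is supported"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp.decode())
        vno8, etype = data[pos + 8], struct.unpack_from(">H", data, pos + 9)[0]  # after name_type, timestamp
        _key, pos = _read_cstr(data, pos + 11)     # key bytes are skipped, never reported
        kvno = struct.unpack_from(">I", data, pos)[0] if pos + 4 <= end else vno8  # 32-bit kvno is optional
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in WEAK})
        pos = end
    return entries

def find_spn(data, spn, realm):
    return [e for e in parse_keytab(data) if e["principal"] == spn and e["realm"] == realm]

# Constructed sample: the page's SPN with an RC4-HMAC key and an AES-256 key; key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/myappserver.mydomain.com", "WSSEC.AUSTIN.IBM.COM", 3, 23, b"\x11" * 16),
    ("HTTP/myappserver.mydomain.com", "WSSEC.AUSTIN.IBM.COM", 3, 18, b"\x22" * 32)])
```

To inspect a real file, call parse_keytab(open("/etc/krb5.keytab", "rb").read()) and review the entries whose "weak" flag is set.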
Related
- Kerberos (KRB5) authentication support
- Create a single sign-on for HTTP requests using SPNEGO Web authentication
- Configure Kerberos as the authentication mechanism
- Map a client Kerberos principal name to the WebSphere user registry ID
- Set up Kerberos as the authentication mechanism for WAS
- Kerberos authentication settings
- ktab
- Kerberos: The Network Authentication Protocol
- How does Kerberos work?