Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
Use the ktab command to manage the Kerberos keytab file
The Kerberos key table manager command (Ktab) allows the Web administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file. The Kerberos service principal names (SPNs) and keys listed in the Kerberos keytab file allow services running on the host to authenticate themselves to the KDC. Before SPNEGO TAI can use Kerberos, the WebSphere Application Server administrator must set up a Kerberos keytab file on the host running WebSphere Application Server.
Important:
- It is important to protect the keytab files, making them readable only by authorized WebSphere users.
- Any updates to the Kerberos keytab file using ktab do not affect the Kerberos database. If you change the keys in the Kerberos keytab file, also make the corresponding changes to the Kerberos database.
Below is an example of how Ktab is used on a Linux operating system to add new principal names to the Kerberos keytab file.
    [root@wssecjibe bin]# ./ktab -a HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
    Done!
    Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
Below is an example of how ktab is used on a Linux operating system to list the Kerberos keytab file content.
    [root@wssecjibe bin]# ./ktab
    KVNO    Principal
    ----    ---------
    1       HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
    [root@wssecjibe bin]# ls /etc/krb5.*
    /etc/krb5.conf /etc/krb5.keytab
You can run the ktab command from the install_root/java/jre/bin directory. You can also use the ktutil command of the native Kerberos implementation to manage the Kerberos keytab file.
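The note above asks that keytab files be readable only by authorized WebSphere users. The following shell function is an added example, not part of the original documentation: it checks that a keytab is a regular file owned by one expected account, with no group or other permission bits set. It assumes GNU stat on Linux and a single service account as the only authorized user; check_keytab and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: audit ownership and mode of a Kerberos keytab file.
# Assumptions: GNU stat (Linux); exactly one account should have access.
# Usage (account name is a placeholder): check_keytab /etc/krb5.keytab <service-account>

# check_keytab PATH EXPECTED_OWNER
# Returns 0 when PATH is a regular file owned by EXPECTED_OWNER with no
# group/other permission bits; otherwise prints each finding and returns 1.
check_keytab() {
    local path="$1" want_owner="$2" rc=0 owner mode

    # A symlink hides which file actually holds the keys.
    if [ -L "$path" ]; then
        echo "FAIL: $path is a symbolic link; audit the target directly"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' -- "$path")   # owning user name
    mode=$(stat -c '%a' -- "$path")    # octal permission bits, e.g. 600

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $path is owned by $owner, expected $want_owner"
        rc=1
    fi
    # Group or other bits extend access to the service keys beyond the owner.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $path has mode $mode; remove group/other access (chmod 600)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $path owner=$owner mode=$mode"
    fi
    return "$rc"
}
```

Where a group of administrators legitimately shares the keytab, relax the mask from 077 to 007 and verify the owning group as well.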