Create the Kerberos configuration file for use with the SPNEGO TAI


You use the wsadmin utility to create the Kerberos keytab configuration file for use with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.


Overview

A Kerberos keytab configuration file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk. The krb5.conf file permission must be 644, which means that the owner can read and write the file, while members of the group that owns the file and all other users can only read it.

Verify that end-user desktop browsers are configured to support SPNEGO authentication, that the SPNEGO TAI is enabled, that the JVM property is set, and that WAS is configured to enable the operation of the SPNEGO TAI.

Use the wsadmin utility to configure the SPNEGO TAI for WAS:


Procedure

  1. Start WAS.

  2. Run wsadmin...

    cd app_server_root/bin
    ./wsadmin

  3. At the wsadmin prompt...

    $AdminTask createKrbConfigFile

    You can use the following parameters with this command:

    Option          Description
    <krbPath>       Required. Fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file.
    <realm>         Required. Kerberos realm name. The value of this attribute is used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPN<id>.hostName.
    <kdcHost>       Required. Host name of the Kerberos Key Distribution Center (KDC).
    <kdcPort>       Optional. Port number of the KDC. The default value, if not specified, is 88.
    <dns>           Required. Provides the default domain name service (DNS) that is used to produce a fully qualified host name.
    <keytabPath>    Required. Provides the file system location of the Kerberos keytab file.
    <encryption>    Optional. List of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac.

    Run...

    wsadmin>$AdminTask createKrbConfigFile {-krbPath c:\winnt\krb5.ini -realm WSSEC.AUSTIN.IBM.COM -kdcHost host1.austin.ibm.com -dns austin.ibm.com -keytabPath c:\winnt\krb5.keytab}
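    As an added example (not IBM's code, and not what wsadmin itself runs), the following Python script renders a krb5.conf from the same parameters that createKrbConfigFile takes, parses it back, and audits it for the 644 permission this page requires and for single-DES encryption types; the section layout of the rendered file is an assumption about what WAS writes, and the audit takes the file mode as an integer (on a real file, obtain it with stat.S_IMODE(os.stat(path).st_mode)).

```python
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc"}  # single DES, deprecated by RFC 6649

def render_krb5_conf(realm, kdc_host, dns, keytab_path, kdc_port=88,
                     encryption=("des-cbc-md5", "rc4-hmac")):
    """Render a krb5.conf from the createKrbConfigFile parameters (layout assumed, not WAS's own)."""
    enc = " ".join(encryption)
    return "\n".join([
        "[libdefaults]",
        f"    default_realm = {realm}",
        f"    default_keytab_name = FILE:{keytab_path}",
        f"    default_tkt_enctypes = {enc}",
        f"    default_tgs_enctypes = {enc}",
        "[realms]",
        f"    {realm} = {{",
        f"        kdc = {kdc_host}:{kdc_port}",
        f"        default_domain = {dns}",
        "    }",
        "[domain_realm]",
        f"    .{dns} = {realm}",
    ]) + "\n"

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; the realm's braces are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value != "{":  # 'REALM = {' opens the realm block, not a setting
                conf[section][key] = value
    return conf

def audit_krb5_conf(text, mode):
    """Findings: mode differs from the required 644, or weak enctypes are allowed."""
    findings = []
    if mode != 0o644:
        findings.append(f"mode is {oct(mode)}, expected 0o644")
    lib = parse_krb5_conf(text).get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES & set(lib.get(key, "").split())
        if weak:
            findings.append(f"{key} allows weak enctypes: {sorted(weak)}")
    return findings
```

    With the page's defaults the audit reports both enctype settings, because des-cbc-md5 is in the default list; passing an explicit encryption list without DES clears those findings.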


Results

The Kerberos keytab configuration file is created for use with the SPNEGO TAI.

The default location of the Kerberos configuration file is /winnt/krb5.ini on Windows and /etc/krb5 on distributed platforms. If you specify another location path, then also specify the java.security.krb5.conf JVM property.

For example, if your krb5.conf file is specified at...

/opt/IBM/WAS/profiles/AppServer/etc/krb5.conf

...then specify...

-Djava.security.krb5.conf=/opt/IBM/WAS/profiles/AppServer/etc/krb5.conf


Related tasks


Configure WAS environment to use SPNEGO


Related Reference


Kerberos configuration requirements for SPNEGO TAI