Using the ktab command to manage the Kerberos keytab file
The Kerberos key table manager command (Ktab) allows the product administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file. With the IBM Software Development Kit (SDK) or Sun Java Development Kit (JDK) 1.6 or later, you can use the ktab command to merge two Kerberos keytab files.
The Kerberos service principal names (SPNs) and keys listed in the Kerberos keytab file allow services running on the host to validate incoming Kerberos or SPNEGO token requests. Before configuring Kerberos or SPNEGO web authentication, the WebSphere® Application Server administrator must set up a Kerberos keytab file on the host that is running WebSphere Application Server.
Deprecated feature:
In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server Version 7.0, this function is now deprecated.
SPNEGO web authentication has taken its place to provide the following enhancements:
- Configure and enable SPNEGO Web Authentication and filters on the WebSphere Application Server side by using the administrative console.
- Provide dynamic reload of SPNEGO without having to stop and restart the WebSphere Application Server.
- Provide fallback to an application login method if the SPNEGO web authentication fails.
Important:
- It is important to protect the keytab files and make them readable only by authorized product users.
- Any updates to the Kerberos keytab file using Ktab do not affect the Kerberos database. If you change the keys in the Kerberos keytab file, you must also make the corresponding changes to the Kerberos database.
The syntax of Ktab is shown below by running Ktab with the -help operand:
$ ktab -help
Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
Available options:
-l                                                 list the keytab name and entries
-a <principal_name> [password]                     add an entry to the keytab
-d <principal_name>                                delete an entry from the keytab
-k <keytab_name>                                   specify keytab name and path with FILE: prefix
-m <source_keytab_name> <destination_keytab_name>  specify merging source keytab file name and destination keytab file name
Following is an example of how Ktab is used to merge the krb5Host1.keytab file into the krb5.keytab file:
[root@wssecjibe bin]# ./ktab -m /etc/krb5Host1.keytab /etc/krb5.keytab
Merging keytab files: source=krb5Host1.keytab destination=krb5.keytab
Done!
[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5Host1.keytab
/etc/krb5.keytab
Following is an example of how Ktab is used on a Linux platform to add a new principal name to the Kerberos keytab file, where ot56prod is the password for the Kerberos principal name:
[root@wssecjibe bin]# ./ktab -a HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
Done!
Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
Following is an example of how Ktab is used on a Windows platform to list Kerberos keytab file content:
[root@wssecjibe bin]# ./ktab
KVNO Principal
---- ---------
1 HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5.conf
/etc/krb5.keytab
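The listing, merge and delete operations shown above, together with the file-permission rule from the Important note, can be reproduced without a JDK by reading the keytab file directly. The following is an added example written for this page; it is not IBM's Ktab code and it does not call ktab. It assumes the keytab is in the common version-2 binary layout (0x05 0x02 header followed by length-prefixed records, where a negative record length marks a deleted slot). All sample entries, key bytes and the host1.example.test principal are constructed for the example; the duplicate-suppression rule in merge_keytabs is this example's choice, not a documented ktab behaviour.

```python
"""Inspect, merge and delete entries in a version-2 Kerberos keytab file.

Added example for the ktab page; not IBM's Ktab. Sample data is constructed.
"""
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"  # version-2 keytab header


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string at pos; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def _records(data):
    """Yield (offset, size, body) for every slot; deleted slots have size < 0."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, end = pos + 4, pos + 4 + abs(size)
        yield pos, size, data[start:end]
        pos = end


def _parse_entry(body):
    """Decode one record body into principal, kvno, enctype, key and timestamp."""
    pos = 0
    (ncomp,) = struct.unpack_from(">H", body, pos); pos += 2
    realm, pos = _counted(body, pos)
    comps = []
    for _ in range(ncomp):
        c, pos = _counted(body, pos)
        comps.append(c.decode())
    _name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, pos); pos += 9
    enctype, klen = struct.unpack_from(">HH", body, pos); pos += 4
    key = body[pos:pos + klen]; pos += klen
    kvno = vno8
    if len(body) - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field when non-zero
        (vno32,) = struct.unpack_from(">I", body, pos)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
            "enctype": enctype, "key": key, "timestamp": timestamp}


def parse_keytab(data):
    """Return the live entries of a keytab (deleted slots are skipped), like `ktab -l`."""
    return [_parse_entry(body) for _, size, body in _records(data) if size > 0]


def build_keytab(entries):
    """Serialise entries into keytab bytes (the write side of `ktab -a`)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"] & 0xFF)  # name type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(src, dst):
    """Append src entries to dst, keeping one copy of any (principal, kvno, enctype) triple."""
    merged = parse_keytab(dst)
    seen = {(e["principal"], e["kvno"], e["enctype"]) for e in merged}
    for e in parse_keytab(src):
        k = (e["principal"], e["kvno"], e["enctype"])
        if k not in seen:
            merged.append(e)
            seen.add(k)
    return build_keytab(merged)


def delete_entry(data, principal):
    """Mark every slot for principal as deleted by negating its length (like `ktab -d`)."""
    out = bytearray(data)
    removed = 0
    for off, size, body in _records(data):
        if size > 0 and _parse_entry(body)["principal"] == principal:
            struct.pack_into(">i", out, off, -size)
            removed += 1
    return bytes(out), removed


def listing(entries):
    """Render entries in the KVNO / Principal table layout that ktab prints."""
    lines = ["KVNO Principal", "---- ---------"]
    lines += [f"{e['kvno']:>4} {e['principal']}" for e in entries]
    return "\n".join(lines)


def keytab_permissions_ok(path):
    """True only if no group/other permission bits are set on the keytab file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo_permission_check():
    """Write a keytab with mode 0600, check it, then loosen to 0644 and check again."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, SAMPLE_DST)
        os.close(fd)
        os.chmod(path, 0o600)
        strict = keytab_permissions_ok(path)
        os.chmod(path, 0o644)
        loose = keytab_permissions_ok(path)
    finally:
        os.unlink(path)
    return strict, loose  # (True, False)


# Constructed sample keytabs; the key bytes are placeholders, not real service keys.
SAMPLE_DST = build_keytab([{"principal": "HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM",
                            "kvno": 1, "enctype": 17, "key": bytes(range(16))}])   # 17 = aes128-cts
SAMPLE_SRC = build_keytab([{"principal": "HTTP/host1.example.test@WSSEC.AUSTIN.IBM.COM",
                            "kvno": 2, "enctype": 18, "key": bytes(range(32))}])   # 18 = aes256-cts

if __name__ == "__main__":
    print(listing(parse_keytab(merge_keytabs(SAMPLE_SRC, SAMPLE_DST))))
    print("permission check (0600, 0644):", demo_permission_check())
```

The permission check enforces the Important note above: a keytab holds the service's long-term keys, so any group or world bit on the file is a finding. Deleting by negating the record length leaves the key bytes in place on disk, which is why a keytab that has had entries removed is still sensitive until it is rewritten.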
Tip: You can run the ktab command from the install_root/java/J5.0/bin or install_root/java64/J5.0_64/bin directory.