Content Platform Engine, Version 5.2.1

Creating a Kerberos keytab using ktab

The ktpass utility can be used to create a Kerberos keytab.

About this task

On WebSphere systems, this step needs to be done after setting up the Kerberos krb5.ini or krb5.conf file and must also be redone after changing enctypes in that file. This is needed because the WebSphere Ktab utility uses the krb5.ini file to determine which enctype (encryption type) is used. If the krb5.ini file does not have the proper enctype or has not yet been created, then the keytab entry will likely be incorrect.

Procedure

To create a Kerberos keytab using ktab:

  1. Enter the command for your environment:

     Windows-based WebLogic application servers:
       %JAVA_HOME%\bin\ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

     Windows-based WebSphere application servers:
       %JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

     UNIX-based WebLogic application servers:
       ${JAVA_HOME}/bin/ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

     UNIX-based WebSphere application servers:
       ${JAVA_HOME}/bin/java com.ibm.security.krb5.internal.tools.Ktab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

  2. Enter the password when prompted.

    The user name is case-sensitive and must be exactly the same case in the ktab command line as the user name defined in Windows Active Directory. For instance, if the user account was created with the name FNCEWS_myname@MYDOM.EXAMPLE.COM, then there might be mysterious, hard-to-identify problems later if FNCEWS_MyName were used on the ktab command. The domain name entered here in the ktab command must similarly be upper case to avoid those mysterious problems.

    Notice the underscore ("_") between FNCEWS and the system name. In the above example, FNCEWS_mycemp01 is the identity account name, not the SPN, which has a slash "/" delimiter instead (as in FNCEWS/mycemp01). If you mistakenly enter the SPN, simply run ktab again using the account name. You can clean up these mistakes by deleting bad entries using the same command line as above, but substituting -d (delete) for the -a switch.

    The ktab utility is part of the JDK distribution, and this command creates a file named krb5.keytab in the logged-on account's home directory. This home directory would be something like:

     Windows:
       c:\Documents and Settings\administrator.MYDOM\

     Unix:
       /home/username

    Because the keytab contains sensitive information (encrypted passwords), you would probably not want to use the default keytab as documented earlier. Instead, you could put restrictive file system permissions on the keytab so that only a minimum number of accounts can read it. To change the location of the keytabs, specify an extra option, -k path/mykeytab, on the ktab command line (substituting the real path and keytab file name for path and mykeytab).

    The following are examples of -k usage for WebSphere application servers on Windows:

    %JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -k c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

    or its equivalent:

    %JAVA_HOME%\bin\java com.ibm.security.krb5.internal.tools.Ktab -k FILE:c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

    The following is an example of -k usage for WebLogic application servers on Windows:

    %JAVA_HOME%\bin\ktab -k c:/mypath/mykeytab -a FNCEWS_mycemp01@MYDOM.EXAMPLE.COM

    Note: Ktab-generated keytab entries will sometimes get "Specified version of the key is not available" errors. This happens because later versions of the JVM compare the key version number (kvno) of the keytab entry against the kvno found in Active Directory for the identity user's password, and produce this error if a matching kvno is not found in the keytab. To work around this, use ktpass with the -kvno 0 option, which disables this check, or (on Java 7 or later) use the -n 0 option with ktab.
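The following is an added wrapper script, not part of this IBM page or the Content Platform Engine product, that applies the checks the steps above describe before calling the JDK ktab utility on a UNIX host: it rejects a principal that is really an SPN (slash instead of underscore), rejects a realm that is not upper case, builds the ktab command line with -k for a non-default keytab path and -n 0 for the kvno workaround, and then restricts the resulting keytab to its owner. The keytab path, the ktab location and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example wrapper around the JDK ktab utility (not IBM's code).
# All paths and function names below are illustrative assumptions.

# check_principal NAME@REALM
# Returns 0 when the principal looks like an identity account name
# (FNCEWS_host@REALM), 1 when it is an SPN (contains "/"), has no realm,
# or has a realm that is not entirely upper case. Mixed-case realms and
# SPN-style names are the two mistakes the procedure above warns about.
check_principal() {
    p="$1"
    case "$p" in
        */*) return 1 ;;   # slash means an SPN such as FNCEWS/mycemp01
        *@*) ;;            # has a realm, keep going
        *)   return 1 ;;   # no "@REALM" at all
    esac
    user="${p%@*}"
    realm="${p##*@}"
    [ -n "$user" ] && [ -n "$realm" ] || return 1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || return 1
    return 0
}

# build_ktab_cmd KTAB_BINARY KEYTAB_PATH PRINCIPAL
# Prints (does not run) the ktab command line: -k puts the keytab at a
# chosen path instead of the default krb5.keytab in the home directory,
# and -n 0 (Java 7 or later) avoids the kvno mismatch error described above.
build_ktab_cmd() {
    printf '%s -k FILE:%s -n 0 -a %s\n' "$1" "$2" "$3"
}

# lock_keytab KEYTAB_PATH
# The keytab holds key material derived from the account password, so
# make it readable and writable by its owner only, then verify the mode.
lock_keytab() {
    keytab="$1"
    [ -f "$keytab" ] || return 1
    chmod 600 "$keytab" || return 1
    mode=$(ls -ld "$keytab" | cut -c2-10)   # e.g. rw-------
    [ "$mode" = "rw-------" ]
}

# create_keytab KTAB_BINARY KEYTAB_PATH PRINCIPAL
# Validates, runs ktab (it prompts for the account password), then locks
# the file down. Returns non-zero at the first failing step.
create_keytab() {
    check_principal "$3" || { echo "bad principal: $3" >&2; return 1; }
    cmd=$(build_ktab_cmd "$1" "$2" "$3")
    echo "running: $cmd" >&2
    eval "$cmd" || return 1
    lock_keytab "$2"
}

# Usage (assumed paths, run interactively because ktab prompts for a password):
#   create_keytab "${JAVA_HOME}/bin/ktab" /etc/cpe/fncews.keytab FNCEWS_mycemp01@MYDOM.EXAMPLE.COM
```

The validation and the permission step are separated from the ktab call so they can be exercised without a KDC; on a WebSphere host replace the ktab binary argument with the `java com.ibm.security.krb5.internal.tools.Ktab` invocation shown in the procedure.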


Last updated: October 2015
p8psn050.htm

© Copyright IBM Corporation 2015.