The Kerberos key table manager command (Ktab) allows the
Web administrator to manage the Kerberos service principal names and
keys stored in a local Kerberos keytab file.
Kerberos service principal names (SPNs) and keys listed
in the Kerberos keytab file allow services running on the host to
authenticate themselves to the KDC. Before SPNEGO TAI can use Kerberos,
the WebSphere Application Server administrator must set up a Kerberos
keytab file on the host running WebSphere Application Server.
Important:
- It is important to protect the keytab files, making them readable
only by authorized WebSphere users.
- Any updates to the Kerberos keytab file using ktab do not affect
the Kerberos database. If you change the keys in the Kerberos keytab
file, you must also make the corresponding changes to the Kerberos
database.
Below is an example of how Ktab is used on a Linux
operating system to add new principal names to the Kerberos keytab
file.
[root@wssecjibe bin]# ./ktab -a HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
Done!
Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
Below is an example of how ktab is used on a Linux
operating system to list the Kerberos keytab file content.
[root@wssecjibe bin]# ./ktab
KVNO Principal
---- ---------
1 HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5.conf
/etc/krb5.keytab
Tip: You can run the ktab command from the install_root/java/jre/bin directory.
You can use the ktutil command from the native Kerberos implementation
to manage the Kerberos keytab file.
Tip: You can run the ktab command from the install_root/java/J5.0/bin or
install_root/java64/J5.0_64/bin directory.
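The keytab listing and the file-protection note above, as an added example that is not part of the original page or of the product's code: a Python check that a keytab is accessible only by its owner, plus a read-only parser that reports KVNO and principal the way the ktab listing does. It assumes the file uses the standard keytab format version 0x0502; the function names and the sample bytes are constructed for illustration.

```python
import os, stat, struct

def keytab_mode_problems(path):
    """Flag a keytab that anyone other than its owner can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return ["mode %04o grants group/other access" % mode] if mode & 0o077 else []

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def list_keytab(data):
    """Return (kvno, principal, enctype) per entry; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative length: hole left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                       # skip name type and timestamp
        kvno = data[p]               # 8-bit KVNO
        (enctype,) = struct.unpack_from(">H", data, p + 1)
        _key, p = _counted(data, p + 3)
        if end - p >= 4:             # optional 32-bit KVNO overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append((kvno, "/".join(comps) + "@" + realm.decode(), enctype))
        pos = end
    return entries

# Constructed sample: the page's principal, KVNO 1, enctype 17, an all-zero dummy key.
def _s(b): return struct.pack(">H", len(b)) + b
_entry = (struct.pack(">H", 2) + _s(b"WSSEC.AUSTIN.IBM.COM") + _s(b"HTTP")
          + _s(b"wssecjibe.austin.ibm.com") + struct.pack(">IIBH", 1, 0, 1, 17)
          + _s(bytes(16)) + struct.pack(">I", 1))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_entry)) + _entry

if __name__ == "__main__":
    print(list_keytab(SAMPLE_KEYTAB))
```

Comparing the KVNO reported here with the key version held in the Kerberos database is a quick way to spot a keytab that was changed with ktab without the matching database update.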