The following command is an example of the createKrbConfigFile command:
$AdminTask createKrbConfigFile {-krbPath c:/winnt/krb5.ini
-realm WSSEC.AUSTIN.IBM.COM
-kdcHost host1.austin.ibm.com
-dns austin.ibm.com|raleigh.ibm.com
-keytabPath c:/winnt/krb5.keytab}
This command generates the c:/winnt/krb5.ini file shown here. The first domain in the -dns value becomes default_domain, and every domain in the list gets its own [domain_realm] mapping to the realm:
[libdefaults]
default_realm = WSSEC.AUSTIN.IBM.COM
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
[realms]
WSSEC.AUSTIN.IBM.COM = {
kdc = host1.austin.ibm.com:88
default_domain = austin.ibm.com
}
[domain_realm]
.austin.ibm.com = WSSEC.AUSTIN.IBM.COM
.raleigh.ibm.com = WSSEC.AUSTIN.IBM.COM
Note that the default_tkt_enctypes and default_tgs_enctypes values in this generated file (rc4-hmac, des-cbc-md5) are legacy encryption types: single DES is deprecated by RFC 6649 and RC4 by RFC 8429. If the KDC and the service principal's keys support AES types such as aes256-cts-hmac-sha1-96, list those types instead and make sure the keytab is generated with matching keys.
In the [libdefaults] section, you can also specify a TCP or UDP transport preference. By default, the Java Kerberos library sends requests to the KDC over UDP. The udp_preference_limit parameter controls when TCP is used instead: messages larger than the limit are sent over TCP. To always use TCP, set the parameter to 1, so that every request exceeds the limit. For example:
udp_preference_limit = 1
If you do not specify this parameter, the Java Kerberos library uses TCP only after a ticket request over UDP fails because the KDC returns the KRB_ERR_RESPONSE_TOO_BIG error code.
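As an added example, not part of the WebSphere documentation or product: the following Python script renders a krb5.ini from the same inputs that createKrbConfigFile takes (realm, KDC host, the '|'-separated -dns list, and keytab path), then reads back the [libdefaults] section to report which KDC transport the udp_preference_limit setting yields and which of the listed encryption types are legacy. The function names, the WEAK_ENCTYPES set and the force_tcp option are this example's own assumptions, not product options; the conversion of the keytab path to backslashes mirrors what the generated file above shows.

```python
# Added example (not from the WebSphere product or its documentation): builds a
# krb5.ini from the parameters createKrbConfigFile takes, then lints the
# [libdefaults] section. All names here are this example's own, not product APIs.

# Encryption types deprecated for Kerberos by RFC 6649 (DES) and RFC 8429
# (3DES, RC4); the file generated in the text uses two of them.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-md5", "des-cbc-crc", "des-cbc-md4", "des3-cbc-sha1"}


def build_krb5_conf(realm, kdc_host, dns, keytab_path,
                    enctypes=("rc4-hmac", "des-cbc-md5"),
                    force_tcp=False, kdc_port=88, clockskew=300):
    """Render a krb5.ini in the layout shown on the page.

    dns is the '|'-separated list the -dns parameter takes: the first entry
    becomes default_domain and every entry gets a [domain_realm] mapping.
    keytab_path is written with backslashes, as in the generated file.
    """
    domains = [d.strip().lstrip(".") for d in dns.split("|") if d.strip()]
    if not domains:
        raise ValueError("-dns must name at least one DNS domain")
    enc = " ".join(enctypes)
    keytab = keytab_path.replace("/", "\\")
    lib = [
        "[libdefaults]",
        f"default_realm = {realm}",
        f"default_keytab_name = FILE:{keytab}",
        f"default_tkt_enctypes = {enc}",
        f"default_tgs_enctypes = {enc}",
        "forwardable = true",
        "renewable = true",
        "noaddresses = true",
        f"clockskew = {clockskew}",
    ]
    if force_tcp:
        # A 1-byte limit means every request exceeds it, so TCP is always used.
        lib.append("udp_preference_limit = 1")
    realms = [
        "[realms]",
        f"{realm} = {{",
        f"kdc = {kdc_host}:{kdc_port}",
        f"default_domain = {domains[0]}",
        "}",
    ]
    domain_realm = ["[domain_realm]"] + [f".{d} = {realm}" for d in domains]
    return "\n".join(lib + realms + domain_realm) + "\n"


def parse_libdefaults(conf_text):
    """Return the key/value pairs of [libdefaults] as a dict; other sections are skipped."""
    values = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = (line == "[libdefaults]")
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def lint_libdefaults(conf_text):
    """Report the KDC transport behaviour and any weak enctypes in a krb5.ini."""
    lib = parse_libdefaults(conf_text)
    limit = lib.get("udp_preference_limit")
    if limit is not None and int(limit) <= 1:
        transport = "tcp"          # every request is larger than the limit
    else:
        transport = "udp-first"    # TCP only after KRB_ERR_RESPONSE_TOO_BIG
    weak = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").split():
            if enc.lower() in WEAK_ENCTYPES and enc.lower() not in weak:
                weak.append(enc.lower())
    return {"transport": transport, "weak_enctypes": weak,
            "forwardable": lib.get("forwardable") == "true"}


if __name__ == "__main__":
    # The parameter values from the page, reused here as sample input.
    conf = build_krb5_conf("WSSEC.AUSTIN.IBM.COM", "host1.austin.ibm.com",
                           "austin.ibm.com|raleigh.ibm.com", "c:/winnt/krb5.keytab")
    print(conf)
    print(lint_libdefaults(conf))
```

Run the script as-is to see the page's file reproduced and a lint result flagging both legacy enctypes with a udp-first transport; pass force_tcp=True and an AES enctype list to build_krb5_conf to see the hardened variant come back clean.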
Avoid trouble: When the application server receives a client request while the TCP protocol is in use, the Kerberos configuration on the server might log a Connection reset, IOException, or Broken pipe exception if the KDC returns a bad packet. The application server makes up to three attempts to obtain a correct Kerberos packet. If one of those attempts succeeds, the client request is processed successfully and you can ignore the exceptions. If no correct Kerberos packet arrives after three attempts, the client request fails; at that point, review the KDC, network, and application server configurations to determine the cause.