
Create a Kerberos service principal name and keytab file

Step 1 towards the goal: Setting up Kerberos as the authentication mechanism for WebSphere Application Server

About this task

You can create a Kerberos service principal name and keytab file using the key distribution centers (KDCs) of Microsoft® Windows®, iSeries®, Linux®, Solaris, Massachusetts Institute of Technology (MIT) Kerberos, and z/OS® operating systems.

Kerberos prefers servers and services to have a host-based service ID. The format of this ID is <service name>/<fully qualified hostname>. The default service name is WAS. For Kerberos authentication, the service name can be any string that the KDC allows. However, for SPNEGO web authentication, the service name must be HTTP. An example of a WebSphere® Application Server server ID is WAS/myhost.austin.ibm.com.

Each host must have a server ID unique to the hostname. All processes on the same node share the same host-based service ID.

A Kerberos administrator creates a Kerberos service principal name (SPN) for each node in the WebSphere® cell. For example, for a cell with 3 nodes (such as server1.austin.ibm.com, server2.austin.ibm.com and server3.austin.ibm.com), the Kerberos administrator must create the following Kerberos service principals: WAS/server1.austin.ibm.com, WAS/server2.austin.ibm.com and WAS/server3.austin.ibm.com.

The Kerberos keytab file (krb5.keytab) contains the keys for all of the SPNs on the node and must be protected, because anyone who can read it can impersonate those services. This file can be placed in the config/cells/<cell_name> directory.

Read the Creating a Kerberos principal and keytab article for more information.
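As an added example that is not part of the IBM page, the script below builds the host-based SPNs for the three-node cell described above and prints the MIT kadmin.local commands an administrator would run on the KDC to create them and export their keys into one keytab. The realm AUSTIN.IBM.COM, the keytab path and the hostnames are assumed sample values; the commands are printed, not executed, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not IBM's code. Realm, keytab path and hosts are assumed.
REALM="AUSTIN.IBM.COM"      # assumed sample realm
KEYTAB="/tmp/krb5.keytab"   # assumed path; WAS expects config/cells/<cell_name>/krb5.keytab

# spn_for_host SERVICE FQDN -> prints SERVICE/FQDN
# Use WAS for Kerberos authentication and HTTP for SPNEGO web authentication.
spn_for_host() {
    printf '%s/%s\n' "$1" "$2"
}

# validate_spn SPN -> returns 0 only for <service>/<fully qualified hostname>.
# A short hostname (no dot), a realm suffix, an extra slash or spaces are rejected.
validate_spn() {
    case "$1" in
        */*.*) ;;                       # service part plus a dotted hostname
        *) return 1 ;;
    esac
    case "$1" in
        */*/*|*@*|*' '*) return 1 ;;    # extra slash, realm suffix, or spaces
    esac
    return 0
}

# kadmin_commands SERVICE FQDN... -> one addprinc and one ktadd per node,
# then a klist check and a chmod that leaves the keytab readable only by
# the user that runs WebSphere (the file must be protected).
kadmin_commands() {
    svc="$1"; shift
    for host in "$@"; do
        spn=$(spn_for_host "$svc" "$host")
        validate_spn "$spn" || { echo "bad SPN: $spn" >&2; return 1; }
        echo "kadmin.local -q \"addprinc -randkey $spn@$REALM\""
        echo "kadmin.local -q \"ktadd -k $KEYTAB $spn@$REALM\""
    done
    echo "klist -k $KEYTAB"
    echo "chmod 600 $KEYTAB"
}

# One SPN per node of the cell, all keys collected in the same keytab.
kadmin_commands WAS server1.austin.ibm.com server2.austin.ibm.com server3.austin.ibm.com
```

Run the printed lines on the KDC as the Kerberos administrator, then copy the keytab to each node and check it with klist -k before configuring WebSphere.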


What to do next

Create a Kerberos configuration file




Last updated: Sep 19, 2011 5:14:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-base-iseries&topic=tsec_kerb_setup_step1
File name: tsec_kerb_setup_step1.html