The Kerberos key table manager command (Ktab) allows the product administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file. With the IBM Software Development Kit (SDK) or Sun Java Development Kit (JDK) 1.6 or later, you can use the ktab command to merge two Kerberos keytab files.
In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server Version 7.0, this function is now deprecated.
SPNEGO web authentication has taken its place to provide the following enhancements:
$ ktab -help Usage: java com.ibm.security.krb5.internal.tools.Ktab [options] Available options: -l list the keytab name and entries -a <principal_name> [password] add an entry to the keytab -d <principal_name> delete an entry from the keytab -k <keytab_name> specify keytab name and path with FILE: prefix -m <source_keytab_name> <destination_keytab_name> specify merging source keytab file name and destination keytab file name
[root@wssecjibe bin]# ./ktab -m /etc/krb5Host1.keytab /etc/krb5.keytab Merging keytab files: source=krb5Host1.keytab destination=krb5.keytab Done! [root@wssecjibe bin]# ls /etc/krb5.* /etc/krb5Host1.keytab/etc/krb5.keytab /etc/krb5.keytab
[root@wssecjibe bin]# ./ktab -a HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab Done! Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
[root@wssecjibe bin]# ./ktab KVNO Principal ---- --------- 1 HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM [root@wssecjibe bin]# ls /etc/krb5.* /etc/krb5.conf /etc/krb5.keytab