Using the ktutil command to manage the Kerberos keytab file

The Kerberos ktutil command enables the Web administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file.

The Kerberos service principal names (SPNs) and keys listed in the Kerberos keytab file allow services running on the host to authenticate themselves to the KDC. Before SPNEGO TAI can use Kerberos, the WebSphere® Application Server administrator must set up a Kerberos keytab file on the host running WebSphere Application Server.
Important:
  • Protect the keytab files so that only authorized product users can read them.
  • Updates made to the Kerberos keytab file with the ktutil command do not affect the Kerberos database. If you change the keys in the Kerberos keytab file, you must also make the corresponding changes to the Kerberos database.
The following example shows how to merge the krbtest.keytab file into the krb5.keytab file using the ktutil command on an AIX®, UNIX®, Linux®, or z/OS® operating system:
$ ktutil
ktutil: rkt /etc/krb5/krbtest.keytab
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: q
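
A check for the keytab protection requirement above, suitable for running after a merge. This is an added example, not part of the original IBM documentation: the function names keytab_mode and check_keytab are hypothetical, and the demo file is a constructed stand-in for a real keytab.

```shell
#!/bin/sh
# Added example: verify that a keytab is a regular file readable by its owner only.
# Typical call (path taken from the merge example): check_keytab /etc/krb5/krb5.keytab

# keytab_mode FILE: print the 10-character mode string reported by ls, e.g. -rw-------
keytab_mode() {
    # substr() drops any ACL/extended-attribute suffix (+ . @) after the mode
    ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# check_keytab FILE [EXPECTED_UID]
# Returns 0 only if FILE is a regular file (not a symlink), has no group or
# other permission bits, and, when EXPECTED_UID is given, is owned by that uid.
check_keytab() {
    kt=$1
    want_uid=${2:-}
    if [ -L "$kt" ]; then
        echo "FAIL: $kt is a symbolic link"; return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file"; return 1
    fi
    mode=$(keytab_mode "$kt")
    case $mode in
        ????------) ;;   # type + owner bits, then no group/other bits
        *) echo "FAIL: $kt mode $mode grants group or other access"; return 1 ;;
    esac
    if [ -n "$want_uid" ]; then
        uid=$(ls -ldn -- "$kt" | awk '{ print $3 }')
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $kt is owned by uid $uid, expected $want_uid"; return 1
        fi
    fi
    echo "OK: $kt ($mode)"
}

# Demo on a constructed temporary file (not a real keytab).
demo=$(mktemp)
chmod 644 "$demo"
check_keytab "$demo" || echo "(expected: world-readable file is rejected)"
chmod 600 "$demo"
check_keytab "$demo" "$(id -u)" || echo "(unexpected failure)"
rm -f "$demo"
```

A file written by wkt gets its mode from the current umask, so run the check on the merged file and tighten it with chmod 600 if it fails.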



Related concepts
Single sign-on for HTTP requests using SPNEGO
Related tasks
Creating a Kerberos service principal and keytab file that is used by the WebSphere Application Server SPNEGO TAI
Related reference
Single sign-on capability with SPNEGO TAI - checklist
Kerberos: The Network Authentication Protocol
Kerberos configuration file

Last updated: Aug 30, 2013 6:03:36 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-iseries&topic=rsec_SPNEGO_kerb.dita
File name: rsec_SPNEGO_kerb.html