WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

             Personalize the table of contents and search results

Using the ktab command to manage the Kerberos keytab file

The Kerberos key table manager command (Ktab) allows the Web administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file.

Kerberos service principal (SPN) name and keys listed in the Kerberos keytab file allow services running on the host to authenticate themselves to the KDC. Before SPNEGO TAI can use Kerberos, the WebSphere Application Server administrator must setup a Kerberos keytab file on the host running WebSphere Application Server.
Important:
  • It is important to protect the keytab files, making them readable only by authorized WebSphere users.
  • Any updates to the Kerberos keytab file using ktab do not affect the Kerberos database. If you change the keys in the Kerberos keytab file, you must also make the corresponding changes to the Kerberos database.
Below is an example of how Ktab is used on a Linux operating system to add new principal names to the Kerberos keytab file.
[root@wssecjibe bin]# ./ktab -a	
HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
Done!
Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved


Below is an example of how ktab is used on a Linux operating system to list the Kerberos keytab file content.
[root@wssecjibe bin]# ./ktab

        KVNO    Principal
        ----    ---------

        1       HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM

[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5.conf 
/etc/krb5.keytab
[AIX HP-UX Linux Solaris Windows] Tip: You can run the ktab command from the install_root/java/jre/bin directory. You can use the native Kerberos implementation ktutil command to manage the Kerberos keytab file.
[z/OS] Tip: You can run the ktab command from the install_root/java/J5.0/bin or install_root/java64/J5.0_64/bin directory.



Related concepts
Single sign-on for HTTP requests using SPNEGO
Related tasks
Creating a Kerberos service principal and keytab file that is used by the WebSphere Application Server SPNEGO TAI
Related reference
Single sign-on capability with SPNEGO TAI - checklist
Kerberos: The Network Authentication Protocol
Kerberos configuration file
Ktab - Kerberos Key Table Manager
Reference topic    

Terms of Use | Feedback

Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/rsec_SPNEGO_kerb.html