A fundamental step in implementing SPNEGO web or Kerberos authentication in WebSphere Application Server (WAS) is creating a keytab file that contains the Service Principal Names (SPNs) of the applications for which Kerberos authentication will be used.
First, obtain the individual keytab file for the Service Principal Name of each application that will use Kerberos authentication.
WebSphere Application Server uses only one keytab file for SPNEGO web or Kerberos authentication, so the keytab files of the different applications have to be merged into a single keytab file.
Make a copy of the keytab file containing the Service Principal Name of one application (e.g. app1):
cp -p app1_test.keytab test.keytab
To add multiple Service Principal Names to the same keytab file you can use the ktab command that ships with your WAS installation.
The path of the command is the following:
/WAS_installation_directory/AppServer/java/jre/bin/ktab
The available options are shown by running ktab -?:
Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
Available options:
-l list the keytab name and entries
-a <principal_name> [password] add an entry to the keytab
-d <principal_name> delete an entry from the keytab
-k <keytab_name> specify keytab name and path with FILE: prefix
-m <keytab_source> <keytab_destination> specify merging source keytab file name and destination keytab file name
Using the -m option you can merge multiple keytab files, and in this way add multiple SPNs to the same keytab file (in the following example the destination is test.keytab, the keytab file that already contains the SPN of app1).
If, for instance, you have to put the SPNs of three applications into the keytab file used in the WAS configuration, run the following commands:
/WAS_installation_directory/AppServer/java/jre/bin/ktab -m app2_test.keytab test.keytab
src=app2_test.keytab
name=test.keytab
Merging keytab files: source=app2_test.keytab destination=test.keytab
Done!
/WAS_installation_directory/AppServer/java/jre/bin/ktab -m app3_test.keytab test.keytab
src=app3_test.keytab
Merging keytab files: source=app3_test.keytab destination=test.keytab
where app2_test.keytab and app3_test.keytab are the keytab files of the applications app2 and app3.
To verify that the entries were added successfully, run the klist command:
/WAS_installation_directory/AppServer/java/jre/bin/klist -k test.keytab
Key table: test.keytab
Number of entries: 3
KVNO: 1
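As an added check after the merge (example code written for this page, not part of the original post and not IBM's tooling), the following Python parser reads the merged file in the standard MIT keytab format (version 0x0502, assumed here to be the format ktab writes), lists principals and KVNOs without ever returning key material, and reports expected SPNs that are missing as well as principals left with more than one KVNO. The EXAMPLE.COM realm, the app host names and the sample keytab bytes are constructed for the example.

```python
import struct

def build_entry(realm, components, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one entry in MIT keytab v0x0502 layout; used here only to construct sample data."""
    cstr = lambda b: struct.pack(">H", len(b)) + b                    # counted octet string
    body = struct.pack(">H", len(components)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)    # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock: enctype + key bytes
    body += struct.pack(">I", kvno)                                   # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def _cstr_at(data, off):                   # read a counted octet string at off -> (bytes, new offset)
    n = struct.unpack_from(">H", data, off)[0]
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # negative size marks a deleted slot (e.g. after ktab -d)
            pos += -size
            continue
        end, off = pos + size, pos
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr_at(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr_at(data, off)
            comps.append(comp.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                   # skip over the long-term key itself
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def check_keytab(data, expected_spns):
    """Return (expected SPNs missing from the keytab, principals present under more than one KVNO)."""
    entries = parse_keytab(data)
    missing = sorted(set(expected_spns) - {p for p, _, _ in entries})
    return missing, sorted({p for p, k, _ in entries if any(q == p and j != k for q, j, _ in entries)})

# Constructed sample: SPNs of app1..app3 merged into one keytab, plus a leftover second KVNO for app2.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("EXAMPLE.COM", ["HTTP", "app%d.example.com" % i], k, 18, bytes(32))  # 18 = aes256-cts, dummy key
    for i, k in [(1, 1), (2, 1), (3, 1), (2, 2)])
```

Run check_keytab on the bytes of the real merged file with the list of SPNs you expect; a non-empty second result usually means an old key version was carried over from one of the source keytabs and is worth reviewing before the file is deployed.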
Hi Divya,
That's some good information you shared there.
I have a customer requesting to add two MS ADs and want to use both for SPNEGO.
I can merge keytabs, but how can I merge the kerb configuration file (I tried manually adding the entries, but no use)? Is there any standard procedure to follow? And which DNS should I use for ABC.com and DEF.com while creating the kerb config files?
My application is running on ABC.com.
Waiting for your reply 😇.
Regards,
Siraj Shaik.