A fundamental step for implementing SPNEGO web or Kerberos authentication in WebSphere Application Server (WAS) is to create a keytab file containing the keys of the Service Principal Names (SPNs) of the applications for which Kerberos authentication will be used.
First of all you have to obtain a keytab file for each application that will use Kerberos authentication, each one holding the key of that application's SPN. Keep in mind that a keytab holds long-term secret keys: anyone who can read it can impersonate those services, so it should be readable only by the user that runs WAS and should not be passed around through shared or world-readable locations.
WebSphere Application Server uses only one keytab file for SPNEGO web or Kerberos authentication, so you will have to merge the keytab files of the different applications into a single keytab file.
Make a copy of the keytab file containing the SPN of one application (e.g. app1); this copy will become the merged keytab. The -p option preserves mode and ownership, so check that the original file was already restricted to the WAS user:
cp -p app1_test.keytab test.keytab
To add multiple Service Principal Names to the same keytab file you can use the ktab command, which ships with the IBM JDK inside your WAS installation.
The command lives in the bin directory of that JRE; in the examples below its path is /WAS_installation_directory/AppServer/java/jre/bin/ktab.
The available options are shown by running ktab -?
Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
-l list the keytab name and entries
-a <principal_name> [password] add an entry to the keytab
-d <principal_name> delete an entry from the keytab
-k <keytab_name> specify keytab name and path with FILE: prefix
-m <keytab_source> <keytab_destination> specify merging source keytab file name and destination keytab file name
With the -m option you can merge keytab files, and in this way add multiple SPNs to the same keytab file. In the following example the destination is test.keytab, the copy made above that already contains the SPN of app1.
If, for instance, you have to put the SPNs of three applications into the keytab file used in the WAS configuration, run the following commands:
/WAS_installation_directory/AppServer/java/jre/bin/ktab -m app2_test.keytab test.keytab
Merging keytab files: source=app2_test.keytab destination=test.keytab
/WAS_installation_directory/AppServer/java/jre/bin/ktab -m app3_test.keytab test.keytab
Merging keytab files: source=app3_test.keytab destination=test.keytab
where app2_test.keytab and app3_test.keytab are the keytab files of applications app2 and app3.
To verify that the merge succeeded, run the klist command. It lists the key table and the number of entries it contains; note that an entry is a key, not an SPN, so a principal stored with several encryption types or key version numbers is counted once per key and the total matches the number of applications only when every source keytab held a single key:
/WAS_installation_directory/AppServer/java/jre/bin/klist -k test.keytab
Key table: test.keytab
Number of entries: 3
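As an added example, not taken from the original post or from IBM's tooling, the following Python script performs an offline check that does not depend on klist: it parses a keytab in the standard version 2 layout (magic bytes 0x05 0x02) written by MIT Kerberos and by the Java ktab tools, confirms that every expected SPN is present, separates the number of key entries from the number of distinct principals, and writes the file back with owner-only permissions. The realm EXAMPLE.COM, the host names, the zeroed keys and the sample keytab bytes are constructed for the demonstration; against a real installation you would read test.keytab from disk instead.

```python
# Added example: offline verification of a merged keytab (not the page's own code).
# Keytab v2 layout (big-endian): 0x05 0x02, then entries of
#   int32 size | uint16 ncomp | realm | ncomp x component | uint32 name_type |
#   uint32 timestamp | uint8 vno8 | uint16 enctype | counted key | [uint32 vno32]
# where each string/key is a uint16 length followed by the bytes.
import os
import stat
import struct
from collections import Counter

KT_VERSION = b"\x05\x02"   # keytab file format version 2
KRB5_NT_PRINCIPAL = 1      # name type used for service principals


def _counted(data: bytes) -> bytes:
    """uint16 length prefix followed by the bytes (keytab string encoding)."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry (used here only to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)        # legacy 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)               # 32-bit vno written by modern tools
    return struct.pack(">i", len(body)) + body


def free_slot(nbytes: int) -> bytes:
    """A deleted entry: negative size followed by that many unused bytes."""
    return struct.pack(">i", -nbytes) + bytes(nbytes)


def build_keytab(entries) -> bytes:
    return KT_VERSION + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for every live entry; key bytes are skipped, never returned."""
    if data[:2] != KT_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        p = off
        (ncomp, rlen) = struct.unpack_from(">HH", data, p); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 8                        # name_type and timestamp are not needed here
        (kvno,) = struct.unpack_from(">B", data, p); p += 1
        (enctype, klen) = struct.unpack_from(">HH", data, p); p += 4
        p += klen                     # skip key material
        if end - p >= 4:              # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        yield ("/".join(comps) + "@" + realm, kvno, enctype)
        off = end


def missing_spns(data: bytes, expected):
    """SPNs from `expected` that have no key in the keytab."""
    present = {principal for principal, _, _ in parse_keytab(data)}
    return sorted(set(expected) - present)


def entry_stats(data: bytes):
    """(key entries, distinct principals): klist's 'Number of entries' is the former."""
    per_principal = Counter(principal for principal, _, _ in parse_keytab(data))
    return sum(per_principal.values()), len(per_principal)


def write_keytab(path: str, data: bytes) -> str:
    """Write the keytab readable and writable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)              # O_CREAT mode is ignored if the file already existed
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def keytab_mode_ok(path: str) -> bool:
    """True when no group/other permission bit is set on the keytab."""
    return os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed stand-in for test.keytab after the merges (assumed realm and hosts).
# app3 carries two encryption types (aes256-cts = 18, aes128-cts = 17), so the
# file holds 4 key entries for 3 SPNs, which is what klist would report as 4.
EXPECTED_SPNS = [
    "HTTP/app1.example.com@EXAMPLE.COM",
    "HTTP/app2.example.com@EXAMPLE.COM",
    "HTTP/app3.example.com@EXAMPLE.COM",
]
SAMPLE_KEYTAB = build_keytab([
    (EXPECTED_SPNS[0], 2, 18, bytes(32)),   # dummy all-zero keys
    (EXPECTED_SPNS[1], 1, 18, bytes(32)),
    (EXPECTED_SPNS[2], 3, 18, bytes(32)),
    (EXPECTED_SPNS[2], 3, 17, bytes(16)),
])

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d enctype=%d" % (principal, kvno, enctype))
    entries, principals = entry_stats(SAMPLE_KEYTAB)
    print("entries=%d principals=%d missing=%s" % (entries, principals, missing_spns(SAMPLE_KEYTAB, EXPECTED_SPNS)))
```

To check a real merged file, replace SAMPLE_KEYTAB with the bytes read from test.keytab and list the SPNs you merged in EXPECTED_SPNS; an empty result from missing_spns, together with keytab_mode_ok returning True, is the condition to look for before pointing the WAS configuration at the file.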