WebSphere Application Server & Liberty

How to add multiple Service Principal Names (SPNs) to the same keytab file for SPNEGO web or Kerberos authentication in WebSphere Application Server 

21 days ago

Author: Patrizia Motta

Skill Level: Intermediate

A fundamental step for implementing SPNEGO web or Kerberos Authentication in WebSphere Application Server (WAS) is to create a keytab file containing the Service Principal Names (SPNs) of the applications for which Kerberos authentication will be used.

Ingredients

  • keytab file of each application that will use SPNEGO web or Kerberos authentication.
  • WAS ktab tool
  • WAS klist tool

Step-by-step

  1. Obtain the keytab file for each application that will use SPNEGO web or Kerberos Authentication in WAS.

    First of all you have to obtain the single keytab file for the Service Principal Name corresponding to each of the applications that will use Kerberos authentication.

    WebSphere Application Server uses only a keytab file for SPNEGO web or Kerberos authentication. So you will have to merge the keytab files of different applications in a single keytab file.

  2. Copy the keytab file containing the Service Principal Name for an application

    Make a copy of the keytab file containing a Service Principal Name for an application (f.i. app1).

    cp -p app1_test.keytab test.keytab

  3. Merge the keytab files of different applications in one keytab file

    For adding Muliple Service Principal Names to the same keytab file  the command ktab – that you can find in your WAS installation – can be used.

    The path of the command is the following:

    /WAS_installation_directory/AppServer/java/jre/bin/ktab

    The available options are shown giving a ktab -?

     

    Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]

    Available options:

    -l list the keytab name and entries

    -a <principal_name> [password] add an entry to the keytab

    -d <principal_name> delete an entry from the keytab

    -k <keytab_name> specify keytab name and path with FILE: prefix

    -m <keytab_source> <keytab_destination> specify merging source keytab file name and destination keytab file name

     

    Using the option -m you can merge multiple keytab files adding in this way multiple SPNs to the same keytab file ( in the following example test.keytab – that was the keytab file containing the SPN of app1).

    If for instance you have to put the SPNs of three applications in the keytab file used in WAS configuration then you will run the following commands:

    /WAS_installation_directory/AppServer/java/jre/bin/ktab -m app2_test.keytab test.keytab

    src=app2_test.keytab

    name=test.keytab

    Merging keytab files: source=app2_test.keytab destination=test.keytab

    Done!

     

    /WAS_installation_directory/AppServer/java/jre/bin/ktab -m app3_test.keytab test.keytab

    src=app3_test.keytab

    name=test.keytab

    Merging keytab files: source=app3_test.keytab destination=test.keytab

    Done!

     

    where app2_test.keytab and app3_test.keytab are the keytab files of applications app2 and app3.

  4. Verify that the adding of multiple SPNs to the keytab file was successful

    To see that the adding was successful you can launch the klist command:

    /WAS_installation_directory/AppServer/java/jre/bin/klist -k test.keytab

     

    Key table: test.keytab

    Number of entries: 3

     

    [1] principal: HTTP/app1_hostname@realm

    KVNO: 1

     

    [2] principal: HTTP/app2_hostname@realm

    KVNO: 1

     

    [3] principal: HTTP/app3_hostname@realm

    KVNO: 1


#WebSphereApplicationServer
#kerberos

Statistics

0 Favorited
6 Views
0 Files
0 Shares
0 Downloads