Posted to users@directory.apache.org by Brian Laskey <br...@gmail.com> on 2014/07/23 23:17:23 UTC

Generating keytab file for Websphere Kerberos configuration

I would like to try to use an existing Apache DS 1.5.7 server that my team
had, and add in the built in Kerberos server support (KDC). After following
a number of tutorials, I think I am somewhat there. I have principals in
Apache DS under an example.com domain.

My goal is to integrate with WebSphere Security Kerberos configuration (WAS
8.5.0.1). As part of the information required by WebSphere you must provide:
- The Kerberos keytab file contains one or more Kerberos service principal
names and keys. This same file is used for both Kerberos authentication and
SPNEGO web authentication

This seems to be a command line utility with the MIT krb5 server that would
do this (ktadd ...). Is there an equivalent approach with Apache DS? I was
unable to find documentation around this.


Thank you,
Brian

Re: Generating keytab file for Websphere Kerberos configuration

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 23/07/2014 23:17, Brian Laskey wrote:
> I would like to try to use an existing Apache DS 1.5.7 server that my team
> had, and add in the built in Kerberos server support (KDC). After following
> a number of tutorials, I think I am somewhat there. I have principals in
> Apache DS under an example.com domain.

I would seriously suggest you switch to a more recent version. 1.5.7 is
more than 4 years old, and a hell of a lot of work has been injected in the
server, including a complete rewrite of most of the Kerberos code...
>
> My goal is to integrate with WebSphere Security Kerberos configuration (WAS
> 8.5.0.1). As part of the information required by WebSphere you must provide:
> - The Kerberos keytab file contains one or more Kerberos service principal
> names and keys. This same file is used for both Kerberos authentication and
> SPNEGO web authentication
>
> This seems to be a command line utility with the MIT krb5 server that would
> do this (ktadd ...). Is there an equivalent approach with Apache DS? I was
> unable to find documentation around this.

We have a class that does update a Keytab file, it's not documented.
There is a unit test that shows how to use it from a piece of Java code:

http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-codec/src/test/java/org/apache/directory/server/kerberos/shared/keytab/KeytabTest.java?revision=1589929&view=markup

It probably deserves some wrapper around it.
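
Added example, not part of the thread and not ApacheDS code: whichever tool writes the keytab, it can be inspected before it is handed to WebSphere. Assuming the file uses the MIT keytab layout version 0x0502, this Python parser lists each principal, key version and encryption type and flags DES and RC4 keys; the function names, the HTTP/was.example.com principal and the all-zero keys are constructed for illustration.

```python
import struct

WEAK_ENCTYPES = {1, 2, 3, 23}  # des-cbc-crc, des-cbc-md4, des-cbc-md5, rc4-hmac

def _counted(buf, pos):  # uint16 length-prefixed octet string -> (bytes, next_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """List principal, kvno and enctype per key; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # deleted entry ("hole"): skip -size bytes
            pos -= size
            continue
        if size > len(data) - pos:
            raise ValueError("truncated keytab entry")
        rec, p, pos = data[pos:pos + size], 0, pos + size
        (ncomp,) = struct.unpack_from(">H", rec, p)
        realm, p = _counted(rec, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode())
        # name type (4), timestamp (4), 8-bit kvno (1), key enctype (2) = 11 bytes
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:  # optional 32-bit kvno overrides the 8-bit one when nonzero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": etype, "key_len": len(key), "weak": etype in WEAK_ENCTYPES})
    return entries

def make_entry(principal, realm, kvno, etype, key):  # builds a constructed sample record
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample with all-zero dummy keys (not real key material).
SAMPLE = b"\x05\x02" + make_entry("HTTP/was.example.com", "EXAMPLE.COM", 2, 18, bytes(32)) \
    + make_entry("HTTP/was.example.com", "EXAMPLE.COM", 2, 23, bytes(16))
```

Calling `parse_keytab(SAMPLE)` returns two entries for the same principal, with the enctype 23 (rc4-hmac) key marked `weak`.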