

Set Up Keytab Authentication Using the CA IAM CS Host Principal if Keytab File Exists

To set up keytab authentication using the host principal when the keytab file already exists, add the keytab entries for the CA IAM CS host principal to the default /etc/krb5/krb5.keytab file. The steps below merge the temporary keytab that holds those entries into the default keytab, grant the host principal the kadmin privileges it needs on the KDC, and then configure the endpoint to use it.

To specify keytab authentication using the CA IAM CS host principal if the keytab file exists

  1. Enter the following commands in ktutil, where temp_keytab is the temporary keytab file that holds the entries for the CA IAM CS host principal:
    ktutil: read_kt temp_keytab 
    
    ktutil: read_kt /etc/krb5/krb5.keytab 
    

    ktutil reads both keytabs into its in-memory key list.

  2. Enter the following command in ktutil:
    ktutil: write_kt /etc/krb5/krb5.keytab
    

    Note: Make sure that the entries for the host principal are identical and carry the latest key version number (kvno). Check the key list with the ktutil list command, or run klist -k -e on the written file, and compare the kvno with the one the KDC holds for the principal (kadmin getprinc reports it as "Key: vno N"). If the keytab lags behind the KDC, authentication fails with a "Key version number for principal in key table is incorrect" error.

    ktutil writes the entries to the default keytab file, so the temporary keytab file is merged into the default keytab. With MIT Kerberos ktutil, write_kt appends to an existing file rather than replacing it; because the default keytab was read in during step 1, writing straight back to /etc/krb5/krb5.keytab leaves a second copy of the entries it already held. To avoid the duplicates, write_kt to a new file and then move that file over /etc/krb5/krb5.keytab, keeping it owned by root with mode 600.

  3. On the KDC, edit the kadm5.acl file with a text editor and add an entry that grants the CA IAM CS host principal the kadmin privileges the connector needs. An entry consists of the principal name followed by its permission string.

    Note: Use * to specify all privileges. This allows the host principal every kadmin operation, including creating and modifying any principal in the realm, so protect the host keytab accordingly and narrow the permission string if your policy requires it. Depending on the KDC version, kadmind may need a restart before it honors the new entry.

  4. In the Provisioning Manager, on the Endpoint Property sheet, click the Properties tab.

    The Properties tab is displayed.

  5. Select the Keytab option.
  6. Leave the Keytab and Principal fields blank.
  7. Click Apply.

    Because both fields are blank, the Kerberos Connector uses the CA IAM CS host principal, with its keys read from the default keytab, for keytab authentication.
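The following script is an added example and is not part of the CA documentation or the connector. It wraps steps 1 to 3 for an MIT-style Kerberos installation: merge_keytab performs the ktutil read_kt/write_kt merge through a fresh file so that no entries are duplicated, host_kvno reads klist output and reports the highest kvno the keytab holds for the host principal (to be compared with the KDC's vno), and acl_perms reports what an existing kadm5.acl grants to that principal. The host principal host/cs1.example.com@EXAMPLE.COM, the realm, the file paths and the sample klist and kadm5.acl contents are constructed placeholders.

```shell
# Added example, not CA's code: merge a temporary keytab into the default
# keytab without duplicating entries, then check kvno and kadm5.acl state.
# Assumes MIT-style ktutil/klist and awk, and root on the CA IAM CS host;
# principal, realm and paths are placeholders.

DEFAULT_KEYTAB=/etc/krb5/krb5.keytab
HOST_PRINCIPAL=host/cs1.example.com@EXAMPLE.COM   # placeholder host principal

# merge_keytab TEMP_KEYTAB DEST_KEYTAB
# Reads both keytabs into ktutil's key list and writes the combined list to
# a fresh file that then replaces DEST_KEYTAB. write_kt appends to a file
# that already exists, so writing straight back into DEST_KEYTAB would leave
# a second copy of every entry it already held.
merge_keytab() {
    temp=$1; dest=$2
    workdir=$(mktemp -d) || return 1
    merged=$workdir/merged.keytab
    ktutil <<EOF
read_kt $temp
read_kt $dest
write_kt $merged
quit
EOF
    if [ ! -s "$merged" ]; then rm -rf "$workdir"; return 1; fi
    chmod 600 "$merged" && mv "$merged" "$dest"
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# host_kvno PRINCIPAL < klist-output
# Parses "klist -k [-e] KEYTAB" output and prints the highest kvno recorded
# for PRINCIPAL; returns 1 if the keytab has no entry for it. Compare the
# value with the "Key: vno N" lines of "kadmin -q 'getprinc PRINCIPAL'":
# a lower number means the keytab is stale and authentication will fail.
host_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) { max = $1 + 0; found = 1 } }
        END { if (!found) exit 1; print max }'
}

# acl_perms PRINCIPAL < kadm5.acl
# Prints the permission string of the first exact kadm5.acl entry for
# PRINCIPAL; returns 1 if there is none. Wildcard entries such as
# */admin@REALM are not expanded, so a miss only shows that no explicit
# entry exists for the host principal.
acl_perms() {
    awk -v p="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == p { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Constructed sample of "klist -k -e /etc/krb5/krb5.keytab" after a merge that
# left an older kvno 2 entry beside the current kvno 3 entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/cs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/cs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/cs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 ldap/cs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample kadm5.acl that grants the host principal all privileges.
SAMPLE_ACL='# kadm5.acl
*/admin@EXAMPLE.COM *
host/cs1.example.com@EXAMPLE.COM *'

printf 'highest kvno for %s: %s\n' "$HOST_PRINCIPAL" \
    "$(printf '%s\n' "$SAMPLE_KLIST" | host_kvno "$HOST_PRINCIPAL")"
printf 'kadm5.acl permissions: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ACL" | acl_perms "$HOST_PRINCIPAL")"

# Real run on the CA IAM CS host (needs root and the temp_keytab from step 1):
# merge_keytab /root/temp_keytab "$DEFAULT_KEYTAB"
# klist -k -e "$DEFAULT_KEYTAB" | host_kvno "$HOST_PRINCIPAL"
# acl_perms "$HOST_PRINCIPAL" < /var/kerberos/krb5kdc/kadm5.acl   # run on the KDC
```

The top-level statements only exercise the two parsers on the embedded samples, so the script runs anywhere; merge_keytab is left for an explicit call because it needs ktutil, root and the real temporary keytab. Older kvno entries that remain after a merge are harmless as long as the highest kvno matches the KDC, which is what the host_kvno comparison verifies.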