

Set Up Keytab Authentication Using a Custom Keytab and CA IAM CS Host Principal

To set up keytab authentication using a custom keytab file rather than the default keytab file and the CA IAM CS host principal, you can add keytab entries for the CA IAM CS host principal to your custom keytab file.

To set up keytab authentication using a custom keytab and the CA IAM CS host principal

  1. If the keytab file you want to use does not exist, use the following command to add entries to your custom keytab file.
    kadmin: ktadd -k keytab jcs-host-principal

    Note: This creates a new randomized password for the host principal, therefore any entries for the host principal in any existing keytab file are no longer valid.

  2. If the keytab file exists, do the following:
    1. Enter the following command in kadmin to add entries into a temporary keytab:
      kadmin: ktadd -k temp_keytab jcs-host-principal

      Note: This creates a new randomized password for the host principal, thus any entries for the host principal in any existing keytab file are no longer valid.

    2. Enter the following command in ktutil to read both keytabs:
      ktutil: read_kt temp_keytab

    3. Enter the following command in ktutil to write it to the keytab file you want to use:
      ktutil: write_kt keytab

      The temporary keytab file is merged into the keytab file you want to use.

    Note: Make sure that the entries for the host principal are the same, and are the latest key version number.

  3. In the KDC, modify kadm5.acl using a text editor to add necessary privileges to the host principal.

    Note: Use * to specify all privileges.

  4. In the Provisioning Manager, on the Endpoint Property sheet, click the Properties tab.
  5. Specify the keytab file you want to use, but leave the Principal field blank.
  6. Click Apply.

    The Kerberos Connector uses the keytab you specified for authentication.
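The merge in step 2 and the check in the note that follows it ("entries for the host principal are the same, and are the latest key version number") can be scripted. The helper below is an added example, not part of the CA documentation or product: it prints the ktutil command sequence that merges the temporary keytab into the custom keytab (MIT ktutil's write_kt appends to an existing keytab, which is what makes the merge work), and it checks `klist -k` output for host-principal entries whose key version number is older than the latest one. The file names, the principal `host/jcs.example.com@EXAMPLE.COM` and the klist output are all constructed for the example, so the script runs without a KDC; on a real host you would pipe `klist -k keytab` into the check instead of the sample text.

```shell
#!/bin/sh
# Added example (not CA's code). Assumes MIT Kerberos tools (ktutil, klist).
# No kadmin/ktutil call is made here; the klist output below is constructed.

# Print the ktutil command sequence from the procedure above:
# read the temporary keytab, then write into the keytab you want to use.
# MIT ktutil's write_kt appends to an existing file, so the entries from
# temp_keytab are added to (merged into) keytab.
ktutil_merge_commands() {
    # $1 = keytab you want to use, $2 = temporary keytab produced by ktadd
    printf 'read_kt %s\nwrite_kt %s\nquit\n' "$2" "$1"
}

# Highest kvno listed for a principal in `klist -k` output read from stdin.
# klist -k prints "KVNO Principal" lines; header lines have a non-numeric $1.
highest_kvno() {
    # $1 = principal name
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Number of entries for the principal whose kvno is below the latest one,
# i.e. stale keys left over from before ktadd generated a new random key.
stale_entry_count() {
    # $1 = principal name
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { kv[n++] = $1 + 0; if ($1 + 0 > max) max = $1 + 0 }
        END { stale = 0; for (i = 0; i < n; i++) if (kv[i] < max) stale++; print stale }'
}

# Succeeds (exit 0) only when every entry for the principal has the latest kvno.
host_entries_current() {
    [ "$(stale_entry_count "$1")" -eq 0 ]
}

# Constructed sample of `klist -k /etc/jcs.keytab` after a merge that kept
# two stale kvno 2 entries beside the fresh kvno 3 entries.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/jcs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/jcs.example.com@EXAMPLE.COM
   2 host/jcs.example.com@EXAMPLE.COM
   3 host/jcs.example.com@EXAMPLE.COM
   3 host/jcs.example.com@EXAMPLE.COM
   1 ldap/jcs.example.com@EXAMPLE.COM
EOF
)
HOST_PRINC='host/jcs.example.com@EXAMPLE.COM'   # assumed host principal name

# Demonstration: show the ktutil script, then run the check on the sample.
ktutil_merge_commands /etc/jcs.keytab /tmp/temp_keytab
if printf '%s\n' "$SAMPLE_KLIST" | host_entries_current "$HOST_PRINC"; then
    echo "all entries for $HOST_PRINC carry the latest kvno"
else
    echo "stale entries for $HOST_PRINC found; remove them with ktutil delete_entry before use"
fi
```

Feed the command sequence to ktutil with `ktutil_merge_commands keytab temp_keytab | ktutil`, and run the check with `klist -k keytab | host_entries_current "$HOST_PRINC"` after the merge. Stale entries do not stop the connector from authenticating by themselves, but they are exactly what the note warns about, since ktadd invalidated them.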