

Set Up Keytab Authentication Using a Custom Keytab and a Principal Other than the CA IAM CS Host Principal

To specify keytab authentication using a keytab file other than the default keytab and a principal other than the CA IAM CS host principal, you can add entries for the desired principal to the desired keytab file.

To set up keytab authentication using a custom keytab and a principal other than the CA IAM CS host principal

  1. If the principal has a random password and the keytab file you want to use does not exist, use the following command to add entries:
    kadmin: ktadd -k keytab principal

    Note: This creates a new randomized password for the target principal, therefore any entries for the target principal in any existing keytab file are no longer valid.

  2. If the principal has a random password and the keytab file exists, do the following:
    a. Enter the following command in kadmin to add entries into a temporary keytab:
      kadmin: ktadd -k temp_keytab principal

      Note: This creates a new randomized password for the desired principal, thus any entries for the desired principal in any existing keytab file are no longer valid.

    b. Enter the following commands in ktutil to read both keytabs:
      ktutil: read_kt keytab
      ktutil: read_kt temp_keytab

    c. Enter the following command in ktutil to write the entries to the keytab file you want to use:
      ktutil: write_kt keytab

      The temporary keytab file is merged into the target keytab file you want to use.

    Note: Make sure that all entries for the desired principal have the same key version number, and that it is the latest one.

  3. If the principal has a specific password, do the following:
    a. Enter the following command in ktutil:
      ktutil: read_kt /etc/krb5/krb5.keytab

    b. Enter the following command in ktutil:
      ktutil: addent -password -p principal -k kvno -e enctype

    c. Repeat Step b for all enctypes.

      ktutil adds the entries to the keytab file you want to use.

    Note: Ensure that you add all keys for the principal, and that every resulting entry for the principal carries the same, latest key version number.

  4. Enter the following command in ktutil to verify that the list contains all required keys:
    ktutil: list

  5. Enter the following command in ktutil to write the entries to the keytab file:
    ktutil: write_kt /etc/krb5/krb5.keytab

  6. In the KDC, modify kadm5.acl using a text editor to add necessary privileges to the target principal.

    Note: Use * to specify all privileges.

  7. In the Provisioning Manager, on the Endpoint Property sheet, click the Properties tab.
  8. Specify the principal and keytab you want to use.
  9. Click Apply.

    The Kerberos Connector uses the keytab you specified for authentication.
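The notes above ask that every entry for the principal carry the same, latest key version number and that no enctype is missing before the keytab is written. As an added example that is not part of the CA documentation, the following POSIX shell functions perform those checks on the output of `klist -ke keytab`; the keytab path, principal names and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `klist -ke keytab` output (MIT layout: KVNO,
# principal, enctype in parentheses); names are assumptions, not CA values.
SAMPLE_KLIST='Keytab name: FILE:/var/opt/iamcs/custom.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 iamcs-svc@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 iamcs-svc@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 iamcs-svc@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 host/ca-iamcs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# latest_kvno PRINCIPAL: reads klist -ke output on stdin and prints the
# highest KVNO recorded for PRINCIPAL (0 when it has no entries).
latest_kvno() {
    awk -v p="$1" '$2 == p && ($1 + 0) > max { max = $1 + 0 } END { print max + 0 }'
}

# check_keytab_principal PRINCIPAL: returns 0 when every entry for PRINCIPAL
# carries the latest KVNO, 1 otherwise. Each stale entry is printed so it can
# be removed with ktutil delent before write_kt.
check_keytab_principal() {
    awk -v p="$1" '
        $2 == p { n++; kv[n] = $1 + 0; et[n] = $3; if (kv[n] > max) max = kv[n] }
        END {
            if (n == 0) { print "no entries for " p; exit 1 }
            bad = 0
            for (i = 1; i <= n; i++)
                if (kv[i] < max) { bad++; print "stale kvno " kv[i] " " et[i] " (latest is " max ")" }
            exit (bad > 0)
        }'
}

# missing_enctypes PRINCIPAL "ENCTYPE ENCTYPE ...": prints each required
# enctype that has no entry for PRINCIPAL at any KVNO (the "all keys" check).
missing_enctypes() {
    awk -v p="$1" -v want="$2" '
        $2 == p { have[$3] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(("(" w[i] ")") in have)) print w[i]
        }'
}

# Demonstration on the constructed sample: the KVNO 2 entry is flagged.
if printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principal iamcs-svc@EXAMPLE.COM; then
    echo "keytab entries are consistent"
else
    echo "fix the entries above, then ktutil: write_kt"
fi
```

Against a real keytab, replace the sample with `klist -ke keytab | check_keytab_principal principal` after step 4 and before step 5.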