Monday, January 16, 2012

WebSphere Application Server and Kerberos - Stuff I did not know ....

Number #1223

It is *NOT* necessary to use BOTH the setspn and ktpass commands when hooking the Service Principal Name (SPN) and the service account together, in order to generate the Kerberos keytab: -

You may notice in the WebSphere documentation the usage of the setspn command before ktpass is issued. When you use ktpass with the –mapUser flag, the SPN is set automatically, so you don't actually need to issue the setspn command beforehand in this case. The examples in the later sections of this document show how setspn is used, but you don't need to worry about it right now. You may also note the documentation referring to the –mapOp flag as well. Again, you don't need to worry about that in this example and it will be discussed later on.
In other words, here's an SPN I created earlier: -


and here's the service account: -

ibm.connections

and here's the password: -

passw0rd

so here's a SINGLE command to create the SPN and generate the keytab: -

ktpass -princ HTTP/www.connections.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp set -pass passw0rd -ptype KRB5_NT_PRINCIPAL

and here's the command to list the SPNs for the ibm.connections service account: -

setspn -l ibm.connections

If I wanted to delete an SPN (say the HTTP/www.connections.ibm.com one) from the service account, I'd do this: -

setspn -D HTTP/www.connections.ibm.com ibm.connections

If I then wanted to add a second SPN: -


to the same service account, I'd do this: -

ktpass -princ HTTP/www.portal.ibm.com@IBM.COM -out c:\temp\keytab.txt -mapuser ibm.connections -mapOp add -pass passw0rd -ptype KRB5_NT_PRINCIPAL

In other words, I'd use -mapOp add rather than -mapOp set as this is a second SPN.
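Two things to keep in mind with the pair of ktpass commands above: every run that passes -pass resets the service account's password, which increments the account's key version number (kvno), and the second -out to the same c:\temp\keytab.txt overwrites the first keytab rather than adding to it (ktpass has an -in parameter for reading an existing keytab and merging into it). A quick way to confirm what actually ended up in the file is to read it back. The following is an added example, not part of the original post: a small Python parser for the version 2 keytab format that ktpass writes, run over a constructed sample keytab (dummy key bytes, the two SPNs from the post, kvno 3 and 4) rather than a real file; the build_entry, parse_keytab and stale_entries names are mine.

```python
# Added example: read back a ktpass-generated keytab (MIT keytab v2, leading bytes 05 02)
# and report each entry's principal, kvno and enctype.
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"          # keytab format version 2
KRB5_NT_PRINCIPAL = 1               # the -ptype used on the page
ENCTYPE_NAMES = {                   # a few well-known enctype numbers (RFC 3962 / RFC 4757)
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """uint16 length prefix + bytes (the keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab v2 entry. Used here only to construct sample data;
    a real keytab comes from ktpass -out."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse every entry of a v2 keytab into KeytabEntry records."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab (expected leading bytes 05 02)")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + key_len]
        pos += key_len
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        principal = "/".join(components) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
    return entries


def stale_entries(entries: List[KeytabEntry]) -> List[str]:
    """Principals whose kvno is behind the newest kvno in the file. Since ktpass -pass
    resets the account password (and so bumps the kvno), such an entry no longer
    matches the account's current key."""
    newest = max(e.kvno for e in entries)
    return [e.principal for e in entries if e.kvno < newest]


# Constructed sample: the two SPNs from the post, rc4-hmac (enctype 23) with a dummy
# key value, and the second entry one kvno ahead of the first.
FAKE_KEY = bytes(range(16))
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("HTTP/www.connections.ibm.com@IBM.COM", kvno=3, enctype=23, key=FAKE_KEY)
    + build_entry("HTTP/www.portal.ibm.com@IBM.COM", kvno=4, enctype=23, key=FAKE_KEY)
)

if __name__ == "__main__":
    # For a real file: parse_keytab(open(r"c:\temp\keytab.txt", "rb").read())
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, "kvno", entry.kvno, ENCTYPE_NAMES.get(entry.enctype, entry.enctype))
    print("stale:", stale_entries(parse_keytab(SAMPLE_KEYTAB)))
```

stale_entries flags any entry whose kvno is behind the newest one in the file; in practice that is the older entry merged in before a later ktpass run reset the password, and the remedy is to regenerate that entry rather than trust the merged file.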

Neat-o
