Creating a Kerberos principal and keytab file
Create a Kerberos principal for the VEMKD service and a keytab file that holds one entry for each encryption type you use.
Procedure
- Log on as the Kerberos administrator (Admin) and create a principal in the KDC. The following example shows MIT Kerberos with admin@EXAMPLE.COM as the Kerberos administrator principal:

    bash-3.00$ kadmin -p admin@EXAMPLE.COM
    kadmin: add_principal vemkd/cluster1@EXAMPLE.COM
    Enter password for principal "vemkd/cluster1@EXAMPLE.COM": password
    Re-enter password for principal "vemkd/cluster1@EXAMPLE.COM": password

Note: If you do not configure a VEMKD principal name, the default value vemkd/clustername@Kerberos_realm is used, so the principal you create must match that pattern or the name you configure.
- Check the principal's key version number (kvno) and the encryption types its keys were generated with by running the kadmin subcommand getprinc principal_name. getprinc does not print key material; what you need from it is the kvno, because a keytab entry whose kvno does not match the key in the KDC cannot be used to decrypt service tickets.
- Create the keytab file by using the ktutil command:
- Add one entry for each encryption type you use, with the add_entry command.
For each encryption type, run the ktutil subcommand add_entry -password -p principal_name -k kvno -e encryption_type, where kvno is the key version number you read from getprinc. Because the entries are derived from the same password, ktutil prompts for the password once per entry.
The following example adds five entries, one per encryption type, to a single keytab for the principal:

    [root@test5 ~]# ktutil
    ktutil: add_entry -password -p vemkd/cluster1@ibm.com -k 1 -e des3-cbc-sha1-kd
    Password for vemkd/cluster1@ibm.com:
    ktutil: add_entry -password -p vemkd/cluster1@ibm.com -k 1 -e arcfour-hmac-md5
    Password for vemkd/cluster1@ibm.com:
    ktutil: add_entry -password -p vemkd/cluster1@ibm.com -k 1 -e des-hmac-sha1
    Password for vemkd/cluster1@ibm.com:
    ktutil: add_entry -password -p vemkd/cluster1@ibm.com -k 1 -e des-cbc-md5
    Password for vemkd/cluster1@ibm.com:
    ktutil: add_entry -password -p vemkd/cluster1@ibm.com -k 1 -e des-cbc-md4
    Password for vemkd/cluster1@ibm.com:

Use only the encryption types your KDC and clients actually negotiate. The single-DES types (des-hmac-sha1, des-cbc-md5, des-cbc-md4) and arcfour-hmac-md5 shown above are weak; MIT Kerberos 1.18 and later no longer support single DES at all, so on a current KDC prefer aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 and add a legacy type only when a specific client still requires it.
- Once you have created the entries for the principal, write them to a keytab file. For example, to write to the vemkd.keytab file, run:
ktutil: wkt /path_to_keytab_file/vemkd.keytab
The keys of the principal are written to vemkd.keytab at the path you specified (for example, /tmp/vemkd.keytab). Replicate this file securely (for example, over scp or another encrypted channel) to all EGO master-candidate hosts and remove any temporary copy afterwards. On every host the owner of the file must be the EGO cluster administrator (CLUSTERADMIN) and the permissions must be 600.
Keytab files hold long-term keys, so a copied or world-readable keytab lets an attacker impersonate the service; protecting these files is fundamental to the security of the cluster. Once the file is replicated to all master-candidate hosts, provide its path as the value of the KEYTAB parameter in the Kerberos plug-in configuration file sec_ego_kerberos.conf.
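The whole procedure above (one add_entry per encryption type, wkt, then the ownership and permission check) as a shell script. This is an added example, not code from the IBM page or from the EGO product; it assumes MIT Kerberos ktutil and klist are on PATH, that the kvno was read from getprinc beforehand, and that the RUN_KTUTIL environment variable, the AES encryption type names and the vemkd/cluster1@EXAMPLE.COM principal are illustrative choices.

```sh
#!/bin/sh
# Added example (not from the IBM page or the EGO product): builds the ktutil
# session for one principal with one add_entry per encryption type, writes the
# keytab, and verifies the owner/mode rule the procedure requires.
# Assumptions: MIT Kerberos ktutil/klist on PATH; kvno already read from
# "getprinc"; encryption type names are MIT names.
set -u

# Emit the ktutil script: for each enctype an add_entry line followed by the
# password line that "add_entry -password" reads, then wkt and quit.
# Args: principal kvno keytab_path password enctype...
build_ktutil_script() {
  princ=$1; kvno=$2; keytab=$3; pw=$4; shift 4
  for et in "$@"; do
    printf 'add_entry -password -p %s -k %s -e %s\n%s\n' "$princ" "$kvno" "$et" "$pw"
  done
  printf 'wkt %s\nquit\n' "$keytab"
}

# Prompt once for the principal's password (echo off) and drive ktutil with
# the generated script, so the password is typed once, not once per enctype.
# Args: principal kvno keytab_path enctype...
create_keytab() {
  princ=$1; kvno=$2; keytab=$3; shift 3
  printf 'Password for %s: ' "$princ" >&2
  stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; printf '\n' >&2
  umask 077   # keytab is created with mode 600 from the start
  build_ktutil_script "$princ" "$kvno" "$keytab" "$pw" "$@" | ktutil
  rc=$?
  unset pw
  return $rc
}

# Return 0 only if the keytab exists, is owned by the expected user and is mode 600.
# Args: keytab_path expected_owner
check_keytab_perms() {
  file=$1; owner=$2
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  who=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
  [ "$mode" = "600" ] && [ "$who" = "$owner" ]
}

# Return 0 if every requested enctype is present for the principal.
# "klist -ket" prints one line per entry: kvno, timestamp, principal, (enctype).
# Args: keytab_path principal enctype...
check_keytab_entries() {
  file=$1; princ=$2; shift 2
  listing=$(klist -ket "$file") || return 1
  for et in "$@"; do
    printf '%s\n' "$listing" | grep -F "$princ" | grep -Fq "($et)" || return 1
  done
}

# Usage; runs only when RUN_KTUTIL=1 is set (an assumption of this example).
if [ "${RUN_KTUTIL:-0}" = 1 ]; then
  PRINC=vemkd/cluster1@EXAMPLE.COM
  KEYTAB=/tmp/vemkd.keytab
  create_keytab "$PRINC" 1 "$KEYTAB" aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  check_keytab_entries "$KEYTAB" "$PRINC" aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
  check_keytab_perms "$KEYTAB" "$(id -un)" || { echo "fix owner/mode of $KEYTAB" >&2; exit 1; }
fi
```

The password is held only in a shell variable inside the process and is never passed on a command line, so it does not show up in ps or shell history. Run the script as the EGO cluster administrator so the owner check passes without a later chown; if you must run it as root, chown the file to CLUSTERADMIN before replicating it.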