
IBM InfoSphere WAS: Create a Kerberos Configuration File

October 7, 2015

This post lists the steps needed to create a Kerberos configuration file for WebSphere Application Server on IBM AIX 7.1.

Environment

  • AIX 7.1
  • Active Directory Schema version 47 (Windows Server 2008 R2).
  • IBM WebSphere Application Server Network Deployment v8.5
  • The installation root directory is /IBM

Prerequisites

  1. The Active Directory account for the AIX server has been created.
  2. The keytab file has been generated from the Active Directory.
  3. The keytab file has been transferred to the AIX machine.
  4. Kerberos client has been installed on the AIX machine.

Steps

  1. Create the /etc/krb5 directory
    sudo mkdir /etc/krb5
    
  2. Create the Kerberos Configuration File for WebSphere Application Server
    cd /IBM/WebSphere/AppServer/bin
    
  3. Invoking wsadmin with Jython
    sudo ./wsadmin.sh -lang jython
    
  4. When prompted, enter the user name and password of a WAS user with administrative privileges.
  5. Execute the AdminTask.createKrbConfigFile command in interactive mode.
    wsadmin>AdminTask.createKrbConfigFile('[-interactive]')
    
    Create Kerberos configuration file
    This command creates a Kerberos configuration file (krb5.ini or krb5.conf).
    
  6. Enter the location where the configuration file will be created.
    *Filesystem location of the Kerberos configuration file (krbPath): /etc/krb5/krb5.conf
    
  7. Enter the Kerberos realm name; in this case, the name of the AD domain.
    *Kerberos realm name in Kerberos configuration file (realm): Mycompany.com
    
  8. Enter the hostname of the Kerberos KDC; in this case, the name of the AD domain controller.
    *Host name of the Kerberos Key Distribution Center (kdcHost): DC.Mycompany.com
    
  9. Enter the port number on which LDAP is listening on the AD domain controller.
    Port number of the Kerberos Key Distribution Center (kdcPort): 389
    
  10. Enter the DNS suffix and any alternative DNS suffixes for your realm.
    *A list of the Domain Name Service, seperated by a pipe character (austin.ibm.com|raleigh.ibm.com) (dns): Mycompany.com|intranet.Mycompany.com
    
  11. Enter the filesystem location of the keytab file that was transferred to the AIX machine.
    *Filesystem location of the keytab file (keytabPath): /datastage/keytab/ohdwetlmsdev03.keytab
    
  12. Enter the encryption type to be used. In this example the default MS Windows encryption type is used.
    Encryption type (encryption): des-cbc-crc
    
  13. Confirm the creation of the Kerberos Configuration file.
    Create Kerberos configuration file
    
    F (Finish)
    C (Cancel)
    
    Select [F, C]: [F] F
    WASX7278I: Generated command line: AdminTask.createKrbConfigFile('[-krbPath /etc/krb5/krb5.conf -realm myCompany.com -kdcHost DC.Mycompany.com -kdcPort 389 -dns Mycompany.com|intranet.Mycompany.com -keytabPath /IBM/keytab/myserver.keytab -encryption des-cbc-crc]')
    '/etc/krb5/krb5.conf has been created.'
    
  14. Exit wsadmin.
    wsadmin>exit
    

The newly created Kerberos configuration file looks like this:

    [libdefaults]
        default_realm = Mycompany.com
        default_keytab_name = FILE:/IBM/keytab/myserver.keytab
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        forwardable  = true
        renewable  = true
        noaddresses = true
        clockskew  = 300
    [realms]
        Mycompany.com = {
            kdc = DC.Mycompany.com:389
            default_domain = Mycompany.com
        }
    [domain_realm]
        .mycompany.com = Mycompany.com
        .intranet.mycompany.com = Mycompany.com
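Before the generated file is deployed, it is worth checking the settings the wizard wrote. The following is an added example, not part of the original post or of WebSphere: it parses a krb5.conf like the one above (a trimmed, constructed copy is embedded) and flags the two settings a defender should review: DES enctypes such as des-cbc-crc, which RFC 6649 deprecates, and a kdc entry whose port is not the Kerberos port 88 (389 is the LDAP port).

```python
import re
# Constructed sample: the krb5.conf produced by createKrbConfigFile above, trimmed.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = Mycompany.com
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
[realms]
    Mycompany.com = {
        kdc = DC.Mycompany.com:389
        default_domain = Mycompany.com
    }
"""
# Single DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

def parse_krb5_conf(text: str) -> dict:
    """Parse the krb5.conf subset used here: [section] headers, key = value lines, `Name = { ... }` blocks."""
    conf, section, block = {}, None, None
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # strip comments and blanks
    for line in filter(None, lines):
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        elif line == "}":
            block = None  # end of a realm block
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})  # start of a realm block
            else:
                (block if block is not None else section)[key] = value
    return conf

def audit_krb5_conf(text: str) -> list:
    """Return findings a defender should review before deploying; an empty list means nothing was flagged."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in str(libdefaults.get(key, "")).replace(",", " ").split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append(f"{key}: {enctype} is deprecated; prefer aes256-cts-hmac-sha1-96")
    for realm, settings in realms.items():
        _, _, port = str(settings.get("kdc", "") if isinstance(settings, dict) else "").partition(":")
        if port and port != "88":  # a kdc entry without a port defaults to 88
            findings.append(f"[realms] {realm}: kdc port {port} is not the Kerberos port 88 (389 is LDAP)")
    return findings
```

Running audit_krb5_conf on the sample above reports both DES enctype lines and the kdc port; it reports nothing once the enctypes are changed to an AES type and the kdc port to 88.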

