Creating a keytab for Java clients

This guide will show you how to create and use a keytab file in your client applications.

Summary

Keytab files are not required. There are alternatives to using keytab files. One alternative is to simply provide a username and password instead of the path to a keytab file.

If your Java client needs to communicate with an HTTP server that requires Kerberos/SPNEGO authentication and you prefer that your Java client use a keytab file instead of a username/password, this guide shows how by walking through the creation of the HelloKeytab.java program as well as the keytab file that the program will use.

This guide does NOT show you how to create a keytab file for use by your app server (i.e. Tomcat, JBoss). The SPNEGO Http Servlet Filter does NOT require your app server to use a keytab file. However, if you prefer to use a keytab file over providing a username/password in the web.xml, take a look at the Creating a Keytab for Application Servers example.

Before Getting Started

Be sure that you have read and successfully performed ALL of the steps in the pre-flight documentation before proceeding any further. It is imperative that you perform all steps in the pre-flight since we will be using files that we created from that guide.

If you don't already have a working app server that authenticates requests via Kerberos/SPNEGO, take a look at the installing Tomcat or installing JBoss example.

Compiling HelloKeytab.java

Download the HelloKeytab.java code and place it under the

Download the latest spnego.jar and place it under the

Before compiling HelloKeytab.java, be sure to change the hard-coded URL address of the app server. Also, notice that the constructor for the

Compiling HelloKeytab.java requires that you use JDK 1.6 or higher and that the spnego.jar file is on your classpath.

Open a command prompt and

Creating the login.conf file

Create a login.conf file with the following contents and place it under the

Note that you must change

For example, if you want to use a Windows NT (Domain) Account named

Also, the LoginModule name

Finally, place the krb5.conf file you created during pre-flight under the

Creating the keytab file

Before creating the keytab file, we'll want to be sure we have the right username and password for the account. We can do this by attempting to log in to a workstation with that account, or by using Firefox instead of IE to visit a protected page on our app server. By default, Firefox will prompt for a username and password. Type in the username and password of the account you want to use to confirm that all is working as expected.

Open a command prompt and

Be sure to replace the username and password provided above with the username and password that you want to use. Also, the location and path to the

Finally, list the contents of the keytab file by typing

Seeing multiple entries is ok since each entry represents an encryption algorithm that you defined in your krb5.conf file.

Testing the keytab file

We can now test our keytab file by running the HelloKeytab.java program we modified earlier by typing the command

If all is well, you should get an output similar to the following:

Troubleshooting HelloKeytab.java

If the test was not successful, take a look at the Troubleshooting HelloKeytab.java page.
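
The keytab listing step above shows one entry per encryption type. The following Python script is an added example, not part of the original guide or of the SPNEGO project's code: it parses a keytab, assuming the file uses keytab format version 0x0502, and reports entries whose encryption type is deprecated. The principal alice@EXAMPLE.COM and the all-zero keys in SAMPLE are constructed for illustration.

```python
import struct

# Deprecated Kerberos enctypes (single-DES: RFC 6649, RC4: RFC 8429), by enctype number.
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a version 0x0502 keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + max(size, 0)], pos + 4 + abs(size)
        if size <= 0:                     # a negative length marks a deleted slot
            continue
        try:
            (ncomp,) = struct.unpack_from(">H", rec, 0)
            realm, off = _counted(rec, 2)
            parts = []
            for _ in range(ncomp):
                part, off = _counted(rec, off)
                parts.append(part.decode())
            _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
            _key, off = _counted(rec, off + 11)
            if len(rec) - off >= 4:       # optional 32-bit kvno replaces the 8-bit one
                kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        except struct.error:
            raise ValueError("truncated keytab entry") from None
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, etype))
    return entries

def weak_entries(data):
    """Entries whose enctype is deprecated, as (principal, kvno, enctype name)."""
    return [(p, k, WEAK[e]) for p, k, e in parse_keytab(data) if e in WEAK]

def _sample_entry(name, realm, kvno, etype):
    """Constructed entry with an all-zero placeholder key (no real key material)."""
    body = struct.pack(">H", 1) + b"".join(struct.pack(">H", len(s)) + s for s in (realm, name))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + bytes(16) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(_sample_entry(b"alice", b"EXAMPLE.COM", 2, e) for e in (23, 18))
```

To check a real file, pass its bytes to weak_entries, for example open(path, "rb").read(). A keytab holds the account's long-term keys, which are equivalent to its password, so keep the file readable only by the user that runs the client.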
© 2009 Darwin V. Felix. All rights reserved.