Configure a Kerberos Configuration File

MIT Kerberos libraries require a configuration file that defines how to communicate with a Kerberos KDC. You must have a Kerberos configuration file for the Policy Server and Web Agent host systems.
These procedures apply to the Policy Server and Web Agent systems.
  1. Create a Kerberos configuration file on the Policy Server host and on the Web Agent host. Open a text editor and create a file like the sample that follows. The file name depends on the platform:
    • Windows:
       krb5.ini
    • UNIX:
      krb5.conf
      The following is an example of a krb5.ini file for Windows:
    [libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = C:\WINDOWS\krbsvc-smps.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    [realms]
    EXAMPLE.COM = {
    kdc = kdc.example.com:88
    default_domain = example.com
    }
    [domain_realm]
    .example.com = EXAMPLE.COM
      The two enctypes lines limit the encryption types that the Policy Server and Web Agent request to rc4-hmac, so the keytab entries must carry RC4-HMAC keys. RC4-HMAC is deprecated for Kerberos (RFC 8429); if your KDC and product version support AES encryption types, list those instead and create the keytab with matching keys.
  2. Place each file in the default location for the platform:
    • Windows:
      C:\windows\krb5.ini
    • UNIX:
      /etc/krb5/krb5.conf
      You can place the file anywhere else, provided you set the KRB5_CONFIG environment variable to its fully qualified path.
  3. In the Kerberos configuration file on the Policy Server, set the default_keytab_name parameter to the fully qualified path of the keytab file that you created when configuring the KDC. This keytab contains the relevant Policy Server and Web Agent principal credentials.
    Policy Server Windows example:
    default_keytab_name = C:\windows\krbsvc-smps.keytab
    Policy Server UNIX example:
    default_keytab_name = /opt/CA/siteminder/krbsvc-smps.keytab
    The UNIX keytab merges the service account keytab and the host keytab into a single keytab file.
  4. In the Kerberos configuration file on the Web Agent, set the default_keytab_name parameter to the fully qualified path of the keytab file that you created when configuring the KDC. This keytab contains the relevant Web Agent principal credentials.
    Web Agent Windows example:
    default_keytab_name = C:\windows\krbsvc-smwa.keytab
    Web Agent UNIX example:
    default_keytab_name = /opt/CA/siteminder/krbsvc-smwa.keytab
  5. Save each configuration file.
  6. Copy or move each keytab file to the location that default_keytab_name specifies in the previous steps. Restrict read access to the account that runs the Policy Server or Web Agent: the keytab holds the principal's long-term key, and anyone who can read it can authenticate as that service.
A Kerberos configuration file is now configured on each host system.
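Before restarting the Policy Server or Web Agent against the new file, it is worth confirming that it says what steps 1 through 4 require. The following script is an added example written for this page; it is not part of the CA documentation or the product. It parses the MIT krb5.conf profile syntax used above (sections, key = value directives and braced realm blocks), checks that the default realm has a kdc and a domain_realm mapping, flags deprecated encryption types (the WEAK_ENCTYPES list is this example's assumption, drawn from RFC 8429), and, when run on the host itself, checks that the keytab named in default_keytab_name exists and, on UNIX, is not readable by other accounts. The embedded sample is the Windows krb5.ini from step 1; the 0600 permission threshold and the FILE: prefix handling are assumptions about how the keytab is deployed.

```python
"""Check a krb5.ini / krb5.conf against what steps 1 through 4 above require."""
import os
import re
import sys

# Enctypes RFC 8429 deprecates for Kerberos (this list is an assumption of the example).
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
# The Windows krb5.ini sample from step 1, embedded so the check can run offline.
SAMPLE_INI = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = C:\\WINDOWS\\krbsvc-smps.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com:88
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
"""

def as_list(block, key):
    """Return what block stores under key as a list (a repeated key is already a list)."""
    stored = block.get(key)
    return [] if stored is None else (stored if isinstance(stored, list) else [stored])

def parse_krb5_conf(text):
    """Parse MIT profile syntax into {section: {key: value}}: a braced block becomes a
    nested dict, a repeated key a list, and # or ; starts a comment. No include(dir)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive before any [section]: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError(f"expected 'key = value': {line!r}")
        block = stack[-1]
        if value == "{":
            block[key] = {}
            stack.append(block[key])
        else:
            block[key] = as_list(block, key) + [value] if key in block else value
    if len(stack) > 1:
        raise ValueError("unbalanced '{'")
    return conf

def check_krb5_conf(conf, check_keytab=True):
    """Return findings (empty list means OK); check_keytab=False skips the on-disk tests."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is missing")
    else:
        realm_block = conf.get("realms", {}).get(realm)
        if not isinstance(realm_block, dict):
            findings.append(f"realms: no block for default realm {realm}")
        elif not as_list(realm_block, "kdc"):
            findings.append(f"realms: {realm} has no kdc directive")
        domain_realm = conf.get("domain_realm", {})
        if realm not in [r for k in domain_realm for r in as_list(domain_realm, k)]:
            findings.append(f"domain_realm: no DNS domain maps to {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enctype in re.split(r"[\s,]+", " ".join(as_list(libdefaults, key))):
            if enctype and enctype.lower() in WEAK_ENCTYPES:
                findings.append(f"libdefaults: {key} allows deprecated enctype {enctype}")
    keytab = libdefaults.get("default_keytab_name")
    if not keytab:
        findings.append("libdefaults: default_keytab_name is missing (steps 3 and 4)")
    elif check_keytab:
        path = keytab[5:] if keytab.upper().startswith("FILE:") else keytab
        if not os.path.isfile(path):
            findings.append(f"keytab: {path} does not exist on this host (step 6)")
        elif os.name == "posix" and os.stat(path).st_mode & 0o077:
            findings.append(f"keytab: {path} is readable by group or other; use mode 0600")
    return findings

if __name__ == "__main__":
    # Check the file named on the command line or by KRB5_CONFIG (step 2); with neither,
    # check the embedded sample without the on-disk keytab tests.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("KRB5_CONFIG")
    text = open(target, encoding="utf-8").read() if target else SAMPLE_INI
    for problem in check_krb5_conf(parse_krb5_conf(text), check_keytab=bool(target)):
        print("WARN", problem)
```

Run with no arguments to check the embedded sample, which reports the two rc4-hmac findings; pass the path of the file you wrote, or set KRB5_CONFIG as in step 2, to check a real host, where the keytab existence and permission tests also run. The parser covers only the directives this procedure uses and does not follow include or includedir.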