Configure a Kerberos Configuration File

MIT Kerberos libraries require a configuration file that defines how to communicate with a Kerberos KDC. You must have a Kerberos configuration file for the Policy Server and Web Agent host systems.
These procedures apply to the Policy Server and Web Agent systems.
  1. Configure a Kerberos configuration file for the Policy Server and the Web Agent. Open a text editor and create a file like the sample that follows. The name of the file is:
    • Windows: krb5.ini
    • UNIX: krb5.conf
    The following is an example of a krb5.ini file for Windows:

        [libdefaults]
        default_realm = EXAMPLE.COM
        default_keytab_name = C:\WINDOWS\krbsvc-smps.keytab
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        default_ccache_name = c:\Windows\Temp\krbcache
        forwardable = true
        [realms]
        EXAMPLE.COM = {
        default_domain = example.com
        }
        [domain_realm]
        .example.com = EXAMPLE.COM

    Note: Add the forwardable = true parameter in the Web Agent configuration file only if you want to enable constrained delegation.
  2. Place each file in one of the following default locations:
    • Windows: C:\windows\krb5.ini
    • UNIX: /etc/krb5/krb5.conf
    You can place the file anywhere as long as you set the value of the KRB5_CONFIG environment variable to the fully qualified path.
  3. For the Kerberos configuration file at the Policy Server, set the default_keytab_name parameter to the fully qualified path of the keytab file that you set up when configuring the KDC. This is the keytab file with the relevant Policy Server and Web Agent principal credentials.
    Policy Server Windows example:
        default_keytab_name = C:\windows\krbsvc-smps.keytab
    Policy Server UNIX example:
        default_keytab_name = /opt/CA/siteminder/krbsvc-smps.keytab
    The UNIX keytab merges the service account keytab and the host keytab into a single keytab file.
    Then, copy the krbsvc-smps.keytab file into the C:\windows or /opt/CA/siteminder/ location, and rename the file to krb5clientkt:
    • Windows: C:\windows\krb5clientkt
    • UNIX: /opt/CA/siteminder/krb5clientkt
  4. For the Kerberos configuration file at the Web Agent, set the default_keytab_name parameter to the fully qualified path of the keytab file that you set up when configuring the KDC. This is the keytab file with the relevant Web Agent principal credentials.
    Web Agent Windows example:
        default_keytab_name = C:\windows\krbsvc-smwa.keytab
    Web Agent UNIX example:
        default_keytab_name = /opt/CA/siteminder/krbsvc-smwa.keytab
    Then, copy the krbsvc-smwa.keytab file into the C:\windows or /opt/CA/siteminder/ location, and rename the file to krb5clientkt:
    • Windows: C:\windows\krb5clientkt
    • UNIX: /opt/CA/siteminder/krb5clientkt
  5. Save each configuration file.
  6. Copy or move each keytab file to the location specified in the Kerberos configuration file in the previous step.
A Kerberos configuration file is now configured on each host system.
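To verify a finished file before you deploy it, the following added example (not part of this documentation or of the product) parses the krb5.ini/krb5.conf format from step 1, including the nested realm block, and reports whether default_realm has a [realms] entry, whether default_keytab_name is set as steps 3 and 4 require, whether the enctype lists still allow RC4-HMAC or single DES (both deprecated for Kerberos by RFC 8429 and RFC 6649), and whether forwardable = true appears in a Web Agent file. The sample text, the role names "policyserver" and "webagent", and the function names are constructed for this example.

```python
# Constructed sample: the Windows krb5.ini from the procedure above.
SAMPLE_KRB5 = r"""
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = C:\WINDOWS\krbsvc-smps.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
[realms]
EXAMPLE.COM = {
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
"""
# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (RC4-HMAC).
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5(text):
    """Parse krb5.conf/krb5.ini into {section: {key: value}}; `name = { ... }` nests a dict."""
    conf, section, block = {}, None, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None          # end of a nested realm block
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_krb5(conf, role):
    """Findings for a 'policyserver' or 'webagent' file; an empty list means it passes."""
    libdefaults, findings = conf.get("libdefaults", {}), []
    realm = libdefaults.get("default_realm")
    if realm not in conf.get("realms", {}):
        findings.append(f"realms: no block for default_realm {realm!r}")
    if not libdefaults.get("default_keytab_name"):
        findings.append("libdefaults: default_keytab_name missing (required by steps 3 and 4)")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(libdefaults.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"libdefaults: {key} allows deprecated enctype(s) {weak}")
    if role == "webagent" and libdefaults.get("forwardable") == "true":
        findings.append("libdefaults: forwardable = true enables constrained delegation; confirm it is intended")
    return findings
```

Run check_krb5(parse_krb5(open(path).read()), "webagent") against the file on each host; the sample above yields two enctype findings for the Policy Server and a third, forwardable finding when checked as a Web Agent file.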