
Importing Kerberos Configuration Files to the J2EE Engine

Use

The J2EE Engine uses the Kerberos keytab and the Kerberos configuration file during Kerberos authentication. Therefore, you must make both files accessible to every J2EE Engine instance that uses Kerberos authentication.

Prerequisites

You have created the Kerberos keytab on the Kerberos KDC. For more information, see Kerberos Key Distribution Center Configuration.

Procedure


1. Choose an appropriate location for the keytab file in the file system of the J2EE Engine host. If your J2EE Engine cluster has nodes on different host machines, you can copy the files to a mounted (shared) directory.

Caution

Make sure that the operating system (OS) user that runs the J2EE Engine has access permissions for the location you choose. The default ID for this user is <SAPSID>adm, where <SAPSID> is the system ID of the J2EE Engine. For additional security, restrict access to the keytab file at the operating system level as much as possible. For example, on Windows systems you can limit access rights for the target location to the user group SAP_<SAPSID>_localadmin.

2. Copy the keytab file from the Kerberos KDC to the target location that you have chosen.

Note

We recommend that you use a secure transport channel for transferring the keytab file from the KDC to the J2EE Engine.

3. Create a file called krb5.conf with a text editor of your choice. The krb5.conf file must have the following general structure:

[domain_realm]
   <DNS_domain_pattern> = <Kerberos_Realm_in_upper_case>

[libdefaults]
   default_keytab_name = <keytab_filename_with_full_path>
   default_realm = <Kerberos_Realm_in_upper_case>
   dns_lookup_kdc = true
   default_tgs_enctypes=des-cbc-md5;des-cbc-crc
   default_tkt_enctypes=des-cbc-md5;des-cbc-crc

[logging]

[realms]
   <Kerberos_Realm_in_upper_case> = {
      admin_server = <KDC_ip_or_host_name>
      kdc = <KDC_ip_or_host_name>
   }

Note

The syntax and the parameter options in this file are standards-based. For the general syntax and all available options of a Kerberos configuration file, see the Kerberos V5 Administrator's Guide, available from MIT's web site at web.mit.edu.
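As an added illustration that is not part of the SAP documentation, the following Python check parses a krb5.conf in the structure shown above and flags what an administrator would want to catch before copying the file to every J2EE Engine instance: a default realm that is not in upper case, a keytab name that is not a full path, a realm block without a kdc entry, and the deprecated single-DES encryption types used in the template. The realm, KDC host and keytab path in the sample are placeholders, not values from any real system.

```python
import os
import re
# Constructed krb5.conf in the structure shown above (placeholder values only).
SAMPLE_KRB5_CONF = """[libdefaults]
   default_keytab_name = /usr/sap/SID/SYS/global/krb5.keytab
   default_realm = EXAMPLE.COM
   default_tgs_enctypes=des-cbc-md5;des-cbc-crc
   default_tkt_enctypes=des-cbc-md5;des-cbc-crc
[realms]
   EXAMPLE.COM = {
      admin_server = kdc.example.com
      kdc = kdc.example.com
   }
"""
# Single DES is deprecated for Kerberos (RFC 6649); RC4 and 3DES too (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and REALM = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif line.endswith("{") and section is not None:
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif section is not None:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return conf

def check_krb5_conf(conf):
    """Return findings to fix before copying the file to the J2EE Engine hosts."""
    lib, findings = conf.get("libdefaults", {}), []
    realm, keytab = lib.get("default_realm", ""), lib.get("default_keytab_name", "")
    if not realm or realm != realm.upper():
        findings.append("default_realm must be present and in upper case")
    if not os.path.isabs(keytab):
        findings.append("default_keytab_name must be a full path")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("[realms] has no kdc entry for %s" % realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = WEAK_ENCTYPES & set(re.split(r"[;,\s]+", lib.get(key, "")))
        if weak:
            findings.append("%s allows weak enctypes: %s" % (key, ", ".join(sorted(weak))))
    return findings
```

Running check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) reports only the two weak-enctype findings; replacing the DES types with an AES type such as aes256-cts-hmac-sha1-96 makes the check pass.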

Result

· The keytab and krb5.conf files exist in the target file system location you have chosen.

· The OS users that run the J2EE Engines using Kerberos authentication have OS-level permissions to access these files.
