Single Sign-on for Java includes several tools which enable you to create, manipulate and display Kerberos credential caches and keytab files. This section describes how to use JKtools:
The tools are Java-based and will therefore run on UNIX, Linux, and z/OS as well as Microsoft Windows platforms.
The tools are compatible with files created by MIT Kerberos, Heimdal and Authentication Services.
Each tool has embedded help: invoking the tool with the -help parameter displays summary information about the parameters the tool supports.
Scripts for running the tools on different operating systems — Windows (*.bat files) and UNIX or Linux (*.sh files) — are provided in the bin/ directory of your Single Sign-on for Java distribution.
The jkinit tool requests a credential (by default a ticket-granting ticket, see the -S option below) from the key distribution center (KDC) for the principal's realm; for a Microsoft Active Directory domain the KDC is the Domain Controller responsible for that domain (or realm). After a successful authentication the returned credential is stored in a credential cache, where later operations can use it.
jkinit {option} [principal [password]]
The principal for whom the ticket is issued may be specified either on the command line (in the form “name@realm”), or it may be derived from the default principal of an existing credential cache.
Authentication information for the principal must be supplied, either as a password or as a key contained in a keytab.
The password may be specified explicitly on the command line. Note that a command-line password is visible to other local users in the process list and is normally recorded in the shell history, so prefer the interactive prompt for human users and a keytab for unattended use.
A keytab may be specified using the '-k' option (see below).
If a password is not specified on the command line, and a keytab is not specified using the '-k' option, the user is prompted to enter a password.
Once the credential for the principal has been obtained, it is written to a credential cache. The credential cache file may be specified explicitly via the '-c' option (see below), or jkinit may locate the default credential cache.
If no principal has been specified on the command line, the credential cache must already exist, and must contain a default principal. If a principal has been specified on the command line, the credential cache (however specified) is created if necessary. In either case, the credential obtained from the key distribution center is added to the credential cache.
The following options are supported:

Option | Description
-c <cache_file> | Specifies the name of the credentials cache file. If the cache does not exist, it is created.
If this option is not specified, the default credential cache is loaded, as follows:
For UNIX-based systems, the default credential cache locations are:
where:
${user.home} represents the user's UNIX home directory, and ${user.name} represents the user's login name on the UNIX system
OR
where:
${uid} represents the user's UNIX ID.
For Windows-based systems, the default credential cache locations are:
where:
${user.home} represents the user's Windows home directory, and ${user.name} represents the user's login name on Windows.
Option | Description
-f | Specifies a forwardable ticket. Otherwise, default is not forwardable. A forwardable TGT can be forwarded to a remote service so that it can act as the user (credential delegation); request one only when that delegation is actually needed.
-p | Specifies a proxiable ticket. Default is not proxiable.
-l <lifetime> | Specifies the lifetime (in hours) of the ticket. Otherwise, the ticket has the default lifetime as specified by the key distribution center, which may also cap a requested lifetime at its configured maximum.
-R | Specifies a renewable ticket. Default is not renewable.
-A | Specifies an addressless ticket. Otherwise, the ticket is valid for all local addresses. An addressless ticket is needed behind NAT or when the client address changes, at the cost of the (weak) address binding.
-k | Specifies use of a keytab rather than a password. A keytab holds the principal's long-term key, so keep it readable by its owner only.
If a keytab location is not specified via the -t option below, a default keytab is loaded, as follows:
For Windows-based systems, the default keytab location is ${user.home}\krb5.keytab
For UNIX-based systems, the default keytab locations are:
where:
${user.home} is the user's home directory.
Option | Description
-t <keytab_file> | Specifies the location of the keytab file, as opposed to the default keytab. Must be used with the -k option.
-S <service_name> | Specifies an alternative service name. Otherwise, the default service name is krbtgt/${REALM}, where ${REALM} is the realm of the principal, i.e. a ticket-granting ticket is requested.
-K <host name> | Specifies the host name of the key distribution center (KDC). If not specified, the KDC is determined dynamically from the realm of the principal.
-V, -verbose | Specifies verbose output: the operations performed, the names of the files used, and the data in the credential returned. Because this includes credential data, do not capture it in logs that other users can read.
-debug | Specifies debug output. Displays the verbose output as outlined above, and further information that may be useful in debugging and locating errors.
-help | Shows a list of options, and exits the application.