System properties
Typically, system properties are set:
- in start-up scripts;
- by specification in a command line (for example, using the -D flag); or
- by Java code specifically designed to set system properties.
Appendix: Using the JKTools
Single Sign-on for Java includes several tools which enable you to create, manipulate and display Kerberos credential caches and keytab files. This section describes how to use JKtools:
- jkinit to authenticate and request a network credential
- jklist to display a credential cache or keytab contents
- jktutil to create, manipulate, and display keytabs.
Related Topics
Tool details
The tools are Java-based and will therefore run on UNIX, Linux, and z/OS as well as Microsoft Windows platforms.
The tools are compatible with files created by MIT Kerberos, Heimdal and Authentication Services.
Each tool has help embedded so that invoking the tool with the -help parameter displays summary information about the parameters the tool supports.
Scripts for running the tools on different operating systems — Windows (*.bat files) and UNIX or Linux (*.sh files) — are provided in the bin/ directory of your Single Sign-on for Java distribution.
jkinit
The jkinit tool is used to request and store a credential from a Microsoft Active Directory. This is located on the Domain Controller responsible for the requested domain (or realm). After a successful authentication a credential is returned which is then stored in a credential cache. The credential can then be used in later operations.
Usage
jkinit {option} [principal [password]]
The principal for whom the ticket is issued may be specified either on the command line (in the form “name@realm”), or it may be derived from the default principal of an existing credential cache.
Authentication information must be present with the principal. This information may be in the form of a password, or as a key contained in a keytab.
The password may be specified explicitly on the command line.
A keytab may be specified using the '-k' option (see below).
If a password is not specified on the command line, and a keytab is not specified using the '-k' option, the user is prompted to enter a password.
Once the credential for the principal has been obtained, it is written to a credential cache. The credential cache file may be specified explicitly via the '-c' option (see below), or jkinit may locate the default credential cache.
If no principal has been specified on the command line, the credential cache must already exist, and must contain a default principal. If a principal has been specified on the command line, the credential cache (however specified) is created if necessary. In either case, the credential obtained from the key distribution center is added to the credential cache.
Options
The following option is supported:
|
Option |
Description |
|
-c <cache_file> |
Specifies the name of the credentials cache file. If the cache does not exist, it is created. |
If this option is not specified, the default credential cache is loaded, as follows:
For UNIX-based systems, the default credential cache locations are:
- The location specified by the $KRB5CCNAME environment variable, if present; or
- The location ${user.home}/krb5cc_${user.name}
where:
${user.home} represents the user's UNIX home directory, and ${user.name} represents the user's login name on the UNIX system
OR
- The location /tmp/krb5cc_${uid},
where:
${uid} represents the user's UNIX ID.
For Windows-based systems, the default credential cache locations are:
- The Local Security Authority; or
- The location ${user.home}/krb5cc_${user.name},
where:
${user.home} represents the user's Windows home directory, and ${user.name} represents the user's login name on Windows.
Option
Description
-f
Specifies a forwardable ticket. Otherwise, default is not forwardable.
-p
Specifies a proxiable ticket. Default is not proxiable.
-l <lifetime>
Specifies lifetime (in hours) of the ticket. Otherwise, the ticket has the default lifetime as specified by the key distribution center.
-R
Specifies a renewable ticket. Default is not renewable.
-A
Specifies an addressless ticket. Otherwise, the ticket is valid for all local addresses.
-k
Specifies use of a keytab rather than a password.
If a keytab location is not specified via the -t option below, a default keytab is loaded, as follows:
For Windows-based systems, the default keytab location is
${user.home}\krb5.keytab
For UNIX-based systems, the default keytab locations are:
- ${user.home}/krb5.keytab
- /etc/krb5.keytab
where:
${user.home} is the user's home directory.
Option
Description
-t <keytab_file>
Specifies the location of the keytab file, as opposed to the default keytab. Must be used with the -k option.
-S <service_name>
Specifies an alternative service name. Otherwise, the default service name is krbtgt/${REALM}, where ${REALM} is the realm of the principal.
-K <host name>
Specifies the host name of the key distribution center (KDC). If not specified, the KDC is determined dynamically from the realm of the principal.
-V, -verbose
Specifies verbose output. This enables display of the operations performed, name of files used, and the data in the credential returned.
-debug
Specifies debug output. Displays the verbose output as outlined above, and further information that may be useful in debugging and locating errors.
-help
Shows a list of options, and exits the application.