vastool is a command line program that allows you to configure various components of Authentication Services, access information stored in Active Directory, and perform a variety of tasks such as the creation of user accounts and keytabs.
vastool is located at /opt/quest/bin/vastool. In order to run vastool, you must specify vastool options, a command to run, and the options for that specific command.
While vastool supports a wide variety of commands, the following are the most useful when installing Single Sign-on for Java with Authentication Services or adjusting its configuration:
One of the simplest ways to configure Single Sign-on for Java to run on an Authentication Services-enabled host is to set up your configuration so that Single Sign-on for Java authenticates using the HOST principal that is installed when you join an Authentication Services-enabled machine to the Active Directory domain.
To configure Single Sign-on for Java to run on an Authentication Services-enabled host
When you configure Single Sign-on for Java, set:
idm.keytab to the path of the Authentication Services HOST keytab -- for example: /etc/opt/quest/vas/host.keytab
idm.principalAtRealm to HOST/appservhost1.example.com@EXAMPLE.COM
It is also possible to use vastool to add an account for Single Sign-on for Java rather than using the HOST principal. The major benefit of this approach is that it allows you to run the application server as an unprivileged user.
To use vastool to add an account for Single Sign-on for Java
vastool -u <Adminuser> service create HTTP/appservhost1.example.com
<Adminuser> is a domain user with sufficient permissions to create accounts.
This generates output similar to the following:
Successfully created service
and generates the keytab /etc/opt/quest/vas/HTTP.keytab. Change the owner of this keytab so it is readable by the process running the application server:
chown appserverowner /etc/opt/quest/vas/HTTP.keytab
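An added check, not part of the Authentication Services documentation or of vastool, for the two things the steps above depend on: that the keytab is owned by the application server user and not readable by group or others, and that the principal set in idm.principalAtRealm actually exists in the file set in idm.keytab (a mismatch is the usual reason an HTTP service fails to authenticate). The parser follows the MIT 0x0502 keytab layout; the sample keytab is constructed inline with a dummy key, and os.getuid() stands in for the application server user.

```python
import os, stat, struct, tempfile
from pathlib import Path

def build_sample_keytab(principal):
    """Constructed MIT v2 (0x0502) keytab holding one entry; the key bytes are dummy."""
    name, realm = principal.rsplit("@", 1); comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, 2)                 # name type, timestamp, vno8
    body += struct.pack(">HH", 18, 32) + b"\0" * 32      # enctype 18 (aes256), dummy key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def keytab_principals(path):
    """Parse an MIT v2 keytab and return the principal names it holds."""
    data = Path(path).read_bytes()
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                     # deleted slot: skip it
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        names.append("/".join(comps) + "@" + realm)
        pos = end                                        # skip name type, timestamp, key block
    return names

def check_keytab(path, principal, owner_uid):
    """Return the problems found; an empty list means the keytab is usable and protected."""
    st, problems = os.stat(path), []
    if st.st_uid != owner_uid:
        problems.append("keytab is not owned by the application server user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab is readable by group or others")
    if principal not in keytab_principals(path):
        problems.append(principal + " not found in keytab")
    return problems

def demo(principal="HTTP/appservhost1.example.com@EXAMPLE.COM"):
    fd, path = tempfile.mkstemp(); os.close(fd)          # mkstemp creates the file mode 0600
    Path(path).write_bytes(build_sample_keytab("HTTP/appservhost1.example.com@EXAMPLE.COM"))
    problems = check_keytab(path, principal, os.getuid())
    os.unlink(path)
    return problems
```

Run check_keytab against the real idm.keytab path with the UID of the application server user to verify a deployed host; demo() only exercises the constructed sample.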
If operations performed through Single Sign-on for Java must use delegated credentials on behalf of clients, you must enable delegation for every relevant service account in Active Directory.
Note: Delegation operations require that: