
Single Sign-On for Java 3.3.2 - Administration Guide


System properties

Typically, system properties are set:

  • in start-up scripts;
  • by specification in a command line (for example, using the -D flag); or
  • by Java code specifically designed to set system properties.
Table 11: System properties





The password of the Kerberos service principal. Single Sign-on for Java creates an in-memory keytab using this password.

NOTE: This property is required if idm.keytab or idm.password parameters are not set.



A colon-separated list of one or more DNS servers that Single Sign-on for Java should use to look up DNS SRV records for Active Directory domain controllers. Specify each DNS server as either a hostname or as an IPv4 address.

Normally Single Sign-on for Java automatically discovers DNS servers by querying the JVM and/or the operating system. However, in some circumstances, Single Sign-on for Java’s auto-discovery logic comes up empty-handed, so the list of DNS servers must be specified explicitly.

Appendix: Using the JKTools

Single Sign-on for Java includes several tools which enable you to create, manipulate and display Kerberos credential caches and keytab files. This section describes how to use the JKTools:

  • jkinit to authenticate and request a network credential
  • jklist to display a credential cache or keytab contents
  • jktutil to create, manipulate, and display keytabs.

Tool details

The tools are Java-based and will therefore run on UNIX, Linux, and z/OS as well as Microsoft Windows platforms.

The tools are compatible with files created by MIT Kerberos, Heimdal and Authentication Services.

Each tool has help embedded so that invoking the tool with the -help parameter displays summary information about the parameters the tool supports.

Scripts for running the tools on different operating systems — Windows (*.bat files) and UNIX or Linux (*.sh files) — are provided in the bin/ directory of your Single Sign-on for Java distribution.


The jkinit tool is used to request and store a credential from Microsoft Active Directory, which is located on the domain controller responsible for the requested domain (or realm). After a successful authentication, a credential is returned and stored in a credential cache. The credential can then be used in later operations.


jkinit {option} [principal [password]]

The principal for whom the ticket is issued may be specified either on the command line (in the form “name@realm”), or it may be derived from the default principal of an existing credential cache.

Authentication information must be present with the principal. This information may be in the form of a password, or as a key contained in a keytab.

The password may be specified explicitly on the command line.

A keytab may be specified using the '-k' option (see below).

If a password is not specified on the command line, and a keytab is not specified using the '-k' option, the user is prompted to enter a password.

Once the credential for the principal has been obtained, it is written to a credential cache. The credential cache file may be specified explicitly via the '-c' option (see below), or jkinit may locate the default credential cache.

If no principal has been specified on the command line, the credential cache must already exist, and must contain a default principal. If a principal has been specified on the command line, the credential cache (however specified) is created if necessary. In either case, the credential obtained from the key distribution center is added to the credential cache.


The following options are supported:

Table 12: Options: jkinit



-c <cache_file>

Specifies the name of the credentials cache file. If the cache does not exist, it is created.

If this option is not specified, the default credential cache is loaded, as follows:

For UNIX-based systems, the default credential cache locations are:

  1. The location specified by the $KRB5CCNAME environment variable, if present; or
  2. The location ${user.home}/krb5cc_${}, where ${user.home} represents the user's UNIX home directory and ${} represents the user's login name on the UNIX system.
  3. The location /tmp/krb5cc_${uid}, where ${uid} represents the user's UNIX ID.

For Windows-based systems, the default credential cache locations are:

  1. The Local Security Authority; or
  2. The location ${user.home}/krb5cc_${}, where ${user.home} represents the user's Windows home directory and ${} represents the user's login name on Windows.




    Specifies a forwardable ticket. Otherwise, default is not forwardable.


    Specifies a proxiable ticket. Default is not proxiable.

    -l <lifetime>

    Specifies lifetime (in hours) of the ticket. Otherwise, the ticket has the default lifetime as specified by the key distribution center.


    Specifies a renewable ticket. Default is not renewable.


    Specifies an addressless ticket. Otherwise, the ticket is valid for all local addresses.


    Specifies use of a keytab rather than a password.

If a keytab location is not specified via the -t option below, a default keytab is loaded, as follows:

For Windows-based systems, the default keytab location is


For UNIX-based systems, the default keytab locations are:

  1. ${user.home}/krb5.keytab
  2. /etc/krb5.keytab


    ${user.home} is the user's home directory.



    -t <keytab_file>

    Specifies the location of the keytab file, as opposed to the default keytab. Must be used with the -k option.

    -S <service_name>

    Specifies an alternative service name. Otherwise, the default service name is krbtgt/${REALM}, where ${REALM} is the realm of the principal.

    -K <host name>

    Specifies the host name of the key distribution center (KDC). If not specified, the KDC is determined dynamically from the realm of the principal.

    -V, -verbose

    Specifies verbose output. This enables display of the operations performed, name of files used, and the data in the credential returned.


    Specifies debug output. Displays the verbose output as outlined above, and further information that may be useful in debugging and locating errors.


    Shows a list of options, and exits the application.
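An added example, not part of the vendor guide: shell helpers that resolve the default UNIX credential cache in the order listed for -c, check that a cache or keytab is not accessible to group or other users, and assemble a keytab-based jkinit argument list so that no password appears on the command line. The function names are hypothetical, and the first-existing-file-wins behaviour for locations 2 and 3 is an assumption.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print the cache path expected when -c is omitted, in the guide's UNIX order.
# Assumption: for locations 2 and 3 the first existing file wins.
resolve_ccache() {
    login=${LOGNAME:-$(id -un)}          # the user's login name
    if [ -n "${KRB5CCNAME:-}" ]; then
        # MIT-style cache names may carry a FILE: type prefix.
        printf '%s\n' "${KRB5CCNAME#FILE:}"
        return 0
    fi
    for candidate in "$HOME/krb5cc_$login" "/tmp/krb5cc_$(id -u)"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Succeed only for a regular, non-symlink file with no group/other access.
is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)  # group and other permission bits
    [ "$perms" = "------" ]
}

# Print jkinit arguments for keytab authentication (-k, -t, -c from Table 12),
# so that no password is placed on the command line.
# usage: jkinit_args <principal> <keytab_file> <cache_file>
jkinit_args() {
    is_private "$2" || { echo "refusing: $2 is not private" >&2; return 1; }
    printf '%s\n' "-k -t $2 -c $3 $1"
}
```

Pass the printed arguments to the jkinit script from the bin/ directory of the distribution.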
