Kerberos authentication from the command line on Linux® hosts

Log on to your cluster from the egosh command line and run workload as the Kerberos principal.

Procedure

The following steps outline sample usage for Kerberos authentication. If you enabled Kerberos authentication for multicluster, use commands from the smcadmin command line; for example: smcadmin user logon.

  1. Log on to the host as the Admin user and enter the password of the Kerberos principal, which is defined in the KERBEROS_ADMIN parameter. For example:
    egosh user logon -u Admin -x egoadminKDC 
  2. Run the commands to view resource groups, system services, and applications:
    egosh rg
    egosh service list
    soamview app
  3. Run the symping command to submit workload:
    symping -u Admin -x egoadminKDC
  4. Test access for Kerberos principals that were added to the EGO database:
    1. Run symping as a Kerberos principal. For example:
      symping -u userKDC -x passKDC
    2. Test user access with and without the Kerberos realm in the user name. For example:
      soamlogon -u userKDC -x passKDC
      soamlogon -u userKDC@EXAMPLE.COM -x passKDC
  5. Test access through the kinit tool (kinit creates a TGT and takes the place of the egosh user logon command):
    1. Log on with kinit as the cluster administrator:
      kinit egoadmin@EXAMPLE.COM
      IBM® Spectrum Symphony, by default, uses the credential cache at /tmp/krb5cc_uid. This value can be overridden by the environment variables KRB5CCNAME or EGOCC_FILE (see Configuring the credential cache for the command line). When you run kinit to get the TGT for the user principal, kinit must use the same credential cache file as IBM Spectrum Symphony. To ensure this, use the -c option to specify the credential cache location as follows:
      • If neither KRB5CCNAME nor EGOCC_FILE is defined, use the credential cache at /tmp/krb5cc_uid.
      • If only EGOCC_FILE is set, use the credential cache file defined by this parameter.
      • If only KRB5CCNAME is set, use the credential cache file defined by this parameter.
    2. Run egosh commands after logging on with kinit. For example:
      egosh rg
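
The credential cache selection from step 5, as an added shell sketch (not IBM's code). The function names are hypothetical, uid is taken from id -u, and the owner-only check on the cache file and the refusal when both variables are set are assumptions of this example, since the page does not cover that case.

```shell
#!/bin/sh
# Added example: pick the cache for "kinit -c" by the three rules in step 5,
# then confirm the cache file is private before running egosh commands.

# Print the credential cache location to pass to kinit -c.
# Returns 2 when both variables are set: the page gives no precedence
# for that case, so this sketch refuses to guess (assumption).
resolve_ccache() {
    if [ -n "${KRB5CCNAME:-}" ] && [ -n "${EGOCC_FILE:-}" ]; then
        echo "both KRB5CCNAME and EGOCC_FILE are set; unset one" >&2
        return 2
    elif [ -n "${EGOCC_FILE:-}" ]; then
        printf '%s\n' "$EGOCC_FILE"
    elif [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Succeed only if the cache is a regular file (not a symlink), owned by
# the caller, with no group or other permission bits set.
ccache_is_private() {
    f=${1#FILE:}    # KRB5CCNAME may carry a FILE: prefix
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case $(ls -ld "$f" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Get a TGT into the resolved cache, verify the file, then list resource groups.
kinit_for_symphony() {
    cc=$(resolve_ccache) || return
    kinit -c "$cc" "$1" || return
    if ! ccache_is_private "$cc"; then
        echo "credential cache $cc is not owner-only" >&2
        return 1
    fi
    egosh rg
}

# Usage: sh this_script.sh egoadmin@EXAMPLE.COM
if [ "$#" -gt 0 ]; then
    kinit_for_symphony "$1"
fi
```
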