Linux, UNIX, z/OS, and IBM i client configuration for Kerberos/SPNEGO SSO in ELM
ELM client software that is running on an operating system other than Microsoft Windows can use Kerberos authentication to connect to a Microsoft Active Directory.
UNIX kinit utility
UNIX systems include a kinit utility that users can run to authenticate against an Active Directory domain. Before users run the utility, they must complete the following prerequisite tasks:
- Point the client system to the Domain Name System (DNS) in Active Directory. Typically, this setting is configured in the /etc/resolv.conf file.
- Configure the krb5.ini or krb5.conf file. For more information, see Configuring the krb5 file for encryption in Kerberos/SPNEGO SSO in ELM.
After users run the kinit utility, they can use browsers and Jazz clients.
Notes:
- While UNIX users might run the IBM JRE kinit utility to authenticate ELM clients, doing so is unnecessary and would require a second login. The UNIX kinit utility is still needed to authenticate applications that are not based on Java technology.
- Because the kinit utility on z/OS uses EBCDIC character encoding instead of ASCII, z/OS users must run the IBM JRE kinit utility to authenticate ELM Eclipse clients.
UNIX kinit cache file
On UNIX systems, the default location and name for the kinit cache file is /tmp/krb5cc_uid, where uid is the numeric user ID. To use a different cache file, the KRB5CCNAME environment variable can be set to a different location.
Specify the encryption algorithms that the server requires
Users must specify the encryption algorithms that the server requires. For example, if the server requires Advanced Encryption Standard 256-bit (AES-256) encryption, the client krb5.conf or krb5.ini file must include this encryption algorithm.
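The following shell functions are an added example, not IBM code, that check the three client settings described above: the DNS servers in use, the cache file kinit will write, and whether the krb5 file lists the encryption algorithm the server requires. The option names default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes, the enctype name aes256-cts-hmac-sha1-96, and the EXAMPLE.COM sample file are assumptions that do not come from this page.

```sh
#!/bin/sh
# Added example (not IBM code): pre-flight checks for the client settings above.

# List the DNS servers the client resolves through; compare them by hand
# with the Active Directory DNS servers for the domain.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Print the cache file kinit will use: KRB5CCNAME when set (an optional
# FILE: prefix is stripped), otherwise the default /tmp/krb5cc_<uid>.
ccache_path() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "${KRB5CCNAME#FILE:}"
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Check the enctype lists in a krb5 file for the enctype the server requires.
# Returns 0 if every list names it, 1 if a list omits it (the line is
# printed), 2 if the file has no enctype list at all.
# Assumption: the enctype is spelled exactly as given, with no aliases.
enctypes_allow() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ {
            seen = 1; found = 0
            list = $0; sub(/^[^=]*=[ \t]*/, "", list)
            n = split(list, name, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (name[i] == want) found = 1
            if (!found) { bad = 1; print "omits " want ": " $0 }
        }
        END { exit (bad ? 1 : (seen ? 0 : 2)) }
    ' "$1"
}

# Constructed sample: tickets may use AES-256, but permitted_enctypes
# leaves it out, so enctypes_allow reports that line and returns 1.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96
EOF
}
```

To check a real client, run `enctypes_allow /etc/krb5.conf aes256-cts-hmac-sha1-96`; `sample_conf` only supplies the constructed input.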