Linux, UNIX, z/OS, and IBM i client configuration for Kerberos/SPNEGO SSO in ELM

ELM client software that is running on an operating system other than Microsoft Windows can use Kerberos authentication to connect to a Microsoft Active Directory.

UNIX kinit utility

UNIX systems include a kinit utility that users can run to authenticate against an Active Directory domain. Before users run the utility, they must complete the following prerequisite tasks:
After users run the kinit utility, they can use browsers and Jazz clients.
Notes:
  • While UNIX users might run the IBM JRE kinit utility to authenticate ELM clients, doing so is unnecessary and would require a second login. The UNIX kinit utility is still needed to authenticate applications that are not based on Java technology.
  • Because the kinit utility on z/OS uses EBCDIC character encoding instead of ASCII, z/OS users must run the IBM JRE kinit utility to authenticate ELM Eclipse clients.

UNIX kinit cache file

On UNIX systems, the default location and name for the kinit cache file is /tmp/krb5cc_uid, where uid is the numeric user ID. To use a different cache file, the KRB5CCNAME environment variable can be set to a different location.

Specify the encryption algorithms that the server requires

Users must specify the encryption algorithms that the server requires. For example, if the server requires Advanced Encryption Standard 256-bit (AES-256) encryption, the client krb5.conf or krb5.ini file must include this encryption algorithm.
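
The following shell sketch is an added example, not IBM-supplied code. It resolves the cache file as described under "UNIX kinit cache file" and lists the encryption-type settings in a client krb5.conf or krb5.ini that are set but omit a required algorithm. The setting names (default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes), the enctype name aes256-cts-hmac-sha1-96, the FILE: prefix handling, the realm EXAMPLE.COM, and the function names are assumptions; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not IBM tooling: pre-flight checks before running kinit.

# Print the credential cache file kinit will use: KRB5CCNAME if set,
# otherwise the default /tmp/krb5cc_<numeric uid>.
ccache_path() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "${KRB5CCNAME#FILE:}"   # drop the optional FILE: type prefix
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Print each [libdefaults] enctype setting in file $1 that is set but does not
# list enctype $2. Exact-name match: aliases are not expanded (assumption).
missing_enctype() {
    awk -v want="$2" '
        { sub(/\r$/, "") }                          # tolerate CRLF in krb5.ini
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, eq + 1), types, /[ \t,]+/)
            found = 0
            for (i = 1; i <= n; i++) if (types[i] == want) found = 1
            if (!found) print key
        }
    ' "$1"
}

# Constructed sample client configuration: one setting lacks AES-256.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
echo "cache file: $(ccache_path)"
echo "settings missing AES-256: $(missing_enctype "$conf" aes256-cts-hmac-sha1-96)"
rm -f "$conf"
```

A setting that is absent from the file is not reported, because the Kerberos library then applies its built-in default list.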