Creating a Kerberos principal and keytab file

Create a Kerberos principal for the VEMKD service and a keytab file that holds a key entry for each encryption type the principal uses.

Procedure

  1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC.
    The following example shows MIT Kerberos with admin@EXAMPLE.COM as the Kerberos administrator principal (the password shown as "password" is a placeholder, not a value to use):
    bash-3.00$ kadmin -p admin@EXAMPLE.COM
    kadmin: add_principal vemkd/cluster1@EXAMPLE.COM
    Enter password for principal "vemkd/cluster1@EXAMPLE.COM": password
    Re-enter password for principal "vemkd/cluster1@EXAMPLE.COM": password
    If you do not create a VEMKD principal with a name of your own, the default name vemkd/clustername@Kerberos_realm is used.
  2. Obtain the key version number (kvno) and the encryption types of the principal by running the subcommand getprinc principal_name in kadmin. The output contains one line of the form Key: vno N, encryption_type for each key; getprinc does not reveal the key material itself. The keytab entries you create in the next step must use the same kvno and encryption types, otherwise the service cannot decrypt tickets that the KDC issues for it.
  3. Create the keytab file by using the ktutil command:
    1. Add a keytab entry for each encryption type the principal uses by using the add_entry command.

      For example, run ktutil: add_entry -password -p principal_name -k kvno -e encryption_type once for each encryption type, entering the principal's password at each prompt. ktutil derives the key from the password, so the password must be the one set in step 1, and kvno must be the value that getprinc reported.

      The following is an example of adding five entries with different encryption types to one keytab; the kvno reported by getprinc is 1 in this example. The DES and RC4 types shown are weak (single DES was removed from MIT Kerberos 1.18; 3DES and RC4 are deprecated), so on a current KDC add the AES types that getprinc reports instead:
      [root@test5 ~]# ktutil
      
      ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 1 -e des3-cbc-sha1-kd
      Password for vemkd/cluster1@EXAMPLE.COM:
      
      ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 1 -e arcfour-hmac-md5
      Password for vemkd/cluster1@EXAMPLE.COM:
      
      ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 1 -e des-hmac-sha1
      Password for vemkd/cluster1@EXAMPLE.COM:
      
      ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 1 -e des-cbc-md5
      Password for vemkd/cluster1@EXAMPLE.COM:
      
      ktutil: add_entry -password -p vemkd/cluster1@EXAMPLE.COM -k 1 -e des-cbc-md4
      Password for vemkd/cluster1@EXAMPLE.COM:
    2. After you have added the entries for the principal, write them to a keytab file.
      For example, to write to the vemkd.keytab file, run:
      ktutil: wkt /path_to_keytab_file/vemkd.keytab

      The keys of the principal are written to the keytab file that you specified (/tmp/vemkd.keytab, for example). If the file already exists, wkt appends to it rather than replacing it, so remove any stale copy first. Verify the result with klist -kt /tmp/vemkd.keytab: it must list one entry per encryption type, all with the kvno that getprinc reported. Because /tmp is world-writable, move the file to a directory that only the cluster administrator can access before you distribute it. Replicate the file securely (for example, with scp) to all EGO master-candidate hosts. The owner of the file must be the EGO CLUSTERADMIN user and the permissions must be 600.

      A keytab contains the principal's long-term keys, so anyone who can read it can authenticate as that principal for as long as those keys remain valid; protect it as you would a password. Changing the principal's password in the KDC increments its kvno and invalidates every copy of the keytab, so regenerate and redistribute the file after any such change (the symptom is a "Key version number for principal in key table is incorrect" error). Once the file is replicated to all master-candidate hosts, provide its path as the value of the KEYTAB parameter in the Kerberos sec_ego_kerberos.conf plug-in configuration file.
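The following script is an added example and is not part of the original page or of the EGO product. It ties steps 2 and 3 together: it parses the kvno and encryption types out of getprinc output, flags weak DES/3DES/RC4 types instead of silently adding them, and emits the matching add_entry and wkt commands so that kvno and encryption types in the keytab cannot drift from what the KDC has. The principal name, administrator principal, keytab path and CLUSTERADMIN account name (egoadmin) are assumed placeholders, and the getprinc output embedded in the script is constructed so that the parsing runs without a KDC.

```bash
#!/bin/sh
# Added example (not from the original page or the EGO product): derive the
# ktutil commands for a VEMKD keytab from the KDC's own view of the principal,
# so kvno and enctypes in the keytab match the keys the KDC issues tickets with.

PRINC="vemkd/cluster1@EXAMPLE.COM"   # assumed principal name
KADMIN_PRINC="admin@EXAMPLE.COM"     # assumed Kerberos administrator principal
KEYTAB="/tmp/vemkd.keytab"           # assumed output path; move out of /tmp before deploying
CLUSTERADMIN="egoadmin"              # assumed EGO CLUSTERADMIN account name

# Constructed sample of 'kadmin -q "getprinc vemkd/cluster1@EXAMPLE.COM"' output
# (MIT Kerberos), embedded so the parsing functions can run without a KDC.
SAMPLE_GETPRINC='Principal: vemkd/cluster1@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 01 00:00:00 UTC 2024 (admin@EXAMPLE.COM)
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]'

# kvno_from_getprinc: read getprinc output on stdin, print the key version number.
kvno_from_getprinc() {
  sed -n 's/^Key: vno \([0-9]*\),.*/\1/p' | head -n 1
}

# enctypes_from_getprinc: read getprinc output on stdin, print one enctype per line.
# Also tolerates older output such as "Key: vno 1, des-cbc-crc, no salt".
enctypes_from_getprinc() {
  sed -n 's/^Key: vno [0-9]*, \([^ ,:]*\).*/\1/p'
}

# weak_enctypes: filter stdin down to DES/3DES/RC4 enctypes (single DES was
# removed in MIT Kerberos 1.18; 3DES and RC4 are deprecated). Empty output = none.
weak_enctypes() {
  grep -E '^(des-|des3-|arcfour-|rc4-)' || true
}

# ktutil_script PRINC KVNO KEYTAB: read enctypes on stdin and emit the ktutil
# command sequence: one add_entry per enctype at that kvno, then wkt.
ktutil_script() {
  while read -r etype; do
    [ -n "$etype" ] || continue
    printf 'add_entry -password -p %s -k %s -e %s\n' "$1" "$2" "$etype"
  done
  printf 'wkt %s\n' "$3"
}

# secure_keytab OWNER FILE: enforce the ownership and mode the EGO plug-in
# expects, then list the entries so kvno and enctypes can be checked.
secure_keytab() {
  chown "$1" "$2" && chmod 600 "$2" && klist -kt "$2"
}

# Live mode (sh thisfile --run): query the KDC and print the commands to type
# into an interactive ktutil session. The password is entered at each prompt
# and is never stored in this script.
if [ "${1:-}" = "--run" ]; then
  out=$(kadmin -p "$KADMIN_PRINC" -q "getprinc $PRINC")
  kvno=$(printf '%s\n' "$out" | kvno_from_getprinc)
  weak=$(printf '%s\n' "$out" | enctypes_from_getprinc | weak_enctypes)
  [ -z "$weak" ] || printf 'warning: %s still has weak enctypes: %s\n' "$PRINC" "$weak" >&2
  printf '# kvno is %s; start ktutil and enter:\n' "$kvno"
  printf '%s\n' "$out" | enctypes_from_getprinc | ktutil_script "$PRINC" "$kvno" "$KEYTAB"
  printf '# afterwards run: secure_keytab %s %s\n' "$CLUSTERADMIN" "$KEYTAB"
fi
```

The generated commands are meant to be typed into an interactive ktutil session rather than piped into it: ktutil answers the -password prompt from the same standard input it reads commands from, so feeding it from a pipe would require placing the password in the command stream. Running secure_keytab afterwards gives the klist -kt listing to compare against the getprinc output before the file is copied to the master-candidate hosts.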