Configuring SSO when Running as Non-Root/System

When the server service/daemon is running as an arbitrary user (not root on UNIX and not System on Windows), you need to register the service/daemon account. You need the SPN that you created earlier.

  1. Create the directory <STATISTICSSERVER>\config\sso.
  2. Copy the file krb5.conf from the client SSO directory to the server SSO directory you created in step 1.
  3. Use the following command to create the file krb5.keytab in the server SSO directory:

     <STATISTICSSERVER>\jre\bin\ktab -a <spn>@<realm> -k krb5.keytab

     For example:

     "..\jre\bin\ktab.exe" -a statisticsserver/jdoemachine.ibm.com:3023@ibm.com -k krb5.keytab

This will prompt you for a password. The password you enter must be the password of the service account. So if the service account is jdoe, for example, you must enter the password for the user jdoe.

The service account itself is not mentioned in the keytab, but earlier you registered the SPN to that account using setspn. This means that the password for the service principal and the password for the service account are one and the same.

For each new server instance you create, you must register the SPN for that instance (using setspn) and create a keytab file. Copy the keytab file to the config_<group_name>/sso subdirectory of the server installation directory. The default instance does not need a keytab file.

To verify that an instance is included in the keytab:

ktab.exe -l -e -k krb5.keytab

You may see multiple entries for each principal with different encryption types, but this is normal.
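The check above can also be done without ktab, which is useful on a hardened host where no JRE tools are on the path, or in a deployment script that wants to fail early if the SPN is missing. The following Python is an added example, not IBM's code: it reads the MIT/Java keytab binary layout (version 0x0502, length-prefixed entries of realm, principal components, name type, timestamp, kvno and key block) and reports each principal with its key version and encryption type, which is the same information "ktab -l -e" shows. The sample keytab is constructed inline by a small builder with all-zero keys so the example runs offline; the principal string is the SPN from the example above, and the parser deliberately never returns or prints the key bytes, since a keytab is equivalent to the service account password.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Common encryption type numbers (RFC 3961 / RFC 3962 / RFC 4757).
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str  # e.g. "statisticsserver/host:3023@REALM"
    kvno: int
    enctype: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix, the keytab 'counted octet string'."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a version 5.02 keytab.
    Used only to construct sample input here; ktab -a writes the same layout."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 5.02 keytab; key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.02 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4  # name_type
        pos += 4  # timestamp
        kvno = data[pos]; pos += 1  # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen  # skip the key bytes
        if end - pos >= 4:  # 32-bit kvno extension overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def principal_in_keytab(data: bytes, principal: str) -> List[KeytabEntry]:
    """All entries for one principal; several enctypes per principal is normal."""
    return [e for e in parse_keytab(data) if e.principal == principal]


# Constructed sample: the SPN from the page with three enctypes, all at kvno 3.
SPN = "statisticsserver/jdoemachine.ibm.com:3023@ibm.com"
SAMPLE_KEYTAB = build_keytab([
    (SPN, 3, 18, b"\x00" * 32),
    (SPN, 3, 17, b"\x00" * 16),
    (SPN, 3, 23, b"\x00" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.kvno:>4}  {e.principal}  ({e.enctype_name})")
    print("SPN present:", bool(principal_in_keytab(SAMPLE_KEYTAB, SPN)))
```

To check a real file, read it with `open(path, "rb").read()` in place of SAMPLE_KEYTAB; an empty result from principal_in_keytab means the instance's SPN was never added (or was added against a different realm spelling), and a kvno that does not match what the KDC reports means the service account password was changed after the keytab was written.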