Configuring Kerberos credential caching
IBM® Spectrum Conductor, by default, uses the credential cache at /tmp/krb5cc_uid for Kerberos authentication from the command line. You can override this default through the KRB5CCNAME and EGOCC_FILE environment variables.
Before you begin
If you use Java implementations other than IBM Java JRE and strong encryption for Kerberos (typically enabled by default), your JRE must also support strong encryption. Otherwise, you will encounter errors indicating that the KDC does not support the encryption type. To fix this issue, take any one of the following actions: update your JRE, install the Java Cryptography Extension (JCE), or reconfigure Kerberos to not use strong encryption.
About this task
The credential cache file holds Kerberos credentials (for example, tickets, session keys, and other identifying information) in semi-permanent storage. The Kerberos protocol reads credentials from the cache as they are required and stores new credentials in the cache as they are obtained. By default, any user's ticket-granting-ticket (TGT) used on the client side is read from the default Kerberos credential cache (/tmp/krb5cc_uid).
To override this default, define the environment variable KRB5CCNAME or EGOCC_FILE. If both are defined, KRB5CCNAME takes precedence over EGOCC_FILE.
If ENABLE_PAM_AUTH=Y is set in sec_ego_gsskrb.conf to enable PAM authentication, a PAM credential cache (instead of a Kerberos credential cache) is generated at the location set by EGOCC_FILE, if that variable is defined. Otherwise, it is saved to the default credential cache (/tmp/secegocc_uid). With PAM authentication, a single authentication client might have two credential caches: a Kerberos credential cache and an EGO credential cache. Credentials are used in the following order of precedence: KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid.
Procedure
- When your instance group uses IBM Java JRE, if the user is logged in to Kerberos at the OS level, the KRB5CCNAME environment variable is set automatically after logon. When your instance group uses other Java implementations, set KRB5CCNAME to the absolute path of the credential cache file.
- Set the environment variable EGOCC_FILE to the absolute path of the credential cache file.
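The following shell script is an added example, not part of IBM Spectrum Conductor or its documentation. It walks the precedence order described under "About this task" (KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid) to show which cache file a client would pick up after the environment variables in the procedure above are set, and it checks that the selected file is not readable by other users. The function names, the optional tmpdir/uid arguments (used so the demo runs in a scratch directory instead of the real /tmp), and the treatment of "if it exists" as a plain regular-file test are this example's own assumptions; an optional FILE: prefix on KRB5CCNAME (the MIT Kerberos cache-type syntax) is accepted and stripped.

```shell
#!/bin/sh
# Added example; not part of IBM Spectrum Conductor or its documentation.
# Resolves the credential cache a client would use, in the precedence order
# the page documents: KRB5CCNAME > /tmp/krb5cc_<uid> > EGOCC_FILE > /tmp/secegocc_<uid>.
# Assumptions (this example's own): the function names, the optional
# tmpdir/uid arguments that let the demo run in a scratch directory, and the
# use of "regular file exists" as the "if it exists" test.

# resolve_cred_cache [tmpdir] [uid]
# Prints the first existing candidate in precedence order; returns 1 if none exists.
resolve_cred_cache() {
    tmp="${1:-/tmp}"
    uid="${2:-$(id -u)}"
    for candidate in \
        "${KRB5CCNAME:-}" \
        "$tmp/krb5cc_$uid" \
        "${EGOCC_FILE:-}" \
        "$tmp/secegocc_$uid"
    do
        candidate="${candidate#FILE:}"   # accept FILE:/path (MIT syntax) as well as /path
        [ -n "$candidate" ] || continue  # variable was unset or empty
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# cache_is_private <file>
# Returns 0 only when no group/other permission bits are set (mode 0600 or
# stricter), which is what a file holding tickets and session keys should have.
cache_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Demo in a scratch directory so real caches under /tmp are never touched.
# Constructed sample files stand in for caches that kinit or PAM would write.
demo() {
    d=$(mktemp -d)
    : > "$d/krb5cc_1000"; : > "$d/secegocc_1000"; chmod 600 "$d"/*
    echo "no variables set: $(resolve_cred_cache "$d" 1000)"
    EGOCC_FILE="$d/ego.cc"; : > "$EGOCC_FILE"; chmod 644 "$EGOCC_FILE"
    echo "EGOCC_FILE set:   $(resolve_cred_cache "$d" 1000)  (default krb5cc still outranks EGOCC_FILE)"
    rm "$d/krb5cc_1000"
    echo "krb5cc removed:   $(resolve_cred_cache "$d" 1000)"
    cache_is_private "$EGOCC_FILE" || echo "warning: $EGOCC_FILE is readable by other users"
    KRB5CCNAME="FILE:$d/krb.cc"; : > "$d/krb.cc"
    echo "KRB5CCNAME set:   $(resolve_cred_cache "$d" 1000)"
    rm -r "$d"
}
demo
```

Run on a real host without arguments, resolve_cred_cache uses /tmp and the caller's uid, so it reports the same file the command-line client would read given the current KRB5CCNAME and EGOCC_FILE settings; the permission check is worth keeping in any wrapper, since a cache that other users can read exposes the TGT and session keys stored in it.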