Managing keytab files

You can maintain the keytab file using either the character-based interface or System i® Navigator.

As the network administrator, you need to maintain the keytab file, also called the key table, and its contents on the IBM® i operating system. You can manage the keytab file and its associated keytab entries by using either the character-based interface or System i Navigator.

Managing keytab files using the character-based interface

  • The keytab command can be used to add a key to, delete a key from, or list the keys in a key table. For example, to add a key for the service principal krbsvr400 on the host kdc1.myco.com in realm MYCO.COM, use one of the following methods:
    • On a Qshell command line, enter: keytab add krbsvr400/kdc1.myco.com@MYCO.COM
    • On an IBM i control language (CL) command line, enter: call qsys/qkrbkeytab parm('add' 'krbsvr400/kdc1.myco.com@MYCO.COM')

    You will be prompted for the password that was used when the service was defined to the Kerberos server.

    See the keytab usage notes for specifics on this Qshell command's usage and restrictions.

  • On the CL command line, you can also use the Add Kerberos Keytab Entry (ADDKRBKTE), Display Kerberos Keytab Entries (DSPKRBKTE), and Remove Kerberos Keytab Entry (RMVKRBKTE) commands to manage keytab files.
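
After adding or removing entries, it helps to confirm which principals, key versions, and encryption types a key table actually holds. The Python code below is an added example, not IBM code: it lists the entries in a key table file, assuming the file uses the MIT Kerberos keytab layout, version 0x0502 (an assumption, since this page does not describe the file format). The sample bytes, including encryption type 18, are constructed around the principal used above.

```python
import struct

def _parse_entry(rec):
    off = 0
    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return vals
    def counted():                       # 16-bit length, then that many bytes
        nonlocal off
        (n,) = take(">H")
        if off + n > len(rec):
            raise ValueError("length field runs past end of entry")
        off += n
        return rec[off - n:off]
    (ncomp,) = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    _name_type, _timestamp, kvno, enctype = take(">IIBH")
    key = counted()
    if len(rec) - off >= 4:              # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I")[0] or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": enctype, "key_len": len(key)}  # key bytes are not returned

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 key table")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                     # negative size = hole left by a deleted entry
            if pos + size > len(data):
                raise ValueError("truncated entry")
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def sample_keytab():
    """Constructed sample: the page's principal at kvno 1 and 2 around a hole."""
    def entry(kvno, key):
        body = (b"\x00\x02" b"\x00\x08MYCO.COM" b"\x00\x09krbsvr400"
                b"\x00\x0dkdc1.myco.com" + struct.pack(">IIBH", 1, 0, kvno, 18)
                + struct.pack(">H", len(key)) + key + struct.pack(">I", kvno))
        return struct.pack(">i", len(body)) + body
    hole = struct.pack(">i", -8) + b"\x00" * 8
    return b"\x05\x02" + entry(1, b"\x00" * 32) + hole + entry(2, b"\x11" * 32)
```

Calling parse_keytab(sample_keytab()) returns one dictionary per entry. Run it against a copy of the key table, which holds long-term keys and should stay readable only by the accounts that need it.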

Managing keytab files using System i Navigator

You can use System i Navigator to add keytab entries to the key table. System i Navigator allows you to add keytab entries for the following services:

  • IBM i Kerberos authentication
  • LDAP
  • IBM HTTP Server
  • IBM i NetServer
  • Network File System Server

To add a keytab entry to the keytab file, follow these steps:
  1. In System i Navigator, expand your system > Security.
  2. Right-click Network Authentication Service and select Manage Keytab. This launches a portion of the Network Authentication Service wizard that enables you to add keytab entries.
  3. On the Select keytab entries page, select the types of services for which you want to add keytab entries, for example, IBM i Kerberos Authentication. Click Next.
  4. On the Create IBM i keytab entry page, enter and confirm a password. This password should be the same password that you use when you add the associated service principal to the Kerberos server. If you selected any of the other types of services, such as LDAP, HTTP Server, IBM i NetServer, or Network File System Server in step 3, you will also see pages that enable you to create keytab entries for each of those services.
  5. On the Summary page, view the list of IBM i services and service principals that will be added as keytab entries to the keytab file.