A Kerberos Principal represents a unique identity in a Kerberos system to which Kerberos can assign tickets to access Kerberos-aware services. Principal names are made up of several components separated by the / separator. You can also specify a realm as the last component of the name by using the @ character. If no realm is given, the Principal is assumed to belong to the default realm, as configured in the krb5.conf file.
Typically, a Principal name comprises three parts: the primary, the instance, and the realm. The format of a typical Kerberos v5 Principal name is:

primary/instance@realm

- Primary: If the Principal represents a user in the system, the primary is the username of the user. Alternatively, for a host, the primary is specified as the host string.
- Instance: The instance can be used to further qualify the primary (for example, user/admin@foo.abc.com).
- Realm: This is your Kerberos realm, which is usually a domain name in upper case letters. For example, the foo.abc.com machine is in the ABC.COM Kerberos realm.
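The naming rules above (components separated by /, an optional @realm, and the krb5.conf default realm when none is given), worked as an added example that is not from this page or from the Policy Studio product. It goes slightly beyond the page by honouring the backslash escapes krb5 uses for a literal / or @ inside a component; the krb5.conf text and all principal names are constructed.

```python
from dataclasses import dataclass
# Constructed stand-in for /etc/krb5.conf (not from the page); only default_realm is consulted.
SAMPLE_KRB5_CONF = "[libdefaults]\n  default_realm = ABC.COM\n  dns_lookup_kdc = false\n"

def default_realm(krb5_conf_text: str) -> str:
    """Return default_realm from the [libdefaults] section of krb5.conf text."""
    section = None
    for line in (ln.split("#", 1)[0].strip() for ln in krb5_conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.partition("=")[0].strip() == "default_realm":
            return line.partition("=")[2].strip()
    raise ValueError("krb5.conf sets no default_realm in [libdefaults]")

@dataclass(frozen=True)
class Principal:
    components: tuple  # (primary, instance, ...) from the primary/instance@realm form
    realm: str
    primary = property(lambda self: self.components[0])
    instance = property(lambda self: self.components[1] if len(self.components) > 1 else None)
    def __str__(self) -> str:  # canonical form, re-escaping '\', '/' and '@' inside components
        esc = lambda c: c.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        return "/".join(esc(c) for c in self.components) + "@" + self.realm

def _tokenize(name: str):  # yields (separator, piece) pairs; the first separator is ''
    sep, buf, i = "", [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # backslash escape: keep the next char literally
            buf.append(name[i + 1]); i += 1
        elif ch in "/@":  # an unescaped separator ends the current piece
            yield sep, "".join(buf); sep, buf = ch, []
        else:
            buf.append(ch)
        i += 1
    yield sep, "".join(buf)

def parse_principal(name: str, krb5_conf_text: str = SAMPLE_KRB5_CONF) -> Principal:
    """Parse primary[/instance...][@realm]; a missing realm means the krb5.conf default realm."""
    components, realm = [], None
    for sep, piece in _tokenize(name):
        if sep == "@" and realm is None:
            realm = piece
        elif sep == "@" or realm is not None:  # a second '@', or a '/' after the realm began
            raise ValueError(f"misplaced separator in the realm part of {name!r}")
        else:
            components.append(piece)
    if not all(components) or realm == "":
        raise ValueError(f"empty component or realm in {name!r}")
    return Principal(tuple(components), realm if realm is not None else default_realm(krb5_conf_text))
```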
You can configure Kerberos Principals globally under the External Connections node in the Policy Studio tree. To configure a Kerberos Principal, right-click the Kerberos Principals node, and select the Add a Kerberos Principal option from the context menu. Complete the following fields on the Kerberos Principal dialog:

Name: Enter a friendly name for the Kerberos Principal. This name will be available for selection from drop-down lists in other Kerberos-related configuration screens in the Policy Studio.

Principal Name: Enter the name of the Kerberos Principal in this field. The Principal name consists of a number of components separated using the / separator. The realm should be specified here if the Principal belongs to a non-default realm, or if no default realm is configured.

Principal Type: Select the type of Principal specified in the field above. The following table lists the available Principal Types.
Note: The Principal Name Types and their corresponding OIDs are defined in the General Security Services (GSS) API.
Principal Name Type | Explanation | OID |
---|---|---|
NT_USER_NAME | The Principal name identifies a named user on the local system. | 1.2.840.113554.1.2.1.1 |
KERBEROS_V5_PRINCIPAL_NAME | The Principal name represents a Kerberos version 5 Principal. | 1.2.840.113554.1.2.2.1 |
NT_EXPORT_NAME | The Principal name represents an exported canonical byte representation of the name (for example, which can be used when searching for the Principal in an Access Control List (ACL)). | 1.3.6.1.5.6.4 |
NT_HOSTBASED_SERVICE | The Principal name identifies a service associated with a specific host. | 1.3.6.1.5.6.2 |
You can add new Principal Types by clicking the Add button. The name entered in the Name field of the Kerberos Principal Name OID dialog must correspond to one of the constant fields defined in the org.ietf.jgss.GSSName Java class. Similarly, the corresponding OID for this name type must be entered in the OID field of the dialog. Refer to the GSSName Javadoc for the other allowable name types and their OIDs.
Important: OIDs and Principal Type Names should only be changed to reflect changes in the underlying GSS API. Because of this, you should only choose to Edit existing Principal Types under strict supervision from the Oracle support team.