Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Create, Use, and Store a New Master Key for the Kerberos Database

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Create a new master key.

    This command adds a new master key to the master key principal, K/M, but does not make it active. The new key is derived from the master password that you type at the prompt, so choose that password with the same care as the original one. The -s option also stores the new key in the default stash file (/var/krb5/.k5.EXAMPLE.COM in this example) so that the KDC can open the database without prompting for the password.

    # kdb5_util add_mkey -s
    
    Creating new master key for master key principal 'K/M@EXAMPLE.COM'
    You will be prompted for a new database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:/** Type strong password **/
    Re-enter KDC database master key to verify: xxxxxxxx
  2. Verify that the new master key exists.
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KVNO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, No activate time set
    KVNO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *

    The asterisk in this output identifies the currently active master key. The new key, KVNO 2, exists but has no activation time yet, so all principal keys are still protected by KVNO 1.

  3. Set a time for the newly created master key to become active.
    # date
    Fri Jul 11 17:57:00 CDT 2014
    # kdb5_util use_mkey 2 'now+2days'
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KVNO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014
    KVNO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *

    In this example, the activation time is set two days in the future to allow time for the new master key to reach every KDC before it becomes active. Propagating the database (for example, with kprop) carries the K/M principal to the replica KDCs, but not the stash file: run kdb5_util stash on each replica after the database has been propagated so that its stash file also contains KVNO 2. A KDC whose stash file lacks the active master key cannot decrypt the principal keys that the new master key protects, and fails to issue tickets for those principals once the key is active. Adjust the date as appropriate for your environment.

  4. (Optional) After the new master key has become active, create a new principal and verify that its key is protected by the new master key.
    # kadmin.local -q 'getprinc tamiko' | egrep 'Principal|MKey'
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Principal: tamiko@EXAMPLE.COM
    MKey: vno 2

    In this example, MKey: vno 2 indicates that the principal's secret key is protected by the newly created master key, KVNO 2. Principals created before the activation time still report vno 1 until their keys are re-encrypted in the next step.

  5. Re-encrypt the principal secret keys with the new master key.

    Run this step after the activation time has passed. The command re-encrypts each principal's key data with the currently active master key and skips principals whose keys are already protected by it. Without a pattern argument, every principal in the database is processed; add a pattern argument to the end of the command to restrict the update to the principals that match. The -n option performs a dry run that only reports which principals would be updated, the -v option lists each principal as it is processed, and the -f option skips the confirmation prompt. Run the dry run first and review its list before you re-encrypt.

    # kdb5_util update_princ_encryption -f -v
    Principals whose keys WOULD BE re-encrypted to master key vno 2:
    updating: host/kdc1.example.com@EXAMPLE.COM
    skipping:   tamiko@EXAMPLE.COM
    updating: kadmin/changepw@EXAMPLE.COM
    updating: kadmin/history@EXAMPLE.COM
    updating: kdc/admin@EXAMPLE.COM
    updating: host/kdc2.example.com@EXAMPLE.COM
    6 principals processed: 5 updated, 1 already current
  6. Purge the old master key.

    After a master key no longer protects any principal secret key, it can be purged from the master key principal. The command does not purge a key that is still used by any principal. Add the -n option to perform a dry run and verify which master key would be purged; the -v option lists the keys and the -f option skips the confirmation prompt.

    # kdb5_util purge_mkeys -f -v
    Purging the following master key(s) from K/M@EXAMPLE.COM:
    KVNO: 1
    1 key(s) purged.
  7. Verify that the old master key has been purged.
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KVNO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *
  8. Update the stash file.

    The stash file still holds the purged master key. This command uses the keys in the existing stash file to open the database and rewrites the stash file with only the master keys that remain on the K/M principal. Repeat it on each replica KDC after the database has been propagated to it.
    # kdb5_util stash
    Using existing stashed keys to update stash file.
  9. Verify that the stash file has been updated.
    # klist -kt /var/krb5/.k5.EXAMPLE.COM
    Keytab name: FILE:.k5.EXAMPLE.COM
    KVNO Timestamp              Principal
    ---- ---------------- ---------------------------------------------------------
    2 05/11/2014 18:03 K/M@EXAMPLE.COM

    Only the remaining master key, KVNO 2, is listed. Because the stash file is a keytab-format file that holds the master key in the clear, check that it stays readable by root only.
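The following Python script is an added pre-purge check for the procedure above; it is example code written for this page, not part of the Oracle Solaris documentation or of kdb5_util. It parses the text that kdb5_util list_mkeys, kdb5_util update_princ_encryption -n -v and klist -kt (run against each KDC's stash file) print, and allows the purge in step 6 only when the old master key is no longer the active key, no principal key still depends on it, and every KDC's stash file contains the active key. The sample outputs are constructed to match the transcript on this page; the realm, the KDC names kdc1 and kdc2, and the assumption that every KDC keeps its stash file at the same path are assumptions. The per-principal lines are accepted with the "updating:" wording shown on this page as well as with "would update:".

```python
"""Pre-purge checks for a kdb5_util master key rotation: parse the text that the
procedure's commands print and decide whether the old master key may be purged.
Sample outputs are constructed; realm, KDC names and principals are assumptions."""
import re

# `kdb5_util list_mkeys` once the use_mkey activation time has passed (constructed).
LIST_MKEYS = """\
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *
KVNO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011
"""
# `kdb5_util update_princ_encryption -n -v` before step 5 (constructed, wording as on
# the page) and the same dry run after step 5, when every principal is current.
DRY_RUN_BEFORE = """\
Principals whose keys WOULD BE re-encrypted to master key vno 2:
updating: host/kdc1.example.com@EXAMPLE.COM
skipping: tamiko@EXAMPLE.COM
updating: kadmin/changepw@EXAMPLE.COM
updating: kadmin/history@EXAMPLE.COM
updating: kdc/admin@EXAMPLE.COM
updating: host/kdc2.example.com@EXAMPLE.COM
6 principals processed: 5 updated, 1 already current
"""
DRY_RUN_AFTER = DRY_RUN_BEFORE.replace("updating:", "skipping:").replace(
    "5 updated, 1 already", "0 updated, 6 already")
# `klist -kt /var/krb5/.k5.EXAMPLE.COM` on each KDC (constructed): kdc2 never ran
# `kdb5_util stash` after the database was propagated, so its stash lacks KVNO 2.
STASH_KDC1 = """\
Keytab name: FILE:/var/krb5/.k5.EXAMPLE.COM
KVNO Timestamp        Principal
---- ---------------- ----------------------------------------------------
   1 12/31/2011 18:00 K/M@EXAMPLE.COM
   2 07/11/2014 17:57 K/M@EXAMPLE.COM
"""
STASH_KDC2 = "\n".join(STASH_KDC1.splitlines()[:-1]) + "\n"

def parse_list_mkeys(text):
    """Map KVNO -> {enctype, activation, active}; a trailing '*' marks the active key.
    Entries that a pager wrapped onto a second line are joined back together."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("KVNO:"):
            entries.append(line)
        elif entries and line and not line.startswith("Master keys"):
            entries[-1] += " " + line
    keys = {}
    for entry in entries:
        m = re.fullmatch(r"KVNO:\s*(\d+),\s*Enctype:\s*(.*?),\s*(.*?)\s*(\*)?", entry)
        if not m:
            raise ValueError("unrecognised list_mkeys entry: " + entry)
        kvno, enctype, activation, star = m.groups()
        keys[int(kvno)] = {"enctype": enctype, "activation": activation, "active": star == "*"}
    return keys

def parse_update_princ_encryption(text):
    """(pending, current) principals from `update_princ_encryption -n -v`, cross-checked
    against the summary line so a truncated capture is not mistaken for 'all current'."""
    pending, current, summary = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"(?:updating|would update):\s*(\S+)", line):
            pending.append(m.group(1))
        elif m := re.fullmatch(r"skipping:\s*(\S+)", line):
            current.append(m.group(1))
        elif m := re.fullmatch(r"(\d+) principals processed: (\d+) updated, (\d+) already current", line):
            summary = tuple(int(x) for x in m.groups())
    if summary != (len(pending) + len(current), len(pending), len(current)):
        raise ValueError(f"summary line {summary} disagrees with the listed principals")
    return pending, current

def parse_stash_kvnos(text, principal="K/M@EXAMPLE.COM"):
    """KVNOs held for the master key principal in `klist -kt <stash file>` output."""
    kvnos = set()
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*", line)
        if m and m.group(2) == principal:
            kvnos.add(int(m.group(1)))
    return kvnos

def ready_to_purge(old_kvno, list_mkeys_out, dry_run_out, stash_outs, realm="EXAMPLE.COM"):
    """Return (ok, reasons): ok only if old_kvno is no longer the active key, no principal
    key still depends on it, and every KDC's stash (stash_outs: name -> klist output)
    holds the active key."""
    reasons, mkeys = [], parse_list_mkeys(list_mkeys_out)
    active = [k for k, v in mkeys.items() if v["active"]]
    if len(active) != 1:
        reasons.append(f"expected exactly one active master key, found {active}")
    elif active[0] == old_kvno:
        reasons.append(f"KVNO {old_kvno} is still the active master key")
    if pending := parse_update_princ_encryption(dry_run_out)[0]:
        reasons.append(f"{len(pending)} principal(s) still need re-encryption: " + ", ".join(pending))
    for kdc, out in stash_outs.items():
        have = parse_stash_kvnos(out, f"K/M@{realm}")
        if active and active[0] not in have:
            reasons.append(f"{kdc}: stash file lacks active KVNO {active[0]}, has {sorted(have)}")
    return not reasons, reasons

if __name__ == "__main__":
    stale = {"kdc1": STASH_KDC1, "kdc2": STASH_KDC2}
    fresh = {"kdc1": STASH_KDC1, "kdc2": STASH_KDC1}
    for label, dry, stashes in [("before re-encryption", DRY_RUN_BEFORE, stale),
                                ("kdc2 stash stale", DRY_RUN_AFTER, stale),
                                ("all current", DRY_RUN_AFTER, fresh)]:
        ok, why = ready_to_purge(1, LIST_MKEYS, dry, stashes)
        print(f"{label}: " + ("purge OK" if ok else "do NOT purge: " + "; ".join(why)))
```

In use, capture the three outputs on the master KDC (and klist -kt output from each replica after it has run kdb5_util stash) into files and pass their contents to ready_to_purge with the KVNO you intend to purge; the function returns the reasons for refusing rather than just a flag, so the missing stash update on a replica is reported by name. The summary-line cross-check exists because a dry run captured from a pager or a truncated log could otherwise look like "nothing pending".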