
Oracle® ZFS Storage Appliance Administration Guide, Release OS8.7.x


Updated: September 2017
 
 

Importing Kerberos Keys (CLI)

Use the following procedure to import Kerberos keys that were created on the KDC. The keys are then stored in the appliance keytab. This task does not require login credentials on the KDC. Each property is described in Kerberos Service Properties and Kerberos Properties and Logs.

Before You Begin

Ensure that you have enabled the Kerberos service, set the realm, and identified the KDC(s) as described in Creating a Kerberos Realm (CLI).

  1. Go to configuration services kerberos importkeytab and enter show to view the properties.
    hostname:configuration services kerberos importkeytab (uncommitted)> show
    Properties:
                              url = (unset)
                             user = (unset)
                         password = (unset)
  2. Enter set url= and the URL of the Kerberos keytab file.
    hostname:configuration services kerberos importkeytab (uncommitted)> set url=http://akbuild1/shares/export/123456/demo.keytab
                              url = http://akbuild1/shares/export/123456/demo.keytab
  3. Enter set user= and the user name for URL access.
    hostname:configuration services kerberos importkeytab (uncommitted)> set user=myusername
                             user = myusername
  4. Enter set password= and the password for URL access, and then enter commit.
    hostname:configuration services kerberos importkeytab (uncommitted)> set password=letmein
                         password = *******
    hostname:configuration services kerberos importkeytab (uncommitted)> commit
    Transferred 718 of 718 (100%) . . . done
    Imported 8 keys.
  5. Enter show to view the realms and KDCs.
    hostname:configuration services kerberos> show
    Properties:
                         <status> = online
                allow_weak_crypto = true
    Realms:
    REALM          KDC
    TEST.NET       kdc1.us.oracle.com
  6. To view the principals for a realm, select a realm and enter show.
    hostname:configuration services kerberos> select TEST.NET
    hostname:configuration services kerberos TEST.NET> show
    Properties:
                    kdcs = kdc1.us.oracle.com
    Keytab entries:
    NAME            KEYS  PRINCIPAL
    principal-000   4     host/hostname.us.oracle.com@TEST.NET
    principal-001   4     nfs/hostname.us.oracle.com@TEST.NET
  7. To view the keys for a principal, select a principal and enter show.
    hostname:configuration services kerberos TEST.NET> select principal-001
    hostname:configuration services kerberos principal-001> show
    Properties:
                     name = nfs/hostname.us.oracle.com@TEST.NET
    Keys:
    KEY       KVNO   ENCTYPENO   ENCTYPE
    key-000   28     18          AES-256 CTS mode with 96-bit SHA-1 HMAC
    key-001   28     17          AES-128 CTS mode with 96-bit SHA-1 HMAC
    key-002   28     16          Triple DES cbc mode with HMAC/sha1
    key-003   28     23          ArcFour with HMAC/md5
    key-004   28     24          Exportable ArcFour with HMAC/md5
    key-005   28     3           DES cbc mode with RSA-MD5
    key-006   28     1           DES cbc mode with CRC-32

    Legend for column headings:

    • KEY = Key name

    • KVNO = Key version number

    • ENCTYPENO = Encryption type number

    • ENCTYPE = Encryption type

  8. To view the properties of a key, select a key and enter show.
    hostname:configuration services kerberos principal-001> select key-003
    hostname:configuration services kerberos principal-001 key-003> show
    Properties:
                   principal = nfs/hostname.us.oracle.com@TEST.NET
                        kvno = 28
                     enctype = ArcFour with HMAC/md5
                   enctypeno = 23
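
The key listing in step 7 includes DES, Triple DES and ArcFour keys, so it is useful to know which encryption types a keytab carries before it is imported. The following is an added example, not part of the Oracle guide or the appliance software: it parses a keytab offline and reports entries whose enctype is deprecated by RFC 6649 and RFC 8429. It assumes the file exported from the KDC is in the MIT keytab format, version 0x0502; the function names and the all-zero sample keytab are constructed for illustration.

```python
import struct
# IANA enctype numbers deprecated by RFC 6649 (DES, RC4 export) and RFC 8429 (3DES, RC4).
DEPRECATED = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
              16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

def counted(buf, off):  # uint16 length-prefixed octet string -> (data, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Return (principal, kvno, enctype number) for each entry of a 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(blob):
        (size,), pos = struct.unpack_from(">i", blob, pos), pos + 4
        if size <= 0:                    # negative size marks a deleted slot to skip
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            comp, off = counted(entry, off)
            parts.append(comp.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, off)
        _key, off = counted(entry, off + 11)   # key bytes are read past, never kept
        if len(entry) - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        out.append(("/".join(parts) + "@" + realm.decode(), kvno, etype))
    return out

def weak_keys(blob):  # entries with a deprecated enctype: (principal, kvno, number, name)
    return [(p, k, e, DEPRECATED[e]) for p, k, e in parse_keytab(blob) if e in DEPRECATED]

def sample_entry(principal, realm, kvno, etype, keylen):
    """Constructed test data: one keytab entry with an all-zero key (not a real key)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(bytes(keylen)))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(sample_entry("nfs/hostname.us.oracle.com", "TEST.NET", 28, e, n)
                                for e, n in [(18, 32), (17, 16), (23, 16), (3, 8)])
```

Calling `weak_keys()` on the bytes of a real keytab file gives the principals and key versions that would need re-keying with AES enctypes on the KDC before `allow_weak_crypto` could be turned off.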