Using the krb5.conf file
Recommendation
You should delete the krb5.conf file unless you need to explicitly configure the settings specified in this topic.
Some configuration options (such as the KDC timeout) cannot be set in the Kerberos Editor; for those, you can create a krb5.conf file. The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.
This topic describes where the krb5.conf file is located and which settings you can configure in it.
Location of krb5.conf file
You may look for the krb5.conf file in the following locations. If the file is not available, you may create the krb5.conf file in <AtriumSSO_Installation_Directory>\jre\lib\security.
- If the system property java.security.krb5.conf is set, its value is assumed to specify the path and file name.
- If that system property is not set, the configuration file is looked for in the directory <java-home>\lib\security (Windows) or <java-home>/lib/security (Solaris and Linux). Here <java-home> refers to the directory where the JRE was installed. For a Windows installation of BMC Atrium Single Sign-On with built-in Java, the directory in which the configuration file is looked for is <AtriumSSO_Installation_Directory>\jre\lib\security.
- If the file is still not found, an attempt is made to locate it at /etc/krb5/krb5.conf (Solaris), c:\winnt\krb5.ini (Windows), or /etc/krb5.conf (Linux).
- If the file is still not found, and the configuration information being searched for is not the default realm and KDC, then implementation-specific defaults are used. If, on the other hand, the configuration information being searched for is the default realm and KDC because they were not specified in system properties, and the krb5.conf file is not found either, then an exception is thrown.
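As an added example (not code from the BMC documentation or from the JRE), the following Python function mirrors the search order above. The `exists` argument is injectable so the lookup can be exercised without touching disk, and the OS default paths are the three listed above.

```python
import os
from typing import Callable, Optional

# Default locations from the search order documented above, keyed by OS name.
OS_DEFAULT_PATHS = {
    "windows": r"c:\winnt\krb5.ini",
    "solaris": "/etc/krb5/krb5.conf",
    "linux": "/etc/krb5.conf",
}


class Krb5ConfigMissing(Exception):
    """Raised when no file is found and the default realm/KDC were needed."""


def resolve_krb5_conf(
    java_home: str,
    os_name: str,
    system_property: Optional[str] = None,
    need_default_realm: bool = False,
    exists: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Return the krb5.conf path the JRE would use, following the documented order.

    1. The java.security.krb5.conf system property, if set (taken as-is; the JRE
       assumes it names the file, so it is not checked for existence here).
    2. <java-home>/lib/security/krb5.conf
    3. The OS-specific default location.
    Returns None when nothing is found and implementation defaults apply;
    raises Krb5ConfigMissing when the default realm and KDC were required.
    """
    if system_property:
        return system_property
    candidates = [os.path.join(java_home, "lib", "security", "krb5.conf")]
    os_default = OS_DEFAULT_PATHS.get(os_name.lower())
    if os_default:
        candidates.append(os_default)
    for path in candidates:
        if exists(path):
            return path
    if need_default_realm:
        raise Krb5ConfigMissing(
            "default realm and KDC are not set in system properties and no krb5.conf was found"
        )
    return None
```

Calling `resolve_krb5_conf("/opt/jre", "linux", exists=lambda p: p in {"/etc/krb5.conf"})` returns the Linux default; with the JRE copy also present, the JRE copy wins, which is the precedence an administrator has to keep in mind when a stale file under `<java-home>/lib/security` shadows the system-wide one.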
Encryption types
Any tag in the configuration file that takes a list of encryption types can be set to some combination of the following strings.
Note
Encryption types marked as weak are available for compatibility but not recommended for use.
| String | Encryption type |
|---|---|
| des-cbc-crc | DES cbc mode with CRC-32 (weak) |
| des-cbc-md4 | DES cbc mode with RSA-MD4 (weak) |
| des-cbc-md5 | DES cbc mode with RSA-MD5 (weak) |
| des-cbc-raw | DES cbc mode raw (weak) |
| des3-cbc-raw | Triple DES cbc mode raw (weak) |
| des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd | Triple DES cbc mode with HMAC/sha1 |
| des-hmac-sha1 | DES with HMAC/sha1 (weak) |
| aes256-cts-hmac-sha1-96 aes256-cts | AES-256 CTS mode with 96-bit SHA-1 HMAC |
| aes128-cts-hmac-sha1-96 aes128-cts | AES-128 CTS mode with 96-bit SHA-1 HMAC |
| arcfour-hmac rc4-hmac arcfour-hmac-md5 | RC4 with HMAC/MD5 |
| arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp | Exportable RC4 with HMAC/MD5 (weak) |
| camellia256-cts-cmac camellia256-cts | Camellia-256 CTS mode with CMAC |
| camellia128-cts-cmac camellia128-cts | Camellia-128 CTS mode with CMAC |
| des | The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) |
| des3 | The triple DES family: des3-cbc-sha1 |
| aes | The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 |
| rc4 | The RC4 family: arcfour-hmac |
| camellia | The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac |
You can use the DEFAULT string to refer to the default set of types for the variable in question. You can remove types or families from the current list by prefixing them with a hyphen (-). Prefixing a type or family with a plus (+) sign has the same meaning as listing it without a prefix. For example, DEFAULT -des is the default set of encryption types with the DES types removed, and des3 DEFAULT is the default set of encryption types with the triple DES types moved to the front.
While aes128-cts and aes256-cts are supported for all Kerberos operations, they are not supported by very old versions of the MIT krb5 GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5 without AES support must not be given AES keys in the KDC database.
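To make the list syntax concrete, here is an added Python example (not code from this page or from Kerberos itself) that expands a specification such as `DEFAULT -des` or `des3 DEFAULT` using the strings, aliases and families from the table above, and reports which of the resulting types the table marks as weak. The DEFAULT set it uses is a constructed stand-in; the real default depends on the Kerberos release in use.

```python
from typing import List

# Types the table above marks as weak.
WEAK = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp",
}

# Alternate spellings from the table, mapped to one canonical name each.
ALIASES = {
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp",
    "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac",
    "camellia128-cts": "camellia128-cts-cmac",
}

# Family names expand to the members the table lists for them.
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}

# Every canonical type name we know about, used to reject typos.
KNOWN = set(WEAK) | set(ALIASES.values()) | {m for fam in FAMILIES.values() for m in fam}

# Constructed stand-in for the library's DEFAULT set (assumption, not a real default).
DEFAULT_TYPES = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1",
    "arcfour-hmac", "camellia256-cts-cmac", "camellia128-cts-cmac",
    "des-cbc-crc", "des-cbc-md5",
]


def expand_enctypes(spec: str, default: List[str] = DEFAULT_TYPES) -> List[str]:
    """Expand a whitespace-separated enctype list as described above.

    Tokens are processed left to right. A bare token or a '+' token appends the
    type or the family's members (the first occurrence wins, so order is kept);
    a '-' token removes them; DEFAULT inserts the default set at that position.
    Unknown strings raise ValueError rather than silently producing an empty list.
    """
    result: List[str] = []
    for token in spec.split():
        remove = token.startswith("-")
        name = token.lstrip("+-").lower()
        if name == "default":
            members = list(default)
        elif name in FAMILIES:
            members = list(FAMILIES[name])
        else:
            canonical = ALIASES.get(name, name)
            if canonical not in KNOWN:
                raise ValueError(f"unknown encryption type: {token}")
            members = [canonical]
        if remove:
            result = [t for t in result if t not in members]
        else:
            for t in members:
                if t not in result:
                    result.append(t)
    return result


def weak_types(types: List[str]) -> List[str]:
    """Return the members of an expanded list that the table marks as weak."""
    return [t for t in types if t in WEAK]
```

`weak_types(expand_enctypes("DEFAULT -des"))` is empty for the constructed default, whereas `weak_types(expand_enctypes("DEFAULT"))` is not, which is the quickest way to see what a `-des` actually removes before committing the line to the file.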
Salt types
Kerberos keys for users are usually derived from passwords. To ensure that users who pick the same password do not end up with the same key, Kerberos 5 incorporates additional information into the key using a salt. The supported salt types are as follows:
| String | Salt type |
|---|---|
| normal | default for Kerberos Version 5 |
| v4 | the only type used by Kerberos Version 4 (no salt) |
| norealm | same as the default, without using realm information |
| onlyrealm | uses only realm information as the salt |
| afs3 | AFS version 3, only used for compatibility with Kerberos 4 in AFS |
| special | generate a random salt |
Wrong realms specified
Ensure that the realm names in your krb5.conf file are spelled correctly and correspond to realms that exist in your environment. Until the names are correct, your Kerberos applications might try to connect to the wrong realm, and you will have to debug the resulting failures.
Reducing timeout
If the primary KDC is unavailable at any moment for authentication, BMC Atrium Single Sign-On tries to use another KDC, if one is configured. During such a transition, the default timeout is 90 seconds for three attempts (3 attempts x 30 seconds). You may perform the following steps to reduce the timeout for each of the attempts.
- In the directory <AtriumSSO_Installation_Directory>\jre\lib\security, create a file named krb5.conf and enter the following lines in the file:
[libdefaults]
# timeout per KDC attempt, in milliseconds
kdc_timeout = 5000
The KDC timeout value is in milliseconds.
- Restart BMC Atrium Single Sign-On.
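The two checks a practitioner usually wants here, a realm-name consistency check for the "Wrong realms specified" section above and a read-back of the kdc_timeout value just set, are shown together in this added Python example, which is not code from the BMC documentation. The krb5.conf sample inside it is constructed: EXAMPLE.COM, CORP.EXAMPLE.COM and the kdc host names are placeholders, and the 30000 ms fallback is an assumption derived from the 3 x 30 seconds figure above.

```python
import re
from typing import Dict, List

# Constructed sample krb5.conf; the realm and host names are placeholders.
# CORP.EXAMPLE.COM is deliberately referenced but never defined under [realms].
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timeout = 5000

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
"""

Conf = Dict[str, Dict[str, List[str]]]


def parse_krb5_conf(text: str) -> Conf:
    """Parse the subset of krb5.conf syntax used above into {section: {key: [values]}}.

    Realm blocks in [realms] ("NAME = { ... }") are recorded as a bare key NAME
    (so defined realms are visible) and their settings as "NAME/setting".
    Blank lines and comment lines (# or ;) are skipped; repeated keys accumulate.
    """
    sections: Conf = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line}")
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            sections[section].setdefault(block, [])
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if block:
            key = f"{block}/{key}"
        sections[section].setdefault(key, []).append(value.strip())
    return sections


def realm_problems(conf: Conf) -> List[str]:
    """Report realms referenced in [libdefaults] or [domain_realm] but missing from
    [realms], realm names that are not upper-case (the conventional spelling, and a
    common source of the wrong-realm problem), and defined realms with no kdc."""
    realms = conf.get("realms", {})
    defined = {k for k in realms if "/" not in k}
    referenced = set(conf.get("libdefaults", {}).get("default_realm", []))
    for values in conf.get("domain_realm", {}).values():
        referenced.update(values)
    problems = []
    for realm in sorted(referenced - defined):
        problems.append(f"realm {realm!r} is referenced but has no [realms] entry")
    for realm in sorted(defined | referenced):
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not upper-case; check it against the real realm name")
    for realm in sorted(defined):
        if not realms.get(f"{realm}/kdc"):
            problems.append(f"realm {realm!r} lists no kdc")
    return problems


def kdc_timeout_ms(conf: Conf) -> int:
    """Return kdc_timeout from [libdefaults] in milliseconds; when unset, assume
    30000 ms per attempt (assumption based on the 3 x 30 seconds stated above)."""
    values = conf.get("libdefaults", {}).get("kdc_timeout")
    return int(values[-1]) if values else 30000
```

Running `realm_problems(parse_krb5_conf(SAMPLE_KRB5_CONF))` flags only CORP.EXAMPLE.COM, which is the kind of mismatch that otherwise surfaces as an application silently trying the wrong realm; `kdc_timeout_ms` on the same parse returns 5000.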