Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Generating a keytab for the service principal


Note

Anyone with read permissions to a keytab file can use all of the keys it contains. Permissions must be restricted and monitored on the keytab files that you create.

After the accounts for the service principals are created, a keytab file must be generated. This file contains the service principal's secret keys, which the BMC Atrium Single Sign-On servers use when working with the Key Distribution Center (KDC) and Active Directory. On an MIT Kerberos KDC, the kadmin ktadd command writes these keys to the keytab file; with Active Directory, the ktpass command described below is used instead.

To generate a keytab file for the service principal

  1. Run the ktpass command.
  2. Copy the generated keytab file to the BMC Atrium Single Sign-On server host.

ktpass command syntax

ktpass /out <file> /princ HTTP/<host>@<DOMAIN> /pass <password> /ptype KRB5_NT_PRINCIPAL /Target <DOMAIN> /kvno 0

In this case:

  • file is the name of the keytab file that you generate.
  • password is the password for the principal account.
  • host is the fully qualified name of the host including the internet domain.
  • DOMAIN is the Active Directory domain name.

ktpass command example

ktpass /out ssohost.keytab /pass mysecret /princ HTTP/ssohost.bmc.com@SAMPLE.BMC.COM /ptype KRB5_NT_PRINCIPAL /Target SAMPLE.BMC.COM /kvno 0

ktpass output example

C:\Documents and Settings\qaadmin>ktpass /out ssohost.keytab /pass mysecret /
princ HTTP/ssohost.bmc.com@SAMPLE.BMC.COM /ptype KRB5_NT_PRINCIPAL /Target
SAMPLE.BMC.COM
NOTE: creating a keytab but not mapping principal to any user.
     For the account to work within a Windows domain, the
     principal must be mapped to an account, either at the
     domain level (with /mapuser) or locally (using ksetup)
     If you intend to map HTTP/ssohost.bmc.com@SAMPLE.BMC.COM
     to an account through other means or don't need to map the
     user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to keytab:
Keytab version: 0x502
keysize 75 HTTP/ssohost.bmc.com@SAMPLE.BMC.COM ptype 1 (KRB5_NT_PRINCIPAL)
vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x612b7a16efa19ea8d1653256d953e702)
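Two details in the output above matter to whoever operates the server. First, the last line echoes the raw key bytes in hex, so the terminal transcript is as sensitive as the keytab itself. Second, because no /crypto option was given, ktpass produced an RC4-HMAC key (etype 0x17, keylength 16), which modern KDCs and clients increasingly refuse. The following Python script is an added example, not part of the BMC documentation or the ktpass tool: it parses a keytab in the 0x0502 format that ktpass, kadmin ktadd and ktutil write, lists each entry by principal, kvno and encryption type without ever copying key bytes out, flags weak encryption types, and implements the permission check the note at the top of this page asks for. The sample keytab it reads is constructed in memory from the principal in the example; its key bytes are placeholders, not the key shown above.

```python
"""Parse a Kerberos keytab (format 0x0502) and audit it without exposing keys.
Added example; assumes the MIT/Heimdat keytab layout described in the MIT
Kerberos documentation (2-byte version, then int32-size-prefixed entries)."""
import os
import stat
import struct

# Encryption-type numbers from RFC 3961/3962/8009; RC4-HMAC is RFC 4757.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac",
}
WEAK_ETYPES = {1, 3, 23}   # single DES and RC4-HMAC (unsalted NT hash)
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts. Keys are reported by length only."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted/free slot
            pos += -size
            continue
        ent, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, p); p += 2
        realm, p = _counted(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(ent, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", ent, p); p += 9
        etype, klen = struct.unpack_from(">HH", ent, p); p += 4
        p += klen               # skip the key bytes; never copy them out
        vno = vno8
        if p + 4 <= len(ent):   # optional 32-bit kvno extension at the end
            (vno,) = struct.unpack_from(">I", ent, p)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "timestamp": timestamp, "kvno": vno, "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, str(etype)), "keylength": klen,
        })
        pos += size
    return entries


def audit_keytab(data):
    """Return findings for entries that use a weak encryption type."""
    return ["%s kvno %d uses weak enctype %s" %
            (e["principal"], e["kvno"], e["etype_name"])
            for e in parse_keytab(data) if e["etype"] in WEAK_ETYPES]


def check_keytab_permissions(path):
    """POSIX mode check for the note above: flag any group/other read bit."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["%s is readable by group/other (mode %o)" % (path, stat.S_IMODE(mode))]
    return []


def build_entry(principal, etype, key, kvno, ts=0):
    """Serialise one entry; used here only to construct the sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)                        # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder key bytes): the principal from the ktpass
# example, first with the RC4 key ktpass produces by default, then re-keyed
# with AES-256 at the next kvno.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("HTTP/ssohost.bmc.com@SAMPLE.BMC.COM", 23, bytes(range(16)), 1)
    + build_entry("HTTP/ssohost.bmc.com@SAMPLE.BMC.COM", 18, bytes(range(32)), 2))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(etype_name)s keylength=%(keylength)d" % e)
    for finding in audit_keytab(SAMPLE_KEYTAB):
        print("WARNING:", finding)
```

To inspect a real file, pass open(path, "rb").read() to parse_keytab and audit_keytab, and run check_keytab_permissions(path) on Linux or UNIX hosts; the output lists principals and key lengths only, so it can be pasted into a change record without leaking key material.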
