
Team,

I am trying to implement SSO for a WAS7-based web application using Kerberos & SPNEGO. I am almost done with the configuration. I have a few doubts on Kerberos.

When I execute the command klist, following is the output.

Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM

Valid starting       Expires              Service principal
01/09/2014 16:15     02/09/2014 02:21     krbtgt/POC.MAIL.COM@POC.MAIL.COM
        renew until 08/09/2014 16:15

My question is "what do 'expires' and 'renew' indicate here?"

and "if it expires, what is the process of renewing it?"

Please put a comment if much information is required.

Chilukuri
  • Good answer about 'expires' and 'renew': http://stackoverflow.com/a/15457265/1206341 – greenmarker Sep 04 '14 at 10:59
  • In JDK7 we can't renew tickets: http://stackoverflow.com/a/25655304/1206341. – greenmarker Sep 04 '14 at 11:00
  • Using a ticket from the cache can be tricky, because you'll need a process that will periodically regenerate this ticket. Instead, it's better to use a keytab or principal+password. – greenmarker Sep 04 '14 at 11:03
  • My doubt is "When implementing Single Sign On using Kerberos and SPNEGO, what would be the impact of the klist command?" – Chilukuri Sep 04 '14 at 16:05
  • From the Web SSO point of view, you don't care about klist. The browser and OS are responsible for getting and renewing tickets. – Gas Sep 04 '14 at 21:05
  • @Chilukuri klist only lists already created tickets. To create needed TGT ticket you may use command kinit. – greenmarker Sep 05 '14 at 06:14
  • @Gas Maybe Chilukuri is building SSO with delegation? Server needs TGT for delegation, i.e. webpage logs into webserver using Kerberos, and then webserver logs into database using Kerberos to perform an operation for this user, as this user. This way database administrator knows who did what (or who's responsible, if something bad happened). Tracking the guilty person is more difficult when webserver connects to db as "webserver" for all the users. – greenmarker Sep 05 '14 at 06:19
  • When the web server only receives TGS tickets, then just as @Gas wrote, the web server only needs a keytab or a principal+password pair to open the TGS ticket using JGSS. – greenmarker Sep 05 '14 at 06:27
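The two times in the klist output mean different things: "Expires" ends the ticket's current lifetime, while "renew until" is the outer bound up to which a still-valid ticket can be extended with `kinit -R`; once a ticket has passed "Expires" the KDC refuses to renew it and a fresh `kinit` (keytab or password) is needed. The script below, added here as an example and not code from the question or any commenter, parses output laid out like the question's (it assumes the DD/MM/YYYY HH:MM timestamps shown; real klist output follows the machine's locale) and tells a ticket-refreshing process which of those actions applies at a given moment. `SAMPLE_KLIST` is a constructed copy of the question's output; `recommend_action` and its one-hour threshold are this example's own names.

```python
"""Parse MIT-style klist output and decide whether a ticket can still be
used, renewed with 'kinit -R', or must be re-obtained with a fresh kinit.

Added example, not code from the question or its commenters.  Assumes the
DD/MM/YYYY HH:MM timestamp layout shown in the question.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the klist output quoted in the question.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM

Valid starting       Expires              Service principal
01/09/2014 16:15     02/09/2014 02:21     krbtgt/POC.MAIL.COM@POC.MAIL.COM
        renew until 08/09/2014 16:15
"""

DATE_FMT = "%d/%m/%Y %H:%M"            # assumption: layout as in the question
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})\s*$")


def parse_time(text):
    """Turn a klist timestamp into a datetime."""
    return datetime.strptime(text, DATE_FMT)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets'}.  Each ticket is a dict with
    'service', 'start', 'expires' and 'renew_until' (None if not renewable)."""
    result = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            result["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line.strip())
        if m:
            result["tickets"].append({
                "start": parse_time(m.group(1)),
                "expires": parse_time(m.group(2)),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and result["tickets"]:
            # the "renew until" line belongs to the ticket just above it
            result["tickets"][-1]["renew_until"] = parse_time(m.group(1))
    return result


def ticket_state(ticket, now):
    """Classify a ticket at time `now`.

    'expires' ends the current lifetime: after it the ticket is unusable and
    the KDC will not renew it.  'renew_until' is the outer bound: a ticket
    that is still valid can be renewed (kinit -R) until then, each renewal
    granting at most one more lifetime.
    """
    seconds_left = int((ticket["expires"] - now).total_seconds())
    renew_until = ticket["renew_until"]
    renewable_now = (seconds_left > 0
                     and renew_until is not None
                     and renew_until > now)
    return {
        "state": "valid" if seconds_left > 0 else "expired",
        "seconds_left": seconds_left,
        "renewable_now": renewable_now,
    }


def recommend_action(ticket, now, threshold=timedelta(hours=1)):
    """What a periodic refresher should do now:
    'none'     - more than `threshold` of lifetime remains
    'kinit -R' - still valid and renew_until is far enough away to be worth it
    'kinit'    - expired, not renewable, or renewal horizon too close:
                 obtain a new TGT from a keytab or password"""
    st = ticket_state(ticket, now)
    if st["seconds_left"] > threshold.total_seconds():
        return "none"
    if st["renewable_now"] and ticket["renew_until"] - now > threshold:
        return "kinit -R"
    return "kinit"


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    tgt = info["tickets"][0]
    for when in ("01/09/2014 20:00", "02/09/2014 01:30", "02/09/2014 03:00"):
        now = parse_time(when)
        print(when, ticket_state(tgt, now), "->", recommend_action(tgt, now))
```

Run against real output with `parse_klist(subprocess.check_output(["klist"], text=True))` after adjusting `DATE_FMT` to the local layout; a cron or systemd timer that calls `recommend_action` every few minutes is the "process that periodically regenerates the ticket" the comments refer to, and it will correctly fall back to a fresh `kinit` once the 7-day renew window or the ticket's own lifetime has run out.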
