Using multiple keytabs with Krb5LoginModule
Weijun Wang
weijun.wang at oracle.com
Mon Mar 18 19:00:23 PDT 2013
JDK6 does not support two keytabs loaded at the same time. It was
designed that way. You can merge the two into one and Java will pick keys
by service names. Of course, if your two keytab files contain keys for
the same service and they are different, this won't work.
JDK7 should support it. Just point to different keytab files in
different entries of your JAAS config file. Something like
server {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="server/host"
    useKeyTab=true
    keyTab=server.keytab
    storeKey=true;
};
backend {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="backend/host"
    useKeyTab=true
    keyTab=backend.keytab
    storeKey=true;
};
Thanks
Max
On 3/18/13 2:58 PM, Vipul Mehta wrote:
> I want to use multiple keytabs within the same Kerberos server, so
> instead of using a JAAS configuration file I wrote my own login
> configuration. But it seems that Krb5LoginModule instances share the
> same keytab file location. To use a different keytab we need to set
> refreshKrb5Config to true in the login configuration class, which will
> refresh the configuration for all the Krb5LoginModule instances. Why
> doesn't Java 6 allow multiple keytab instances? There is some change in
> the approach to how Java 7 handles keytabs (I am not able to get it) but
> it looks like the problem exists in Java 7 as well.
>
> --
> Regards,
> Vipul