Integrate keytab generation with Java
04-04-2017 07:50 AM
I have a java program which uses keytabs that I generate using AD commands and ktpass.
I have to now integrate with Centrify and use its agent to generate keytabs rather than using AD and ktpass commands directly, for enhanced security. Assuming Centrify is installed on all host machines, is there a Centrify Java API that I have to use to internally generate keytabs or do I need to use commands such as adkeytab outside of my Java program?
I am new to Centrify so have not been able to understand this part as yet.
04-04-2017 08:08 AM
Just for clarification, how frequently do you generate a Keytab?
Note: Typically this is done infrequently.
Since a Kerberos key table file is the same (regardless of how it was created) you technically can generate them anywhere and use them anywhere.
As a courtesy, Centrify provides a tool called adkeytab. This tool provides much more flexibility than traditional tools like ktpass in Microsoft Kerberos environments. There is no Centrify Java API needed. Just point your program to the keytab and Kerberos does the rest.
Since you're new to this here's a link to a PDF that explains everything you need to know about adkeytab: http://community.centrify.com/centrify/attachments/centrify/bd_1/768/1/Understanding%20adkeytab.pdf
It's very important to understand the adkeytab operations and the AD permissions required in the user principal that the keytab will be based on:
Here are a few examples of common operations:
Resetting a Machine account password:
Resetting the system keytab with user and verbose output.
$ dzdo adkeytab -r -u frank -V
This comes in handy if the system loses its trust relationship with AD.
Adding the oracle SPN to a system called engcen6 with user frank, with verbose output:
$ sudo adkeytab --addspn --principal oracle/engcen6 --user frank --verbose
$ sudo adkeytab --delspn --principal oracle/engcen6 --user dwirth --verbose
This comes in handy in scenarios like Hadoop or clustering.
Adopting an AD service account for automatic AD joins:
Adopted the existing account "ad-joiner" with CN "AD Joiner Service Account" using frank's ID and created the keytab called ad-joiner.keytab in the local folder with verbose output.
Note: the last parameter is the "cn" (container name) - this may differ from the account name (samaccountname)
$ dzdo /usr/sbin/adkeytab --adopt --user frank --samname ad-joiner --keytab ad-joiner.keytab -V "AD Joiner Service Account"
This comes in handy to create a keytab used for DevOps.
This post contains all the adkeytab exit codes too for your reference.
04-04-2017 08:48 PM
Thank you so much for your inputs. I generate keytabs very rarely.
I have a follow up question:
To add more context, we have been using this command outside of java process as an example:
ktpass -out some.keytab -mapuser some_user@ABC.COM -pass <password> -princ someprinc/princ.abc.com@ABC.COM -crypto all
The contention is that this requires a domain based service account. So, we have been instructed to integrate with Centrify.
Is there a way to integrate with Centrify and generate those? This is the most confusing part which I am unable to understand. So, does this mean that there is some Java API that I must use to generate keytabs from within my Java process?
04-05-2017 05:59 AM
adkeytab will be the tool you'll be using instead of ktpass.
There is no Java API. adkeytab is installed on all UNIX, Linux or Mac systems running Centrify's adclient.
For example, the command you have below would be something like
adkeytab --adopt --samname some_user --principal someprinc/princ.abc.com@ABC.COM
The difference in the process is that AD is your Kerberos infrastructure and you may have separation of duties (this is not a contention issue, but a security control implemented as a process); therefore you need to coordinate with your security team to have an AD user account created that you can adopt (see the above matrix). Alternatively, you also want to make sure the password is randomized and unknown by anyone. To summarize:
- You need to request an AD account and delegated rights to the account.
Inputs: the delegated rights that you need based on the operations on the matrix
- Provided that you have the proper rights delegated, then you will run the adkeytab command with the proper switches.
Alternatively, your AD counterpart can provide his/her credential to perform the operation.
If the adkeytab command will be run from inside your Java application, then you need delegated access.
Finally, please contact your Centrify technical lead if you need additional guidance around this topic.
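Following up on "just point your program to the keytab": an added Java example (not from this thread, and not Centrify code) of consuming a keytab written by adkeytab through the JDK's own Krb5LoginModule, with a file-mode check before use. The class name, the principal string and the keytab path are placeholders, and it assumes the host's krb5.conf already points at the AD realm.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Authenticates with a keytab file (e.g. one written by adkeytab --adopt); no Centrify API involved. */
public final class KeytabLogin {
    /** Programmatic equivalent of a jaas.conf entry for the JDK's Krb5LoginModule. */
    static Configuration keytabConfig(final String principal, final File keytab) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab.getAbsolutePath());
                opts.put("principal", principal);
                opts.put("storeKey", "true");    // keep the key in the Subject (needed to accept as a service)
                opts.put("doNotPrompt", "true"); // never fall back to an interactive password prompt
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Refuse a keytab that other users can read: it holds the account's long-term key. */
    static void requireOwnerOnly(File keytab) throws IOException {
        if (!keytab.isFile() || !keytab.canRead()) throw new IOException("keytab not readable: " + keytab);
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab.toPath());
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ))
                throw new IOException("keytab " + keytab + " is group/world readable; restrict it to the service user");
        } catch (UnsupportedOperationException ignored) { /* non-POSIX filesystem: mode check not available */ }
    }

    /** Placeholder usage: login("someprinc/princ.abc.com@ABC.COM", new File("/etc/some.keytab")). */
    public static Subject login(String principal, File keytab) throws IOException, LoginException {
        requireOwnerOnly(keytab);
        LoginContext lc = new LoginContext("KeytabLogin", null, null, keytabConfig(principal, keytab));
        lc.login(); // reads the key from the keytab and obtains a TGT from AD
        return lc.getSubject();
    }
}
```

The returned Subject can be passed to Subject.doAs for any GSS-API or SPNEGO call; nothing in the Java process ever invokes adkeytab or sees the account password.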