Where allowed to run: All environments (*ALL)
Threadsafe: No
The Add Kerberos Ticket (ADDKRBTKT) command is used to obtain and cache Kerberos ticket-granting tickets. This command is similar to the kinit tool that is commonly found in other implementations of the Kerberos protocol, such as the SEAM and MIT Reference implementations.
Restrictions:
The Network Authentication Service commands and APIs support job environments for most EBCDIC CCSIDs. CCSIDs 290 and 5026 are not supported because the code points of the lower-case letters a to z vary in those CCSIDs.
Parameters

| Keyword | Description | Choices | Notes |
|---|---|---|---|
| PRINCIPAL | Principal | Element list | Required, Positional 1 |
| | Element 1: Name | Character value | |
| | Element 2: Realm | Character value, *DFT | |
| PASSWORD | Password | Character value | Optional, Positional 2 |
| KEYTABFILE | Keytab file | Path name, *DFT | Optional |
| CCF | Credentials cache file | Path name, *DFT | Optional |
| ALWFWD | Allow forwarding | *NO, *YES | Optional |
| ALWPRX | Allow proxy | *NO, *YES | Optional |
Principal (PRINCIPAL)
Specifies the principal name of a user or service principal on a host name in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All the principals are added to the Kerberos server which maintains a database of all users and services within a Kerberos realm.
This is a required parameter.
Element 1: Name
Specifies the principal name or service principal on a specified host name.
The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
/ - delimits name components.
Element 2: Realm
Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.
The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
@ - starts the realm.
Password (PASSWORD)
Specifies the password that allows the principal to authenticate in the Key Distribution Center (KDC).
This parameter is required if no keytab file name is specified.
Keytab file (KEYTABFILE)
Specifies the Kerberos keytab file in which the group of principals and their keys are stored.
Credentials cache file (CCF)
Specifies the credentials cache file that this command will use. This cache is used to store each of the new tickets, the session key and other information in the corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED message.
Allow forwarding (ALWFWD)
Specifies whether the Kerberos ticket will be forwardable.
The FORWARDABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by the application server.
The FORWARDABLE flag has an interpretation similar to that of the PROXIABLE flag, except ticket-granting tickets may also be issued with different network addresses.
This flag allows for authentication forwarding without requiring the user to enter a password again. If the flag is not set, then authentication forwarding is not permitted, but the same end result can still be achieved if the user engages in the authentication server exchange with the requested network addresses and supplies a password.
Allow proxy (ALWPRX)
Specifies whether the Kerberos ticket will be a proxiable ticket.
The PROXIABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. When this parameter is set to *YES, the ticket-granting server can issue a new ticket (but not a ticket-granting ticket) with a different network address based on this ticket.
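The ALWFWD and ALWPRX parameters above request the FORWARDABLE and PROXIABLE ticket flags defined in RFC 4120. The following Python is an added example, not part of the IBM documentation: it decodes the 32-bit TicketFlags word stored with a cached ticket, names the flags the way MIT `klist -f` abbreviates them, and reports the delegation capability a ticket carries, which is what a reviewer of a credentials cache wants to know before allowing a forwardable TGT to remain on a shared host. The sample flag words are constructed for the example.

```python
# Added example (not IBM's code). Bit numbers follow RFC 4120 section 5.3;
# ASN.1 BIT STRING numbering puts bit 0 at the most significant bit of the
# 32-bit word, so flag n corresponds to mask 1 << (31 - n).
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

# One-letter abbreviations in the order MIT klist -f prints them.
KLIST_LETTERS = [
    ("forwardable", "F"), ("forwarded", "f"), ("proxiable", "P"),
    ("proxy", "p"), ("may-postdate", "D"), ("postdated", "d"),
    ("invalid", "i"), ("renewable", "R"), ("initial", "I"),
    ("pre-authent", "A"), ("hw-authent", "H"),
    ("transited-policy-checked", "T"), ("ok-as-delegate", "O"),
]

def flag_mask(name: str) -> int:
    """32-bit mask for a named flag (same positions for KDCOptions)."""
    return 1 << (31 - TICKET_FLAG_BITS[name])

def kdc_options_for(alwfwd: bool, alwprx: bool) -> int:
    """KDCOptions word that ALWFWD(*YES) / ALWPRX(*YES) ask the KDC to grant."""
    word = 0
    if alwfwd:
        word |= flag_mask("forwardable")
    if alwprx:
        word |= flag_mask("proxiable")
    return word

def decode_ticket_flags(word: int) -> set:
    """Names of all flags set in a TicketFlags word."""
    return {name for name in TICKET_FLAG_BITS if word & flag_mask(name)}

def klist_string(word: int) -> str:
    """Flags in klist -f style, e.g. 'FRIA' for a forwardable initial TGT."""
    flags = decode_ticket_flags(word)
    return "".join(letter for name, letter in KLIST_LETTERS if name in flags)

def delegation_capability(word: int) -> str:
    """'forwardable' outranks 'proxiable': a forwardable TGT lets a remote host
    obtain any service ticket, a proxiable one only non-TGT service tickets."""
    flags = decode_ticket_flags(word)
    if "forwardable" in flags:
        return "forwardable"
    if "proxiable" in flags:
        return "proxiable"
    return "none"

# Constructed sample words: TGTs that are renewable, initial and pre-authenticated,
# one obtained with ALWFWD(*YES) and one with ALWPRX(*YES).
SAMPLE_FORWARDABLE_TGT = 0x40E00000
SAMPLE_PROXIABLE_TGT = 0x10E00000
```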
Examples
Example 1: Adding a Forwardable Ticket
ADDKRBTKT PRINCIPAL('krbsrv400/guada.lajara.com')
PASSWORD('my1pwd') ALWFWD(*YES)
This command adds a forwardable ticket using the 'krbsrv400/guada.lajara.com' principal and the default realm.
Example 2: Adding a Proxiable Ticket
ADDKRBTKT PRINCIPAL('krbsrv400/guada.lajara.com')
PASSWORD('my1pwd') ALWPRX(*YES)
This command adds a proxiable ticket using the 'krbsrv400/guada.lajara.com' principal and the default realm.
Example 3: Adding a Ticket for Non-default Realm
ADDKRBTKT PRINCIPAL('krbsrv400/guada.lajara.com'
'MEX.ICO.COM')
PASSWORD('my1pwd') ALWFWD(*YES)
This command adds a forwardable ticket using the principal with user name 'krbsrv400/guada.lajara.com' and realm 'MEX.ICO.COM'.
Error messages
*ESCAPE Messages