Review the CyberSafe Kerberos implementation in SAP jConnect.
The Java reference implementation does not support Triple Data Encryption Standard (3DES) keys.
CyberSafe Kerberos does not use a krb5.conf configuration file. Alternately, CyberSafe locates KDC address mapping and realm information in the krb.conf and krb.realms files, respectively. See CyberSafe documentation for more information.
If you are using the standard Java GSSManager implementation, you must still create a krb5.conf file for use by Java. The CyberSafe krb.conf file is formatted differently from the krb5.conf file. Create a krb5.conf file as specified in the Java SE documentation or in the MIT documentation. You do not need a krb5.conf file if using the CyberSafe GSSManager.
For examples of the krb5.conf file, see white paper on setting up Kerberos, the URL is referenced in the SAP jConnect for JDBC Release Bulletin.
A client uses krb5.conf file with a CyberSafe or MIT KDC. For example:
# Please note that customers must alter the
# default_realm, [realms] and [doamin_realm]
# information to reflect their Kerberos environment.
# Customers should *not* attempt to use this file as is.
#
[libdefaults]
default_realm = ASE
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
kdc_req_checksum_type = 2
ccache_type = 2
[realms]
ASE = {
kdc = kdchost
admin_server = kdchost
}
[domain_realm]
.sybase.com = ASE
sybase.com = ASE
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated
# no more often than the period, and less often if the
# KDC is not used frequently.
period = 1d
# how many versions of kdc.log to keep around
# (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}