Service Key Table

The /opt/krb5/v5srvtab file is the service key table file that contains service principal names with their corresponding secret keys. You must store this file on the system that hosts the service or application, which requires an extracted key. Secured application servers use the keys in this file to decrypt data packets, which the security server encrypts, using a copy of the same key.

Maintaining Secret Keys in the Key Table File

Secret keys for service principals are randomly generated keys stored in the service key table on the host of the service principal. Periodically, you must change the secret keys for many service principals and delete the old keys. This requires generating a new random key, extracting the new key to the service key table file on the host of the service, and deleting the older keys. HP recommends that you perform these processes at least once a month. This reduces the risk of compromising the security of the keys.

Extracting a Key to the Service Key Table File

Only a principal whose account has the required administrative permissions can extract the keys. To extract a key to the service key table file on the host of the service, the principal must log on to the host system where the service resides and use the Administrator or the command-line administrator.

To extract a key to the service key table file using the Administrator, complete the following steps:

Select the principal for which you want to extract the key.
Click Edit. The Principal Information window displays.
Select the Edit>Extract To Service Key Table option. The Extract to Service Key Table Window displays.

For more information on extracting a key to the service key table file, see “Extracting Service Keys”.

To extract the principal <principal_name> to a local service key table file, SrvTab, type kadmin at the HP-UX prompt and specify the ext command, the principal name, and the service key table file name.

Following is a sample output for the ext command:

command: ext
Name of Principal (host/fqdn@REALM): <Principal Name>
Service Key Table File Name (/opt/krb5/v5srvtab): <SrvTab>
Principal modified
Key extracted

Creating a New Service Key Table File

Each secured daemon requires a service principal account. You must extract the key of the principal to the service key table file. When you create a new service key table file, you must consider the number of daemons that reside on the system.

When you are creating a new service key table file, consider the following:

Ensure that a single key table file is readable only by one user account. Do not set the read-write-execute permissions to a group or world.
For a host/principal, you must use the default key table name, /opt/krb5/v5srvtab, and this must be owned by the root user.
If some secured daemons on a single system run under the same UNIX® account, you can store more than one key in a given key table file.
If secured daemons on one system run as more than one UNIX account, you must create one key table file for each UNIX account used by one of the secured daemons on the local system. To do this, use the ktutil command.
For more information on the ktutil command, type man 1 ktutil at the HP-UX prompt.

Deleting Older Keys from the Service Key Table File

To remove principal entries from the service key table file, use the ktutil command. For more information on the ktutil command, type man 1 ktutil at the HP-UX prompt.

Service Key Table

Technical documentation

» Table of Contents

» Glossary

» Index

Maintaining Secret Keys in the Key Table File

Extracting a Key to the Service Key Table File

Creating a New Service Key Table File

Deleting Older Keys from the Service Key Table File