Listing Kerberos SNC keys in NAM Probe configuration

Before keys are used by the NAM Probe, the NAM Probe needs to be made aware of their presence by listing the keys in the configuration file referred to as the keylist.

This functionality is governed by the following configuration properties in the rtm.config configuration file:

server.key.dir

The directory in which to store encoded files (by default, this is /usr/adlex/config/keys).

server.key.list

The file in the above directory that describes what keys are to be used for the monitored servers. The default name of the file is keylist. Note that the file lists keys to be used, but does not provide a mapping of servers to keys. This is because the NAM Probe is able to match keys to sessions automatically. The advantage of this approach – of not mapping a specific IP address of the server to the private key – is that servers residing behind load balancers can also be monitored, even though the same IP address is then apparently using a number of different keys.

The file listing the keys, as specified in server.key.list, is a plain-text file with each line describing a single key and being composed of the following fields.

key_type, [app_name :]key_identifier [, comment ]

where:

  • The square brackets (“[ ]”) indicate that the given item is optional; the brackets themselves should not be included in the actual entry.
  • This file may also be used by other protocols, so entries of other types may also appear there.
  • key_type for Kerberos SNC is the literal string snc.
  • key_identifier for Kerberos SNC is the name of the file that contains the encoded key.
  • comment is an optional free-text description of the entry in the line.

Sample entries with SNC keys:

snc,mySncKey01, key for service 1
snc,mySncKey02, key for service 2
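As an added illustration of the line format described above (this is example code written for this page, not a NAM Probe utility), the following parser reads keylist entries, splits out the optional app_name and comment fields, selects the snc entries, and reports which of their key files are not present in the key directory. The sample keylist text is constructed: it reuses the two entries above plus an entry with an app_name prefix and a non-SNC entry. Skipping blank lines is an assumption of this example, not a documented keylist rule.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample keylist: the two SNC entries from the page, one SNC entry
# with an app_name prefix, a blank line, and an entry of another key type.
SAMPLE_KEYLIST = """snc,mySncKey01, key for service 1
snc,myApp:mySncKey02, key for service 2

other, someOtherKey
"""


@dataclass
class KeyListEntry:
    key_type: str
    app_name: Optional[str]
    key_identifier: str
    comment: Optional[str]


def parse_keylist_line(line: str) -> Optional[KeyListEntry]:
    """Parse one line of the form: key_type, [app_name:]key_identifier [, comment]

    Returns None for blank lines (assumed to be ignorable in this example)."""
    stripped = line.strip()
    if not stripped:
        return None
    # The comment may itself contain commas, so split on at most two commas.
    parts = stripped.split(",", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed keylist line: {line!r}")
    key_type = parts[0].strip()
    ident_field = parts[1].strip()
    comment = parts[2].strip() if len(parts) == 3 else None
    # Optional "app_name:" prefix in front of the key identifier.
    if ":" in ident_field:
        app_name, key_identifier = (s.strip() for s in ident_field.split(":", 1))
    else:
        app_name, key_identifier = None, ident_field
    if not key_type or not key_identifier:
        raise ValueError(f"missing key_type or key_identifier in: {line!r}")
    return KeyListEntry(key_type, app_name or None, key_identifier, comment or None)


def parse_keylist(text: str) -> List[KeyListEntry]:
    """Parse a whole keylist file body into entries, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_keylist_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def snc_key_files(entries: List[KeyListEntry]) -> List[str]:
    """File names (key_identifier) of all Kerberos SNC entries, in file order."""
    return [e.key_identifier for e in entries if e.key_type == "snc"]


def missing_snc_key_files(entries: List[KeyListEntry], present: Set[str]) -> List[str]:
    """SNC key files named in the keylist but absent from the set of present file names."""
    return [name for name in snc_key_files(entries) if name not in present]


def check_key_dir(entries: List[KeyListEntry], key_dir: str) -> List[str]:
    """Compare the keylist against the server.key.dir directory on disk."""
    present = set(os.listdir(key_dir)) if os.path.isdir(key_dir) else set()
    return missing_snc_key_files(entries, present)


if __name__ == "__main__":
    # Default locations from rtm.config; the directory may not exist on this host.
    entries = parse_keylist(SAMPLE_KEYLIST)
    for e in entries:
        print(e)
    print("missing SNC key files:", check_key_dir(entries, "/usr/adlex/config/keys"))
```

Running the check before restarting the kpa daemon catches the common mistake of listing a key whose encoded file was never copied into server.key.dir.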

After updating the keylist file, you need to re-start the kpa daemon and re-run the kpadmin utility.