Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
This command adds a new, randomly generated master key. The -s option requests that the new master key also be stored in the default keytab (the stash file).
    # kdb5_util add_mkey -s
    Creating new master key for master key principal 'K/M@EXAMPLE.COM'
    You will be prompted for a new database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: /** Type strong password **/
    Re-enter KDC database master key to verify: xxxxxxxx
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, No activate time set
    KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *
The asterisk in this output identifies the currently active master key.
    # date
    Fri Jul 11 17:57:00 CDT 2014
    # kdb5_util use_mkey 2 'now+2days'
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014
    KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *
In this example, the activation time ('now+2days') is set two days in the future to allow time for the new master key to propagate to all of the KDCs. Until that time, master key 1 remains the active key, as the asterisk shows. Adjust the interval as appropriate for your environment.
    # kadmin.local -q 'getprinc tamiko' | egrep 'Principal|MKey'
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Principal: tamiko@EXAMPLE.COM
    MKey: vno 2
In this example, MKey: vno 2 indicates that the principal's secret key is protected by the newly created master key, master key 2.
The update_princ_encryption command re-encrypts principals' secret keys under the active master key. If you add a pattern argument to the end of the command, only the principals that match the pattern are updated. Add the -n option to this command syntax to preview which principals would be updated without changing them.
    # kdb5_util update_princ_encryption -f -v
    Principals whose keys WOULD BE re-encrypted to master key vno 2:
    updating: host/[email protected]
    skipping: [email protected]
    updating: kadmin/[email protected]
    updating: kadmin/[email protected]
    updating: kdc/[email protected]
    updating: host/[email protected]
    6 principals processed: 5 updated, 1 already current
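As an added pre-purge check, not part of the Oracle documentation or of the kdb5_util tool itself: the Python below parses the two kinds of output this procedure relies on, list_mkeys (to find the active master key and any key whose activation is still scheduled in the future) and getprinc (to find which master key vno protects each principal), and reports which non-active master keys still protect some principal. The sample output, the principal names and the realm in it are constructed for this example, and the purge rule it applies (a non-active key counts as purgeable only when no principal's MKey vno refers to it) is a reading of the page's description, not Oracle's code.

```python
import re
from datetime import datetime

# Constructed sample output modelled on `kdb5_util list_mkeys`, not captured
# from a real KDC. Key 3 stands for a key that was added but never scheduled
# with use_mkey. The page shows the column as "KNVO"; the pattern also
# accepts the "KVNO" spelling.
LIST_MKEYS_SAMPLE = """\
Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 3, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, No activate time set
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *
KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011
"""

# Constructed mid-rollover state: key 2 is scheduled but key 1 is still active.
LIST_MKEYS_SCHEDULED = """\
Master keys for Principal: K/M@EXAMPLE.COM
KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014
KNVO: 1, Enctype: AES-128 CTS mode with 96-bit SHA-1 HMAC, Active on: Fri Dec 31 18:00:00 CST 2011 *
"""

# Constructed `kadmin.local -q 'getprinc <name>'` output (made-up principals),
# reduced to the two lines this check needs.
GETPRINC_SAMPLE = """\
Principal: host/kdc1.example.com@EXAMPLE.COM
MKey: vno 2
Principal: tamiko@EXAMPLE.COM
MKey: vno 2
Principal: oldsvc@EXAMPLE.COM
MKey: vno 1
"""

MKEY_RE = re.compile(
    r"^K[VN]VO:\s*(?P<kvno>\d+),\s*Enctype:\s*(?P<enctype>.+?),\s*"
    r"(?:Active on:\s*(?P<active>.+?)|No activate time set)\s*(?P<star>\*)?\s*$"
)

def _parse_ctime(stamp):
    """Parse 'Sun Jul 13 17:57:15 CDT 2014'. The zone abbreviation is dropped
    (strptime only knows the local zone), so the result is naive KDC local time."""
    f = stamp.split()
    return datetime.strptime(" ".join(f[:4] + f[5:]), "%a %b %d %H:%M:%S %Y")

def parse_mkeys(text):
    """One dict per master key: kvno, enctype, active_on (or None), active."""
    keys = []
    for line in text.splitlines():
        m = MKEY_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        when = m.group("active")
        keys.append({
            "kvno": int(m.group("kvno")),
            "enctype": m.group("enctype"),
            "active_on": _parse_ctime(when) if when else None,
            "active": m.group("star") is not None,  # trailing '*' marks the active key
        })
    return keys

def active_mkey(keys):
    """KVNO of the active master key; exactly one line must carry the '*'."""
    starred = [k["kvno"] for k in keys if k["active"]]
    if len(starred) != 1:
        raise ValueError("expected one active master key, found %r" % starred)
    return starred[0]

def pending_mkeys(keys, now):
    """KVNOs scheduled to become active after `now` (naive KDC local time)."""
    return sorted(k["kvno"] for k in keys
                  if not k["active"] and k["active_on"] is not None and k["active_on"] > now)

def parse_principal_mkeys(text):
    """Map each principal to the master key vno protecting its secret key."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("MKey:") and current is not None:
            result[current] = int(re.search(r"vno\s+(\d+)", line).group(1))
            current = None
    return result

def purge_plan(keys, princ_mkeys):
    """Split non-active master keys into purgeable (no principal references them)
    and blocked (still protecting principals, listed). A pre-check, not a
    substitute for running purge_mkeys with -n."""
    in_use = {}
    for princ, vno in princ_mkeys.items():
        in_use.setdefault(vno, []).append(princ)
    active = active_mkey(keys)
    purgeable, blocked = [], {}
    for k in keys:
        if k["kvno"] == active:
            continue
        if k["kvno"] in in_use:
            blocked[k["kvno"]] = sorted(in_use[k["kvno"]])
        else:
            purgeable.append(k["kvno"])
    return sorted(purgeable), blocked
```

To use it against a real KDC, substitute the captured text of list_mkeys and of getprinc for every principal (for example from a listprincs loop) for the constructed strings. Note that a freshly added key that has not yet been activated is reported as purgeable too, because nothing references it yet; that is exactly the kind of surprise the -n dry run of purge_mkeys is meant to catch.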
After a master key no longer protects any principal's secret key, it can be purged from the master key principal. The command refuses to purge a key that any principal still uses. Add the -n option to this command to verify that the correct master key will be purged before running it for real.
    # kdb5_util purge_mkeys -f -v
    Purging the follwing master key(s) from K/M@EXAMPLE.COM:
    KNVO: 1
    1 key(s) purged.
    # kdb5_util list_mkeys
    Master keys for Principal: K/M@EXAMPLE.COM
    KNVO: 2, Enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC, Active on: Sun Jul 13 17:57:15 CDT 2014 *
    # kdb5_util stash
    Using existing stashed keys to update stash file.
    # klist -kt /var/krb5/.k5.EXAMPLE.COM
    Keytab name: FILE:.k5.EXAMPLE.COM
    KVNO Timestamp        Principal
    ---- ---------------- ---------------------------------------------------------
       2 05/11/2014 18:03 K/M@EXAMPLE.COM