Kerberos Tutorial

You must have the Kerberos client installed on your machine and have been assigned a MIPL Kerberos Principal (AKA a kerberos account) to authenticate yourself and acquire a valid kerberos ticket.

The Kerberos utilities kinit, kdestroy, and klist (UNIX) or multinet kerberos init, multinet kerberos destroy, and multinet kerberos list (Open-VMS) are used to manage Kerberos tickets. Both UNIX and Open-VMS Kerberos utilities are covered in this tutorial, but only V2 FEI and Database applications run under Open-VMS (supporting GLL and MPF projects). Projects using V3 applications (DS1, Cassini and Mars Missions) will not run on Open-VMS.

If your Systems Administrator has installed the kerberos help files, you can get more information on each kerberos utility by running:

man <utility name> (UNIX)
or
help @multinet kerberos (DEC Alpha).
It is important to note that once acquired, a kerberos ticket expires after 8 hrs. Although expired, the ticket is not automatically destroyed (but will be unusable) and will display when you list your tickets (using klist or multinet kerberos list covered below). So, be sure to always note the expiration time when you list your tickets to ensure they are valid. When in doubt, you can always get a new ticket, which replaces the current ticket without risk of harming running applications.

Initialize Kerberos (get a ticket)

The kerberos utility kinit (UNIX) or multinet kerberos init (Open-VMS), allows you to identify yourself to the Kerberos Server and obtain a tgs ticket. You must have a tgs ticket to use kerberized applications and will receive error messages when attempting to run applications without one.

This utility runs silently, simply returning to the OS prompt when run properly. An error will be reported if there is a problem. While getting acquainted with kerberos it is helpful to list your ticket after you get it for assurance it is there.

A kerberos ticket is specific to a user on a given platform. If you move from one machine to another you must get a ticket on each machine.

The ticket is valid for 8 hrs, so typically a user need only initialize a ticket each morning, possibly by including it in your login script, to provide access to kerberized applications for the entire day.

Each time you execute this utility your current tgs ticket is replaced by a new ticket. There is no harm in reacquiring tickets as often as you like to ensure you always have a non-expired ticket on hand. You could run kinit or multinet kerberos init every hour if you like.

kinit principal [-r] (UNIX)
or
multinet kerberos init /username=principal [/realm=JPL-MIPS.JPL.NASA.GOV] (Open-VMS)

The principal is the kerberos username assigned by MIPL. Kinit will prompt for your password - enter the kerberos password assigned by MIPL. After running this simple utility you now can run MIPL kerberized applications for up to 8 hours without running this utility again.

The [-r], [/realm=JPL-MIPS.JPL.NASA.GOV] option is used to specify the kerberos realm you wish to operate in. The realm is required if you use non-MIPL kerberized applications in addition to our applications. In that case you must acquire a ticket from the realm which controls access for the application. Your kerberos environment will also be configured to include multiple kerberos realms. If this applies to your site see your System Administrator to ensure the environment is set up properly. Then include the realm parameter and enter, when prompted (UNIX) or include on the command line (Open-VMS), the MIPL realm JPL-MIPS.JPL.NASA.GOV, when getting a ticket to run a MIPL application:

kinit principal -r (UNIX)
or
multinet kerberos init /username=principal /realm=JPL-MIPS.JPL.NASA.GOV (Open-VMS)

List Kerberos Tickets

The kerberos utility klist (UNIX) or multinet kerberos list (Open-VMS), lists the tickets you have on a particular machine. Service tickets are automatically obtained by kerberized client applications as needed, so depending on which applications you have used you may see tickets listed that you don't recall getting. When looking at the listing, the krbtgt entry is the ticket you expressly acquired, and is the ticket you want to be sure is valid (has not expired) when running kerberized applications.

klist (UNIX)
or
multinet kerberos list (Open-VMS)

Results in:

Ticket file:    /tmp/tkt1056
Principal:      test@JPL-MIPS.JPL.NASA.GOV

  Issued           Expires          Principal
Oct 13 08:30:46  Oct 13 18:30:46  krbtgt.JPL-MIPS.JPL.NASA.GOV@JPL-MIPS.JPL.NASA.GOV
Oct 13 08:30:53  Oct 13 18:30:53  mipsFEI01.coda4@JPL-MIPS.JPL.NASA.GOV

The kerberos user who got the ticket is the Principal, in this example the user name is test. The kerberos realm is associated with the principal and is appended to the username following the @ symbol. In this example the realm is JPL-MIPS.JPL.NASA.GOV. The default realm (JPL-MIPS.JPL.NASA.GOV) is assigned if you do not specify the realm and are not operating in a multiple kerberos realm environment.

In this example the user has also executed an FEI application which acquired a Service ticket to access the FEI server called mipsFEI01.coda4 in the same realm.
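The tutorial asks you to note the expiration time every time you list your tickets. The following Python code is an added example, not part of this tutorial or of the MIPL tools: it parses the Kerberos 4 style klist listing shown above, picks out the krbtgt entry and reports whether it is still usable at a reference time, so the same check can be made from a login script or a batch wrapper instead of by eye. klist prints no year, so the example assumes the year of the reference time; the sample listing is the one above and the reference times are constructed for the demonstration.

```python
"""Check the krbtgt entry of a klist listing for expiry (added example)."""
from datetime import datetime
import re

# Constructed sample: the listing from the tutorial, reproduced verbatim.
SAMPLE_LISTING = """\
Ticket file:    /tmp/tkt1056
Principal:      test@JPL-MIPS.JPL.NASA.GOV

  Issued           Expires          Principal
Oct 13 08:30:46  Oct 13 18:30:46  krbtgt.JPL-MIPS.JPL.NASA.GOV@JPL-MIPS.JPL.NASA.GOV
Oct 13 08:30:53  Oct 13 18:30:53  mipsFEI01.coda4@JPL-MIPS.JPL.NASA.GOV
"""

# One ticket line: "Mon DD HH:MM:SS  Mon DD HH:MM:SS  service@REALM"
TICKET_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def _parse_stamp(text, year):
    # klist omits the year; the caller supplies it (assumed to be the
    # year of the reference time, which is fine for a same-day check).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_listing(listing, year):
    """Return (principal, tickets); each ticket is a dict with
    'issued', 'expires' (datetime) and 'service' (the ticket's principal)."""
    principal = None
    tickets = []
    for line in listing.splitlines():
        line = line.rstrip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "issued": _parse_stamp(m.group(1), year),
                "expires": _parse_stamp(m.group(2), year),
                "service": m.group(3),
            })
    return principal, tickets


def tgt_status(listing, now):
    """Classify the krbtgt ticket at time `now` (datetime or ISO 8601 string).

    Returns (state, remaining_seconds) with state one of "missing",
    "expired" or "valid"; remaining_seconds is negative once it has lapsed.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    _, tickets = parse_listing(listing, now.year)
    # Only the ticket-granting ticket matters; service tickets are
    # reacquired automatically by the applications once the TGT is valid.
    tgts = [t for t in tickets if t["service"].startswith("krbtgt.")]
    if not tgts:
        return "missing", 0
    tgt = max(tgts, key=lambda t: t["expires"])  # newest if several are listed
    remaining = int((tgt["expires"] - now).total_seconds())
    return ("valid" if remaining > 0 else "expired"), remaining


if __name__ == "__main__":
    # Reference times constructed for the demo: mid-morning and after expiry.
    for when in ("1998-10-13T10:00:00", "1998-10-13T19:00:00"):
        state, left = tgt_status(SAMPLE_LISTING, when)
        print(f"{when}: TGT is {state}, {left} seconds remaining")
```

In a login or batch script, a result of "missing" or "expired" is the cue to run kinit again; the tutorial notes that reacquiring a ticket is always safe for running applications.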

Destroy Tickets

The kerberos utility kdestroy (UNIX) or multinet kerberos destroy (Open-VMS), destroys all kerberos tickets for the user on a machine including all Service tickets acquired by the applications run by the user on that machine. Kerberos does not automatically destroy tickets when they expire or when you log out, so you must explicitly do so using this command. Be careful that you do not destroy tickets if you have batch or background processes running that require these tickets. You can logoff your machine leaving a ticket active for these batch or background processes and often will want to.

Remember that tickets expire automatically after anywhere from 5 minutes to 8 hours, depending on the utility used to acquire them. The only utility covered so far, kinit, issues a ticket that lasts 8 hours by default; this can be changed using the -l switch.

Although it is good practice to "clean house" after yourself, it is safe to leave your ticket on a machine all day for convenient access and simply allow it to expire at the end of the day.

kdestroy (UNIX)
or
multinet kerberos destroy (Open-VMS)

Batch Tickets

The kerberos utility ksrvtgt (UNIX only) can be used to acquire short lived tickets (5 minutes) for batch processing. When running FEI V3 (DS1), users must always (24/7) have a valid kerberos ticket available to the FEI Subscribe utility if the "restart" option is used. Instructions to configure this environment, as well as special accounts, are provided to project members from the FEI Administrator for their project.

ksrvtgt name instance [ [ realm ] srvtab ] (UNIX)
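A batch job that must hold a valid ticket around the clock has to renew before the current ticket lapses, and a 5 minute ksrvtgt ticket makes that a very different schedule from an 8 hour kinit ticket. The Python model below is an added illustration, not code from this tutorial or from the FEI tools: lifetime, check interval and safety margin are its inputs, the acquire callable is a hypothetical stand-in for kinit or ksrvtgt, and the 8 hour and 5 minute lifetimes are the ones stated in the tutorial. It also enforces the one rule that makes the scheme safe: the margin must cover a whole check interval, otherwise the ticket can expire between two checks.

```python
"""Model when a long-running job must reacquire its ticket (added example)."""
from datetime import datetime, timedelta

KINIT_DEFAULT_LIFETIME_S = 8 * 3600   # kinit default, per the tutorial (-l changes it)
KSRVTGT_LIFETIME_S = 5 * 60           # ksrvtgt batch ticket, per the tutorial


class TicketKeeper:
    """Tracks the current ticket's expiry and calls `acquire` when renewal is due.

    `acquire` is a hypothetical callable standing in for kinit/ksrvtgt: it is
    given the current time and returns the new ticket's expiry time.
    """

    def __init__(self, acquire, margin):
        self.acquire = acquire
        self.margin = margin      # renew when less than this remains
        self.expires = None       # no ticket yet
        self.renewals = []        # times at which a ticket was (re)acquired

    def ensure_valid(self, now):
        """Renew if there is no ticket or it is inside the margin; return True if renewed."""
        if self.expires is None or self.expires - now <= self.margin:
            self.expires = self.acquire(now)
            self.renewals.append(now)
            return True
        return False


def fixed_lifetime(lifetime):
    """An acquire() that mimics a utility issuing tickets of a fixed lifetime."""
    return lambda now: now + lifetime


def simulate(lifetime_s, interval_s, margin_s, duration_s):
    """Run a job every interval_s seconds for duration_s seconds and return the
    offsets (in seconds from the start) at which a ticket had to be acquired."""
    if margin_s < interval_s:
        # Between two checks no renewal can happen, so the margin must be at
        # least one interval or the ticket may lapse while the job is running.
        raise ValueError("safety margin must be at least one check interval")
    lifetime = timedelta(seconds=lifetime_s)
    interval = timedelta(seconds=interval_s)
    keeper = TicketKeeper(fixed_lifetime(lifetime), timedelta(seconds=margin_s))
    start = datetime(1998, 10, 13, 8, 0, 0)   # constructed start time
    now = start
    while now - start <= timedelta(seconds=duration_s):
        keeper.ensure_valid(now)
        # ... the job's real work, with a ticket guaranteed valid, goes here ...
        now += interval
    return [int((t - start).total_seconds()) for t in keeper.renewals]


if __name__ == "__main__":
    # ksrvtgt: 5 minute ticket, job runs every 2 minutes, 2 minute margin, 10 minute run
    print("ksrvtgt renewals at", simulate(KSRVTGT_LIFETIME_S, 120, 120, 600))
    # kinit: 8 hour ticket, job runs hourly, 1 hour margin, 24 hour run
    print("kinit renewals at", simulate(KINIT_DEFAULT_LIFETIME_S, 3600, 3600, 24 * 3600))
```

The interactive case needs only a few renewals a day, which is why the tutorial suggests a morning kinit; the ksrvtgt case renews every few minutes, which is why the batch environment is set up by the FEI Administrator rather than by hand.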


Last Updated November 24, 1998
Pamela Woncik pjw@jpl.nasa.gov