Rotating Keys

Rotating a Kerberos keytab used for File Storage authentication must be done carefully to avoid an availability outage.

NFS clients using Kerberos for authentication refresh tickets based on an interval specified by the KDC administrator. When rotating keytab entries, the mount target must accept both the old values and the new values until all clients have refreshed their tickets. If the old keytab entry is removed too early, clients that haven't refreshed their tickets can experience an availability outage.

To safely update a Kerberos keytab used in File Storage authentication:

  1. Generate a keytab from the KDC with new key versions, and convert it into Base64 format.
  2. Upload the keytab to OCI Vault as a new secret version of the existing keytab secret. Ensure that the selected format of the new secret version is Base64. For more information, see Overview of Vault.
  3. Update the mount target's Keytab Information:
    1. Open the navigation menu and click Storage. Under File Storage, click Mount Targets.
    2. In the List scope section, under Compartment, select a compartment.
    3. Find the mount target that you need to update Kerberos keytab versions for, click the Actions menu, and then click View Details.
    4. Click the NFS tab to view the existing NFS settings for the mount target.
    5. Next to Kerberos, click Manage.
    6. In the Keytab Information section, update the keytabs:
      • Select the new keytab version as the Current Keytab Secret Version.
      • Select the old keytab version as the Backup Keytab Secret Version.
  4. Wait until all NFS clients have refreshed their Kerberos tickets.
  5. Remove the Backup Keytab Secret Version from the mount target configuration.
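The following is an added example, not code from the File Storage documentation or from OCI. It models the pre-flight checks an operator would run before steps 2 and 3 and the state the mount target is in after steps 3 and 5: it parses MIT version-2 keytab files, confirms that the new secret version carries strictly higher key version numbers (kvno) for the service principal than the old one, and reports which kvnos are accepted while Current and Backup are both configured versus after the Backup is removed. The principal name, the kvnos (3 and 4), and the key bytes are constructed sample values; `build_keytab` exists only to produce that sample input, since in practice the KDC writes the keytab.

```python
import base64
import struct
from dataclasses import dataclass

KEYTAB_V2 = 0x0502          # MIT keytab file format version 2
ENCTYPE_AES256_SHA1 = 18    # aes256-cts-hmac-sha1-96 (IANA enctype number)


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix used throughout the keytab format."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into a v2 keytab.
    Used only to construct sample input; a real keytab comes from the KDC."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type=1 (NT-PRINCIPAL), timestamp=0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)             # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # signed entry length
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse a v2 keytab; key material is skipped, only principal/kvno/enctype kept."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KEYTAB_V2:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def counted() -> bytes:
        nonlocal pos
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        val = data[pos:pos + n]
        pos += n
        return val

    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen           # skip the key bytes
        kvno = vno8
        if end - pos >= 4:        # 32-bit kvno present (needed once kvno > 255)
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def _kvnos_for(b64: str, principal: str) -> list:
    """kvnos of `principal` in one Base64-encoded secret version."""
    return [e.kvno for e in parse_keytab(base64.b64decode(b64, validate=True))
            if e.principal == principal]


def accepted_kvnos(current_b64, backup_b64, principal) -> set:
    """kvnos the mount target can serve for `principal` from Current + Backup."""
    kvnos = set(_kvnos_for(current_b64, principal))
    if backup_b64 is not None:
        kvnos.update(_kvnos_for(backup_b64, principal))
    return kvnos


def preflight(old_b64: str, new_b64: str, principal: str) -> bool:
    """True iff the new secret version strictly supersedes the old one for
    `principal`: both parse, both contain it, and every new kvno is higher."""
    old, new = _kvnos_for(old_b64, principal), _kvnos_for(new_b64, principal)
    return bool(old) and bool(new) and min(new) > max(old)


# Constructed sample: same principal, kvno 3 -> kvno 4, dummy 32-byte keys.
PRINCIPAL = "nfs/mt.example.internal@EXAMPLE.INTERNAL"
OLD_B64 = base64.b64encode(build_keytab([(PRINCIPAL, 3, ENCTYPE_AES256_SHA1, b"\x11" * 32)])).decode()
NEW_B64 = base64.b64encode(build_keytab([(PRINCIPAL, 4, ENCTYPE_AES256_SHA1, b"\x22" * 32)])).decode()

if __name__ == "__main__":
    print("preflight ok:", preflight(OLD_B64, NEW_B64, PRINCIPAL))
    print("after step 3 (current=new, backup=old):", accepted_kvnos(NEW_B64, OLD_B64, PRINCIPAL))
    print("after step 5 (backup removed):", accepted_kvnos(NEW_B64, None, PRINCIPAL))
```

Running `preflight` against the two Base64 strings before uploading the new secret version catches the two mistakes that most often cause the outage described above: uploading a keytab whose kvno does not actually supersede the current one, or uploading one that omits the mount target's service principal. The `accepted_kvnos` output makes the point of step 5 concrete: until the Backup version is cleared the mount target can decrypt tickets under either kvno, and afterwards only under the new one, so any client still holding an old ticket at that moment fails.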