diff --git a/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf b/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
index f5981be0b019640b64bf85ea1bcb0aab055df752..a7ab0e089c35420a7c8b3f9e28fd9deef7607a43 100644
--- a/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
+++ b/continuousintegration/docker/ctafrontend/cc7/config/ctafrontend/etc/cta/cta-frontend-xrootd.conf
@@ -19,7 +19,7 @@ xrootd.seclib libXrdSec.so
 # Protocol specification
 # The xroot server process needs to be able to read the keytab file
 sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab cta/cta-frontend@TEST.CTA
-sec.protocol sss -s /etc/ctafrontend_SSS_s.keytab -c /etc/ctafrontend_SSS_c.keytab
+sec.protocol sss -s /etc/cta/cta-cli.sss.keytab
 #sec.protocol unix
 
 # Only Kerberos 5 and sss are allowed
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index 69aba714ba9ce04dcedb14495f5b3692de147db9..8efec1fb1dc28d25da733e0aba4fe806998b9649 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -34,7 +34,7 @@ eoshost=`hostname -f`
 EOS_INSTANCE=`hostname -s`
 TAPE_FS_ID=65535
 CTA_BIN=/usr/bin/eoscta_stub
-CTA_KT=/etc/ctafrontend_SSS_c.keytab
+CTA_KT=/etc/cta/cta-cli.sss.keytab
 CTA_XrdSecPROTOCOL=sss
 CTA_PROC_DIR=/eos/${EOS_INSTANCE}/proc/cta
 CTA_WF_DIR=${CTA_PROC_DIR}/workflow
@@ -191,7 +191,7 @@ test -e /usr/lib64/libjemalloc.so.1 && export LD_PRELOAD=/usr/lib64/libjemalloc.
 # for sss authorisation  unix has to be replaced by sss
 
 # Set the worfklow rule for archiving files to tape
-eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=${CTA_XrdSecPROTOCOL} XrdSecSSSKT=${CTA_KT} ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance eoscta --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 <eos::wfe::base64:metadata> --reportURL 'eosQuery://${EOS_INSTANCE}//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${CTA_WF_DIR}
+eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=${CTA_XrdSecPROTOCOL} XrdSecSSSKT=${CTA_KT} ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance ignored_instance_name --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 <eos::wfe::base64:metadata> --reportURL 'eosQuery://${EOS_INSTANCE}//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${CTA_WF_DIR}
 
 # Set the worflow rule for creating tape file replicas in the EOS namespace.
 eos attr set sys.workflow.archived.default="bash:shell:cta eos file tag <eos::wfe::path> +<eos::wfe::cxattr:CTA_TapeFsId>" ${CTA_WF_DIR}
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
index 7c8ce9e88955e7c62279f53b378a380f550ba8c7..7774824ddffe49fa4a9c8b81dc0e46ff8e67dfa7 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
@@ -31,12 +31,12 @@ echo ${DATABASEURL} >/etc/cta/cta-catalogue.conf
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos
 
-# Create SSS key for ctafrontend, must be forwardable in kubernetes realm
-echo y | xrdsssadmin -k ctafrontend+ -u ${EOSINSTANCE} -g cta add /etc/ctafrontend_SSS_s.keytab
-# copy it in the client file that contains only one SSS
-cp /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
-chmod 600 /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
-chown cta /etc/ctafrontend_SSS_s.keytab /etc/ctafrontend_SSS_c.keytab
+# Create SSS key for cta-cli, must be forwardable in kubernetes realm (this is what the + is for)
+# USER IN THE SSS FILE IS THE EOS INSTANCE NAME THE REST IS BS
+echo y | xrdsssadmin -k cta-cli+ -u ${EOSINSTANCE} -g cta add /etc/cta/cta-cli.sss.keytab
+chmod 600 /etc/cta/cta-cli.sss.keytab
+chown cta /etc/cta/cta-cli.sss.keytab
+# DO NOT FORGET THAT YOU CAN DEFINE SEPARATE CLIENT AND SERVER KEYTABS
 
 # Wait for the keytab file to be pushed in by the creation script.
 echo -n "Waiting for /etc/cta/cta-frontend.krb5.keytab"
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
index 339ccabe05bb1a8c1d3b34caf544762a3b676c47..a0831211ad70f95d43b0c6831483670390ff3972 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/eos_configure_preprod.sh
@@ -14,7 +14,7 @@ eos attr set CTA_StorageClass=ctaStorageClass ${PREPROD_DIR}
 
 eos attr set CTA_TapeFsId=65535 ${PREPROD_DIR}
 
-eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=sss XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance eoscta --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 cmVjb3ZlcnkK --reportURL 'eosQuery://ctaeos//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${PREPROD_DIR}
+eos attr set sys.workflow.closew.default="bash:shell:cta XrdSecPROTOCOL=sss XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab ${CTA_BIN} archive --user <eos::wfe::rusername> --group <eos::wfe::rgroupname> --diskid <eos::wfe::fid> --instance ignored_instance_name --srcurl <eos::wfe::turl> --size <eos::wfe::size> --checksumtype <eos::wfe::checksumtype> --checksumvalue <eos::wfe::checksum> --storageclass <eos::wfe::cxattr:CTA_StorageClass> --diskfilepath <eos::wfe::path> --diskfileowner <eos::wfe::username> --diskfilegroup <eos::wfe::groupname> --recoveryblob:base64 cmVjb3ZlcnkK --reportURL 'eosQuery://ctaeos//eos/wfe/passwd?mgm.pcmd=event\&mgm.fid=<eos::wfe::fxid>\&mgm.logid=cta\&mgm.event=archived\&mgm.workflow=default\&mgm.path=/eos/wfe/passwd\&mgm.ruid=0\&mgm.rgid=0' --stderr" ${PREPROD_DIR}
 
 #eos attr set sys.workflow.archived.default="bash:shell:cta eos file tag <eos::wfe::path> +<eos::wfe::cxattr:CTA_TapeFsId>" ${PREPROD_DIR}
 eos attr set sys.workflow.archived.default="bash:create_tape_drop_disk_replicas:cta <eos::wfe::path> <eos::wfe::cxattr:CTA_TapeFsId>" ${PREPROD_DIR}
diff --git a/continuousintegration/orchestration/create_instance.sh b/continuousintegration/orchestration/create_instance.sh
index a1f37ac88df88baf991462585c79aad6e125125c..87c76607d8fa0807e7b9a3b5b985b9d8ca82674b 100755
--- a/continuousintegration/orchestration/create_instance.sh
+++ b/continuousintegration/orchestration/create_instance.sh
@@ -275,11 +275,13 @@ kubectl --namespace=${instance} exec ctacli klist
 echo -n "Configuring cta SSS for ctafrontend access from ctaeos"
 for ((i=0; i<300; i++)); do
   echo -n "."
-  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/ctafrontend_SSS_c.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
+  [ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] && break
   sleep 1
 done
-[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/ctafrontend_SSS_c.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
-kubectl --namespace=${instance} exec ctafrontend -- cat /etc/ctafrontend_SSS_c.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/ctafrontend_SSS_c.keytab; chmod 600 /etc/ctafrontend_SSS_c.keytab; chown daemon /etc/ctafrontend_SSS_c.keytab"
+[ "`kubectl --namespace=${instance} exec ctafrontend -- bash -c "[ -f /etc/cta/cta-cli.sss.keytab ] && echo -n Ready || echo -n Not ready"`" = "Ready" ] || die "TIMED OUT"
+# just in case /etc/cta directory does not exist yet
+kubectl --namespace=${instance} exec -i ctaeos --  bash -c "mkdir -p /etc/cta"
+kubectl --namespace=${instance} exec ctafrontend -- cat /etc/cta/cta-cli.sss.keytab | kubectl --namespace=${instance} exec -i ctaeos --  bash -c "cat > /etc/cta/cta-cli.sss.keytab; chmod 600 /etc/cta/cta-cli.sss.keytab; chown daemon /etc/cta/cta-cli.sss.keytab"
 echo OK
 
 
diff --git a/eos_wfe_scripts/delete_archive_file b/eos_wfe_scripts/delete_archive_file
index 3abcd2089a03b254ebaa3cdd7075b2e9474cbafe..ffa8ae5211a30f38f59f69cf7038a5bb3bcddd3a 100755
--- a/eos_wfe_scripts/delete_archive_file
+++ b/eos_wfe_scripts/delete_archive_file
@@ -4,8 +4,7 @@ EINVAL=22
 ECANCELED=125
 
 export XrdSecPROTOCOL=sss
-export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE
-export XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab # This location is used for CI
+export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE AND CI
 
 export XRD_STREAMTIMEOUT=600     # increased from 60s
 export XRD_TIMEOUTRESOLUTION=600 # increased from 15s
diff --git a/eos_wfe_scripts/retrieve_archive_file b/eos_wfe_scripts/retrieve_archive_file
index df67149a87db6db7d685f6ad030dfd705ebabe97..5085be1cf72769e4bccafd05afa2af3d8066b768 100755
--- a/eos_wfe_scripts/retrieve_archive_file
+++ b/eos_wfe_scripts/retrieve_archive_file
@@ -4,8 +4,7 @@ EINVAL=22
 ECANCELED=125
 
 export XrdSecPROTOCOL=sss
-export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE
-export XrdSecSSSKT=/etc/ctafrontend_SSS_c.keytab # This location is used for CI
+export XrdSecSSSKT=/etc/cta/cta-cli.sss.keytab   # This location is used on EOSCTATAPE AND CI
 
 export XRD_STREAMTIMEOUT=600     # increased from 60s
 export XRD_TIMEOUTRESOLUTION=600 # increased from 15s