Step 1. Set Up the Kerberos Configuration File on the Domain Host

In krb5.conf on the machine on which the Data Integration Service runs, set the configuration properties for the Kerberos realm that the Hadoop cluster uses. krb5.conf is located in the <Informatica Installation Directory>/java/jre/lib/security directory.
  1. Back up krb5.conf before you make any changes.
  2. Open krb5.conf for editing.
  3. In the libdefaults section, set the following properties:
    • default_realm. Name of the service realm for the Informatica domain. The value is the same whether or not the domain uses Kerberos authentication.
    • udp_preference_limit. Determines the protocol that Kerberos uses when it sends a message to the KDC. Set to 1 to use the TCP protocol.
    The following example shows the value if the Informatica domain does not use Kerberos authentication:
        [libdefaults]
            default_realm = hadoop-realm.example.com
            udp_preference_limit=1
    The following example shows the value if the Informatica domain uses Kerberos authentication:
        [libdefaults]
            default_realm = INFA-AD-REALM.example.com
            udp_preference_limit=1
  4. In the realms section, set or add the properties required by Informatica.
    The following table lists the values to which you must set properties in the realms section:
        Parameter       Value
        kdc             Name of the host running a KDC server for that realm.
        admin_server    Name of the Kerberos administration server.
    The following example shows the parameters for the Hadoop realm if the Informatica domain does not use Kerberos authentication:
        [realms]
            HADOOP-REALM = {
                kdc = 123abcdl34.hadoop-realm.com
                admin_server = def456.hadoop-realm.com
            }
    The following example shows the parameters for the Hadoop realm if the Informatica domain uses Kerberos authentication:
        [realms]
            INFA-AD-REALM = {
                kdc = 123abcd.infa-realm.com
                admin_server = 123abcd.infa-realm.com
            }
            HADOOP-REALM = {
                kdc = 123abcdl34.hadoop-realm.com
                admin_server = def456.hadoop-realm.com
            }
  5. In the domain_realm section, map the domain name or host name to a Kerberos realm name. The domain name is prefixed by a period (.).
    The following example shows the parameters for the Hadoop domain_realm if the Informatica domain does not use Kerberos authentication:
        [domain_realm]
            .hadoop_realm.com = HADOOP-REALM
            hadoop_realm.com = HADOOP-REALM
    The following example shows the parameters for the Hadoop domain_realm if the Informatica domain uses Kerberos authentication:
        [domain_realm]
            .infa_ad_realm.com = INFA-AD-REALM
            infa_ad_realm.com = INFA-AD-REALM
            .hadoop_realm.com = HADOOP-REALM
            hadoop_realm.com = HADOOP-REALM
  6. Copy the krb5.conf file to the following locations on the machine that hosts the Data Integration Service:
    • <Informatica installation directory>/services/shared/security/
    • <Informatica installation directory>/java/jre/lib/security
The following example shows the content of krb5.conf with the required properties for an Informatica domain that does not use Kerberos authentication:
    [libdefaults]
        default_realm = HADOOP-REALM
        udp_preference_limit=1
    [realms]
        HADOOP-REALM = {
            kdc = l23abcd134.hadoop-realm.com
            admin_server = 123abcd124.hadoop-realm.com
        }
    [domain_realm]
        .hadoop_realm.com = HADOOP-REALM
        hadoop_realm.com = HADOOP-REALM
The following example shows the content of krb5.conf with the required properties for an Informatica domain that uses Kerberos authentication:
    [libdefaults]
        default_realm = INFA-AD-REALM
        udp_preference_limit=1
    [realms]
        INFA-AD-REALM = {
            kdc = abc123.infa-ad-realm.com
            admin_server = abc123.infa-ad-realm.com
        }
        HADOOP-REALM = {
            kdc = def456.hadoop-realm.com
            admin_server = def456.hadoop-realm.com
        }
    [domain_realm]
        .infa_ad_realm.com = INFA-AD-REALM
        infa_ad_realm.com = INFA-AD-REALM
        .hadoop_realm.com = HADOOP-REALM
        hadoop_realm.com = HADOOP-REALM
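The following added example, which is not part of the Informatica documentation, is one way to check an edited krb5.conf against the properties this step requires before copying it in step 6. The function names, the sample host names and the one-setting-per-line layout are assumptions of the example; the constructed sample misspells admin_server in the Hadoop realm.

```python
import re

# Constructed sample (hypothetical hosts) with a misspelled "admin server" key.
SAMPLE = """
[libdefaults]
default_realm = HADOOP-REALM
udp_preference_limit = 1
[realms]
HADOOP-REALM = {
kdc = kdc01.hadoop-realm.example.com
admin server = kadmin01.hadoop-realm.example.com
}
[domain_realm]
.hadoop_realm.com = HADOOP-REALM
"""

def parse_krb5(text):
    """Parse [sections], key = value pairs and one level of { } sub-blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_krb5(text):
    """Return a list of problems against the properties this step requires."""
    conf, problems = parse_krb5(text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    if lib.get("udp_preference_limit") != "1":
        problems.append("udp_preference_limit is not 1")
    if lib.get("default_realm") not in realms:
        problems.append("default_realm has no entry in [realms]")
    for name, props in realms.items():
        problems += [f"{name}: missing {key}"
                     for key in ("kdc", "admin_server") if key not in props]
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"{host} maps to undefined realm {realm}")
    return problems
```

Call check_krb5() on the text of the edited file; an empty list means the libdefaults, realms and domain_realm entries described in steps 3 to 5 are present and consistent with each other.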
