Data Engineering Administrator Guide

Step 1. Set Up the Kerberos Configuration File on the Domain Host

Set the properties required by Informatica in the Kerberos configuration file, and then copy the file to each node in the Informatica domain. The krb5.conf file is located in the <Informatica Installation Directory>/java/jre/lib/security directory.
  1. Back up krb5.conf before you make any changes.
  2. Open krb5.conf for editing.
  3. Configure the following Kerberos library properties in the libdefaults section of the file:

     default_realm
       Name of the Kerberos realm to which the Informatica domain services belong. The realm name must be in uppercase; Kerberos realm names are case-sensitive.
       If the domain uses a single Kerberos realm for authentication, the service realm name and the user realm name must be the same.

     forwardable
       Makes the tickets that clients obtain forwardable, so that a service can delegate the client user's credentials to another service. The Informatica domain requires this because its application services authenticate the client user's credentials with other services.
       Set to true. (With the MIT Kerberos tools, klist -f shows the F flag on a forwardable ticket.)

     default_tkt_enctypes
       Encryption types for the session key included in ticket-granting tickets (TGTs). Set this property only if session keys must use specific encryption types, and make sure that the Kerberos Key Distribution Center (KDC) supports every type you list. Leave it unset to let the Kerberos protocol select the encryption type.
       If the node hosts or Informatica client hosts use 256-bit encryption, install the Java Cryptography Extension (JCE) unlimited strength policy files on all node hosts and Informatica client hosts; without them, 256-bit keys fail at authentication time. (JRE 8u161 and later enable unlimited strength by default.)

     rdns
       Determines whether reverse DNS lookup is used in addition to forward lookup to canonicalize host names for use in service principal names.
       Set to false, so that service principal names are built from the host name you configured rather than from a PTR record that may be missing, stale, or spoofed.

     renew_lifetime
       The default renewable lifetime for initial ticket requests, for example 7d.

     ticket_lifetime
       The default lifetime for initial ticket requests, for example 24h.

     udp_preference_limit
       Message size above which Kerberos uses TCP instead of UDP when it sends a message to the KDC.
       Set to 1 to send all KDC traffic over TCP if the domain experiences intermittent Kerberos authentication failures; a common cause is large tickets being fragmented over UDP.

     dns_lookup_kdc
       Indicates whether the Kerberos client uses DNS SRV records to locate the KDCs and other servers of a realm that are not listed in the realms section. Required when the domain is Kerberos-enabled, and requires you to set the admin_server realm property.
       Set to true.

     dns_lookup_realm
       Indicates whether the Kerberos client uses DNS TXT records to determine the Kerberos realm of a host. Required when the domain is Kerberos-enabled.
       Set to true.
  4. In the realms section, set or add the properties required by Informatica:

     admin_server
       The host name or IP address of the Kerberos administration server. You can append an optional port number, separated from the host name by a colon. Default is 749.

     kdc
       The host name or IP address of a host running the Key Distribution Center (KDC) for the realm. You can append an optional port number, separated from the host name by a colon. Default is 88.

     When you use a Kerberos-enabled Cloudera CDP Public Cloud cluster, set both admin_server and kdc to the KDC server IP address. To find the KDC server IP address, run the following command on any cluster node and read the address it resolves to:
       ping kdc.<default realm name>

     The following example shows the parameters for the Hadoop realm if the Informatica domain does not use Kerberos authentication:
       [realms]
        HADOOP-REALM = {
         kdc = 123abcdl34.hadoop-realm.com
         admin_server = def456.hadoop-realm.com
        }

     The following example shows the parameters for both realms if the Informatica domain uses Kerberos authentication:
       [realms]
        INFA-AD-REALM = {
         kdc = 123abcd.infa-realm.com
         admin_server = 123abcd.infa-realm.com
        }
        HADOOP-REALM = {
         kdc = 123abcdl34.hadoop-realm.com
         admin_server = def456.hadoop-realm.com
        }
  5. In the domain_realm section, map DNS domain names and host names to Kerberos realm names. An entry whose name starts with a period (.) matches every host in that domain; add the bare domain name as a second entry so that the domain name itself is matched as well.

     The following example shows the domain_realm entries for the Hadoop cluster if the Informatica domain does not use Kerberos authentication:
       [domain_realm]
        .hadoop_realm.com = HADOOP-REALM
        hadoop_realm.com = HADOOP-REALM

     The following example shows the domain_realm entries if the Informatica domain uses Kerberos authentication:
       [domain_realm]
        .infa_ad_realm.com = INFA-AD-REALM
        infa_ad_realm.com = INFA-AD-REALM
        .hadoop_realm.com = HADOOP-REALM
        hadoop_realm.com = HADOOP-REALM
  6. Copy the krb5.conf file to the following locations on the machine that hosts the Data Integration Service:
     • <Informatica installation directory>/services/shared/security/
     • <Informatica installation directory>/java/jre/lib/security
The following example shows the content of a Kerberos configuration file with the required properties for a single Kerberos realm configuration:

  [libdefaults]
   default_realm = COMPANY.COM
   forwardable = true
   rdns = false
   renew_lifetime = 7d
   ticket_lifetime = 24h
   udp_preference_limit = 1
   dns_lookup_kdc = true
   dns_lookup_realm = true

  [realms]
   COMPANY.COM = {
    admin_server = KDC01.COMPANY.COM:749
    kdc = KDC01.COMPANY.COM:88
   }

  [domain_realm]
   .company.com = COMPANY.COM
   company.com = COMPANY.COM

The following example shows the content of a Kerberos configuration file with the required properties for a Kerberos cross realm configuration. Every realm block, including the last one, must be closed with its own brace:

  [libdefaults]
   default_realm = COMPANY.COM
   forwardable = true
   rdns = false
   renew_lifetime = 7d
   ticket_lifetime = 24h
   udp_preference_limit = 1
   dns_lookup_kdc = true
   dns_lookup_realm = true

  [realms]
   COMPANY.COM = {
    admin_server = KDC01.COMPANY.COM:749
    kdc = KDC01.COMPANY.COM:88
   }
   EAST.COMPANY.COM = {
    kdc = 10.75.141.193
    admin_server = 10.75.141.193
   }
   WEST.COMPANY.COM = {
    kdc = 10.78.140.111
    admin_server = 10.78.140.111
   }

  [domain_realm]
   .company.com = COMPANY.COM
   company.com = COMPANY.COM
   .east.company.com = EAST.COMPANY.COM
   east.company.com = EAST.COMPANY.COM
   .west.company.com = WEST.COMPANY.COM
   west.company.com = WEST.COMPANY.COM
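To check a krb5.conf against the requirements of steps 3 to 5 before copying it to the nodes, the following Python script parses the file and lists the mistakes that typically break domain authentication: a realm block left open (a closing brace missing in a cross-realm file), admin server written with a space instead of admin_server, a lowercase default_realm, a libdefaults value other than the one required above, and a domain_realm mapping to a realm that is not defined. It is an added example for this page, not part of the Informatica product; the sample files it embeds are constructed, and the single-realm one repeats the example above without the two lifetime entries.

```python
"""Preflight check for a krb5.conf written to the requirements above. Added example,
not an Informatica tool: parses MIT krb5.conf syntax (sections, key = value, nested
key = { ... } realm blocks) and flags the slips that usually break authentication."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")
# libdefaults values the procedure above requires (the lifetimes are site choices).
REQUIRED_LIBDEFAULTS = {"forwardable": "true", "rdns": "false", "udp_preference_limit": "1",
                        "dns_lookup_kdc": "true", "dns_lookup_realm": "true"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm blocks are nested dicts, a repeated key
    (several kdc lines) keeps its last value. Raises ValueError on bad syntax."""
    conf, section, stack = {}, None, []   # stack: (dict, name) of the open { blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if stack:   # a new section while a realm block is still open
                raise ValueError(f"line {lineno}: [{m.group(1)}] starts before "
                                 f"the {stack[-1][1]} block is closed")
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry outside any [section]")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        m = KV_RE.match(line)
        if not m:   # e.g. 'admin server = host' (space instead of underscore)
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1][0] if stack else section
        if value == "{":
            target[key] = {}
            stack.append((target[key], key))
        else:
            target[key] = value
    if stack:
        raise ValueError(f"the {stack[-1][1]} block is never closed")
    return conf

def check_krb5_conf(conf):
    """Return a list of problems; an empty list means the file passes."""
    problems, lib = [], conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if realm is None or realm != realm.upper():   # realm names are case-sensitive
        problems.append(f"libdefaults: default_realm {realm!r} must be set in uppercase")
    for key, want in REQUIRED_LIBDEFAULTS.items():
        got = lib.get(key)
        if got is None:
            problems.append(f"libdefaults: {key} is missing (expected {want})")
        elif str(got).lower() != want:
            problems.append(f"libdefaults: {key} = {got}, expected {want}")
    realms = conf.get("realms", {})
    if realm is not None and realm not in realms:
        problems.append(f"realms: no entry for default_realm {realm}")
    for name, block in realms.items():
        for key in ("kdc", "admin_server"):   # admin_server is required with dns_lookup_kdc
            if not isinstance(block, dict) or key not in block:
                problems.append(f"realms: {name} lacks {key}")
    for name, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            problems.append(f"domain_realm: {name} maps to undefined realm {target}")
    return problems

def audit(text):
    """Parse and check a krb5.conf; a syntax error is reported as the only problem."""
    try:
        return check_krb5_conf(parse_krb5_conf(text))
    except ValueError as exc:
        return [f"syntax: {exc}"]

# Constructed samples: the page's single-realm file (lifetimes omitted), one with the
# value mistakes listed above, and a realm block that is never closed.
GOOD_CONF = """[libdefaults]
 default_realm = COMPANY.COM
 forwardable = true
 rdns = false
 udp_preference_limit = 1
 dns_lookup_kdc = true
 dns_lookup_realm = true
[realms]
 COMPANY.COM = {
  admin_server = KDC01.COMPANY.COM:749
  kdc = KDC01.COMPANY.COM:88
 }
[domain_realm]
 .company.com = COMPANY.COM
"""
BAD_CONF = ("[libdefaults]\n default_realm = company.com\n forwardable = true\n rdns = true\n"
            " dns_lookup_kdc = true\n dns_lookup_realm = true\n[realms]\n COMPANY.COM = {\n"
            "  kdc = KDC01.COMPANY.COM:88\n }\n[domain_realm]\n .east.company.com = EAST.COMPANY.COM\n")
UNCLOSED_CONF = "[realms]\n WEST.COMPANY.COM = {\n  kdc = 10.78.140.111\n[domain_realm]\n"
```

Run it against the real file with audit(open(path).read()); an empty list means the file passes. The checker is deliberately stricter than the Kerberos library: a key the library does not recognize is simply never applied and its own default (for example rdns = true) takes over silently, which is how a typo turns into an authentication failure on one node instead of a visible error.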
For more information about the Kerberos configuration file, see the Kerberos network authentication documentation.
