Installation and Configuration Guide

Create the Service Principal Names and Keytab Files

After you generate the list of SPN and keytab file names in Informatica format, send a request to the Kerberos administrator to add the SPNs to the Kerberos principal database and create the keytab files.
Use the following guidelines when you create the SPN and keytab files:
The user principal name (UPN) must be the same as the SPN.
When you create a user account for the service principal, you must set the UPN with the same name as the SPN. The application services in the Informatica domain can act as a service or a client depending on the operation. You must configure the service principal to be identifiable by the same UPN and SPN.
A user account must be associated with only one SPN. Do not set multiple SPNs for one user account.
Enable delegation in Microsoft Active Directory.
You must enable delegation for all user accounts with service principals used in the Informatica domain. In the Microsoft Active Directory Service, set the "Trust this user for delegation to any service (Kerberos only)" option for each user account for which you set an SPN.
Delegated authentication happens when a user is authenticated with one service and that service uses the credentials of the authenticated user to connect to another service. Because services in the Informatica domain need to connect to other services to complete an operation, the Informatica domain requires the delegation option to be enabled in Microsoft Active Directory.
For example, when a PowerCenter client connects to the PowerCenter Repository Service, the client user account is authenticated with the PowerCenter Repository Service principal. When the PowerCenter Repository Service connects to the PowerCenter Integration Service, the PowerCenter Repository Service principal can use the client user credential to authenticate with the PowerCenter Integration Service. There is no need for the client user account to also authenticate with the PowerCenter Integration Service.
Use the ktpass utility to create the service principal keytab files.
Microsoft Active Directory supplies the ktpass utility to create keytab files. Informatica supports Kerberos authentication only on Microsoft Active Directory and has certified only keytab files that are created with ktpass.
The keytab files for a node must be available on the machine that hosts the node. By default, the keytab files are stored in the following directory: <Informatica installation directory>/isp/config/keys. During installation, you can specify a directory on the node to store the keytab files.
When you receive the keytab files from the Kerberos administrator, copy the keytab files to a directory that is accessible to the machine where you plan to install the Informatica services. When you run the Informatica installer, specify the location of the keytab files. The Informatica installer copies the keytab files to the directory for keytab files on the Informatica node.
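
The account guidelines above (UPN same as the SPN, only one SPN per user account, delegation enabled) can be checked before you run the installer. The following PowerShell is an added example, not code from Informatica or from this guide. The function name Test-ServiceAccount, the account names and the SPN strings are constructed placeholders, and ignoring a trailing @REALM when comparing the UPN with the SPN is an assumption.

```powershell
# Added example: audit service accounts against the account guidelines above.
# Input objects need the properties that Get-ADUser returns when called with
# -Properties ServicePrincipalNames, TrustedForDelegation.
function Test-ServiceAccount {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        # Drop null/empty entries so a missing attribute counts as zero SPNs.
        $spns   = @($Account.ServicePrincipalNames | Where-Object { $_ })
        $issues = @()

        if ($spns.Count -ne 1) {
            # Guideline: a user account must be associated with only one SPN.
            $issues += "expected exactly 1 SPN, found $($spns.Count)"
        } else {
            # Guideline: the UPN must be the same as the SPN.
            # Assumption: compare case-insensitively, ignoring a trailing @REALM.
            $upn = $Account.UserPrincipalName -replace '@[^@/]*$', ''
            $spn = $spns[0] -replace '@[^@/]*$', ''
            if ($upn -ne $spn) { $issues += "UPN '$upn' differs from SPN '$spn'" }
        }

        # Guideline: "Trust this user for delegation to any service (Kerberos only)".
        if (-not $Account.TrustedForDelegation) {
            $issues += 'delegation is not enabled'
        }

        [pscustomobject]@{
            Account   = $Account.SamAccountName
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Constructed sample accounts (placeholders, not real Informatica SPN names).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-placeholder-01'; TrustedForDelegation = $true
        UserPrincipalName     = 'SERVICE/placeholder-node01@EXAMPLE.COM'
        ServicePrincipalNames = @('SERVICE/placeholder-node01') }
    [pscustomobject]@{ SamAccountName = 'svc-placeholder-02'; TrustedForDelegation = $false
        UserPrincipalName     = 'svc-placeholder-02@EXAMPLE.COM'
        ServicePrincipalNames = @('SERVICE/placeholder-node02', 'SERVICE/placeholder-node03') }
)
$sample | Test-ServiceAccount | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#     -Properties ServicePrincipalNames, TrustedForDelegation | Test-ServiceAccount
```

Because the delegation option required here lets the account act on behalf of any user to any service, keep the list of accounts this audit reports as delegation-enabled limited to the service principals used in the Informatica domain.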