Step 3. Set Up the Kerberos Configuration File

Kerberos stores configuration information in a file named krb5.conf. Informatica requires specific properties in the Kerberos configuration file to be set so that the Informatica domain can use Kerberos authentication correctly. You must set the properties in the krb5.conf configuration file and then copy the file to the Informatica directory.
The configuration file contains the information about the Kerberos server, including the Kerberos realm and the address of the KDC. You can request the Kerberos administrator to set the properties in the configuration file and send you a copy of the file.
  1. Back up the krb5.conf file before you make any changes.
  2. Edit the krb5.conf file.
  3. In the libdefaults section, set or add the properties required by Informatica.
    The following table lists the values to which you must set properties in the libdefaults section:

    | Parameter | Value |
    | --- | --- |
    | default_realm | Name of the service realm for the Informatica domain. |
    | forwardable | Allows a service to delegate client user credentials to another service. Set this parameter to True. The Informatica domain requires application services to authenticate the client user credentials with other services. |
    | default_tkt_enctypes | Encryption type for the session key in the ticket-granting ticket (TGT). Set this parameter to rc4-hmac. Informatica supports only the rc4-hmac encryption type. |
    | udp_preference_limit | Determines the protocol that Kerberos uses when it sends a message to the KDC. Set udp_preference_limit = 1 to always use TCP. The Informatica domain supports only the TCP protocol. If the udp_preference_limit is set to any other value, the Informatica domain can shut down unexpectedly. |

  4. In the realms section, include the port number in the address of the KDC, separated by a colon.
    For example, if the KDC address is kerberos.example.com and the port number is 88, set the kdc parameter to the following:
    kdc = kerberos.example.com:88
  5. Save the krb5.conf file.
  6. Copy the configuration file to the Informatica directory.
    You must copy the krb5.conf to the following directory:
    <INFA_HOME>/services/shared/security
    If the domain has multiple nodes, copy the krb5.conf to the same directory on all the nodes in the domain.
The following example shows the content of a krb5.conf with the required properties:

    [libdefaults]
    default_realm = AFNIKRB.AFNIDEV.COM
    forwardable = true
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1

    [realms]
    AFNIKRB.AFNIDEV.COM = {
      admin_server = SMPLKERDC01.AFNIKRB.AFNIDEV.COM
      kdc = SMPLKERDC01.AFNIKRB.AFNIDEV.COM:88
    }

    [domain_realm]
    afnikrb.afnidev.com = AFNIKRB.AFNIDEV.COM
    .afnikrb.afnidev.com = AFNIKRB.AFNIDEV.COM

For more information about the Kerberos configuration file, see the Kerberos network authentication documentation.
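
Because the same krb5.conf must be copied to every node, it helps to check each copy against the requirements in this step before the domain is restarted. The following checker is an added example, not Informatica code: the names parse_krb5 and check_krb5 and the EXAMPLE.COM sample are assumptions, and it expects each realm block to span several lines as in the example above.

```python
import re

# Required [libdefaults] values, from the table in this step.
REQUIRED = {"forwardable": "true", "default_tkt_enctypes": "rc4-hmac",
            "udp_preference_limit": "1"}
KDC_WITH_PORT = re.compile(r"(\[[0-9A-Fa-f:]+\]|[^:\s]+):\d{1,5}")
# Constructed sample: wrong udp_preference_limit and a kdc with no port.
SAMPLE = ("[libdefaults]\n default_realm = EXAMPLE.COM\n forwardable = true\n"
          " default_tkt_enctypes = rc4-hmac\n udp_preference_limit = 32\n"
          "[realms]\n EXAMPLE.COM = {\n  kdc = kerberos.example.com\n }\n")

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values]}}; 'NAME = {' nests a dict."""
    sections, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section, block = sections.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return sections

def check_krb5(text):
    """Return a list of problems; empty means every requirement is met."""
    conf, problems = parse_krb5(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [""])[0]
    if not realm:
        problems.append("default_realm is not set")
    for key, want in REQUIRED.items():
        got = lib.get(key, ["<missing>"])[0]
        if got.lower() != want:
            problems.append(f"{key} is {got}, expected {want}")
    entry = conf.get("realms", {}).get(realm)
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    if not kdcs:
        problems.append(f"no kdc entry for realm {realm or '<unset>'}")
    problems += [f"kdc {k} has no port number" for k in kdcs
                 if not KDC_WITH_PORT.fullmatch(k)]
    return problems

if __name__ == "__main__":
    print("\n".join(check_krb5(SAMPLE)) or "krb5.conf meets the requirements")
```

To check a real file, pass its contents to check_krb5, for example the copy under <INFA_HOME>/services/shared/security on each node.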


Updated April 29, 2019