Step 7. Configure Kerberos Authentication for the Domain

Run infasetup to change the authentication for the Informatica domain to Kerberos network authentication.
Verify that all repository objects are checked in before you configure the domain to use Kerberos authentication.
When you run the infasetup command to change the domain authentication, the command creates the following LDAP security domains:
  • Internal security domain. The internal security domain is an LDAP security domain with the name _infaInternalNamespace. The _infaInternalNamespace security domain contains the default administrator user account created when you configure Kerberos authentication. After you configure Kerberos authentication, you cannot add users to the _infaInternalNamespace security domain or delete the security domain.
  • User realm security domain. The user realm security domain is an empty LDAP security domain with the same name as the Kerberos user realm. After you configure Kerberos authentication, you can import users from the Kerberos principal database into the user realm security domain.
The infasetup command also creates an administrator user account. You specify the user name for the administrator user. After you configure Kerberos authentication, the _infaInternalNamespace security domain contains the administrator user account.
To configure the domain to use Kerberos authentication, run the following command:
infasetup switchToKerberosMode
  1. On a gateway node, run the infasetup command to change the authentication for the domain.
    At the command prompt, go to the directory where the Informatica command line programs are located. By default, the command line programs are installed in the following directory:
    <InformaticaInstallationDir>/isp/bin
  2. Run the infasetup command with the required options and arguments.
    Enter the command for your operating system:
    • Windows:
      infasetup switchToKerberosMode
    • UNIX:
      infasetup.sh switchToKerberosMode
    The switchToKerberosMode command takes the following options:

    Option: -administratorName (short form -ad)
    Argument: administrator_name
    Description: User name for the domain administrator account that is created when you configure Kerberos authentication. The user account must be in the Kerberos principal database. After you configure Kerberos authentication, this user is included in the _infaInternalNamespace security domain.

    Option: -ServiceRealmName (short form -srn)
    Argument: realm_name_of_node_spn
    Description: Name of the Kerberos realm to which the Informatica domain services belong. The realm name must be in uppercase and is case-sensitive. The service realm name and the user realm name must be the same.

    Option: -UserRealmName (short form -urn)
    Argument: realm_name_of_user_spn
    Description: Name of the Kerberos realm to which the Informatica domain users belong. The realm name must be in uppercase and is case-sensitive. The service realm name and the user realm name must be the same.

    Option: -SPNShareLevel (short form -spnSL)
    Argument: PROCESS | NODE
    Description: Service principal level for the domain. Set the property to one of the following levels:
      • Process. The domain requires a unique service principal name (SPN) and keytab file for each node and each service on a node. The number of SPNs and keytab files required for each node depends on the number of service processes that run on the node. Use the process level option if the domain requires a high level of security, such as a production domain.
      • Node. The domain uses one SPN and keytab file for the node and all services that run on the node. It also requires a separate SPN and keytab file for all HTTP processes on the node. Use the node level option if the domain does not require a high level of security, such as a test or development domain.
    Default is process.
The switchToKerberosMode command changes the authentication mode for the domain from native or LDAP user authentication to Kerberos network authentication.
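The following POSIX shell script is an added example and is not part of the Informatica documentation or the infasetup program. It applies the constraints stated above (realm names uppercase and case-sensitive, service realm equal to user realm, SPN share level PROCESS or NODE with PROCESS as the default) as pre-flight checks, then prints the UNIX form of the switchToKerberosMode command line for review instead of executing it. The variable INFA_BIN, the functions check_realms, check_share_level and build_command, the path /opt/informatica/isp/bin and the values infa_admin and EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Informatica's code): validate the switchToKerberosMode
# options before running infasetup on a gateway node. Nothing here executes
# infasetup; build_command only prints the assembled command line.

# Placeholder for <InformaticaInstallationDir>/isp/bin; override via the environment.
INFA_BIN="${INFA_BIN:-/opt/informatica/isp/bin}"

# Realm names must be uppercase (they are case-sensitive), and the service
# realm (-srn) must be the same as the user realm (-urn).
check_realms() {
    srn="$1"
    urn="$2"
    [ -n "$srn" ] && [ -n "$urn" ] || { echo "realm names must not be empty" >&2; return 1; }
    for realm in "$srn" "$urn"; do
        upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        if [ "$realm" != "$upper" ]; then
            echo "realm name must be uppercase: $realm" >&2
            return 1
        fi
    done
    if [ "$srn" != "$urn" ]; then
        echo "service realm ($srn) and user realm ($urn) must be the same" >&2
        return 1
    fi
    return 0
}

# -SPNShareLevel accepts PROCESS (one SPN and keytab per service process; the
# default, intended for production) or NODE (one SPN and keytab per node).
check_share_level() {
    case "$1" in
        PROCESS|NODE) return 0 ;;
        *) echo "SPNShareLevel must be PROCESS or NODE, got: $1" >&2; return 1 ;;
    esac
}

# Print the UNIX command (infasetup.sh); on Windows the program is infasetup
# with the same options. Returns non-zero if any check fails.
build_command() {
    admin="$1"
    srn="$2"
    urn="$3"
    level="${4:-PROCESS}"
    [ -n "$admin" ] || { echo "administrator name (-ad) is required" >&2; return 1; }
    check_realms "$srn" "$urn" || return 1
    check_share_level "$level" || return 1
    printf '%s/infasetup.sh switchToKerberosMode -ad %s -srn %s -urn %s -spnSL %s\n' \
        "$INFA_BIN" "$admin" "$srn" "$urn" "$level"
}

# Dry run with constructed values: prints the command for review, does not run it.
build_command infa_admin EXAMPLE.COM EXAMPLE.COM PROCESS
```

Run the script before the real cutover to catch a lowercase or mismatched realm, which would otherwise only surface after the domain has already been switched away from native or LDAP authentication; the printed line is what you would then type on the gateway node.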


Updated April 29, 2019