Security Guide

Converting a Domain From Kerberos Single Realm Authentication to Kerberos Cross Realm Authentication

You can convert an Informatica domain that authenticates users against a single Kerberos realm so that it uses Kerberos cross realm authentication.
You must upgrade the domain to version 10.2 HotFix 2 before you convert the domain to use Kerberos cross realm authentication.
You must also import user and group accounts from the Active Directory global catalog into an LDAP security domain. When you import accounts, existing accounts in the LDAP security domain, which use the samAccount name attribute, are deleted and are replaced with new accounts that use the user principal name attribute.
Users log in to Informatica clients with the fully qualified user principal name, which is in the following format:
<user name>@<KERBEROS REALM NAME>
After you import the user and group accounts, assign privileges, roles, and permissions to the accounts.
  1. Upgrade the domain to version 10.2 HotFix 2.
  2. Add the required properties for each Kerberos realm to the Kerberos configuration file.
    Set the properties for each realm in the krb5.conf configuration file on each node in the domain. Restart the domain after you update the file on all of the nodes in the domain.
    For more information about configuring the krb5.conf configuration file for Kerberos cross realm authentication, see Configure the Kerberos Configuration File.
  3. Copy the updated krb5.conf file to the following directory on each computer that hosts an Informatica client:
    <Informatica installation directory>\clients\shared\security
  4. Run the infasetup UpdateGatewayNode and infasetup UpdateWorkerNode commands on the domain nodes.
    Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
    For more information about running the infasetup commands, see the "infasetup Command Reference" chapter in the Informatica 10.2 HotFix 2 Command Reference.
  5. Run the UpdateKerberosConfig command on a gateway node within the domain.
    Specify the name of each Kerberos realm that the domain uses to authenticate users as the values for the -srn and -urn options, separated by a comma.
  6. Run the UpdateKerberosAdminUser command on a gateway node within the domain.
    Specify the fully qualified user principal name for the domain administrator user account.
  7. Import user and group accounts into LDAP security domains.
    Connect to the Active Directory global catalog. When you connect to the global catalog, you import users from the Active Directory server used by each Kerberos realm.
    For more information about connecting to the global catalog and importing accounts, see Import User Accounts from Active Directory into LDAP Security Domains.
  8. Assign privileges, roles, and permissions to the user and group accounts you imported into an LDAP security domain.
    For more information about assigning privileges and roles, see Privileges and Roles.
    For more information about assigning permissions, see Permissions.
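
A pre-flight check for steps 2 through 6, added here as an example and not Informatica code: it confirms that every realm in the comma-separated list you plan to pass to -srn and -urn is defined in krb5.conf, and that the administrator's user principal name ends in one of those realms. The realm and host names are constructed, the function names are hypothetical, and requiring a kdc entry in each [realms] stanza is an assumption based on the standard krb5.conf layout.

```python
import re

# Constructed sample krb5.conf content; realm and host names are placeholders.
SAMPLE_KRB5 = """\
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }
    EMEA.EXAMPLE.COM = {
        admin_server = dc1.emea.example.com
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section of krb5.conf."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comment lines
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section == "realms" and line == "}":
            current = None
        elif section == "realms" and line.endswith("{"):
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif section == "realms" and current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def check_realm_list(realm_arg, krb5_text):
    """Map each realm in the comma-separated list to its problem, if it has one."""
    defined, problems = parse_realms(krb5_text), {}
    for realm in (r.strip() for r in realm_arg.split(",")):
        if realm not in defined:
            problems[realm] = "no [realms] stanza"
        elif not defined[realm].get("kdc"):
            problems[realm] = "stanza has no kdc entry"
    return problems

def upn_realm_ok(upn, realm_arg):
    """True if upn is <user name>@<REALM> and REALM is in the list (case-sensitive)."""
    user, sep, realm = upn.rpartition("@")
    return bool(user) and realm in [r.strip() for r in realm_arg.split(",")]

if __name__ == "__main__":
    print(check_realm_list("CORP.EXAMPLE.COM,EMEA.EXAMPLE.COM,APAC.EXAMPLE.COM", SAMPLE_KRB5))
```

Run the check against the krb5.conf on every node and client computer, since the procedure copies the file to each of them and a stale copy on one host causes failures only for users who authenticate through that host.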


Updated October 10, 2019

