Security Guide

Configure the Kerberos Configuration File

Set the properties required by Informatica in the Kerberos configuration file, and then copy the file to each node in the Informatica domain.
Kerberos stores configuration information in a file named krb5.conf. You must set the properties in the krb5.conf configuration file and then copy the file to every node in the Informatica domain.
If the domain uses Kerberos cross realm authentication, enter the required properties for each Kerberos realm.
  1. Configure the following Kerberos library properties in the libdefaults section of the file.
    The following table describes the properties to enter:
    Property    Description
    default_realm
        Name of the Kerberos realm to which the Informatica domain services belong. The realm name must be in uppercase.
        If the domain uses a single Kerberos realm for authentication, the service realm name and the user realm name must be the same.
    forwardable
        Allows a service to delegate client user credentials to another service. The Informatica domain requires application services to authenticate the client user credentials with other services.
        Set to true.
    default_tkt_enctypes
        Encryption types for the session key included in ticket-granting tickets (TGT). Set this property only if session keys must use specific encryption types. Ensure that the Kerberos Key Distribution Center (KDC) supports the encryption types that you specify.
        Leave this property unset to allow the Kerberos protocol to select the encryption type to use.
        If the node hosts or Informatica client hosts use 256-bit encryption, install the Java Cryptography Extension (JCE) unlimited strength policy files on all node hosts and Informatica client hosts to avoid authentication issues.
    rdns
        Determines whether reverse name lookup is used in addition to forward name lookup to canonicalize host names for use in service principal names.
        Set to false.
    renew_lifetime
        The default renewable lifetime for initial ticket requests.
    ticket_lifetime
        The default lifetime for initial ticket requests.
    udp_preference_limit
        Determines the protocol that Kerberos uses when it sends a message to the KDC.
        Set to 1 to use the TCP protocol if the domain experiences intermittent Kerberos authentication failures.
  2. Define each Kerberos realm in the realms section of the file.
    The following example shows the entry for a Kerberos realm named COMPANY.COM:
    [realms]
    COMPANY.COM = {...}
    
  3. Enter the following realm properties inside the brackets for each Kerberos realm in the realms section of the file.
    The following table describes the properties to enter:
    Property    Description
    admin_server
        The name or IP address of the Kerberos administration server host.
        You can include an optional port number, separated from the host name by a colon. Default is 749.
    kdc
        The name or IP address of a host running the Key Distribution Center (KDC) for the realm.
        You can include an optional port number, separated from the host name by a colon. Default is 88.
    The following example shows the entries for each Kerberos realm in a Kerberos cross realm configuration:
    [realms]
    COMPANY.COM = {
    admin_server = KDC01.COMPANY.COM:749
    kdc = KDC01.COMPANY.COM:88
    }
    EAST.COMPANY.COM = {
    kdc = 10.75.141.193
    admin_server = 10.75.141.193
    }
    WEST.COMPANY.COM = {
    kdc = 10.78.140.111
    admin_server = 10.78.140.111
    }
    
  4. Map the Windows domains to the Kerberos realms in the domain_realm section of the file. The Windows domain name must be all lowercase. The Kerberos realm name must be all uppercase.
    The following example maps the company.com Windows domain to the COMPANY.COM Kerberos realm in a single Kerberos realm configuration:
    [domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
    
    The following example maps multiple Windows domains to the corresponding Kerberos realms in a Kerberos cross realm configuration:
    [domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
    .east.company.com = EAST.COMPANY.COM
    east.company.com = EAST.COMPANY.COM
    .west.company.com = WEST.COMPANY.COM
    west.company.com = WEST.COMPANY.COM
  5. Copy the configuration file to the following directory on every node in the domain:
    <Informatica installation directory>\services\shared\security
The following example shows the content of a Kerberos configuration file with the required properties for a single Kerberos realm configuration:
[libdefaults]
default_realm = COMPANY.COM
forwardable = true
rdns = false
renew_lifetime = 7d
ticket_lifetime = 24h
udp_preference_limit = 1

[realms]
COMPANY.COM = {
admin_server = KDC01.COMPANY.COM:749
kdc = KDC01.COMPANY.COM:88
}

[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
The following example shows the content of a Kerberos configuration file with the required properties for a Kerberos cross realm configuration:
[libdefaults]
default_realm = COMPANY.COM
forwardable = true
rdns = false
renew_lifetime = 7d
ticket_lifetime = 24h
udp_preference_limit = 1

[realms]
COMPANY.COM = {
admin_server = KDC01.COMPANY.COM:749
kdc = KDC01.COMPANY.COM:88
}
EAST.COMPANY.COM = {
kdc = 10.75.141.193
admin_server = 10.75.141.193
}
WEST.COMPANY.COM = {
kdc = 10.78.140.111
admin_server = 10.78.140.111
}

[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
.east.company.com = EAST.COMPANY.COM
east.company.com = EAST.COMPANY.COM
.west.company.com = WEST.COMPANY.COM
west.company.com = WEST.COMPANY.COM
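As an added example that is not part of the Informatica guide, the following Python script parses a krb5.conf file and checks the requirements from the steps above before the file is copied to the nodes: an uppercase default_realm that is defined in the realms section, forwardable set to true, rdns set to false, a kdc entry and uppercase name for every realm, lowercase Windows domain names that map to a defined realm, and balanced braces in the realms section. The SAMPLE text is constructed for this example and deliberately contains three of those mistakes.

```python
# Constructed sample, not from the page: the cross realm layout above with the closing
# brace of EAST.COMPANY.COM omitted, default_realm in lowercase and one mixed-case domain.
SAMPLE = "\n".join([
    "[libdefaults]", "default_realm = company.com", "forwardable = true", "rdns = false",
    "[realms]", "COMPANY.COM = {", "kdc = KDC01.COMPANY.COM:88", "}",
    "EAST.COMPANY.COM = {", "kdc = 10.75.141.193",        # '}' deliberately missing here
    "[domain_realm]", ".company.com = COMPANY.COM", "East.company.com = EAST.COMPANY.COM",
])

def parse_krb5_conf(text):
    """Parse [section] blocks and REALM = { ... } sub-blocks; report unbalanced braces."""
    conf, findings, section, realm = {}, [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # ignore comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if realm:                                # e.g. the '}' missing before [domain_realm]
                findings.append(f"line {lineno}: {line} starts inside unclosed realm {realm}")
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            block = conf.setdefault(section, {})
            if value == "{":                          # start of a REALM = { ... } block
                realm, block[key] = key, {}
            else:
                (block[realm] if realm else block)[key] = value
    if realm:
        findings.append(f"realm {realm} is never closed with '}}'")
    return conf, findings

def check_krb5_conf(text):
    """Return the requirements from the steps above that the file violates (empty list = OK)."""
    conf, findings = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm", "")
    if default_realm != default_realm.upper() or default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm!r} must be uppercase and defined in [realms]")
    for key, want in (("forwardable", "true"), ("rdns", "false")):
        if lib.get(key, "").lower() != want:
            findings.append(f"libdefaults: {key} must be set to {want}")
    for name, props in realms.items():
        if name != name.upper() or not isinstance(props, dict) or "kdc" not in props:
            findings.append(f"realms: {name} must be uppercase and define a kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if domain != domain.lower() or realm not in realms:
            findings.append(f"domain_realm: {domain} must be lowercase and map to a defined realm")
    return findings
```

Running check_krb5_conf on the file you intend to copy to <Informatica installation directory>\services\shared\security returns an empty list when all of the checks pass.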
For more information about the Kerberos configuration file, see the Kerberos network authentication documentation.


Updated October 10, 2019