Enabling Kerberos authentication in Watson Query

If you want to connect to a data source with Kerberos authentication, you must provide the Kerberos configuration file to Watson Query before you create the connection.

Watson Query supports Kerberos authentication for the following connectors:
  • Apache Hive
  • Cloudera Impala

Before you begin

Who needs to complete this task?
To complete this task, you must be an administrator of the project (namespace) where Cloud Pak for Data is installed.
Note: You can configure Kerberos authentication when you create connections to data sources in Platform connections or in Watson Query. You can skip the steps in this task if you already provided the configuration file to the platform connection. For more information, see Enabling platform connections to use Kerberos authentication.

Procedure

Complete the following tasks to configure Kerberos in Watson Query:

  1. Providing the Kerberos configuration file (krb5.conf) in Watson Query
  2. Optional: Verifying the Kerberos configuration and environment variables in Watson Query
  3. If you have instances of Watson Query running in tethered projects, you must copy the krb5-config-files ConfigMap to the tethered projects. For more information, see Copying secrets and configmaps to tethered projects in Watson Query.

Providing the Kerberos configuration file (krb5.conf) in Watson Query

  1. Retrieve the krb5.conf Kerberos configuration file from the node where the Key Distribution Center (KDC) is configured. The file is typically in the /etc directory.
  2. Copy the krb5.conf file to a workstation that can access the environment where the oc commands are run.
  3. Create a ConfigMap object named krb5-config-files in the same Cloud Pak for Data project where the Watson Query service is running. The ConfigMap contains the Kerberos configuration file (krb5.conf) information.
    oc create configmap krb5-config-files \
    --from-file=${KRB5_CONF_FILE} \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
    Where:
    • ${PROJECT_CPD_INST_OPERANDS} is the name of the Cloud Pak for Data project (namespace).
    • ${KRB5_CONF_FILE} is the path to the Kerberos configuration file that you copied from the node where the Key Distribution Center (KDC) is configured.
  4. Additional step for the Apache Hive connection when the following conditions apply:
    • You are running Cloud Pak for Data on a FIPS-enabled cluster.
    • Your Apache Hive Kerberos instance is not configured for AES 256 encryption.
    Add the following setting to the [libdefaults] section of the krb5.conf file in the ConfigMap (krb5-config-files). This setting allows the Kerberos client to use the weaker encryption types that such a Hive instance offers.
    allow_weak_crypto = true
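As an added example (not from the IBM documentation), the following POSIX shell helper checks a krb5.conf for a default_realm that has a kdc entry in [realms], and for the krb5.conf file name, before running the oc create configmap command from step 3. The function names, the check rules and the constructed sample file are this example's own; the oc wrapper is defined but not invoked.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: sanity-check a krb5.conf before
# it is loaded into the krb5-config-files ConfigMap that Watson Query mounts at
# /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf.
# Lines belonging to [SECTION] of a krb5.conf (stops at the next [header]).
krb5_section() { awk -v s="[$1]" '$1 == s {on=1; next} /^\[/ {on=0} on' "$2"; }

# default_realm from [libdefaults], whitespace stripped.
krb5_default_realm() {
  krb5_section libdefaults "$1" |
    awk -F= '{k=$1; gsub(/[ \t]/,"",k)} k=="default_realm" {gsub(/[ \t]/,"",$2); print $2}'
}

# kdc host declared for REALM inside the [realms] block.
krb5_realm_kdc() {
  krb5_section realms "$1" | awk -F= -v r="$2" '
    {k=$1; v=$2; gsub(/[ \t]/,"",k); gsub(/[ \t]/,"",v)}
    k==r && v=="{" {inr=1; next}
    inr && k=="}" {inr=0}
    inr && k=="kdc" {print v}'
}

# check_krb5_conf FILE: 0 when the file names a realm that has a KDC and is called
# krb5.conf (the --from-file basename becomes the ConfigMap key, hence the mount path).
check_krb5_conf() {
  f="$1"; rc=0; realm=$(krb5_default_realm "$f")
  [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; rc=1; }
  [ -n "$(krb5_realm_kdc "$f" "$realm")" ] || { echo "no kdc for realm '$realm' in [realms]"; rc=1; }
  [ "$(basename "$f")" = krb5.conf ] || { echo "file must be named krb5.conf"; rc=1; }
  # allow_weak_crypto = true is the FIPS / non-AES-256 Hive workaround from step 4 only
  grep -Eq '^[ \t]*allow_weak_crypto[ \t]*=[ \t]*true' "$f" && echo "note: weak enctypes allowed"
  return $rc
}
# The oc command from step 3, guarded by the check (needs oc and cluster access; not run here).
create_krb5_configmap() {
  check_krb5_conf "$1" && oc create configmap krb5-config-files --from-file="$1" --namespace="$2"
}

# Constructed sample, mirroring the krb5.conf shown in the verification step.
SAMPLE_CONF="$(mktemp -d)/krb5.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
default_realm = IBM.COM
[realms]
IBM.COM = {
    kdc = mykdcadminserver.ibm.com
}
EOF
check_krb5_conf "$SAMPLE_CONF" && echo "sample ok, realm $(krb5_default_realm "$SAMPLE_CONF")"
```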

Optional: Verifying the Kerberos configuration and environment variables in Watson Query

  1. Verify that the KRB5_CONF_FILE environment variable is set and points to the default configuration file location /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf in the c-db2u-dv-db2u-0 pod.
    oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
    su - db2inst1
    echo ${KRB5_CONF_FILE}

    The output matches the following example.

    /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf

  2. Verify that the configuration file content is mounted as a file under the default file location /mnt/blumeta0/configmap/external/krb5-config-files/.
    oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
    su - db2inst1
    ls -l ${KRB5_CONF_FILE}

    The output resembles the following example.

    lrwxrwxrwx. 1 root root 16 May  4 09:25 /mnt/blumeta0/configmap/external/krb5-config-files/krb5.conf -> ..data/krb5.conf

  3. Verify the content of the krb5.conf file that is mounted in the pod.
    oc exec -it c-db2u-dv-db2u-0 -n ${PROJECT_CPD_INST_OPERANDS} -c db2u -- bash
    su - db2inst1
    cat ${KRB5_CONF_FILE}

    The output resembles the following example:

    [libdefaults]
    forwardable = true
    default_realm = IBM.COM
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    
    [logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log
    
    [realms]
    IBM.COM = {
        admin_server = mykrbadminserver.ibm.com
        kdc = mykdcadminserver.ibm.com
    }
    
    Note: If the Kerberos configuration file (krb5.conf) is not mounted under /mnt/blumeta0/configmap/external/krb5-config-files, force the pod to restart so that Watson Query picks up the ConfigMap updates.