Setting up security for connections

If you use connections, such as platform connections, you should review the following information to determine whether there are any additional tasks that you must complete.

Configuration task: Configuring an external route to the Flight service
Additional information: The Flight service is a data connection service that enables assets, such as notebooks, to interact with various data sources without calling the REST APIs for the data sources. By default, the Flight service is only available to the IBM Cloud Pak for Data instance where the Flight service is running. However, a Red Hat OpenShift Container Platform project administrator can create an external route to the Flight service to enable other applications to interact with it.

Configuration task: Enabling platform connections to use Kerberos authentication
Additional information: If you want to connect to data sources that use Kerberos authentication, you must provide the Kerberos configuration file to the platform connections microservice. You must complete this task before you create a connection to data sources where Kerberos authentication is enabled.
The following connection types support Kerberos authentication:
  • Apache HDFS
  • Apache Hive
  • Apache Kafka
  • Cloudera Impala

Configuration task: Using a CA certificate to connect to internal servers from the platform
Additional information: If you want to enable the IBM Cloud Pak for Data platform to use your company's CA certificate to validate certificates from your internal servers, you must create a secret that contains the CA certificate. Additionally, if your internal servers use an SSL certificate that is signed using your company's CA certificate, you must create this secret to enable the platform to connect to the servers.

Configuration task: Requiring users to use secrets for credentials when creating connections
Additional information: When a user creates a connection, they can provide their credentials by entering them directly or by specifying a secret. A Red Hat OpenShift administrator can configure Cloud Pak for Data to enforce the exclusive use of secrets from an external vault (such as CyberArk or HashiCorp).
Important: Before you change this setting, ensure that the services that you plan to run can use connections that use credentials from a vault. For details, see Managing secrets and vaults.