Managing KDC definitions

If your datasource requires authentication using Kerberos, you can specify the information needed for Guardium to obtain a Kerberos ticket before making the connection.

About this task

You can assign a KDC to a specific datasource or managed unit group, to provide Guardium authentication for Mongo and Hive databases. The appliance gets a ticket via the JDBC connection, so the users do not need to get tickets themselves. Note that this is independent from what the appliance itself is set up to use.

You can define up to 5 Kerberos Key Distribution Centers (KDC) on a Central Manager, and one on a standalone Guardium. To add a Key Distribution Center to Guardium you specify:

  • realm: domain name in uppercase letters
  • KDC: hostname of the Kerberos server
  • encryption type for Kerberos tickets
    • des-cbc-md5
    • des-cbc-crc
    • rc4-hmac
    • des3-cbc-sha1
    • aes128-cts-hmac-sha1-96
    • aes256-cts-hmac-sha1-96
    The default is aes256-cts-hmac-sha1-96, which is the most secure of the listed encryption types.

Procedure

  1. Click Setup > Tools and Views > Kerberos configuration.
  2. Click the plus icon to create a new configuration.
  3. Specify Name, KDC, and Realm.
  4. Specify Encryption Type. The default is aes256-cts-hmac-sha1-96.
  5. Click Save.
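
A pre-entry check for planned KDC definitions, added here as an example and not part of Guardium or its documentation: it applies the limits and field rules given above (5 definitions on a Central Manager, 1 on a standalone system, uppercase realm, hostname for the KDC, encryption type from the list) and warns on the listed types that the Kerberos RFCs have deprecated (single DES by RFC 6649, RC4 and 3DES by RFC 8429). The dictionary keys, function names and sample values are assumptions made for this example.

```python
import re

# Encryption types the page lists as selectable for a KDC definition.
SUPPORTED = ("des-cbc-md5", "des-cbc-crc", "rc4-hmac", "des3-cbc-sha1",
             "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96")
# Deprecated for Kerberos: single DES by RFC 6649, RC4 and 3DES by RFC 8429.
DEPRECATED = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac", "des3-cbc-sha1"}
DEFAULT_ENCTYPE = "aes256-cts-hmac-sha1-96"
# Limits stated on the page; the key names are chosen for this example.
MAX_KDCS = {"central_manager": 5, "standalone": 1}
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_hostname(value):
    """True for a plain DNS hostname: no scheme, port, or whitespace."""
    return 0 < len(value) <= 253 and all(LABEL.fullmatch(p) for p in value.split("."))

def audit_kdc_definitions(definitions, system_type):
    """Return (severity, name, message) findings for a list of KDC definitions."""
    findings = []
    limit = MAX_KDCS[system_type]
    if len(definitions) > limit:
        findings.append(("error", "*", f"{len(definitions)} KDCs defined; {system_type} allows {limit}"))
    for d in definitions:
        name = d.get("name") or "<unnamed>"
        realm, kdc = d.get("realm", ""), d.get("kdc", "")
        # Assumption of this example: an unset type means the page's default.
        enctype = d.get("enctype") or DEFAULT_ENCTYPE
        if not is_hostname(realm) or realm != realm.upper():
            findings.append(("error", name, f"realm {realm!r} must be an uppercase domain name"))
        if not is_hostname(kdc):
            findings.append(("error", name, f"KDC {kdc!r} is not a plain hostname"))
        if enctype not in SUPPORTED:
            findings.append(("error", name, f"encryption type {enctype!r} is not one the page lists"))
        elif enctype in DEPRECATED:
            findings.append(("warning", name, f"{enctype} is deprecated; prefer {DEFAULT_ENCTYPE}"))
    return findings

# Constructed sample definitions (not taken from a real deployment).
SAMPLE = [
    {"name": "hive-prod", "realm": "EXAMPLE.COM", "kdc": "kdc1.example.com", "enctype": ""},
    {"name": "mongo-legacy", "realm": "example.com", "kdc": "kdc2.example.com:88", "enctype": "rc4-hmac"},
    {"name": "hive-lab", "realm": "LAB.EXAMPLE.COM", "kdc": "kdc3.example.com",
     "enctype": "aes256-cts-hmac-sha384-192"},
]

if __name__ == "__main__":
    for severity, name, message in audit_kdc_definitions(SAMPLE, "central_manager"):
        print(f"{severity:7} {name}: {message}")
```
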

What to do next

After you have created a Kerberos KDC, you can select it when configuring your datasource setup.