Kerberos keytab file
The Netezza Performance Server system requires a Kerberos keytab file, krb5.keytab, that contains the keys that define the Netezza Performance Server system as a Kerberos client.
The Kerberos administrator adds the Netezza Performance Server host service principals to the Kerberos database. You must add the hostname of all control plane nodes as the service principal in the Kerberos database.
The Kerberos administrator can run these commands on the Kerberos server or any client in the Kerberos realm where the Netezza Performance Server system is a member. The Kerberos administrator might also run these commands from the Netezza Performance Server host after the Kerberos configuration file (krb5.conf) has been added to the Netezza Performance Server host.
KRB5_CONFIG variable set in the .bashrc file. The variable is added by the SET AUTHENTICATION KERBEROS command, but if you have not yet run that command, you might need to set the variable manually to point to the /nz/data/config/krb5.conf file.
The following sample commands show how to configure the service principals for all Cloud Pak for Data System control plane nodes.
Configuring service principals for Cloud Pak for Data System control plane nodes
Creating keytab files on a Linux Kerberos server
- Create principals on a Kerberos server:
    [root@krb4nps1 ~]# kadmin.local
    kadmin.local: add_principal netezza/ABC-node1.DNSdomainName
    kadmin.local: add_principal netezza/ABC-node2.DNSdomainName
    kadmin.local: add_principal netezza/ABC-node3.DNSdomainName
  Where ABC-node1.DNSdomainName, ABC-node2.DNSdomainName, and ABC-node3.DNSdomainName are the hostnames of all three Cloud Pak for Data System control plane nodes.
- Add the newly created principals to the Kerberos database:
    kadmin.local: ktadd -k /home/nz/krb5node1.keytab netezza/ABC-node1.DNSdomainName
    kadmin.local: ktadd -k /home/nz/krb5node2.keytab netezza/ABC-node2.DNSdomainName
    kadmin.local: ktadd -k /home/nz/krb5node3.keytab netezza/ABC-node3.DNSdomainName
The Kerberos keys are extracted to a file named krb5.keytab.
If the keytab file was created on another system, you must copy it to the Netezza Performance Server system.
Creating keytab files on a Windows Active Directory server
- As an administrator, open Active Directory Users and Computers.
- Go to
- Create principals for all three control plane nodes by adding new users.
- Enter passwords for each principal.

- As an administrator, generate a keytab file for each principal by using the ktpass tool.
    ktpass -princ netezza/<node_FQDN@WindowsAd_domain> -mapuser <UserAccount> -pass <principal_password> -out krb5node1.keytab
  Note: Each Windows Active Directory domain acts as a Kerberos realm and is case-sensitive.
  - For node1:
      ktpass -princ netezza/npshost-node1.abc.com@CPSDEVELOPMENT.FYRE.IBM.COM -mapuser CPSDEVELOPMENT\npshost-node1 -pass npshost-node1pass -out krb5node1.keytab
  - For node2:
      ktpass -princ netezza/npshost-node2.abc.com@CPSDEVELOPMENT.FYRE.IBM.COM -mapuser CPSDEVELOPMENT\npshost-node2 -pass npshost-node2pass -out krb5node2.keytab
  - For node3:
      ktpass -princ netezza/npshost-node3.abc.com@CPSDEVELOPMENT.FYRE.IBM.COM -mapuser CPSDEVELOPMENT\npshost-node3 -pass npshost-node3pass -out krb5node3.keytab
The Kerberos keys are extracted to a file named krb5.keytab.
If the keytab file was created on another system, you must copy it to the Netezza Performance Server system.
Copying the krb5.keytab file to Netezza
- Copy the three keytab files from step 2 of the Configuring service principals for Cloud Pak for Data System control plane nodes section to npshost.
- On npshost, merge the three keytab files:
    [nz@ABC-npshost krbSetup]$ ktutil
    ktutil: read_kt krb5node1.keytab
    ktutil: read_kt krb5node2.keytab
    ktutil: read_kt krb5node3.keytab
    ktutil: write_kt krb5.keytab
- Copy krb5.keytab to /nz/data/config:
    cp krb5.keytab /nz/data/config/