Configure to use Kerberos when user login is required

Complete these configuration steps to enable Process Manager to work with Kerberos when users are required to log in to Process Manager with a password (JS_LOGIN_REQUIRED=true in js.conf).

Before you begin

Ensure you have met the requirements for using Process Manager with Kerberos. See Requirements to integrate with Kerberos for details.

About this task

When a user is required to log in to Process Manager with a password (JS_LOGIN_REQUIRED=true in js.conf), Process Manager uses the Pluggable Authentication Module (PAM) on the Process Manager server to generate a valid user TGT.

Whenever a user successfully logs in to Process Manager, Process Manager generates a valid user TGT in /tmp/krb5cc_user_UID. The TGT is then copied to the Process Manager server's work directory, where it is periodically renewed, and forwarded to LSF when jobs in the flow are submitted.

Should Process Manager fail to acquire or renew the user TGT, Process Manager logs history messages and messages in jfd.log.host_name.

Procedure

  1. Enable Kerberos authentication in LSF.

    Refer to Administering IBM Spectrum LSF for more details.

  2. Set the parameter LSB_KRB_TGT_FWD=Y in the LSF configuration file lsf.conf and reconfigure LSF to make the changes take effect.

    This setting identifies to Process Manager that Kerberos is enabled.

  3. On the Process Manager Server host, configure the PAM Kerberos module (pam_krb5.so) so that every time a user logs in to the host, a valid user TGT is generated.

    Refer to your Kerberos documentation for more details.

  4. Configure a service eauth_userpass file, then add the module pam_krb5.so. This enables Process Manager to authenticate with PAM.
    • On Red Hat Linux:
      1. Check that pam_krb5.so is listed in the file /etc/pam.d/password-auth. For example:
        #%PAM-1.0
        # This file is auto-generated.
        # User changes will be destroyed the next time authconfig is run.
        auth required pam_env.so
        auth sufficient pam_unix.so nullok try_first_pass
        auth requisite pam_succeed_if.so uid >= 500 quiet
        auth sufficient pam_krb5.so use_first_pass
        
        auth required pam_deny.so
        ...
      2. Create the /etc/pam.d/eauth_userpass file and include the following line in the file:
        auth include password-auth
    • On SUSE Linux, AIX, Solaris, and HP-UX operating systems, add an entry to the /etc/pam.conf file. For example:
      eauth_userpass auth required pam_krb5.so
  5. Restart the Process Manager Server to make changes take effect.
    
    jadmin stop
    jadmin start
    Note:

    If for some reason the system does not allow Process Manager to generate a user TGT, set JS_KRB_USE_KINIT=true in js.conf.
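
A check to run before restarting in step 5, covering the settings named in steps 2 to 4. This is an added example and not part of the IBM documentation. The function names and the file locations passed as arguments are assumptions, only the /etc/pam.d layout is handled (not /etc/pam.conf), and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Paths are arguments: site-specific locations.

# conf_is_set FILE KEY VALUE: true if an uncommented KEY=VALUE line exists.
conf_is_set() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?$3\"?[[:space:]]*(#.*)?\$" "$1"
}

# pam_auth_has_krb5 PAM_DIR SERVICE [DEPTH]: true if the service's auth stack
# reaches an active pam_krb5.so line, following include/substack references.
pam_auth_has_krb5() {
    [ "${3:-0}" -le 5 ] || return 1        # stop on include loops
    [ -r "$1/$2" ] || return 1
    awk '$1 ~ /^-?auth$/ && /pam_krb5\.so/ { hit = 1 } END { exit !hit }' "$1/$2" && return 0
    for inc in $(awk '$1 ~ /^-?auth$/ && $2 ~ /^(include|substack)$/ { print $3 }' "$1/$2"); do
        pam_auth_has_krb5 "$1" "$inc" $(( ${3:-0} + 1 )) && return 0
    done
    return 1
}

# check_pm_kerberos LSF_CONF JS_CONF PAM_DIR: prints each failed check and
# returns the number of failures (0 means every setting was found).
check_pm_kerberos() {
    fails=0
    conf_is_set "$1" LSB_KRB_TGT_FWD Y ||
        { echo "FAIL: LSB_KRB_TGT_FWD=Y not set in $1"; fails=$((fails + 1)); }
    conf_is_set "$2" JS_LOGIN_REQUIRED true ||
        { echo "FAIL: JS_LOGIN_REQUIRED=true not set in $2"; fails=$((fails + 1)); }
    pam_auth_has_krb5 "$3" eauth_userpass ||
        { echo "FAIL: eauth_userpass auth stack never reaches pam_krb5.so"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: all three settings found"
    return "$fails"
}

# Constructed sample files (not from a real host): password-auth has been
# regenerated without pam_krb5.so, so the include in eauth_userpass leads nowhere.
demo() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    echo 'LSB_KRB_TGT_FWD=Y' > "$d/lsf.conf"
    echo 'JS_LOGIN_REQUIRED=true' > "$d/js.conf"
    echo 'auth include password-auth' > "$d/pam.d/eauth_userpass"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_unix.so nullok try_first_pass' \
        'auth required pam_deny.so' > "$d/pam.d/password-auth"
    check_pm_kerberos "$d/lsf.conf" "$d/js.conf" "$d/pam.d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "demo: $? check(s) failed, as expected for the constructed files"
```

On a real host, call check_pm_kerberos with the actual lsf.conf and js.conf paths and /etc/pam.d as the third argument.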