Configure to use Kerberos when user login is not required

Complete these configuration steps to enable Process Manager to work with Kerberos when users are not required to log in to Process Manager with a password(JS_LOGIN_REQUIRED=false in js.conf).

Before you begin

Ensure you have met the requirements for using Process Manager with Kerberos. See Requirements to integrate with Kerberos for details.

About this task

When a user can log in to Process Manager without a password (JS_LOGIN_REQUIRED=false in js.conf on both the Process Manager client and Process Manager Server) Process Manager attempts to locate the user TGT on the client host in /tmp/krb5cc_user_UID, and if not found, in the environment variable KRB5CCNAME.

Once the user TGT is located, the Process Manager client forwards the user TGT to the Process Manager Server. The user TGT is forwarded with every client request along with the creation time of the user TGT file. The TGT is then copied to the Process Manager Server's work directory, where it is periodically renewed, and forwarded to LSF when jobs in the flow are submitted.

If no user TGT can be located, the client request still proceeds but messages are logged in the history file and in jfd.log.host_name.

Procedure

  1. Enable Kerberos authentication in LSF.

    Refer to Administering IBM Spectrum LSF for more details.

  2. Set the parameter LSB_KRB_TGT_FWD=Y in the LSF configuration file lsf.conf and reconfigure LSF to make the changes take effect.

    This setting identifies to Process Manager that Kerberos is enabled.

  3. Restart the Process Manager Server to make changes take effect.
    
    jadmin stop
    jadmin start