Prerequisites (MIT Kerberos)
Before you can use Kerberos with IBM® Spectrum Symphony, your environment must meet certain prerequisites.
Operating system support
| Operating system | Host |
|---|---|
| Linux or Linux for POWER® | All supported versions of Linux or Linux for POWER 64-bit management, compute, and client hosts (see Linux support). |
| Windows | Windows Server 2012 R2 64-bit client hosts (see Windows support). |
Environment requirements
To use Kerberos with IBM Spectrum Symphony, you must install and configure Kerberos on all the hosts in your cluster. IBM Spectrum Symphony supports MIT Kerberos 5 release 1.10.4, 1.16, or 1.18. Note that release 1.18 is supported for Linux only, not for Linux for POWER. Additionally, if you use release 1.18 on a host in the cluster, then before using the Kerberos security plug-in, back up the original $EGO_LIBDIR/sec_ego_gsskrb.so binary file on that host, and then rename the 1.18 binary from $EGO_LIBDIR/sec_ego_gsskrb.so.1.18.3 to $EGO_LIBDIR/sec_ego_gsskrb.so on that host.
- The Kerberos Key Distribution Center (KDC) must be set up on a server to issue Kerberos tickets.
- The Kerberos client must be installed on all management (primary and primary-candidate) and compute hosts in your cluster.
- IBM Spectrum Symphony must be installed and entitled on all your Kerberos hosts.
- All Linux hosts in your cluster (management, compute, and client hosts) must be joined to a single MIT KDC. The KDC must be the MIT implementation of Kerberos 5 release 1.10.4, 1.16, or 1.18. With this setup, you can use a client principal (which is added to MIT Kerberos) on Linux hosts to authenticate to a Linux service (which holds the service principal).
- All Windows client hosts must be joined to a single Microsoft Active Directory (AD) domain. Ensure that the following steps are complete for your setup:
  - Join each Windows client host to one AD domain.
  - Establish trust between the AD domain and the MIT Kerberos domain.
  - Add the MIT KDC domain to each Windows client host. To do this, you can use the Ksetup command (for example, ksetup /addkdc $MIT_REALM_NAME $KDC_HOST_NAME). Note: When adding the cross-realm KRBTGT account principal to the KDC, ensure that the AD domain name is specified in upper case in the MIT Kerberos KDC.
  - Ensure that the clock settings on the Windows host, the AD server, and the MIT KDC are identical.
  With this setup, you can take the following steps on Windows client hosts:
  - Use an AD user to authenticate against a Linux service. To achieve this, ensure that the trust between AD and the KDC is set up so that the AD user's TGT is obtained from AD and then used to request a TGS for the service principal from the KDC.
  - Use a client principal (which is added to MIT Kerberos) to authenticate against a Linux service.
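As an added example (not IBM's own code), a POSIX shell helper that covers two of the prerequisites above: the release 1.18 plug-in rename in $EGO_LIBDIR, and creating the two cross-realm krbtgt principals on the MIT KDC with the AD domain name checked for upper case. The realm names, trust password and encryption type are assumptions, and by default the kadmin.local commands are printed rather than run.

```shell
#!/bin/sh
# Added helper (not part of IBM Spectrum Symphony) for two prerequisites above:
# the 1.18 plug-in rename and the cross-realm krbtgt principals on the MIT KDC.
# Realm names, EGO_LIBDIR and the trust password are placeholders (assumptions).

# True when the krb5-config version string names a 1.18 release,
# e.g. "Kerberos 5 release 1.18.3" as printed by `krb5-config --version`.
needs_gsskrb_rename() {
    case "$1" in
        *"release 1.18"*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Back up the shipped plug-in and put the 1.18 build in its place.
# $1 = $EGO_LIBDIR, $2 = krb5-config version string. No-op for other releases.
prepare_gsskrb_plugin() {
    libdir=$1
    if needs_gsskrb_rename "$2"; then
        [ -f "$libdir/sec_ego_gsskrb.so.1.18.3" ] || return 1
        cp -p "$libdir/sec_ego_gsskrb.so" "$libdir/sec_ego_gsskrb.so.orig" || return 1
        mv "$libdir/sec_ego_gsskrb.so.1.18.3" "$libdir/sec_ego_gsskrb.so"
    fi
}

# Realm names are case sensitive; the MIT KDC must see the AD name in upper case.
is_upper_realm() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# DRY_RUN=1 (default) prints the kadmin.local command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# Create both directions of the cross-realm trust on the MIT KDC.
# $1 = MIT realm, $2 = AD domain, $3 = trust password (the same one given to AD).
# The enctype is an assumption; it must match what the AD side of the trust uses.
# -pw puts the password on the command line, so run this on the KDC host only.
add_cross_realm_trust() {
    mit=$1; ad=$2; pw=$3
    is_upper_realm "$ad"  || { echo "AD domain must be upper case: $ad" >&2; return 1; }
    is_upper_realm "$mit" || { echo "MIT realm must be upper case: $mit" >&2; return 1; }
    run kadmin.local -q "addprinc -pw $pw -e aes256-cts-hmac-sha1-96:normal krbtgt/$ad@$mit"
    run kadmin.local -q "addprinc -pw $pw -e aes256-cts-hmac-sha1-96:normal krbtgt/$mit@$ad"
}
```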