IBM Streams 4.2.1

Introduction to Kerberos

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). The Kerberos protocol uses secret-key cryptography to provide secure communications over a non-secure network. Primary benefits are strong encryption and single sign-on (SSO).

SSO allows users to access systems and services with one user ID and password. With Kerberos SSO, users are only prompted once for their user ID and password.

Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.

The KDC has three main components:
  • An authentication server that performs the initial authentication and issues ticket-granting tickets for users.
  • A ticket-granting server that issues service tickets that are based on the initial ticket-granting tickets.
  • A principals database of secret keys for all the users and services that it maintains.

Kerberos uses cryptographic tickets to avoid transmitting plaintext passwords. User principals obtain ticket-granting tickets from the Kerberos KDC and present those tickets as their network credentials to gain access to IBM® Streams services and interfaces.

Each service principal shares a secret key with the KDC. This secret key is known only to the KDC and the service principal on each IBM Streams resource. The service principal for IBM Streams is the authentication and authorization service. The authentication and authorization service on each resource must be registered with the KDC. The Kerberos administrator generates a keytab file that the authentication and authorization service uses to authenticate to the KDC.
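The roles described above (authentication server, ticket-granting server, principals database, and a service holding its keytab key), as an added toy model in Python that is not IBM Streams code: the realm, principal names, password, and the demo cipher are all assumed. It shows that the user's password is used only on the client, and that the service validates a ticket with nothing but the key it shares with the KDC.

```python
# Toy model of the ticket flow described above: a constructed example, not IBM Streams code.
# seal/unseal are a demo-only HMAC + keystream construction standing in for Kerberos encryption.
import hashlib, hmac, json, os

TGS = "krbtgt/EXAMPLE.COM"        # assumed realm; principal of the ticket-granting server
def _stream(key, nonce, n):       # keystream for the demo cipher
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC a ticket or KDC reply under one principal's secret key."""
    plain, nonce = json.dumps(data).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))

class KDC:
    """Principals database plus the authentication server (AS) and ticket-granting server (TGS)."""
    def __init__(self):
        self.db = {TGS: os.urandom(32)}                 # principal -> long-term secret key
    def authenticate(self, user):                       # AS exchange: TGT plus a reply only the user can open
        session = os.urandom(32).hex()
        tgt = seal(self.db[TGS], {"client": user, "key": session})
        return tgt, seal(self.db[user], {"key": session})
    def grant(self, tgt, authenticator, service):       # TGS exchange: service ticket issued from the TGT
        t = unseal(self.db[TGS], tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_key})  # under the service's key
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key})

def service_accept(keytab_key, ticket, authenticator):
    """The service checks the client with its keytab key alone; no call back to the KDC."""
    t = unseal(keytab_key, ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise PermissionError("authenticator does not match service ticket")
    return t["client"]

def sso_flow(typed, enrolled="correct horse", user="alice@EXAMPLE.COM", service="streams/host1@EXAMPLE.COM"):
    kdc, keytab = KDC(), os.urandom(32)                         # assumed names; returns the accepted client
    kdc.db[user] = hashlib.sha256(enrolled.encode()).digest()   # stand-in for Kerberos string2key
    kdc.db[service] = keytab                                    # same key is written to the service keytab
    tgt, rep = kdc.authenticate(user)                           # the password is used only at the client
    session = bytes.fromhex(unseal(hashlib.sha256(typed.encode()).digest(), rep)["key"])
    ticket, rep2 = kdc.grant(tgt, seal(session, {"client": user}), service)
    svc_key = bytes.fromhex(unseal(session, rep2)["key"])
    return service_accept(keytab, ticket, seal(svc_key, {"client": user}))
```

A wrong password never reaches the network: the client simply cannot open the AS reply, so no ticket-granting ticket can be used and the flow raises PermissionError.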