Multicluster with Kerberos authentication
Enable user authentication over Kerberos to enhance communication security when using the multicluster feature with IBM® Spectrum Symphony Advanced Edition. Kerberos authentication for the multicluster feature is supported only on Linux x86_64 hosts.
Kerberos authentication enhances security between the multicluster primary cluster and the multicluster management console, between the multicluster primary cluster and the smcadmin command line, and for the RESTful API client.
To enable Kerberos authentication for multicluster, you must configure the GSS-Kerberos (sec_ego_sspikrb for Windows and sec_ego_gsskrb for Linux®) plug-in.
Important: To enable Kerberos authentication for the multicluster feature, the multicluster primary cluster and all IBM Spectrum Symphony clusters must share the same Key Distribution Center (KDC). With the multicluster management console or the CLI, when you manage application profiles and service packages on IBM Spectrum Symphony clusters, you can specify the username and password combination for each IBM Spectrum Symphony cluster with sufficient privileges to complete the action. You can also use multicluster logged-in credentials on the IBM Spectrum Symphony cluster. For the sec_ego_gsskrb and sec_ego_sspikrb Kerberos plug-ins with multicluster logged-in credentials, ensure that the administrator user is mapped to a Kerberos user, and that this mapped administrator user is the same user on the multicluster primary cluster and on all IBM Spectrum Symphony clusters.
Configuring Kerberos authentication involves the following high-level steps:
- Create the Kerberos principals in the KDC and deploy the key table file. You must create a service principal for the authentication server and a user principal for the authentication client.
- Define configuration in the ego.conf and sec_ego_gsskrb.conf files.
- Add Kerberos principals to the EGO namespace so that each principal is a multicluster user. Assign permissions for each user.
- Start the cluster.
For details of each step, follow the instructions in Kerberos user authentication in IBM Spectrum Symphony.
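The shared-KDC requirement above can be checked before you start the clusters by comparing the Kerberos client configuration collected from each one. The following is an added example, not IBM code: it assumes each cluster lists its KDCs statically in a standard MIT krb5.conf file (no DNS discovery or include directives), and the realms, host names and cluster names are constructed.

```python
import re

def parse_krb5(text):
    """Return (default_realm, {realm: set of kdc entries}) from krb5.conf text."""
    section = realm = default_realm = None
    kdcs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            kdcs.setdefault(realm, set())
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = val
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].add(val.lower())      # host names are case-insensitive
    return default_realm, kdcs

def kdc_mismatches(primary_conf, cluster_confs):
    """Names of clusters whose default realm or KDC list differs from the primary's."""
    p_realm, p_kdcs = parse_krb5(primary_conf)
    expected = (p_realm, p_kdcs.get(p_realm, set()))
    bad = []
    for name, text in cluster_confs.items():
        realm, kdcs = parse_krb5(text)
        if (realm, kdcs.get(realm, set())) != expected:
            bad.append(name)
    return sorted(bad)

# Constructed sample files (hypothetical hosts and realms, not from the product docs).
TEMPLATE = "[libdefaults]\n default_realm = {r}\n[realms]\n {r} = {{\n  kdc = {k}\n }}\n"
PRIMARY = TEMPLATE.format(r="EXAMPLE.TEST", k="kdc1.example.test:88")
CLUSTERS = {
    "clusterA": TEMPLATE.format(r="EXAMPLE.TEST", k="KDC1.example.test:88"),
    "clusterB": TEMPLATE.format(r="OTHER.TEST", k="kdc9.other.test:88"),
}

if __name__ == "__main__":
    print("clusters not sharing the primary's KDC:", kdc_mismatches(PRIMARY, CLUSTERS))
```

A cluster reported here would authenticate against a different realm or KDC than the multicluster primary cluster, so logged-in credentials from the primary would not be valid on it.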