Setting up the environment for Kerberos

Each node in your cluster requires DNS to be working properly, NTP to be enabled and the system time synchronized, and the Kerberos client libraries installed.

Note: Do not upgrade DataStax Enterprise and set up Kerberos at the same time; see Security Recommendations.

Prerequisites

  • You have read and implemented the Kerberos guidelines.
  • The latest version of Oracle Java SE Runtime Environment 7 or 8, or OpenJDK 7, is recommended.
    Note: If using Oracle Java 7, you must use at least 1.7.0_25. If using Oracle Java 8, you must use at least 1.8.0_40. In some cases, using JDK 1.8 causes minor performance degradation compared to JDK 1.7.
  • If you are using Oracle Java, make sure the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are installed on each node.

Procedure

Perform the following steps on every node:

  1. On each node, confirm DNS is working:
    $ hostname
    node1.example.com
  2. On each node, confirm that NTP is configured and running:
    $ ntpq -p
    
    remote           refid            st t when poll reach   delay   offset  jitter
    ==============================================================================
    *li506-17.member 209.51.161.238   2  u 331 1024  377   80.289    1.384   1.842
    -tock.eoni.com   216.228.192.69   2  u 410 1024  377   53.812    1.706  34.692
    +time01.muskegon 64.113.32.5      2  u 402 1024  377   59.378   -1.635   1.840
    -time-a.nist.gov .ACTS.           1  u 746 1024  151  132.832   26.931  55.018
    +golem.canonical 131.188.3.220    2  u 994 1024  377  144.080   -1.732  20.072
  3. Install the Kerberos client software.
    • RHEL-based systems:
      $ sudo yum install krb5-workstation krb5-libs krb5-pkinit-openssl
    • Debian-based systems:
      $ sudo apt-get install krb5-user krb5-config krb5-pkinit
  4. If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.
  5. If your Kerberos server is MIT Kerberos for Linux, copy the krb5.conf from the Kerberos server to each DataStax Enterprise node. If you are using another Kerberos server solution, copy the REALM section into the krb5.conf on each DataStax Enterprise node.
    $ scp /etc/krb5.conf node1.example.com:/etc/
    The krb5.conf file contains configuration information for your Kerberos domain.
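The following pre-flight script is an added example, not part of the DataStax documentation or the DSE distribution; it turns the five steps above into checks that can be run on every node before adding service principals. Each check reads its input from an argument or from stdin, so the same functions run against live output (`hostname`, `ntpq -p`, `/etc/krb5.conf`) or against the constructed samples embedded below. The realm `EXAMPLE.COM` and host `kdc.example.com` in the sample krb5.conf are placeholders. In the `ntpq -p` output, the peer marked `*` in the first column is the one the clock is actually synchronized to (`+` marks a candidate, `-` a discarded outlier), and a `reach` value of `377` means all of the last eight polls were answered; a node without a `*` line is not synchronized, and the KDC rejects requests once clock skew exceeds its `clockskew` limit (5 minutes by default).

```shell
#!/bin/sh
# Pre-flight checks for the Kerberos client prerequisites (added example).
# Every check reads from an argument or stdin so it can be fed live output
# or the constructed samples below.

# Constructed sample: the ntpq -p output from step 2, trimmed to three peers.
SAMPLE_NTPQ='     remote           refid            st t when poll reach   delay   offset  jitter
==============================================================================
*li506-17.member 209.51.161.238   2  u 331 1024  377   80.289    1.384   1.842
-tock.eoni.com   216.228.192.69   2  u 410 1024  377   53.812    1.706  34.692
+time01.muskegon 64.113.32.5      2  u 402 1024  377   59.378   -1.635   1.840'

# Constructed sample krb5.conf; EXAMPLE.COM and kdc.example.com are placeholders.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }'

# Step 1: the service principal is built from the FQDN, so a bare short name
# or localhost means DNS (or the host name) is not set up correctly.
check_fqdn() {
    case "$1" in
        ""|.*|*.|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: require a system peer ('*' in column 1) whose reach (field 7) is 377,
# i.e. the clock is synchronized and the peer answered the last eight polls.
ntp_synced() {
    awk '/^\*/ && $7 == "377" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Step 3: the client packages (krb5-workstation / krb5-user) provide kinit.
kerberos_client_installed() {
    command -v kinit >/dev/null 2>&1
}

# Step 4: without the JCE unlimited-strength policy files the JVM cannot use
# AES-256 keys; flag a conf that asks for aes256 ticket or session enctypes.
krb5_requests_aes256() {
    grep -Eiq '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=.*aes256'
}

# Step 5: print default_realm from [libdefaults] ...
krb5_default_realm() {
    awk -F= '/^\[/ { sect = $1; gsub(/[ \t]/, "", sect) }
             sect == "[libdefaults]" && $1 ~ /default_realm/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# ... and confirm the copied REALM section actually defines it under [realms].
krb5_realm_defined() {
    awk -v realm="$1" '/^\[/ { sect = $1 }
                       sect == "[realms]" && $1 == realm && $2 == "=" { found = 1 }
                       END { if (found) exit 0; exit 1 }'
}

# Run the checks against the live node: sh preflight.sh --live
preflight_live() {
    check_fqdn "$(hostname)" || echo "FAIL: hostname is not fully qualified"
    ntpq -p 2>/dev/null | ntp_synced || echo "FAIL: no NTP system peer (*) with reach 377"
    kerberos_client_installed || echo "FAIL: kinit not found; install the Kerberos client packages"
    if krb5_requests_aes256 < /etc/krb5.conf; then
        echo "WARN: krb5.conf requests AES-256; JCE Unlimited Strength policy files are required"
    fi
    realm=$(krb5_default_realm < /etc/krb5.conf)
    krb5_realm_defined "$realm" < /etc/krb5.conf || echo "FAIL: realm '$realm' is missing from [realms]"
}
if [ "${1:-}" = "--live" ]; then preflight_live; fi
```

Run it with `--live` on each node and fix every FAIL before moving on; a WARN on AES-256 is acceptable only on nodes where the JCE policy files from the prerequisites are installed.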

What's next

Adding Kerberos service principals for each node in a cluster