Setting up your environment

Configure your environment to begin enabling Kerberos authentication with DataStax Enterprise.

Each node in your cluster requires DNS to be working properly, NTP to be enabled and the system time set, and the Kerberos client libraries installed.

Prerequisites

You must have installed the required software as described in Before you start this tutorial.

Procedure

  1. On each node, confirm DNS is working.
    $ hostname
    node1.example.com
  2. On each node, confirm NTP is configured and running.
    $ ntpq -p
          remote          refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *li506-17.member 209.51.161.238   2 u  331 1024  377   80.289    1.384   1.842
    -tock.eoni.com   216.228.192.69   2 u  410 1024  377   53.812    1.706  34.692
    +time01.muskegon 64.113.32.5      2 u  402 1024  377   59.378   -1.635   1.840
    -time-a.nist.gov .ACTS.           1 u  746 1024  151  132.832   26.931  55.018
    +golem.canonical 131.188.3.220    2 u  994 1024  377  144.080   -1.732  20.072
  3. If you are using Oracle Java, make sure the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are installed on each node.

    By default, Kerberos uses the AES-256 cipher. Oracle Java does not include the AES-256 cipher by default due to export restrictions to certain countries. OpenJDK includes AES-256 because it is not export restricted.

    For general instructions on installing the JCE Unlimited Strength Policy Files for Oracle Java, see the DataStax Enterprise documentation.

    If you are using Debian/Ubuntu and are using the webupd8 PPA repository to manage your Oracle Java 8 installations, install the Unlimited Strength Policy Files:

    $ sudo apt-get install oracle-java8-unlimited-jce-policy
  4. If you are using RedHat or CentOS, install the EPEL repository.
    $ sudo yum install epel-release
  5. Install the Kerberos client packages on each node.

    RedHat and CentOS

    $ sudo yum install krb5-workstation krb5-libs krb5-pkinit-openssl

    Debian and Ubuntu

    $ sudo apt-get install krb5-user krb5-config krb5-pkinit
  6. Copy the krb5.conf file from the Kerberos server to each node.

    The krb5.conf file contains configuration information for your Kerberos domain.

    From the Kerberos server or Kerberos Domain Controller (KDC):

    $ scp /etc/krb5.conf node1.example.com:/etc/

    Repeat these steps for each node in your cluster.
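
The checks in steps 1, 2, and 6 can be scripted so that every node is verified the same way. The following is an added example, not DataStax code. It assumes that "DNS is working" means `hostname` prints a fully qualified name, as in the sample output above, and that the relevant time limit is the 300-second default Kerberos clock-skew tolerance. The function names and the sample NTP peers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DataStax code): preflight checks for one node.

# Constructed sample in the column layout printed by `ntpq -p`.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 192.0.2.10       2 u  331 1024  377   80.289    1.384   1.842
+ntp2.example.com 192.0.2.11       2 u  402 1024  377   59.378   -1.635   1.840'

# Assumption: 300 s is the default Kerberos clock-skew tolerance (MIT krb5
# "clockskew"); ntpq reports offsets in milliseconds.
MAX_OFFSET_MS=300000

# is_fqdn NAME: succeed if NAME has at least two non-empty dot-separated labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ntp_synced MAX_MS: read `ntpq -p` output on stdin. Succeed only if a peer
# is selected for synchronization (tally code '*') and the absolute value
# of its offset column is at most MAX_MS.
ntp_synced() {
    awk -v max="$1" '
        /^[ \t]*\*/ { off = $(NF-1) + 0; if (off < 0) off = -off
                      found = 1; ok = (off <= max) }
        END { exit !(found && ok) }'
}

# check_node HOSTNAME NTPQ_TEXT KRB5_CONF: report each failed check and
# return the number of failures (0 means the node passed).
check_node() {
    fails=0
    is_fqdn "$1" || { echo "FAIL: hostname '$1' is not fully qualified"; fails=$((fails + 1)); }
    printf '%s\n' "$2" | ntp_synced "$MAX_OFFSET_MS" ||
        { echo "FAIL: no selected NTP peer within ${MAX_OFFSET_MS} ms"; fails=$((fails + 1)); }
    [ -r "$3" ] || { echo "FAIL: $3 is missing or unreadable"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1"
    return "$fails"
}

# On a live node: check_node "$(hostname)" "$(ntpq -p)" /etc/krb5.conf
```

A node that lists NTP peers but has none marked with `*` is reported as a failure, because it has not yet selected a time source.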