Configure your environment to begin enabling Kerberos authentication with DataStax
Enterprise.
Each node in your cluster requires DNS to be working properly, NTP to be enabled and
the system time set, and the Kerberos client libraries installed.
Procedure
- On each node, confirm DNS is working.
$ hostname
node1.example.com
- On each node, confirm NTP is configured and running.
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*li506-17.member 209.51.161.238   2 u  331 1024  377   80.289    1.384   1.842
-tock.eoni.com   216.228.192.69   2 u  410 1024  377   53.812    1.706  34.692
+time01.muskegon 64.113.32.5      2 u  402 1024  377   59.378   -1.635   1.840
-time-a.nist.gov .ACTS.           1 u  746 1024  151  132.832   26.931  55.018
+golem.canonical 131.188.3.220    2 u  994 1024  377  144.080   -1.732  20.072
- If you are using Oracle Java, make sure the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files are installed on each node.
By default, Kerberos uses the AES-256 cipher. Oracle Java does not include the
AES-256 cipher by default due to export restrictions to certain countries.
OpenJDK includes AES-256 because it is not export restricted.
For general instructions on installing the JCE Unlimited Strength Policy
Files for Oracle Java, see the DataStax Enterprise
documentation.
If you are using Debian/Ubuntu and are using the webupd8 PPA repository to manage
your Oracle Java 8 installations, install the Unlimited Strength Policy
Files:
$ sudo apt-get install oracle-java8-unlimited-jce-policy
- If you are using RedHat or CentOS, install the EPEL repository.
$ sudo yum install epel-release
- Install the Kerberos client packages on each node.
RedHat and CentOS
$ sudo yum install krb5-workstation krb5-libs krb5-pkinit-openssl
Debian and Ubuntu
$ sudo apt-get install krb5-user krb5-config krb5-pkinit
- Copy the krb5.conf file from the Kerberos server to each node.
The krb5.conf file contains configuration information
for your Kerberos domain.
From the Kerberos server or Kerberos Domain Controller (KDC):
$ scp /etc/krb5.conf node1.example.com:/etc/
Repeat these steps for each node in your cluster.
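
A preflight check for the DNS and NTP steps above, as an added example that is not part of the DataStax documentation: it verifies that the hostname is fully qualified, finds the peer `ntpq -p` has selected for synchronization, and compares its offset to a skew limit. The function names are hypothetical, and the 300-second default is an assumption based on the default clock skew tolerance in MIT Kerberos.

```shell
#!/bin/sh
# Added example: preflight checks for the DNS and NTP steps (function names are hypothetical).

# Constructed sample: two rows of the `ntpq -p` output shown in the procedure.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*li506-17.member 209.51.161.238   2 u  331 1024  377   80.289    1.384   1.842
-tock.eoni.com   216.228.192.69   2 u  410 1024  377   53.812    1.706  34.692'

# is_fqdn NAME: succeed only if NAME is dot-separated with no empty labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ntp_sync_offset_ms: read `ntpq -p` output on stdin and print the offset column
# (milliseconds) of the selected system peer, the row tagged '*'. Fails if no row is tagged.
ntp_sync_offset_ms() {
    awk '/^\*/ { print $9; found = 1; exit } END { exit !found }'
}

# offset_within_skew OFFSET_MS MAX_SECONDS: succeed if |offset| is below the limit.
offset_within_skew() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit !(o / 1000 < m) }'
}

# preflight HOSTNAME NTPQ_OUTPUT [MAX_SKEW_SECONDS]
# Assumption: the limit defaults to 300 s, the MIT Kerberos default clock skew tolerance.
preflight() {
    is_fqdn "$1" || { echo "FAIL: hostname '$1' is not fully qualified"; return 1; }
    off=$(printf '%s\n' "$2" | ntp_sync_offset_ms) ||
        { echo "FAIL: no NTP peer is selected for synchronization"; return 1; }
    offset_within_skew "$off" "${3:-300}" ||
        { echo "FAIL: clock offset ${off} ms exceeds the allowed skew"; return 1; }
    echo "OK: $1 is fully qualified, clock offset ${off} ms"
}

# Demo on the constructed sample; on a node: preflight "$(hostname)" "$(ntpq -p)"
preflight node1.example.com "$SAMPLE_NTPQ"
```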