Kerberos guidelines

An overview of Kerberos in DataStax Enterprise and recommendations.

This section provides information on configuring DataStax Enterprise as a Kerberos client. Kerberos is a computer network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner using tickets. For information on installing and setting up Kerberos, see the MIT Kerberos Consortium documentation.

Note: The Kerberos Tutorial provides step-by-step instructions on configuring DataStax Enterprise as a Kerberos client. It is intended for anyone interested in enabling Kerberos authentication in DataStax Enterprise and OpsCenter.

Kerberos guidelines 

The following are general guidelines for setting up Kerberos and configuring DataStax Enterprise as a Kerberos client:

CAUTION:
When using Kerberos security, be aware of the scope of Kerberos tickets. Switching users with the su or sudo command leaves your existing credentials behind; you must re-authenticate (kinit) as the new user. If you encounter authentication issues, first confirm (klist) that you hold a valid Kerberos ticket.
  • Ensure that you are familiar with Kerberos and have reviewed the MIT Kerberos Consortium documentation. At a minimum understand how to use these commands: kinit, klist, and kdestroy.
  • You must have authority to set cassandra.yaml and dse.yaml options.
  • Before implementing Kerberos on your DataStax Enterprise nodes, set up your Kerberos servers.
  • Set up several machines as authentication servers (Key Distribution Centers [KDCs]). One server is the primary (administration) KDC; the other servers are secondary.
  • You must either have the privileges to manage Kerberos principals and export keytab files yourself, or have access to KDC administrators who can do so for you.
  • Do not install the KDC servers on DataStax Enterprise nodes.
  • Set up firewalls on each KDC server.
  • Physically protect the KDC machines.
  • Secure the keytab files that are owned by the user running DataStax Enterprise. The files should be readable and writable only by the owner, without permissions for any other user (chmod 600).
  • If using Oracle Java 7, you must use at least 1.7.0_25. If using Oracle Java 8, you must use at least 1.8.0_40. In some cases, using JDK 1.8 causes minor performance degradation compared to JDK 1.7.
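The keytab guideline above (owner-only access, chmod 600) is easy to get wrong after a copy or a package upgrade, so it is worth checking before every node start. The following is an added example, not part of the DataStax documentation or the DSE tooling: a POSIX shell function that verifies a keytab is a regular file, is owned by the expected account (the user that runs DataStax Enterprise, assumed here to be passed in as an argument), and has mode 600. The keytab path and owner name are arguments you supply; it tries GNU stat first and falls back to the BSD/macOS stat syntax.

```shell
#!/bin/sh
# check_keytab_perms FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with mode 0600.
# Otherwise prints what is wrong (and the fix) to stderr and returns 1.
# This is an illustrative check, not a DataStax-provided script.
check_keytab_perms() {
    keytab="$1"
    expected_owner="$2"

    if [ ! -f "$keytab" ]; then
        echo "keytab not found or not a regular file: $keytab" >&2
        return 1
    fi

    # GNU coreutils stat (Linux) first; BSD/macOS stat as a fallback.
    if mode=$(stat -c '%a' "$keytab" 2>/dev/null); then
        owner=$(stat -c '%U' "$keytab")
    else
        mode=$(stat -f '%Lp' "$keytab")
        owner=$(stat -f '%Su' "$keytab")
    fi

    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "$keytab: owned by '$owner', expected '$expected_owner'" \
             "(fix: chown $expected_owner $keytab)" >&2
        status=1
    fi
    # %a / %Lp print the octal mode without a leading zero, so 0600 shows as 600.
    if [ "$mode" != "600" ]; then
        echo "$keytab: mode $mode, expected 600 (fix: chmod 600 $keytab)" >&2
        status=1
    fi
    return $status
}

# Usage: ./check_keytab.sh /path/to/dse.keytab cassandra
# (path and account name are placeholders; use your node's actual values)
if [ "$#" -eq 2 ]; then
    check_keytab_perms "$1" "$2"
fi
```

Run it as the service account (or as root with the account name) in a pre-start hook or a configuration-management check; a non-zero exit means the keytab is readable by others or belongs to the wrong user, both of which let another local account obtain tickets as the DSE service principal.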

Using Kerberos with DataStax Enterprise 

The following topics provide information on using Kerberos with various DataStax Enterprise features and other software: