Prepare DSE nodes for Kerberos
Use these instructions as guidelines for installing the Kerberos client libraries on DataStax Enterprise (DSE) nodes, verifying Domain Name System (DNS) entries, and verifying system time settings. Each node in your cluster requires DNS to be working properly, Network Time Protocol (NTP) to be enabled and the system time synchronized, and the Kerberos client libraries to be installed.

Don’t upgrade DSE and set up Kerberos at the same time.

Complete the following prerequisites:
- All Key Distribution Scheme (KDS) requirements have been met. See Kerberos guidelines.
- When using Oracle Java 11, DataStax recommends using the latest version.
- Each node has Java Cryptography Extension (JCE) Unlimited enabled.
  Starting in JDK 8u161, JCE Unlimited is enabled by default with support for AES-256.
  If you aren’t using JCE Unlimited, your ticket granting principal must not use AES-256.

Then, explore the DSE Kerberos documentation to continue setting up Kerberos authentication:
- Verifying the node hostname and time settings
  Ensure that the node hostname and IP address are resolvable by DNS and that the node time is synchronized with a well-known NTP server.
- Configuring Kerberos connection information for clients
  Install Kerberos clients and configure the Kerberos connection details.
- Creating Kerberos Principals
  Add service principals for each node in the DSE cluster.
- Creating a Kerberos Keytab file
  Save the principal credentials in a keytab file to authenticate without entering a password each time.
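
A preflight check for the hostname part of "Verifying the node hostname and time settings", as an added example that is not DataStax code. It assumes a node passes when its fully qualified name resolves to a non-loopback address and each such address resolves back to the same name; the function names are hypothetical.

```python
import socket

def _norm(name):
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.rstrip(".").lower()

def forward_lookup(name):
    """Addresses the system resolver returns for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def reverse_lookup(addr):
    """Primary reverse (PTR) name plus aliases for addr."""
    primary, aliases, _ = socket.gethostbyaddr(addr)
    return [primary, *aliases]

def check_node_dns(fqdn, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means the lookups agree."""
    want = _norm(fqdn)
    problems = []
    if "." not in want:
        problems.append(f"{fqdn!r} is a short name, not a fully qualified name")
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return problems + [f"forward lookup of {fqdn} failed: {exc}"]
    if not addrs:
        problems.append(f"forward lookup of {fqdn} returned no addresses")
    for addr in addrs:
        # A hosts-file entry that maps the node name to loopback hides DNS errors.
        if addr.startswith("127.") or addr == "::1":
            problems.append(f"{fqdn} resolves to loopback address {addr}")
            continue
        try:
            names = [_norm(n) for n in reverse(addr)]
        except OSError as exc:  # socket.herror is a subclass of OSError
            problems.append(f"no reverse record for {addr}: {exc}")
            continue
        if want not in names:
            problems.append(f"{addr} reverses to {names}, not {want}")
    return problems

if __name__ == "__main__":
    issues = check_node_dns(socket.getfqdn())
    print("\n".join(issues) or "forward and reverse lookups agree")
    raise SystemExit(1 if issues else 0)
```

Run it on each node before creating service principals; a non-zero exit status lists what to fix in DNS or the hosts file.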