Preparing DSE Nodes for Kerberos

Use these instructions as guidelines for installing the Kerberos client libraries on DSE nodes, verifying Domain Name System (DNS) entries, and system time settings. Each node in your cluster requires DNS to be working properly, Network Time Protocol (NTP) to be enabled and the system time synchronized, and the Kerberos client libraries to be installed.

Do not upgrade DataStax Enterprise and set up Kerberos at the same time. See General upgrade restrictions.

Complete the following prerequisites:

  1. All Key Distribution Scheme (KDS) requirements have been met. See Kerberos guidelines.

  2. When using Oracle Java 11, DataStax recommends using the latest version.

  3. Each node has the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files enabled. Refer to Enabling JCE Unlimited. Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.

    If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.

Verifying the node hostname and time settings

Ensure that the node hostname and IP address is resolvable by DNS and node time is set to a well-known NTP.

Configuring Kerberos connection information for clients

Install Kerberos clients and configure the Kerberos connection details.

Creating Kerberos Principals

Add service principals for each node in the DataStax Enterprise cluster.

Creating a Kerberos Keytab file

Save the principal credentials in a keytab file to authenticate without entering a password each time.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,