Preparing DSE Nodes for Kerberos
Use these instructions as guidelines for installing the Kerberos client libraries on DSE nodes, verifying Domain Name System (DNS) entries, and system time settings. Each node in your cluster requires DNS to be working properly, Network Time Protocol (NTP) to be enabled and the system time synchronized, and the Kerberos client libraries to be installed.
Do not upgrade DataStax Enterprise and set up Kerberos at the same time. See General upgrade restrictions.
Complete the following prerequisites:
All Key Distribution Scheme (KDS) requirements have been met. See Kerberos guidelines.
When using Oracle Java 8, DataStax recommends using the latest version, however, the minimum version is 1.8.0_151.
Each node has the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files enabled. Refer to Enabling JCE Unlimited. Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.
If you are not using the
JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket granting principal does not use AES-256.
- Verifying the node hostname and time settings
Ensure that the node hostname and IP address is resolvable by DNS and node time is set to a well-known NTP.
- Configuring Kerberos connection information for clients
Install Kerberos clients and configure the Kerberos connection details.
- Creating Kerberos Principals
Add service principals for each node in the DataStax Enterprise cluster.
- Creating a Kerberos Keytab file
Save the principal credentials in a keytab file to authenticate without entering a password each time.