Preparing DSE nodes for Kerberos
Example instructions to install the Kerberos client libraries on DSE nodes, verify the DNS entry and system time settings, and set up a service principal.
Use these instructions as guidelines for installing the Kerberos client libraries on DSE nodes, verifying the DNS entry for each node, and checking system time settings. Each node in your cluster requires working DNS, NTP enabled with the system time synchronized, and the Kerberos client libraries installed. Kerberos depends on all three: the KDC issues tickets for the principal name that DNS resolves to, and tickets carry timestamps that the KDC rejects when clocks drift beyond the allowed skew.
Note: Do not upgrade DataStax Enterprise and set up Kerberos at the same time; see General restrictions and limitations during the upgrade process.
Prerequisites
Complete the following prerequisites:
- Each node has a DNS entry that resolves the hostname to the correct IP address
- Each node uses NTP for the system time
- All KDC requirements have been met; see Kerberos guidelines.
- If using Oracle Java 8, DataStax recommends the latest version; the minimum version is 1.8.0_151.
- Each node has the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files enabled. Refer to Enabling JCE Unlimited.
  Note: If you are not using the JCE Unlimited Strength Jurisdiction Policy, make sure that your ticket-granting principal does not use AES-256, because the default policy caps key length and the JVM will not be able to decrypt the ticket. Starting in JDK 8u161, JCE Unlimited is enabled by default. Refer to the Release Notes for JDK 8u161.
Procedure
1. On each node, verify that DNS resolves the node's hostname to its IP address and that NTP is enabled and the system time is synchronized.

2. On each node, install the Kerberos client packages:
   - RHEL-based systems:
     sudo yum install krb5-workstation krb5-libs krb5-pkinit-openssl
   - Debian-based systems:
     sudo apt-get install krb5-user krb5-config krb5-pkinit

3. Create the krb5.conf file for your REALM in the /etc directory on each DataStax Enterprise node. The krb5.conf file contains the realm configuration required by Kerberos; see the MIT Kerberos krb5.conf documentation. DataStax recommends not using DNS lookup for KDC and REALM entries, because relying on DNS can negatively affect performance and functionality. Verify that the libdefaults section contains the following entries:
   [libdefaults]
       dns_lookup_kdc = false
       dns_lookup_realm = false

4. On the Key Distribution Center (KDC) server, create a service principal and keytab for each node:
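The following script is an added example, not part of the DataStax documentation: it automates the node-side checks of steps 1 and 3 (forward and reverse DNS, NTP synchronization, and the libdefaults settings in krb5.conf) and shows the MIT Kerberos kadmin.local commands that implement step 4. It assumes MIT Kerberos client tools, systemd's timedatectl, and a service principal of the form dse/<fqdn>@<REALM>; that principal naming is an assumption here, so use whatever name your DSE configuration expects. The krb5.conf check also accepts the other spellings of false that MIT Kerberos allows (no, 0), which goes slightly beyond the literal setting shown above.

```shell
#!/usr/bin/env bash
# Added example (not DataStax code): Kerberos pre-flight checks for a DSE node.
# Assumptions: MIT Kerberos tools (getent, kadmin.local), systemd timedatectl,
# and the hypothetical principal form dse/<fqdn>@<REALM>.

# check_dns FQDN: forward-resolve FQDN, then require the PTR record of the
# resulting address to point back at the same name.
check_dns() {
  local fqdn="$1" ip rev
  ip=$(getent ahostsv4 "$fqdn" | awk 'NR==1{print $1}')
  [ -n "$ip" ] || { echo "DNS: $fqdn does not resolve" >&2; return 1; }
  rev=$(getent hosts "$ip" | awk '{print $2}')
  [ "$rev" = "$fqdn" ] || { echo "DNS: $ip reverse-resolves to '${rev:-nothing}', not $fqdn" >&2; return 1; }
}

# check_ntp: systemd reports NTPSynchronized=yes once the clock is disciplined.
check_ntp() {
  local synced
  synced=$(timedatectl show -p NTPSynchronized --value 2>/dev/null)
  [ "$synced" = "yes" ] || { echo "NTP: clock not synchronized (NTPSynchronized=${synced:-unknown})" >&2; return 1; }
}

# is_false VALUE: MIT krb5 boolean spellings for false (case-insensitive).
is_false() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    false|no|0) return 0 ;;
    *) return 1 ;;
  esac
}

# check_krb5_conf FILE: succeed only if the [libdefaults] section sets both
# dns_lookup_kdc and dns_lookup_realm to false. Keys in other sections do not
# count, and comments (#) are ignored.
check_krb5_conf() {
  local f="$1" section="" line key val kdc="" realm=""
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                          # drop comments
    line="${line#"${line%%[![:space:]]*}"}"     # left-trim
    line="${line%"${line##*[![:space:]]}"}"     # right-trim
    [ -z "$line" ] && continue
    case "$line" in
      \[*\]) section="${line#\[}"; section="${section%\]}"; continue ;;
    esac
    [ "$section" = "libdefaults" ] || continue
    case "$line" in *=*) ;; *) continue ;; esac
    key="${line%%=*}"; key="${key%"${key##*[![:space:]]}"}"
    val="${line#*=}";  val="${val#"${val%%[![:space:]]*}"}"
    case "$key" in
      dns_lookup_kdc)   kdc="$val" ;;
      dns_lookup_realm) realm="$val" ;;
    esac
  done < "$f"
  if is_false "$kdc" && is_false "$realm"; then
    return 0
  fi
  echo "krb5.conf: dns_lookup_kdc='${kdc:-unset}' dns_lookup_realm='${realm:-unset}' (both must be false)" >&2
  return 1
}

# create_node_principal FQDN REALM KEYTAB: run on the KDC. Adds a random-key
# service principal for the node and exports it to KEYTAB, which is then copied
# to the node. The dse/ service name is an assumption in this example.
create_node_principal() {
  local fqdn="$1" realm="$2" keytab="$3" princ
  princ="dse/${fqdn}@${realm}"
  sudo kadmin.local -q "addprinc -randkey ${princ}"
  sudo kadmin.local -q "ktadd -k ${keytab} ${princ}"
  sudo chmod 600 "$keytab"   # the keytab is a credential; keep it private
}

# preflight FQDN [KRB5_CONF]: node-side checks; status 0 only when all pass.
preflight() {
  local fqdn="$1" conf="${2:-/etc/krb5.conf}" rc=0
  check_dns "$fqdn" || rc=1
  check_ntp || rc=1
  check_krb5_conf "$conf" || rc=1
  return "$rc"
}

# Usage on a node: ./kerberos-preflight.sh node1.example.com [/etc/krb5.conf]
if [ "$#" -gt 0 ]; then
  preflight "$@" && echo "node $1: ready for Kerberos"
fi
```

The DNS and NTP checks only make sense on the node itself; the krb5.conf check can run anywhere, for example in a configuration-management test against the file you are about to deploy. Reverse resolution matters because the service principal a client requests is built from the hostname, and a mismatched PTR record is a common cause of "Server not found in Kerberos database" errors.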