Configuring Kerberos for Linux Clients
You can configure Linux client applications to connect to a LightDB-A Database system that is configured to authenticate with Kerberos.
If your JDBC application on Red Hat Enterprise Linux uses Kerberos authentication when it connects to your LightDB-A Database, your client system must be configured to use Kerberos authentication. If you are not using Kerberos authentication to connect to a LightDB-A Database, Kerberos is not needed on your client system.
For information about enabling Kerberos authentication with LightDB-A Database, see the chapter “Setting Up Kerberos Authentication” in the LightDB-A Database Administrator Guide.
Requirements
The following are requirements to connect to a LightDB-A Database that is enabled with Kerberos authentication from a client system with a JDBC application.
Prerequisites
- Kerberos must be installed and configured on the LightDB-A Database coordinator host.

  Important: LightDB-A Database must be configured so that a remote user can connect to LightDB-A Database with Kerberos authentication. Authorization to access LightDB-A Database is controlled by the pg_hba.conf file. For details, see “Editing the pg_hba.conf File” in the LightDB-A Database Administration Guide, and also see the LightDB-A Database Security Configuration Guide.
- The client system requires the Kerberos configuration file krb5.conf from the LightDB-A Database coordinator.
- The client system requires a Kerberos keytab file that contains the authentication credentials for the LightDB-A Database user that is used to log into the database.
- The client machine must be able to connect to the LightDB-A Database coordinator host.

  If necessary, add the LightDB-A Database coordinator host name and IP address to the system hosts file. On Linux systems, the hosts file is in /etc.
Required Software on the Client Machine
The Kerberos kinit utility is required on the client machine. The kinit utility is available when you install the Kerberos packages:
- krb5-libs
- krb5-workstation

> Note When you install the Kerberos packages, you can use other Kerberos utilities such as klist to display Kerberos ticket information.

Java applications require this additional software:
- Java JDK

  Java JDK 1.7.0_17 is supported on Red Hat Enterprise Linux 6.x.

Ensure that JAVA_HOME is set to the installation directory of the supported Java JDK.
Setting Up Client System with Kerberos Authentication
Connecting to LightDB-A Database with Kerberos authentication requires a Kerberos ticket. On client systems, tickets are generated from Kerberos keytab files with the kinit utility and are stored in a cache file.
- Install a copy of the Kerberos configuration file krb5.conf from the LightDB-A Database coordinator. The file is used by the LightDB-A Database client software and the Kerberos utilities.

  Install krb5.conf in the directory /etc.

  If needed, add the parameter default_ccache_name to the [libdefaults] section of the krb5.ini file and specify the location of the Kerberos ticket cache file on the client system.
- Obtain a Kerberos keytab file that contains the authentication credentials for the LightDB-A Database user.
- Run kinit, specifying the keytab file, to create a ticket on the client machine. For this example, the keytab file gpdb-kerberos.keytab is in the current directory. The ticket cache file is in the gpadmin user home directory.

      $ kinit -k -t gpdb-kerberos.keytab -c /home/gpadmin/cache.txt gpadmin/kerberos-gpdb@KRB.EXAMPLE.COM
Running psql
From a remote system, you can access a LightDB-A Database that has Kerberos authentication enabled.
To connect to LightDB-A Database with psql
- As the gpadmin user, open a command window.
- Start psql from the command window and specify a connection to the LightDB-A Database, specifying the user that is configured with Kerberos authentication.

  The following example logs into the LightDB-A Database on the machine kerberos-gpdb as the gpadmin user with the Kerberos credentials gpadmin/kerberos-gpdb:

      $ psql -U "gpadmin/kerberos-gpdb" -h kerberos-gpdb postgres
Running a Java Application
Accessing LightDB-A Database from a Java application with Kerberos authentication uses the Java Authentication and Authorization Service (JAAS).
- Create the file .java.login.config in the user home folder.

  For example, on a Linux system, the home folder is similar to /home/gpadmin.

  Add the following text to the file:

      pgjdbc {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=true
        ticketCache = "/home/gpadmin/cache.txt"
        debug=true
        client=true;
      };
- Create a Java application that connects to LightDB-A Database using Kerberos authentication and run the application as the user.

This example database connection URL uses a PostgreSQL JDBC driver and specifies parameters for Kerberos authentication.

    jdbc:postgresql://kerberos-gpdb:5432/mytest?kerberosServerName=postgres&jaasApplicationName=pgjdbc&user=gpadmin/kerberos-gpdb
The parameter names and values specified depend on how the Java application performs Kerberos authentication.
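
The keytab and the ticket cache written by kinit both hold usable credentials, and the JAAS ticketCache entry has to name the cache file that kinit -c wrote. The following pre-flight check covers both points; it is an added example, not part of the LightDB-A documentation, the function names owner_only, jaas_ticket_cache and preflight are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Kerberos client setup on this page.
# Function names are hypothetical; GNU stat (as shipped on RHEL) is assumed.

# Succeed only if $1 is a regular file with no group/other permission bits.
# A keytab holds long-term keys and a ticket cache holds usable tickets,
# so both should be accessible to their owner alone (for example mode 600).
owner_only() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    mode=$(stat -c '%a' "$1") || return 2
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "too permissive (mode $mode): $1" >&2
        return 1
    fi
}

# Print the ticketCache path configured in the JAAS login file $1.
jaas_ticket_cache() {
    sed -n 's/.*ticketCache *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# $1 = keytab, $2 = cache path passed to kinit -c, $3 = JAAS login file.
# With doNotPrompt=true the login module cannot fall back to a password,
# so the login fails when ticketCache does not point at a cache holding a ticket.
preflight() {
    owner_only "$1" || return 1
    owner_only "$2" || return 1
    jaas_cache=$(jaas_ticket_cache "$3")
    if [ "$jaas_cache" != "$2" ]; then
        echo "JAAS ticketCache '$jaas_cache' is not the kinit cache '$2'" >&2
        return 1
    fi
    echo "ok: keytab, ticket cache and JAAS configuration are consistent"
}

# Example: sh preflight.sh gpdb-kerberos.keytab /home/gpadmin/cache.txt \
#              /home/gpadmin/.java.login.config
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Run it after kinit and before starting the Java application; a non-zero exit status means one of the files needs attention.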