Configuring Kerberos authentication for Analyzer server
To use Kerberos authentication for the Analyzer server, you must configure the following settings.
Workflow for configuring Kerberos authentication
The workflow for connecting to the Kerberos server varies depending on whether only an external authentication server is used or both an external authentication server and an external authorization server (LDAP directory server) are used.
The following figure shows the workflow for connecting to the Kerberos server.
Configuring the Kerberos server
On the Kerberos server, create a user account for the Analyzer server. To use an external authorization server (LDAP directory server), check the configuration details of the LDAP directory server, and then create an LDAP search user account.
Creating user accounts on the Kerberos server
On the Kerberos server, you need to create user accounts (user IDs and passwords) to be used on the Analyzer server.
For details about how to create user accounts on the Kerberos server, see the documentation of the Kerberos server.
User IDs and passwords must satisfy the following conditions:
- They are within 256 bytes.
-
They use no characters other than the following:
A
toZ
a
toz
0
to9
! # $ % & ' ( ) * + - . = @ \ ^ _ |
In Analyzer server, user IDs are not case-sensitive. The combination of character types for passwords must follow the settings in the external authentication server.
Configuring LDAP directory server as external authorization server
To use the LDAP directory server as an external authorization server, you must configure the LDAP directory server.
For details about how to configure the LDAP directory server, see the following descriptions:
-
Checking the LDAP directory server settings
Check the BaseDN for the LDAP directory server. You will need the BaseDN information when you edit the exauth.properties file of the Analyzer server.
-
Creating an LDAP search user account
On the LDAP directory server, create an LDAP search user account. This user account is necessary when the Analyzer server connects to the LDAP directory server to acquire user information and other information.
Connecting to the Kerberos server
To connect to the Kerberos server, you must perform the following operations on the Analyzer server.
Before you begin
- You must have the Administrator permission (for Windows) or the root permission (for Linux) of the OS to do this operation.
- On the Kerberos server, create a user account to be used on the Analyzer server.
- Check the following information. This information is necessary for editing the
file exauth.properties.
- Method for connecting to the Kerberos server
The properties to be specified depend on whether information about the Kerberos server is to be directly specified, or whether information about the connection-destination Kerberos server is to be obtained from the DNS server.
- Machine information about the Kerberos server (Host name or IP address, Port number)
- Realm name
- Method for connecting to the Kerberos server
If you also want to connect to an external authorization server (an LDAP directory server), check the following requirements.
- Create a user account on the LDAP directory server for searching for user information.
- Check the following information. This information is necessary for editing the
file exauth.properties.
- Method for connecting to the LDAP directory server
The properties to be specified depend on whether information about the LDAP directory server is to be directly specified, or whether information about the connection-destination LDAP directory server is to be obtained from the DNS server.
- Machine information about the LDAP directory server (Host name or IP address, Port number)
- BaseDN
- Domain name for external authorization servers managed by the LDAP directory server
- Method for connecting to the LDAP directory server
Procedure
Edit the exauth.properties file.
Make a copy of the exauth.properties file template, which is stored in the following location, and place the copy in another folder or directory.
- In Windows
common-component-installation-destination-folder\sample\conf\exauth.properties
- In Linux
common-component-installation-destination-directory/sample/conf/exauth.properties
- In Windows
In the copy of the exauth.properties file, specify the required information.
Save the exauth.properties file in the following location:
- In Windows
common-component-installation-destination-folder\conf
- In Linux
common-component-installation-destination-directory/conf
- In Windows
If the values of the property
auth.ocsp.enable
or the propertyauth.ocsp.responderURL
have been changed, restart the Analyzer server service.
If a connection also needs to be established with an external authorization server (an LDAP directory server), register on the Analyzer server a user account to be used for retrieving user information.
Run the hcmds64ldapuser command to register the LDAP search user account.
- In Windows
common-component-installation-destination-folder\bin\hcmds64ldapuser /set /dn DN-of-user-account-used-to-search-for-LDAP-user-info [/pass password-of-user-account-used-to-search-for-LDAP-user-info] /name name
- In Linux
common-component-installation-destination-directory/bin/hcmds64ldapuser -set -dn DN-of-user-account-used-to-search-for-LDAP-user-info [-pass password-of-user-account-used-to-search-for-LDAP-user-info] -name name
- In Windows
To view a list of LDAP directory servers for which LDAP search user accounts are registered, run the following command.
- In Windows
common-component-installation-destination-folder\bin\hcmds64ldapuser /list
- In Linux
common-component-installation-destination-directory/bin/hcmds64ldapuser -list
TipTo delete the LDAP search user account from the Analyzer server, run the hcmds64ldapuser command with the
delete
option.- In Windows
Run the hcmds64checkauth command to confirm whether connections to the external authentication server and the external authorization server can be established properly.
- In Windows
common-component-installation-destination-folder\bin\hcmds64checkauth [/user user-ID] [/pass password] [/summary]
- In Linux
common-component-installation-destination-directory/bin/hcmds64checkauth [-user user-ID] [-pass password] [-summary]
- In Windows
On the web client, specify the following settings.
-
When a Kerberos server is configured for external user authentication:
- Create an user account.
Make sure that the user ID is the same as the user ID that was created on the external authentication server.
- Change the user authentication method.
- Specify the operation permissions for the user.
- Create an user account.
-
When a Kerberos server is configured for external user authentication and an LDAP directory server is configured for authorization:
- Register an authorization group.
- Specify the operation permissions for the authorization group.
For details about how to perform these operations on the web client, see the Hitachi Ops Center Analyzer User Guide.
NoteIf you are using both an external authentication server and an external authorization server, and the user ID created on the external authentication server is registered on the Analyzer server, the user account is authenticated internally by the Analyzer server.
If the current configuration uses only an external authentication server and you want to use both an external authentication server and an external authorization server, you must remove the user ID that was created with the same name on the Analyzer server.
-
Kerberos configuration properties
In the exauth.properties file, set the type of the external authentication server to be used, the server identification name, and the machine information about the external authentication server.
Items to be configured in the exauth.properties file differ depending on the Kerberos server environment. Use the following table to check the configuration items corresponding to your Kerberos server environment.
External authorization server used |
Server connection method |
Reference |
No |
Directly specify information about the Kerberos server. | Settings for connecting directly to a Kerberos server |
Obtain Kerberos server information from the DNS server. | Settings for using DNS to connect to a Kerberos server | |
Yes |
Directly specify information about the Kerberos server. | Settings for connecting directly to a Kerberos server and an authorization server |
Obtain Kerberos server information from the DNS server. | Settings for using DNS to connect to a Kerberos server and an authorization server |
-
Be sure to distinguish between uppercase and lowercase letters for property settings.
-
To use StartTLS for communication between the Analyzer server and the LDAP directory server, you need to directly specify information about the LDAP directory server in the
exauth.properties
file. -
If you use a DNS server to look up the LDAP directory server to connect to, it might take longer for users to log on.
Settings for connecting directly to a Kerberos server
To use a Kerberos server as an external authorization server by directly specifying the Kerberos server information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.
Property names | Details |
auth.server.type |
Specify an external authentication server type.
Specify Default value: |
auth.group.mapping |
Specify whether to also connect to an external authorization server (LDAP
directory server). Specify Default value: |
auth.kerberos.default_realm |
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none |
auth.kerberos.dns_lookup_kdc |
Specify whether to use the DNS server to look up the information about the
Kerberos server. Specify Default value: |
auth.kerberos.default_tkt_enctypes |
Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows. You can use the following encryption types:
If you want to specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used. |
auth.kerberos.clockskew |
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300 |
auth.kerberos.timeout |
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3 |
auth.kerberos.realm_name |
Specify the realm identification names. You can
specify any name for this attribute in order to identify which
realms the property attribute settings are applied to. You must
specify at least one name. When specifying multiple realm
identification names, separate the names with commas
( Default value: none |
auth.kerberos.auth.kerberos.realm_name-property-value.realm |
Specify the name of the realm set in the Kerberos server. This attribute is required. Default value: none |
auth.kerberos.auth.kerberos.realm_name-property-value.kdc |
Specify the information about the Kerberos server in the following format:
This attribute is required.
When configuring the Kerberos server in
redundant configuration, separate the servers with commas
(
|
Settings for using DNS to connect to a Kerberos server
To use a Kerberos server as an external authorization server by obtaining the Kerberos server information from the DNS server, specify the settings in the exauth.properties file as shown in the following table.
Property names | Details |
auth.server.type |
Specify an external authentication server type.
Specify Default value: |
auth.group.mapping |
Specify whether to also connect to an external authorization server (LDAP
directory server). Specify Default value: |
auth.kerberos.default_realm |
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none |
auth.kerberos.dns_lookup_kdc |
Specify whether to use the DNS server to look up the information about the
Kerberos server. Specify However, if all the following attributes values are already set, the Kerberos server will not be looked up by using the DNS server.
Default value: |
auth.kerberos.default_tkt_enctypes |
Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows. You can use the following encryption types:
If you want to specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used. |
auth.kerberos.clockskew |
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300 |
auth.kerberos.timeout |
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3 |
Settings for connecting directly to a Kerberos server and an authorization server
To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by directly specifying the Kerberos server information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.
Property names | Details |
auth.server.type |
Specify an external authentication server type.
Specify Default value: |
auth.group.mapping |
Specify whether to also connect to an external authorization server (LDAP
directory server). Specify Default value: |
auth.ocsp.enable |
Specify whether or not to verify the validity of an LDAP directory server's electronic signature certificate by using an OCSP responder when the LDAP directory server and StartTLS are used for communication. If you want to verify the validity of certificates, specify
Default value: |
auth.ocsp.responderURL |
Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP responder written in the AIA field is used. Default value: none |
auth.kerberos.default_realm |
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none |
auth.kerberos.dns_lookup_kdc |
Specify whether to use the DNS server to look up the information about the
Kerberos server. Specify Default value: |
auth.kerberos.default_tkt_enctypes |
Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows. You can use the following encryption types:
If you want to specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used. |
auth.kerberos.clockskew |
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300 |
auth.kerberos.timeout |
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3 |
auth.kerberos.realm_name |
Specify the realm identification names. You can
specify any name for this attribute in order to identify which
realms the property attribute settings are applied to. You must
specify at least one name. When specifying multiple realm
identification names, separate the names with commas
( Default value: none |
auth.kerberos.auth.kerberos.realm_name-property-value.realm |
Specify the name of the realm set in the Kerberos server. This attribute is required. Default value: none |
auth.kerberos.auth.kerberos.realm_name-property-value.kdc |
Specify the information about the Kerberos server in the following format:
This attribute is required.
When configuring the Kerberos server in
redundant configuration, separate the servers with commas
(
|
auth.group.realm-name.protocol |
Specify the protocol for connecting to the LDAP directory server (external authorization server). When communicating in plain text format, specify
Before specifying
Specifiable values: Default value: |
auth.group.realm-name.port |
Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port number on the LDAP directory server. Specifiable values: 1 to 65535 Default value: 389 |
auth.group.realm-name.basedn |
Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information on the LDAP directory server (external authorization server). The user entries that are located in the hierarchy below this DN will be checked during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched. Specify the DN by following the rules defined in
RFC4514. For example, if any of the following characters are
included in a DN, you need to use a backslash
( Spaces If characters that need to be escaped are included in the specified BaseDN, escape all of those characters correctly because the specified value will be passed to the LDAP directory server without change. If you omit this attribute, the value specified in
the Default value: none |
auth.group.realm-name.timeout |
Specify the amount of time to wait before timing out when connecting to the LDAP directory server (external authorization server). If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 15 |
auth.group.realm-name.retry.interval |
Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server (external authorization server) fails. Specifiable values: 1 to 60 (seconds) Default value: 1 |
auth.group.realm-name.retry.times |
Specify the number of retries to attempt when an attempt to connect to the LDAP directory server (external authorization server) fails. If you specify 0, no retries are attempted. Specifiable values: 0 to 50 Default value: 20 |
Note: For |
Settings for using DNS to connect to a Kerberos server and an authorization server
To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by obtaining the Kerberos server information from the DNS server, specify the settings in the exauth.properties file as shown in the following table.
Property names | Details |
auth.server.type |
Specify an external authentication server type.
Specify Default value: |
auth.group.mapping |
Specify whether to also connect to an external authorization server (LDAP
directory server). Specify Default value: |
auth.kerberos.default_realm |
Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required. Default value: none |
auth.kerberos.dns_lookup_kdc |
Specify whether to use the DNS server to look up the information about the
Kerberos server. Specify However, if all the following attributes values are already set, the Kerberos server will not be looked up by using the DNS server.
Default value: |
auth.kerberos.default_tkt_enctypes |
Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows. You can use the following encryption types:
If you want to specify multiple encryption types, use a comma to separate the encryption types. Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used. |
auth.kerberos.clockskew |
Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs. Specifiable values: 0 to 300 (seconds) Default value: 300 |
auth.kerberos.timeout |
Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out. Specifiable values: 0 to 120 (seconds) Default value: 3 |
Examples of specifying settings in the exauth.properties file to use a Kerberos server for authentication
Examples
of how to set the exauth.properties
file when using a Kerberos server to
perform authentication are provided below.
-
When directly specifying information about a Kerberos server (when not connecting to an external authorization server):
auth.server.type=kerberos auth.group.mapping=false auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=false auth.kerberos.clockskew=300 auth.kerberos.timeout=3 auth.kerberos.realm_name=RealmName auth.kerberos.RealmName.realm=EXAMPLE.COM auth.kerberos.RealmName.kdc=kerberos.example.com:88
-
When using the DNS server to look up a Kerberos server (when not connecting to an external authorization server):
auth.server.type=kerberos auth.group.mapping=false auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=true auth.kerberos.clockskew=300 auth.kerberos.timeout=3
-
When directly specifying information about a Kerberos server (when also connecting to an external authorization server):
auth.server.type=kerberos auth.group.mapping=true auth.ocsp.enable=false auth.ocsp.responderURL= auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=false auth.kerberos.clockskew=300 auth.kerberos.timeout=3 auth.kerberos.realm_name=RealmName auth.kerberos.RealmName.realm=EXAMPLE.COM auth.kerberos.RealmName.kdc=kerberos.example.com:88 auth.group.EXAMPLE.COM.protocol=ldap auth.group.EXAMPLE.COM.port=389 auth.group.EXAMPLE.COM.basedn=dc=Example,dc=com auth.group.EXAMPLE.COM.timeout=15 auth.group.EXAMPLE.COM.retry.interval=1 auth.group.EXAMPLE.COM.retry.times=20
-
When using the DNS server to look up a Kerberos server (when also connecting to an external authorization server):
auth.server.type=kerberos auth.group.mapping=true auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=true auth.kerberos.clockskew=300 auth.kerberos.timeout=3
-
When using a redundant configuration:
auth.server.type=kerberos auth.group.mapping=false auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=false auth.kerberos.clockskew=300 auth.kerberos.timeout=3 auth.kerberos.realm_name=S1 auth.kerberos.S1.realm=EXAMPLE.COM auth.kerberos.S1.kdc=kerberos.example.com:88,kerberos.example.net:88
-
When specifying multiple realm identifiers:
auth.server.type=kerberos auth.group.mapping=false auth.kerberos.default_realm=EXAMPLE.COM auth.kerberos.dns_lookup_kdc=false auth.kerberos.clockskew=300 auth.kerberos.timeout=3 auth.kerberos.realm_name=S1,S2 auth.kerberos.S1.realm=EXAMPLE.COM auth.kerberos.S1.kdc=kerberos1.example.com:88,kerberos1.example.net:88 auth.kerberos.S2.realm=EXAMPLE.NET auth.kerberos.S2.kdc=kerberos2.example.com:88,kerberos2.example.net:88