Skip to main content

We've Moved!

Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Configuring Kerberos authentication for Analyzer server

To use Kerberos authentication for the Analyzer server, you must configure the following settings.

Workflow for configuring Kerberos authentication

The workflow for connecting to the Kerberos server varies depending on whether only an external authentication server is used or both an external authentication server and an external authorization server (LDAP directory server) are used.

The following figure shows the workflow for connecting to the Kerberos server.

GUID-C4A09FDE-EFE2-42D0-8525-404D96DB7A8D-low.gif
NoteTo use StartTLS to communicate between the LDAP directory server and the Analyzer server, you need to set up an environment specifically for this purpose to ensure secure communications.

Configuring the Kerberos server

On the Kerberos server, create a user account for the Analyzer server. To use an external authorization server (LDAP directory server), check the configuration details of the LDAP directory server, and then create an LDAP search user account.

Creating user accounts on the Kerberos server

On the Kerberos server, you need to create user accounts (user IDs and passwords) to be used on the Analyzer server.

For details about how to create user accounts on the Kerberos server, see the documentation of the Kerberos server.

User IDs and passwords must satisfy the following conditions:

  • They are within 256 bytes.
  • They use no characters other than the following:

    A to Z

    a to z

    0 to 9

    ! # $ % & ' ( ) * + - . = @ \ ^ _ |

In Analyzer server, user IDs are not case-sensitive. The combination of character types for passwords must follow the settings in the external authentication server.

Configuring LDAP directory server as external authorization server

To use the LDAP directory server as an external authorization server, you must configure the LDAP directory server.

For details about how to configure the LDAP directory server, see the following descriptions:

  • Checking the LDAP directory server settings

    Check the BaseDN for the LDAP directory server. You will need the BaseDN information when you edit the exauth.properties file of the Analyzer server.

  • Creating an LDAP search user account

    On the LDAP directory server, create an LDAP search user account. This user account is necessary when the Analyzer server connects to the LDAP directory server to acquire user information and other information.

Connecting to the Kerberos server

To connect to the Kerberos server, you must perform the following operations on the Analyzer server.

Before you begin

  • You must have the Administrator permission (for Windows) or the root permission (for Linux) of the OS to do this operation.
  • On the Kerberos server, create a user account to be used on the Analyzer server.
  • Check the following information. This information is necessary for editing the file exauth.properties.
    • Method for connecting to the Kerberos server

      The properties to be specified depend on whether information about the Kerberos server is to be directly specified, or whether information about the connection-destination Kerberos server is to be obtained from the DNS server.

    • Machine information about the Kerberos server (Host name or IP address, Port number)
    • Realm name

If you also want to connect to an external authorization server (an LDAP directory server), check the following requirements.

  • Create a user account on the LDAP directory server for searching for user information.
  • Check the following information. This information is necessary for editing the file exauth.properties.
    • Method for connecting to the LDAP directory server

      The properties to be specified depend on whether information about the LDAP directory server is to be directly specified, or whether information about the connection-destination LDAP directory server is to be obtained from the DNS server.

    • Machine information about the LDAP directory server (Host name or IP address, Port number)
    • BaseDN
    • Domain name for external authorization servers managed by the LDAP directory server

Procedure

  1. Edit the exauth.properties file.

    1. Make a copy of the exauth.properties file template, which is stored in the following location, and place the copy in another folder or directory.

      • In Windows

        common-component-installation-destination-folder\sample\conf\exauth.properties

      • In Linux

        common-component-installation-destination-directory/sample/conf/exauth.properties

    2. In the copy of the exauth.properties file, specify the required information.

    3. Save the exauth.properties file in the following location:

      • In Windows

        common-component-installation-destination-folder\conf

      • In Linux

        common-component-installation-destination-directory/conf

    4. If the values of the property auth.ocsp.enable or the property auth.ocsp.responderURL have been changed, restart the Analyzer server service.

  2. If a connection also needs to be established with an external authorization server (an LDAP directory server), register on the Analyzer server a user account to be used for retrieving user information.

    1. Run the hcmds64ldapuser command to register the LDAP search user account.

      • In Windows
        common-component-installation-destination-folder\bin\hcmds64ldapuser /set /dn DN-of-user-account-used-to-search-for-LDAP-user-info [/pass password-of-user-account-used-to-search-for-LDAP-user-info] /name name
      • In Linux
        common-component-installation-destination-directory/bin/hcmds64ldapuser -set -dn DN-of-user-account-used-to-search-for-LDAP-user-info [-pass password-of-user-account-used-to-search-for-LDAP-user-info] -name name
    2. To view a list of LDAP directory servers for which LDAP search user accounts are registered, run the following command.

      • In Windows
        common-component-installation-destination-folder\bin\hcmds64ldapuser /list
      • In Linux
        common-component-installation-destination-directory/bin/hcmds64ldapuser -list
      Tip

      To delete the LDAP search user account from the Analyzer server, run the hcmds64ldapuser command with the delete option.

  3. Run the hcmds64checkauth command to confirm whether connections to the external authentication server and the external authorization server can be established properly.

    • In Windows
      common-component-installation-destination-folder\bin\hcmds64checkauth [/user user-ID] [/pass password] [/summary]
    • In Linux
      common-component-installation-destination-directory/bin/hcmds64checkauth [-user user-ID] [-pass password] [-summary]
  4. On the web client, specify the following settings.

    • When a Kerberos server is configured for external user authentication:

      • Create an user account.

        Make sure that the user ID is the same as the user ID that was created on the external authentication server.

      • Change the user authentication method.
      • Specify the operation permissions for the user.
    • When a Kerberos server is configured for external user authentication and an LDAP directory server is configured for authorization:

      • Register an authorization group.
      • Specify the operation permissions for the authorization group.

    For details about how to perform these operations on the web client, see the Hitachi Ops Center Analyzer User Guide.

    Note

    If you are using both an external authentication server and an external authorization server, and the user ID created on the external authentication server is registered on the Analyzer server, the user account is authenticated internally by the Analyzer server.

    If the current configuration uses only an external authentication server and you want to use both an external authentication server and an external authorization server, you must remove the user ID that was created with the same name on the Analyzer server.

Kerberos configuration properties

In the exauth.properties file, set the type of the external authentication server to be used, the server identification name, and the machine information about the external authentication server.

Items to be configured in the exauth.properties file differ depending on the Kerberos server environment. Use the following table to check the configuration items corresponding to your Kerberos server environment.

External authorization server used

Server connection method

Reference

No

Directly specify information about the Kerberos server.

Settings for connecting directly to a Kerberos server

Obtain Kerberos server information from the DNS server.

Settings for using DNS to connect to a Kerberos server

Yes

Directly specify information about the Kerberos server.

Settings for connecting directly to a Kerberos server and an authorization server

Obtain Kerberos server information from the DNS server.

Settings for using DNS to connect to a Kerberos server and an authorization server
Note
  • Be sure to distinguish between uppercase and lowercase letters for property settings.

  • To use StartTLS for communication between the Analyzer server and the LDAP directory server, you need to directly specify information about the LDAP directory server in the exauth.properties file.

  • If you use a DNS server to look up the LDAP directory server to connect to, it might take longer for users to log on.

Settings for connecting directly to a Kerberos server

To use a Kerberos server as an external authorization server by directly specifying the Kerberos server information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.

Property namesDetails
auth.server.type

Specify an external authentication server type. Specify kerberos.

Default value: internal (do not connect to an external authentication server)

auth.group.mapping

Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).

Default value: false (do not connect)

auth.kerberos.default_realm

Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.

Default value: none

auth.kerberos.dns_lookup_kdc

Specify whether to use the DNS server to look up the information about the Kerberos server. Specify false (do not look up the information).

Default value: false (do not look up the information)

auth.kerberos.default_tkt_enctypes

Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows.

You can use the following encryption types:

  • aes256-cts

  • aes128-cts

  • rc4-hmac

  • des3-cbc-sha1

  • des-cbc-md5

  • des-cbc-crc

If you want to specify multiple encryption types, use a comma to separate the encryption types.

Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used.

auth.kerberos.clockskew

Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs.

Specifiable values: 0 to 300 (seconds)

Default value: 300

auth.kerberos.timeout

Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 3

auth.kerberos.realm_name

Specify the realm identification names. You can specify any name for this attribute in order to identify which realms the property attribute settings are applied to. You must specify at least one name. When specifying multiple realm identification names, separate the names with commas (,). Do not register the same realm identification name more than once.

Default value: none

auth.kerberos.auth.kerberos.realm_name-property-value.realm

Specify the name of the realm set in the Kerberos server. This attribute is required.

Default value: none

auth.kerberos.auth.kerberos.realm_name-property-value.kdc

Specify the information about the Kerberos server in the following format:

host-name-or-IP-address[:port-number]

This attribute is required.

  • host-name-or-IP-address

    If you specify the host name, make sure beforehand that the name can be resolved to an IP address.

    If you specify the IP address, use an IPv4 address. In an IPv6 environment, you must specify the host name. Note that you cannot specify the loopback address (localhost or 127.0.0.1).

    When using StartTLS as the protocol for connecting to the external authorization server (LDAP directory server), specify the same host name as the value of CN in the external authorization server certificate. You cannot use an IP address.

  • port-number

    Make sure beforehand that the port you specify is set as the listen port number on the Kerberos server. If you do not specify a port number or the specified port number cannot be used in a Kerberos server, 88 is assumed.

When configuring the Kerberos server in redundant configuration, separate the servers with commas (,) as follows:

host-name-or-IP-address[:port-number],host-name-or-IP-address[:port-number], ...

Settings for using DNS to connect to a Kerberos server

To use a Kerberos server as an external authorization server by obtaining the Kerberos server information from the DNS server, specify the settings in the exauth.properties file as shown in the following table.

Property namesDetails
auth.server.type

Specify an external authentication server type. Specify kerberos.

Default value: internal (do not connect to an external authentication server)

auth.group.mapping

Specify whether to also connect to an external authorization server (LDAP directory server). Specify false (do not connect).

Default value: false (do not connect)

auth.kerberos.default_realm

Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.

Default value: none

auth.kerberos.dns_lookup_kdc

Specify whether to use the DNS server to look up the information about the Kerberos server. Specify true (look up the information). This attribute is required.

However, if all the following attributes values are already set, the Kerberos server will not be looked up by using the DNS server.

  • auth.kerberos.realm_name

  • auth.kerberos.auth.kerberos.realm_name-property-value.realm

  • auth.kerberos.auth.kerberos.realm_name-property-value.kdc

Default value: false (do not look up the information)

auth.kerberos.default_tkt_enctypes

Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows.

You can use the following encryption types:

  • aes256-cts

  • aes128-cts

  • rc4-hmac

  • des3-cbc-sha1

  • des-cbc-md5

  • des-cbc-crc

If you want to specify multiple encryption types, use a comma to separate the encryption types.

Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used.

auth.kerberos.clockskew

Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs.

Specifiable values: 0 to 300 (seconds)

Default value: 300

auth.kerberos.timeout

Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 3

Settings for connecting directly to a Kerberos server and an authorization server

To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by directly specifying the Kerberos server information in the exauth.properties file, specify the settings in the exauth.properties file as shown in the following table.

Property namesDetails
auth.server.type

Specify an external authentication server type. Specify kerberos.

Default value: internal (do not connect to an external authentication server)

auth.group.mapping

Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).

Default value: false (do not connect)

auth.ocsp.enable

Specify whether or not to verify the validity of an LDAP directory server's electronic signature certificate by using an OCSP responder when the LDAP directory server and StartTLS are used for communication.

If you want to verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.

Default value: false

auth.ocsp.responderURL

Specify the URL of an OCSP responder if you want to use an OCSP responder that is not the one written in the AIA field of the electronic signature certificate to verify the validity of the electronic signature certificate. If this value is omitted, the OCSP responder written in the AIA field is used.

Default value: none

auth.kerberos.default_realm

Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.

Default value: none

auth.kerberos.dns_lookup_kdc

Specify whether to use the DNS server to look up the information about the Kerberos server. Specify false (do not look up the information).

Default value: false (do not look up the information)

auth.kerberos.default_tkt_enctypes

Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows.

You can use the following encryption types:

  • aes256-cts

  • aes128-cts

  • rc4-hmac

  • des3-cbc-sha1

  • des-cbc-md5

  • des-cbc-crc

If you want to specify multiple encryption types, use a comma to separate the encryption types.

Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used.

auth.kerberos.clockskew

Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs.

Specifiable values: 0 to 300 (seconds)

Default value: 300

auth.kerberos.timeout

Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 3

auth.kerberos.realm_name

Specify the realm identification names. You can specify any name for this attribute in order to identify which realms the property attribute settings are applied to. You must specify at least one name. When specifying multiple realm identification names, separate the names with commas (,). Do not register the same realm identification name more than once.

Default value: none

auth.kerberos.auth.kerberos.realm_name-property-value.realm

Specify the name of the realm set in the Kerberos server. This attribute is required.

Default value: none

auth.kerberos.auth.kerberos.realm_name-property-value.kdc

Specify the information about the Kerberos server in the following format:

host-name-or-IP-address[:port-number]

This attribute is required.

  • host-name-or-IP-address

    If you specify the host name, make sure beforehand that the name can be resolved to an IP address.

    If you specify the IP address, use an IPv4 address. In an IPv6 environment, you must specify the host name. Note that you cannot specify the loopback address (localhost or 127.0.0.1).

    When using StartTLS as the protocol for connecting to the external authorization server (LDAP directory server), specify the same host name as the value of CN in the external authorization server certificate. You cannot use an IP address.

  • port-number

    Make sure beforehand that the port you specify is set as the listen port number on the Kerberos server. If you do not specify a port number or the specified port number cannot be used in a Kerberos server, 88 is assumed.

When configuring the Kerberos server in redundant configuration, separate the servers with commas (,) as follows:

host-name-or-IP-address[:port-number],host-name-or-IP-address[:port-number], ...

auth.group.realm-name.protocol

Specify the protocol for connecting to the LDAP directory server (external authorization server).

When communicating in plain text format, specify ldap. When using StartTLS communication, specify tls.

Before specifying tls, you must specify the security settings of Common component. In addition, make sure that one of the following encryption methods can be used on the LDAP directory server.

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

Specifiable values: ldap or tls

Default value: ldap

auth.group.realm-name.port

Specify the port number of the LDAP directory server. Make sure beforehand that the port you specify is set as the listen port number on the LDAP directory server.

Specifiable values: 1 to 65535

Default value: 389

auth.group.realm-name.basedn

Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information on the LDAP directory server (external authorization server). The user entries that are located in the hierarchy below this DN will be checked during authorization. Specify the DN of the hierarchy that includes all of the user entries to be searched.

Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN, you need to use a backslash (\) to escape each character.

Spaces # + ; , < = > \

If characters that need to be escaped are included in the specified BaseDN, escape all of those characters correctly because the specified value will be passed to the LDAP directory server without change.

If you omit this attribute, the value specified in the defaultNamingContext property of Active Directory is assumed as the BaseDN.

Default value: none

auth.group.realm-name.timeout

Specify the amount of time to wait before timing out when connecting to the LDAP directory server (external authorization server). If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 15

auth.group.realm-name.retry.interval

Specify the retry interval (in seconds) for when an attempt to connect to the LDAP directory server (external authorization server) fails.

Specifiable values: 1 to 60 (seconds)

Default value: 1

auth.group.realm-name.retry.times

Specify the number of retries to attempt when an attempt to connect to the LDAP directory server (external authorization server) fails. If you specify 0, no retries are attempted.

Specifiable values: 0 to 50

Default value: 20

Note:

For realm-name, specify the value specified for auth.kerberos.auth.kerberos.realm_name-property-value.realm.

Settings for using DNS to connect to a Kerberos server and an authorization server

To use an LDAP directory server as an external authorization server and to use a Kerberos server as an external authentication server by obtaining the Kerberos server information from the DNS server, specify the settings in the exauth.properties file as shown in the following table.

Property namesDetails
auth.server.type

Specify an external authentication server type. Specify kerberos.

Default value: internal (do not connect to an external authentication server)

auth.group.mapping

Specify whether to also connect to an external authorization server (LDAP directory server). Specify true (connect).

Default value: false (do not connect)

auth.kerberos.default_realm

Specify the default realm name. If you specify a user ID but not a realm name in the logon window of the GUI, the user is authenticated as a user who belongs to the realm specified for this attribute. This attribute is required.

Default value: none

auth.kerberos.dns_lookup_kdc

Specify whether to use the DNS server to look up the information about the Kerberos server. Specify true (look up the information). This attribute is required.

However, if all the following attributes values are already set, the Kerberos server will not be looked up by using the DNS server.

  • auth.kerberos.realm_name

  • auth.kerberos.auth.kerberos.realm_name-property-value.realm

  • auth.kerberos.auth.kerberos.realm_name-property-value.kdc

Default value: false (do not look up the information)

auth.kerberos.default_tkt_enctypes

Specify the encryption type used for Kerberos authentication. This property is enabled only if the Analyzer server OS is Windows.

You can use the following encryption types:

  • aes256-cts

  • aes128-cts

  • rc4-hmac

  • des3-cbc-sha1

  • des-cbc-md5

  • des-cbc-crc

If you want to specify multiple encryption types, use a comma to separate the encryption types.

Among the specified encryption types, an encryption type that is supported by both the Analyzer server OS and a Kerberos server will be used.

auth.kerberos.clockskew

Specify the acceptable range of difference between the Analyzer server time and Kerberos server time. If the difference exceeds this value, an authentication error occurs.

Specifiable values: 0 to 300 (seconds)

Default value: 300

auth.kerberos.timeout

Specify the amount of time to wait before timing out when connecting to the Kerberos server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 3

Examples of specifying settings in the exauth.properties file to use a Kerberos server for authentication

Examples of how to set the exauth.properties file when using a Kerberos server to perform authentication are provided below.

  • When directly specifying information about a Kerberos server (when not connecting to an external authorization server):

    auth.server.type=kerberos
    auth.group.mapping=false
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=false
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    auth.kerberos.realm_name=RealmName
    auth.kerberos.RealmName.realm=EXAMPLE.COM
    auth.kerberos.RealmName.kdc=kerberos.example.com:88
    
  • When using the DNS server to look up a Kerberos server (when not connecting to an external authorization server):

    auth.server.type=kerberos
    auth.group.mapping=false
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=true
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    
  • When directly specifying information about a Kerberos server (when also connecting to an external authorization server):

    auth.server.type=kerberos
    auth.group.mapping=true
    auth.ocsp.enable=false
    auth.ocsp.responderURL=
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=false
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    auth.kerberos.realm_name=RealmName
    auth.kerberos.RealmName.realm=EXAMPLE.COM
    auth.kerberos.RealmName.kdc=kerberos.example.com:88
    auth.group.EXAMPLE.COM.protocol=ldap
    auth.group.EXAMPLE.COM.port=389
    auth.group.EXAMPLE.COM.basedn=dc=Example,dc=com
    auth.group.EXAMPLE.COM.timeout=15
    auth.group.EXAMPLE.COM.retry.interval=1
    auth.group.EXAMPLE.COM.retry.times=20
    
  • When using the DNS server to look up a Kerberos server (when also connecting to an external authorization server):

    auth.server.type=kerberos
    auth.group.mapping=true
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=true
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    
  • When using a redundant configuration:

    auth.server.type=kerberos
    auth.group.mapping=false
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=false
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    auth.kerberos.realm_name=S1
    auth.kerberos.S1.realm=EXAMPLE.COM
    auth.kerberos.S1.kdc=kerberos.example.com:88,kerberos.example.net:88
    
  • When specifying multiple realm identifiers:

    auth.server.type=kerberos
    auth.group.mapping=false
    auth.kerberos.default_realm=EXAMPLE.COM
    auth.kerberos.dns_lookup_kdc=false
    auth.kerberos.clockskew=300
    auth.kerberos.timeout=3
    auth.kerberos.realm_name=S1,S2
    auth.kerberos.S1.realm=EXAMPLE.COM
    auth.kerberos.S1.kdc=kerberos1.example.com:88,kerberos1.example.net:88
    auth.kerberos.S2.realm=EXAMPLE.NET
    auth.kerberos.S2.kdc=kerberos2.example.com:88,kerberos2.example.net:88