
Custom Kerberos Libraries

You can configure custom or native database clients and Informatica processes within an Informatica domain to use custom Kerberos libraries instead of the default Kerberos libraries that Informatica uses.
You might want to use custom Kerberos libraries in the following scenarios:
Use custom Kerberos libraries in an Informatica domain that is not configured to use Kerberos.
In this scenario, you have a database client that connects to source or target databases used in mappings. The databases are configured to use custom Kerberos libraries for authentication. However, the Informatica domain is not configured to use Kerberos authentication.
To enable the database client to connect to the databases through Informatica, you can make the custom libraries available to the database client. However, the Informatica domain processes do not use the custom Kerberos libraries for authentication.
Use custom Kerberos libraries in a Kerberos-protected Informatica domain.
In this scenario, the database client connects to source or target databases configured to use custom Kerberos libraries. However, the Informatica domain is configured to use the default Informatica Kerberos libraries for authentication.
To enable the database client to connect to the databases through Informatica, you can configure the Informatica domain to load the custom Kerberos libraries instead of the default Informatica Kerberos libraries. All Informatica domain processes and subprocesses use the custom Kerberos libraries.
If required, you can remove the linkages to the custom Kerberos libraries and update the nodes in the domain to revert to the default Informatica Kerberos libraries.

Using Custom Kerberos Libraries

Use the infasetup updateMitKerberosLinkage command to configure database clients and application services in an Informatica domain to use custom Kerberos libraries.
You must specify the directory that contains the Kerberos libraries you want to use. You can copy the libraries to each node or to a shared location that is accessible to all nodes in the domain.
If the Informatica domain uses Kerberos authentication, ensure that the custom Kerberos libraries that you want to use have the same version number as the Kerberos libraries that Informatica uses by default.
    1. Place the custom Kerberos libraries in a location that is accessible to all nodes in the Informatica domain.
    2. Shut down the domain.
    3. Run the infasetup updateMitKerberosLinkage command on each node in the domain.
    The infasetup updateMitKerberosLinkage command takes the following options and arguments:

    Option: -useKeberos, -krb
    Argument: true|false
    Description: Required. Set this value to true if the Informatica domain uses Kerberos authentication. If true, Informatica processes make Kerberos calls with the default Kerberos libraries or with the libraries in the directory specified with the -mkd option.
    Set this value to false if the Informatica domain does not use Kerberos authentication. If false, the Informatica domain does not load Kerberos libraries. Database clients perform Kerberos calls with the custom libraries in the directory specified with the -mkd option.

    Option: -mitKerberosDirectory, -mkd
    Argument: kerberos_library_directory_node_spn
    Description: Optional. The directory that contains the custom Kerberos libraries. The directory must contain the library files. You cannot use symbolic links.
    If the -krb option is true, ensure that the custom Kerberos libraries that you want to use have the same version number as the Kerberos libraries that Informatica uses by default.
    If there are multiple versions of the same library, all versions must be the same size and have the same checksum. For instance, if the directory contains two versions of libkrb5, such as libkrb5.so.3 and libkrb5.so, then both libraries must have the same file size and checksum value.
    If the specified directory is empty, the command removes all custom Kerberos libraries from the Informatica domain.
    If the -krb option is true, but you do not specify a library directory, Informatica uses the default Kerberos libraries.

    4. Restart the domain after running the command on all nodes.
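
The directory rules described for the -mkd option (no symbolic links, identical size and checksum for every version of one library, an empty directory removes the custom libraries) can be checked on each node before step 3. The following is an added example, not Informatica code. The function name check_krb_dir, the use of SHA-256 as the checksum, and the grouping of versions by the file name up to ".so" are assumptions.

```shell
# Added example: pre-flight check for the directory passed to -mkd.
# Returns 0 if the directory passes, 1 on a rule violation, 2 if it is missing.
check_krb_dir() {
    krb_dir=$1
    krb_rc=0
    [ -d "$krb_dir" ] || { echo "FAIL not a directory: $krb_dir" >&2; return 2; }

    # An empty directory is valid input, but it makes the command remove
    # all custom Kerberos libraries from the domain, so say so loudly.
    if [ -z "$(ls -A "$krb_dir")" ]; then
        echo "WARN empty directory: custom libraries would be removed" >&2
    fi

    # Rule 1: the directory must hold the library files, not symbolic links.
    for f in "$krb_dir"/*; do
        if [ -L "$f" ]; then
            echo "FAIL symbolic link: ${f##*/}" >&2
            krb_rc=1
        fi
    done

    # Rule 2: all versions of one library must match in size and checksum.
    # Emit "stem size sha256" per library file, drop exact duplicates, and
    # report any stem that still appears on more than one line.
    # Assumption: libkrb5.so and libkrb5.so.3 share the stem "libkrb5".
    mismatched=$(
        for f in "$krb_dir"/*; do
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            name=${f##*/}
            case $name in *.so|*.so.*) ;; *) continue ;; esac
            printf '%s %s %s\n' "${name%%.so*}" \
                "$(wc -c < "$f" | tr -d ' ')" \
                "$(sha256sum "$f" | cut -d' ' -f1)"
        done | sort -u | cut -d' ' -f1 | uniq -d
    )
    for stem in $mismatched; do
        echo "FAIL versions of $stem differ in size or checksum" >&2
        krb_rc=1
    done
    return "$krb_rc"
}
```

Run the check against the same path you intend to pass to -mkd, and run infasetup updateMitKerberosLinkage only if it returns 0. The check does not compare library versions against the Informatica defaults, which still has to be confirmed separately when -krb is true.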

Reverting to the Default Kerberos Libraries

Run the infasetup restoreMitKerberosLinkage command on nodes in an Informatica domain to restore the linkages to the default Kerberos libraries used by Informatica. The command removes linkages to any custom Kerberos libraries that exist within the Informatica domain.
    1. Shut down the domain.
    2. Run the infasetup restoreMitKerberosLinkage command on each node in the domain.
    The command does not use any options or arguments.
    3. Restart the domain after running the command on all nodes.