Step 7. Configure Kerberos Authentication for the Domain
Run infasetup to change the authentication for the Informatica domain to Kerberos network authentication.
Note: Verify that all repository objects are checked in before you configure the domain to use Kerberos authentication.
When you run the infasetup command to change the domain authentication, the command creates the following LDAP security domains:
- Internal security domain. The internal security domain is an LDAP security domain with the name _infaInternalNamespace. The _infaInternalNamespace security domain contains the default administrator user account created when you configure Kerberos authentication. After you configure Kerberos authentication, you cannot add users to the _infaInternalNamespace security domain or delete the security domain.
- User realm security domain. The user realm security domain is an empty LDAP security domain with the same name as the Kerberos user realm. After you configure Kerberos authentication, you can import users from the Kerberos principal database into the user realm security domain.
The infasetup command also creates an administrator user account. You specify the user name for the administrator user. After you configure Kerberos authentication, the _infaInternalNamespace security domain contains the administrator user account.
To configure the domain to use Kerberos authentication, run the following command:
infasetup switchToKerberosMode
1. On a gateway node, run the infasetup command to change the authentication for the domain.
At the command prompt, go to the directory where the Informatica command line programs are located. By default, the command line programs are installed in the following directory: <InformaticaInstallationDir>/isp/bin
2. Run the infasetup command with the required options and arguments.
Enter the following commands:
- Windows: infasetup switchToKerberosMode
- UNIX: infasetup.sh switchToKerberosMode
The following table describes the options for the switchToKerberosMode command:
Option | Argument | Description
---|---|---
-administratorName, -ad | administrator_name | User name for the domain administrator account that is created when you configure Kerberos authentication. The user account must be in the Kerberos principal database. After you configure Kerberos authentication, this user is included in the _infaInternalNamespace security domain.
-ServiceRealmName, -srn | realm_name_of_node_spn | Name of the Kerberos realm to which the Informatica domain services belong. The realm name must be in uppercase and is case-sensitive. The service realm name and the user realm name must be the same.
-UserRealmName, -urn | realm_name_of_user_spn | Name of the Kerberos realm to which the Informatica domain users belong. The realm name must be in uppercase and is case-sensitive. The service realm name and the user realm name must be the same.
-SPNShareLevel, -spnSL | PROCESS\|NODE | Service principal level for the domain. Set the property to one of the following levels. Process: the domain requires a unique service principal name (SPN) and keytab file for each node and each service on a node. The number of SPNs and keytab files required for each node depends on the number of service processes that run on the node. Use the process level option if the domain requires a high level of security, such as a production domain. Node: the domain uses one SPN and keytab file for the node and all services that run on the node. It also requires a separate SPN and keytab file for all HTTP processes on the node. Use the node level option if the domain does not require a high level of security, such as a test or development domain. Default is process.
The switchToKerberosMode command changes the authentication mode for the domain from native or LDAP user authentication to Kerberos network authentication.
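The following pre-flight wrapper is an added example, not Informatica tooling: it checks the option constraints the table above states (realm names uppercase and identical, share level PROCESS or NODE, administrator name present) and assembles the UNIX command line without running it. The install path, administrator name and realm EXAMPLE.COM are placeholders.

```shell
#!/bin/sh
# Pre-flight check for "infasetup.sh switchToKerberosMode" (added example).
# Validates arguments against the documented rules, then prints the command
# line for review. It does not execute infasetup; switching the domain to
# Kerberos is a one-way change, so review the printed command first.
INFA_BIN="${INFA_BIN:-/opt/Informatica/isp/bin}"   # assumed: <InformaticaInstallationDir>/isp/bin

# build_switch_cmd ADMIN SERVICE_REALM USER_REALM [SPN_LEVEL]
# Prints the validated command on success; returns 1 with a reason on stderr
# when an argument would violate a rule from the option table.
build_switch_cmd() {
    admin="$1"; srn="$2"; urn="$3"; level="${4:-PROCESS}"   # PROCESS is the documented default

    [ -n "$admin" ] || { echo "administrator name (-ad) is required" >&2; return 1; }

    # Realm names are case-sensitive and must be uppercase.
    case "$srn" in *[!A-Z0-9.-]*|"") echo "service realm must be uppercase: '$srn'" >&2; return 1;; esac
    case "$urn" in *[!A-Z0-9.-]*|"") echo "user realm must be uppercase: '$urn'" >&2; return 1;; esac

    # The service realm name and the user realm name must be the same.
    [ "$srn" = "$urn" ] || { echo "service realm '$srn' and user realm '$urn' differ" >&2; return 1; }

    # Only the two documented share levels are valid.
    case "$level" in PROCESS|NODE) ;; *) echo "SPN share level must be PROCESS or NODE" >&2; return 1;; esac

    # UNIX form; on Windows the executable is infasetup instead of infasetup.sh.
    echo "$INFA_BIN/infasetup.sh switchToKerberosMode -ad $admin -srn $srn -urn $urn -spnSL $level"
}

# Dry run with constructed placeholder values; replace them for a real domain.
build_switch_cmd infa_admin EXAMPLE.COM EXAMPLE.COM PROCESS
```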