Enabling Kerberos Authentication
You can enable Kerberos authentication in an Informatica domain when you install the Informatica services, or you can enable Kerberos authentication after you install the services.
For information on how to enable Kerberos authentication when you install the Informatica services, see the Informatica 10.2 HotFix 2 Installation and Configuration Guide.
If you do not enable Kerberos authentication during installation, follow the steps in this section to use the Informatica command line programs to enable Kerberos authentication after you install the services.
Enable Kerberos Authentication in the Domain
Enable Kerberos on a gateway node within the domain.
Run the infasetup switchToKerberosMode command on a gateway node within the domain to change the authentication to Kerberos network authentication.
1. Shut down the domain and all Informatica services. Shut down the services in the following order:
- Metadata Manager Service
- PowerCenter® Integration Service
- PowerCenter® Repository Service
- Content Management Service
- Analyst Service
- Data Integration Service
- Model Repository Service
2. At the command prompt on a gateway node, switch to the directory where the infasetup executable is located:
<Informatica installation directory>\isp\bin
3. Run the following command:
infasetup switchToKerberosMode -ad <administrator name> -srn <Kerberos realm names> -urn <Kerberos realm names> -spnSL <service principal level>
The following table describes the options and arguments for the infasetup switchToKerberosMode command:
Option | Argument | Description
---|---|---
-administratorName -ad | user_name | User name for the domain administrator account that is created when you configure Kerberos authentication. Specify the name of an account that exists in Active Directory. After you configure Kerberos authentication, this user is included in the _infaInternalNamespace security domain that the command creates. If the domain uses a single Kerberos realm to authenticate users, specify the sAMAccountName of the account you want to use as the administrator account. If the domain uses Kerberos cross realm authentication, specify the fully qualified user principal name of the account you want to use as the administrator account, including the realm name. For example: sysadmin@COMPANY.COM
-ServiceRealmName -srn | Kerberos_realm_name | Name of the Kerberos realm that the domain uses to authenticate users. The realm name must be in uppercase and is case-sensitive. To configure Kerberos cross realm authentication, specify the name of each Kerberos realm that the domain uses to authenticate users, separated by a comma. For example: COMPANY.COM,EAST.COMPANY.COM,WEST.COMPANY.COM. Use an asterisk as a wildcard character before a realm name to include all realms that include the name. For example: *EAST.COMPANY.COM
-UserRealmName -urn | Kerberos_realm_name | Name of the Kerberos realm that the domain uses to authenticate users. The realm name must be in uppercase and is case-sensitive. To configure Kerberos cross realm authentication, specify the name of each Kerberos realm that the domain uses to authenticate users, separated by a comma. For example: COMPANY.COM,EAST.COMPANY.COM,WEST.COMPANY.COM. Use an asterisk as a wildcard character before a realm name to include all realms that include the name. For example: *EAST.COMPANY.COM
-SPNShareLevel -spnSL | NODE\|PROCESS | Service principal level for the domain. Set to NODE to enable Kerberos at the node level. Set to PROCESS to enable Kerberos at the process level.
The following example changes the domain authentication to Kerberos and sets the sysadmin user account as the administrator account in a domain that uses a single Kerberos realm to authenticate users:
infasetup switchToKerberosMode -ad sysadmin -srn COMPANY.COM -urn COMPANY.COM -spnSL NODE
The following example changes the domain authentication to Kerberos and sets the sysadmin user account as the administrator account in a domain that uses Kerberos cross realm authentication:
infasetup switchToKerberosMode -ad sysadmin@COMPANY.COM -srn COMPANY.COM,COMPANY.EAST.COM,COMPANY.WEST.COM -urn COMPANY.COM,COMPANY.EAST.COM,COMPANY.WEST.COM -spnSL NODE
Update the Nodes in the Domain
Update all gateway and worker nodes with the Kerberos authentication server information, except the gateway node on which you ran the infasetup switchToKerberosMode command.
Use the following commands to update the gateway and worker nodes:
- infasetup UpdateGatewayNode: Use the UpdateGatewayNode command to set the Kerberos authentication parameters on a gateway node in the domain. If the domain has multiple gateway nodes, run the UpdateGatewayNode command on each gateway node.
- infasetup UpdateWorkerNode: Use the UpdateWorkerNode command to set the Kerberos authentication parameters on a worker node in the domain. If the domain has multiple worker nodes, run the UpdateWorkerNode command on each worker node.
1. At the command prompt on a node, switch to the directory where the infasetup executable is located:
<Informatica installation directory>\isp\bin
2. To set the Kerberos authentication parameters on a gateway node, run the following command:
infasetup UpdateGatewayNode -krb <true|false> -srn <Kerberos realm names> -urn <Kerberos realm names>
To set the Kerberos authentication parameters on a worker node, run the following command:
infasetup UpdateWorkerNode -krb <true|false> -srn <Kerberos realm names> -urn <Kerberos realm names>
The following table describes the options and arguments required to enable Kerberos authentication on a node:
Option | Argument | Description
---|---|---
-EnableKerberos -krb | true\|false | Configures the Informatica domain to use Kerberos authentication. Set to true to enable Kerberos authentication. Default is false.
-ServiceRealmName -srn | Kerberos_realm_name | Name of the Kerberos realm that the domain uses to authenticate users. The realm name must be in uppercase and is case-sensitive. To configure Kerberos cross realm authentication, specify the name of each Kerberos realm that the domain uses to authenticate users, separated by a comma. For example: COMPANY.COM,EAST.COMPANY.COM,WEST.COMPANY.COM. Use an asterisk as a wildcard character before a realm name to include all realms that include the name. For example: *EAST.COMPANY.COM
-UserRealmName -urn | Kerberos_realm_name | Name of the Kerberos realm that the domain uses to authenticate users. The realm name must be in uppercase and is case-sensitive. To configure Kerberos cross realm authentication, specify the name of each Kerberos realm that the domain uses to authenticate users, separated by a comma. For example: COMPANY.COM,EAST.COMPANY.COM,WEST.COMPANY.COM. Use an asterisk as a wildcard character before a realm name to include all realms that include the name. For example: *EAST.COMPANY.COM
The following example updates a worker node to use Kerberos authentication:
infasetup updateWorkerNode -krb true -srn COMPANY.COM -urn COMPANY.COM
The following example updates a worker node to use Kerberos cross realm authentication:
infasetup updateWorkerNode -krb true -srn COMPANY.COM,COMPANY.EAST.COM,COMPANY.WEST.COM -urn COMPANY.COM,COMPANY.EAST.COM,COMPANY.WEST.COM
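Both procedures above (switchToKerberosMode on one gateway node, then UpdateGatewayNode or UpdateWorkerNode on every other node) take the same realm lists, and the realm rules are easy to get wrong from a shell: the names are case-sensitive and must be uppercase, the list is comma-separated with no spaces, and a wildcard realm such as *EAST.COMPANY.COM is expanded by the shell unless globbing is off. The following POSIX shell wrapper is an added example, not Informatica's own tooling. It validates the realm lists and the -spnSL value, builds the exact infasetup command lines, and only executes them when DRY_RUN=0. INFA_HOME, the infasetup.sh file name on UNIX, the sysadmin account and the node list in main() are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Informatica's own code): validate the realm arguments and
# build the infasetup command lines used to switch a domain to Kerberos and to
# update the remaining nodes. INFA_HOME, infasetup.sh and the node list in
# main() are assumptions for illustration.

set -f   # never glob: a wildcard realm such as *EAST.COMPANY.COM must stay literal

INFA_HOME="${INFA_HOME:-/opt/Informatica}"      # assumed installation directory
INFASETUP="$INFA_HOME/isp/bin/infasetup.sh"     # infasetup.sh on UNIX, infasetup.bat on Windows
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the command lines only

# Succeed only if every comma-separated realm is uppercase (digits, '.' and '-'
# allowed, optional leading '*' wildcard) with no empty items or spaces.
# The body is a subshell, so the IFS change stays local and 'exit' only
# leaves this subshell.
validate_realms() (
    realms="$1"
    [ -n "$realms" ] || exit 1
    IFS=','
    for r in $realms; do
        case "$r" in ''|*' '*) exit 1 ;; esac        # empty item or embedded space
        r="${r#\*}"                                    # drop the wildcard prefix
        case "$r" in
            *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-]*) exit 1 ;;   # lowercase or unexpected char
        esac
    done
    exit 0
)

# Print the switchToKerberosMode command line for the first gateway node.
build_switch_cmd() {
    admin="$1"; srn="$2"; urn="$3"; level="$4"
    validate_realms "$srn" || { echo "invalid service realm list: $srn" >&2; return 1; }
    validate_realms "$urn" || { echo "invalid user realm list: $urn" >&2; return 1; }
    case "$level" in
        NODE|PROCESS) ;;
        *) echo "spnSL must be NODE or PROCESS, got: $level" >&2; return 1 ;;
    esac
    printf '%s switchToKerberosMode -ad %s -srn %s -urn %s -spnSL %s\n' \
        "$INFASETUP" "$admin" "$srn" "$urn" "$level"
}

# Print the UpdateGatewayNode or UpdateWorkerNode command line for one node.
build_update_cmd() {
    kind="$1"; srn="$2"; urn="$3"
    case "$kind" in
        gateway) sub=UpdateGatewayNode ;;
        worker)  sub=UpdateWorkerNode ;;
        *) echo "node kind must be gateway or worker, got: $kind" >&2; return 1 ;;
    esac
    validate_realms "$srn" || { echo "invalid service realm list: $srn" >&2; return 1; }
    validate_realms "$urn" || { echo "invalid user realm list: $urn" >&2; return 1; }
    printf '%s %s -krb true -srn %s -urn %s\n' "$INFASETUP" "$sub" "$srn" "$urn"
}

# Print the command line in dry-run mode, otherwise execute it.
run_cmd() {
    [ -n "$1" ] || return 1                   # an empty line means a build step failed
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $1"
    else
        $1                                    # word-split on spaces; path must not contain spaces
    fi
}

main() {
    srn="${1:-COMPANY.COM,*EAST.COMPANY.COM}"   # constructed sample realm lists
    urn="${2:-$srn}"
    # The services must already be shut down in the documented order (Metadata
    # Manager Service first, Model Repository Service last); not wrapped here.
    run_cmd "$(build_switch_cmd sysadmin "$srn" "$urn" NODE)" || exit 1
    # Each remaining node runs its own update command locally; the constructed
    # list only shows that every node receives the same realm lists.
    for node in gw2:gateway wk1:worker wk2:worker; do
        run_cmd "$(build_update_cmd "${node#*:}" "$srn" "$urn")" || exit 1
    done
}

main "$@"
```

Run it as-is to see the four command lines it would issue, then with DRY_RUN=0 on the node itself once the realm lists are right. The validation deliberately rejects a lowercase realm rather than uppercasing it, because the domain stores whatever string it is given and a silent fix-up would hide a configuration error.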