Generate the Service Principal and Keytab File Name Format
If you run the Informatica domain with Kerberos authentication, you must associate Kerberos service principal names (SPN) and keytab files with the nodes and processes in the Informatica domain. Informatica requires keytab files to authenticate services without requests for passwords.
Based on the security requirements for the domain, you can set the service principal level to one of the following levels:
- Node Level
- If the domain is used for testing or development and does not require a high level of security, you can set the service principal at the node level. You can use one SPN and keytab file for the node and all the service processes on the node. You must also set up a separate SPN and keytab file for the HTTP processes on the node.
- Process Level
- If the domain is used for production and requires a high level of security, you can set the service principal at the process level. Create a unique SPN and keytab file for each node and each process on the node. You must also set up a separate SPN and keytab file for the HTTP processes on the node.
The Informatica domain requires the service principal and keytab file names to follow a specific format. To ensure that you follow the correct format for the service principal and keytab file names, use the Informatica Kerberos SPN Format Generator to generate a list of the service principal and keytab file names in the format required by the Informatica domain.
The Informatica Kerberos SPN Format Generator is shipped with the Informatica services installer.
Service Principal Requirements at Node Level
If the Informatica domain does not require a high level of security, the node and service processes can share the same SPNs and keytab files. The domain does not require a separate SPN for each service process in a node.
The Informatica domain requires SPNs and keytab files for the following components at node level:
- Principal distinguished name (DN) for the LDAP directory service
- Principal name for the bind user DN that is used to search the LDAP directory service. The name of the keytab file must be infa_ldapuser.keytab.
- Node process
- Principal name for the Informatica node that initiates or accepts authentication calls. The same principal name is used to authenticate the services in the node. Each gateway node in the domain requires a separate principal name.
- HTTP processes in the domain
- Principal name for all web application services in the Informatica domain, including Informatica Administrator. The browser uses this principal name to authenticate with all HTTP processes in the domain. The name of the keytab file must be webapp_http.keytab.
Service Principal Requirements at Process Level
If the Informatica domain requires a high level of security, create a separate SPN and keytab file for each node and each service in the node.
The Informatica domain requires SPNs and keytab files for the following components at process level:
- Principal distinguished name (DN) for the LDAP directory service
- Principal name for the bind user DN that is used to search the LDAP directory service. The name of the keytab file must be infa_ldapuser.keytab.
- Node process
- Principal name for the Informatica node that initiates or accepts authentication calls.
- Informatica Administrator service
- Principal name for the Informatica Administrator service that authenticates the service with other services in the Informatica domain. The name of the keytab file must be_AdminConsole.keytab.
- HTTP processes in the domain
- Principal name for all web application services in the Informatica domain, including Informatica Administrator. The browser uses this principal name to authenticate with all HTTP processes in the domain. The name of the keytab file must be webapp_http.keytab.
- Service process
- Principal name for the service that runs on a node in the Informatica domain. Each service requires a unique service principal and keytab file name.
- You do not need to create the SPNs and keytab files for the services before you run the installer. You can create the SPN and keytab file for a service when you create the service in the domain. The SPN and keytab file for a service must be available when you enable the service.
Running the SPN Format Generator on Linux
You can run the Informatica Kerberos SPN Format Generator to generate a file that shows the correct format for the SPNs and keytab file names required in the Informatica domain.
You can run the SPN Format Generator from the command line or from the Informatica installer. The SPN Format Generator generates a file with the names of the service principal and keytab files based on the parameters you provide.
Note: Verify that the information you provide is correct. The SPN Format Generator does not validate the values you enter.
1. On the machine where you extracted the installation files, go to the following directory: <Informatica installation files directory>/Server/Kerberos
2. On a shell command line, run the SPNFormatGenerator.sh file.
3. Press Enter to continue.
4. In the Service Principal Level section, select the level at which to set the Kerberos service principals for the domain.
The following table describes the levels you can select:
| Level | Description |
|---|---|
| Process Level | Configures the domain to use a unique service principal name (SPN) and keytab file for each node and each application service on a node. The number of SPNs and keytab files required for each node depends on the number of application service processes that run on the node. Use the process level option for domains that require a high level of security, such as production domains. |
| Node Level | Configures the domain to share SPNs and keytab files on a node. This option requires one SPN and keytab file for the node and all application services that run on the node. It also requires a separate SPN and keytab file for all HTTP processes on the node. Use the node level option for domains that do not require a high level of security, such as test and development domains. |
5. Enter the domain and node parameters required to generate the SPN format.
The following table describes the parameters you must specify:
| Prompt | Description |
|---|---|
| Domain Name | Name of the domain. The name must not exceed 128 characters and must be 7-bit ASCII only. It cannot contain a space or any of the following characters: ` % * + ; " ? , < > \ / |
| Node name | Name of the Informatica node. |
| Node host name | Fully qualified host name or the IP address of the machine on which to create the node. The node host name cannot contain the underscore (_) character. Note: Do not use localhost. The host name must explicitly identify the machine. |
| Service Realm Name | Name of the Kerberos realm for the Informatica domain services. The realm name must be in uppercase. |
If you set the service principal at node level, the prompt Add Node? appears. If you set the service principal at process level, the prompt Add Service? appears.
6. At the Add Node? prompt, enter 1 to generate the SPN format for an additional node. Then enter the node name and node host name.
To generate the SPN formats for multiple nodes, enter 1 at each Add Node? prompt and enter a node name and node host name.
7. At the Add Service? prompt, enter 1 to generate the SPN format for a service that will run on the preceding node. Then enter the service name.
To generate the SPN formats for multiple services, enter 1 at each Add Service? prompt and enter a service name.
8. Enter 2 to end the Add Service? or Add Node? prompts.
The SPN Format Generator displays the path and file name of the file that contains the list of service principal and keytab file names.
9. Press Enter to exit the SPN Format Generator.
The SPN Format Generator generates a text file that contains the SPN and keytab file names in the format required for the Informatica domain.
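Because the SPN Format Generator does not validate the values you enter, the following added Python script (not part of Informatica or this documentation) checks the domain name, node host name and realm name against the constraints listed in the parameter table above before you run the generator. The sample values at the bottom are constructed for illustration.

```python
from typing import List

# Constraints taken from the SPN Format Generator parameter table on this page.
DOMAIN_NAME_MAX_LEN = 128
# Space plus the characters the table lists as forbidden in a domain name.
DOMAIN_NAME_FORBIDDEN = set(' `%*+;"?,<>\\/')


def check_domain_name(name: str) -> List[str]:
    """Return a list of problems with the domain name (empty list if valid)."""
    problems = []
    if not name:
        problems.append("domain name is empty")
    if len(name) > DOMAIN_NAME_MAX_LEN:
        problems.append(f"domain name exceeds {DOMAIN_NAME_MAX_LEN} characters")
    if any(ord(c) > 127 for c in name):
        problems.append("domain name contains non-7-bit-ASCII characters")
    bad = sorted({c for c in name if c in DOMAIN_NAME_FORBIDDEN})
    if bad:
        problems.append("domain name contains forbidden characters: "
                        + " ".join(repr(c) for c in bad))
    return problems


def check_node_host_name(host: str) -> List[str]:
    """Node host name: no underscore, and never localhost."""
    problems = []
    if not host:
        problems.append("node host name is empty")
    if "_" in host:
        problems.append("node host name contains an underscore")
    if host.lower() == "localhost":
        problems.append("node host name must not be localhost")
    return problems


def check_realm_name(realm: str) -> List[str]:
    """Kerberos realm name must be uppercase."""
    if not realm:
        return ["realm name is empty"]
    if realm != realm.upper():
        return ["realm name must be uppercase"]
    return []


def check_spn_parameters(domain: str, node_host: str, realm: str) -> List[str]:
    """Run all checks; an empty list means the values are safe to enter."""
    return (check_domain_name(domain) + check_node_host_name(node_host)
            + check_realm_name(realm))


if __name__ == "__main__":
    # Constructed sample values, not from any real environment.
    for p in check_spn_parameters("Infa Domain", "infa_node1", "example.com"):
        print("problem:", p)
```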