Configuring Kerberos authentication for OpenAccess SDK Server
1. In your data access service or your OpenAccess SDK Agent service, set the ServiceAuthMethods attribute to a value of kerberos.
2. In the server data source, set the DataSourceLogonMethod attribute to a value of OSIntegrated. This allows the service to authenticate the client using the operating system user ID and password.
If you installed the OpenAccess SDK Server on Windows, skip to Step 3.
If you installed the OpenAccess SDK Server on Linux or UNIX, use a text editor to modify the krb5.conf file so that it contains your Kerberos realm name and the KDC name for that Kerberos realm.
Note: In Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.
For example, if your Kerberos realm name is XYZ.COM and your KDC name is kdc1, your krb5.conf file would look like this:
[libdefaults]
default_realm = XYZ.COM
default_keytab_name = FILE:/installdir/lib/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
XYZ.COM = {
    kdc = kdc1:88
    admin_server = server1.eu.xyz.com:749
    default_domain = kdc1
};
[domain_realm]
.xyz.com = XYZ.COM
.eu.xyz.com = XYZ.COM
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
3. (Optional) If you want to use a service principal name other than the default name to identify the OpenAccess SDK service, specify a value for the ServiceKerberosPrincipalName attribute for data access services or the ServiceAdminKerberosPrincipalName attribute for OpenAccess SDK Agent services. See ServiceKerberosPrincipalName and ServiceAdminKerberosPrincipalName for details.
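The following check is an added example, not part of the OpenAccess SDK documentation: it parses a krb5.conf like the one in step 2, confirms that default_realm has a kdc entry under [realms], and flags enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4). The function names and the embedded sample are constructed for illustration; whether stronger enctypes can replace the flagged ones depends on what your KDC and the OpenAccess SDK Server support.

```python
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK = re.compile(r"^(des3?|arcfour|rc4)(-|$)", re.I)
# Constructed sample that mirrors the realm/KDC layout shown in step 2.
SAMPLE = """\
[libdefaults]
default_realm = XYZ.COM
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
XYZ.COM = {
kdc = kdc1:88
};
"""

def parse_krb5_conf(text):
    """Return {section: {key: value-or-subdict}} for a krb5.conf string."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and "]" in line:
            section, group = conf.setdefault(line[1:line.index("]")], {}), None
        elif line.startswith("}"):           # also accepts the "};" form
            group = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                 # start of a nested realm block
                group = section.setdefault(key, {})
            else:
                (group if group is not None else section)[key] = value
    return conf

def audit(text):
    """List problems: missing realm/KDC entries and deprecated enctypes."""
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"realms: no kdc defined for {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in re.split(r"[,\s]+", lib.get(key, "")) if WEAK.match(e)]
        if weak:
            findings.append(f"libdefaults: {key} lists deprecated {' '.join(weak)}")
    return findings
```

Call audit() on the contents of your own krb5.conf; an empty list means the realm and KDC entries are present and no deprecated enctype is listed.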