Security Guide : 9. Configuring Vector to Use Kerberos : Kerberos Configuration in the Enterprise
 
Share this page                  
Kerberos Configuration in the Enterprise
Before using Kerberos with Vector, Kerberos should be appropriately configured in your enterprise.
A primary component of Kerberos is the Key Distribution Center (KDC). The KDC is a server process that performs the core authentication. The authentication protocol is a set of encrypted tickets that are passed from the KDC to client processes or intermediate agents known as “service principals.” For the sake of simplicity, let us assume that a single KDC will perform the Kerberos authentication.
If the enterprise contains only one DBMS Server, a possible option is to execute the KDC on the same machine as the DBMS Server:
If enough resources are available, it is desirable to install the KDC on a network node separate from the Vector installation. In this way, security restrictions can be imposed on the Kerberos node that may not be possible if Kerberos resided on the same machine as a DBMS Server:
The example above demonstrates why Kerberos is sometimes referred to as “distributed authentication.” The KDC performs authentication for all Vector nodes in the enterprise, even though the KDC itself resides on a separate network node.
Note:  The above example assumes all the Vector nodes will use Kerberos for authentication, but this is not a requirement; some nodes may continue to use INGRES authentication.