Security Guide : 10. Configuring Vector to Use Kerberos : The Vector Service Principal--Authorize Client Connections
 
The Vector Service Principal--Authorize Client Connections
A Kerberos principal is an entity to which credentials (validated tickets) may be assigned. Most principals of concern to Vector correspond to the login names of the Vector users. For instance, in the Kerberos domain (realm) MYDOMAIN.XYZ.COM, the principal representing the “actian” user is “actian@MYDOMAIN.XYZ.COM”.
Note:  The credentials associated with the “actian” principal are valid for every “actian” login in the Kerberos domain, regardless of the local system password set for the “actian” account on each machine; Kerberos authenticates the principal, not the local account.
The KDC must define a user principal for each Vector user in the enterprise, and a service principal for each Vector installation. A Vector service principal does not correspond to a login user name; it represents the Vector server process that performs authentication on behalf of the user.
User principals obtain tickets directly from the KDC through kinit, Leash Ticket Manager, or Network Identity Manager; a Vector service principal requires no such initialization. Instead, the service principal establishes its credentials from the Kerberos keytab file, which holds the principal's long-term key.
A Vector service principal must be defined for each node in the Kerberos domain that has a Vector installation. On the KDC, export the key of each Vector service principal to a keytab file; the installation uses this key to decrypt the service tickets that clients obtain from the KDC and present to it. Install the keytab on each Vector node. A node needs only the entry for its own service principal: a keytab that carries every node's key lets anyone who can read it impersonate every Vector installation, so export a separate keytab for each node rather than copying one combined file everywhere. Treat the keytab as a password. For the best security, set its owner to “actian” (or the installation owner) and make it readable only by that owner (mode 0400 on Linux and UNIX).
We strongly recommend that you define the KRB5_KTNAME environment variable as the full path and file name of the keytab file in the environment that starts Vector. On Windows, this is mandatory. Without it, the Kerberos library looks in its default keytab location (typically /etc/krb5.keytab on MIT Kerberos), which the installation owner usually cannot read.
The Vector service principal uses the standard Kerberos “primary/instance@realm” format, as follows:
$ingres/hostname@realm
hostname
Is the fully-qualified domain name of the host on which the Vector installation is running. To find the fully-qualified host name for your machine, execute the iinethost utility.
realm
Is the Kerberos administrative domain name.
For the host foo.xyz.com in the realm MYDOMAIN.COM, the Vector service principal is “$ingres/foo.xyz.com@MYDOMAIN.COM”.
Note:  The host name must be fully qualified and separated from the “$ingres” primary by a slash. The name “$ingres.foo@MYDOMAIN.COM” is therefore not a valid Vector service principal: it uses a dot instead of “/” and “foo” is not fully qualified. The “$ingres/” prefix is mandatory, dollar sign included; a name such as “ingres.foo@MYDOMAIN.COM” is invalid because the dollar sign ($) is missing (in addition to the two defects of the previous example).
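The procedure described in this section (principal naming, keytab export on the KDC, ownership and permissions on the node, KRB5_KTNAME), as an added example that is not part of the Actian documentation: a POSIX shell script that checks a candidate service principal name against the naming rules above, provisions it with MIT Kerberos kadmin.local, and verifies that the installed keytab is readable only by its owner. The tool names, the owner “actian”, the keytab path /etc/vector.keytab and the host/realm pair are assumptions for illustration; the provisioning step needs a real KDC and is not run by the stand-alone demo at the end. One practical trap the script guards against: in a shell the “$” of “$ingres” must be quoted or escaped, otherwise the shell expands “$ingres” to an empty string and the principal silently becomes “/foo.xyz.com@MYDOMAIN.COM”.

```shell
#!/bin/sh
# Added example, not part of the Actian Vector documentation: check a Vector
# service principal name, provision it on an MIT Kerberos KDC, and verify that
# the installed keytab is locked down.
# Assumptions (illustrative, not from the guide): MIT admin tools
# (kadmin.local, klist) on the KDC, installation owner "actian",
# keytab path /etc/vector.keytab, host foo.xyz.com in realm MYDOMAIN.COM.

# vector_principal_ok NAME
# Exit 0 if NAME has the form $ingres/<fqdn>@<REALM>:
#   - the literal "$ingres/" prefix (a missing "$" or a "." separator fails)
#   - a fully-qualified host (at least one dot, no "/" or whitespace)
#   - exactly one "@" followed by a non-empty realm
vector_principal_ok() {
    name=$1
    case $name in
        '$ingres/'*) ;;
        *) return 1 ;;
    esac
    rest=${name#*/}                 # <fqdn>@<REALM>
    host=${rest%%@*}
    realm=${rest#*@}
    [ "$rest" != "$host" ] || return 1          # no "@" at all
    [ "${realm#*@}" = "$realm" ] || return 1    # more than one "@"
    case $host in
        *.*) ;;                                 # qualified host name
        *) return 1 ;;                          # short name such as "foo"
    esac
    case $host in
        */*|*[[:space:]]*) return 1 ;;
    esac
    [ -n "$realm" ]
}

# keytab_secure KEYTAB OWNER
# Exit 0 if KEYTAB is a regular file owned by OWNER with mode 0400 (or 0600,
# if the owner must be able to rewrite it), so no other user can read the key.
# Parses ls -l rather than stat so it works on both GNU and BSD userlands.
keytab_secure() {
    f=$1
    owner=$2
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")           # -r-------- 1 actian actian 96 ... path
    mode=${1%[.+@]}                 # drop a trailing SELinux/ACL/xattr marker
    [ "$3" = "$owner" ] || return 1
    case $mode in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# provision_vector_keytab FQDN REALM KEYTAB
# On the KDC, as the Kerberos administrator: create the node's service
# principal with a random key and export only that key to KEYTAB (one keytab
# per node, so a node never holds another node's key). Needs a real KDC; the
# stand-alone demo below does not call it.
provision_vector_keytab() {
    fqdn=$1
    realm=$2
    keytab=$3
    princ="\$ingres/$fqdn@$realm"   # "\$" keeps the dollar sign literal
    vector_principal_ok "$princ" || { echo "bad principal: $princ" >&2; return 1; }
    kadmin.local -q "addprinc -randkey $princ" || return 1
    kadmin.local -q "ktadd -k $keytab $princ" || return 1
    klist -kt "$keytab" || return 1       # confirm the entry and its KVNO
    # Copy KEYTAB to the Vector node, then on that node:
    chown actian "$keytab" && chmod 0400 "$keytab" || return 1
    keytab_secure "$keytab" actian
    # and point Vector at it in the installation owner's environment:
    #   KRB5_KTNAME=/etc/vector.keytab; export KRB5_KTNAME
}

# Stand-alone demo of the name check (no KDC required).
for p in '$ingres/foo.xyz.com@MYDOMAIN.COM' \
         '$ingres.foo@MYDOMAIN.COM' \
         'ingres/foo.xyz.com@MYDOMAIN.COM' \
         '$ingres/foo@MYDOMAIN.COM'; do
    if vector_principal_ok "$p"; then
        echo "valid:   $p"
    else
        echo "invalid: $p"
    fi
done
```

Run keytab_secure from a cron job or a configuration check on each node; a keytab that drifts to group- or world-readable is the same exposure as a leaked service password, and the check costs nothing.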