Security Guide > Security Guide > A. Configuring Actian X to Use Kerberos > The Actian X Service Principal--Authorize Client Connections
Was this helpful?
The Actian X Service Principal--Authorize Client Connections
A Kerberos principal is an entity to which credentials (validated tickets) may be assigned. Most principals of concern to Actian X are simply those that correspond to the login names of the Actian X users. For instance, for the domain MYDOMAIN.XYZ.COM, a principal representing the “ingres” user is “ingres@MYDOMAIN.XYZ.COM”.
Note:  The credentials associated with the “ingres” user are valid for all “ingres” logins in the Kerberos domain, regardless of the system passwords associated with the “ingres” login name on each machine.
A KDC must define user principals for each Actian X user that exists in the enterprise, and for each Actian X service principal. An Actian X service principal does not correspond to a login user name. Instead, the Actian X service principal represents an Actian X process that performs authentication on behalf of the user.
User principals get tickets directly from the KDC through the kinit or Leash Ticket Manager or Network Identify Manager programs, but an Actian X service principal requires no such initialization. Instead, the Actian X service principal relies on the Kerberos keytab file to establish its credentials.
An Actian X service principal definition is required for each node on the Kerberos domain that has an Actian X installation. The KDC installation must define a keytab file for all Actian X service principals in order to decrypt tickets received from the KDC. A copy of the keytab file must be installed on each Actian X node in the Kerberos domain. For the best security, set ownership of the keytab file to “ingres” or the installation owner, and set read-only permissions to the keytab file.
We strongly recommend that you define the KR5_KTNAME environment variable as the full path and file name of the keytab file. On Windows, this is mandatory.
The Actian X service principal uses the standard Kerberos “primary/instance@realm” format, as follows:
$ingres/hostname@realm
hostname
Is the fully-qualified domain name of the host on which the Actian X installation is running. To find the fully-qualified host name for your machine, execute the iinethost utility.
realm
Is the Kerberos administrative domain name.
In the example host name foo.xyz.com, the Actian X service principal would be named “$ingres/foo.xyz.com@MYDOMAIN.COM”.
Note:  The fully-qualified host name is required when defining the Actian X service principal. Thus, the name “$ingres.foo@MYDOMAIN.COM” is not a valid Actian X service principal name. The “$ingres/” prefix is mandatory. A principal name such as “ingres.foo@MYDOMAIN.COM” is invalid due to the missing dollar sign ($).
Last modified date: 08/14/2024