The Ingres Service Principal--Authorize Client Connections
A Kerberos principal is an entity to which credentials (validated tickets) may be issued. Most principals of concern to Ingres are simply those that correspond to the login names of the Ingres users. For instance, in the realm (Kerberos domain) MYDOMAIN.XYZ.COM, the principal representing the “ingres” user is “ingres@MYDOMAIN.XYZ.COM”.
Note:  The credentials issued to the “ingres” principal are accepted for the “ingres” login on every machine in the Kerberos realm, regardless of the operating-system password set for the “ingres” login name on each machine. Kerberos authenticates the principal, not the local account.
The KDC must define a user principal for each Ingres user in the enterprise, and a service principal for each Ingres installation. An Ingres service principal does not correspond to a login user name. Instead, it represents the Ingres process that performs authentication on behalf of the user.
User principals obtain tickets directly from the KDC through kinit, Leash Ticket Manager, or Network Identity Manager, but an Ingres service principal requires no such initialization. Instead, the Ingres service principal establishes its credentials from the key stored in the Kerberos keytab file.
An Ingres service principal definition is required for each node in the Kerberos realm that has an Ingres installation. The KDC administrator must export the keys of all Ingres service principals to a keytab file; the Ingres server uses this key to decrypt the service tickets (issued by the KDC) that clients present. A copy of the keytab file must be installed on each Ingres node in the Kerberos realm. Because the keytab holds the long-term key of the service principal, which is equivalent to its password, set ownership of the keytab file to “ingres” or the installation owner, and make it readable only by that owner (read-only, with no group or world access).
We strongly recommend that you define the KRB5_KTNAME environment variable as the full path and file name of the keytab file. On Windows, this is mandatory.
The Ingres service principal uses the standard Kerberos “primary/instance@realm” format, as follows:
$ingres/hostname@realm
hostname
Is the fully-qualified domain name of the host on which the Ingres installation is running. To find the fully-qualified host name for your machine, execute the iinethost utility.
realm
Is the Kerberos administrative domain name.
For example, for the host foo.xyz.com in the realm MYDOMAIN.COM, the Ingres service principal is named “$ingres/foo.xyz.com@MYDOMAIN.COM”.
Note:  The fully-qualified host name is required when defining the Ingres service principal, and the “$ingres/” prefix is mandatory. Thus, “$ingres.foo@MYDOMAIN.COM” is not a valid Ingres service principal name: the primary and instance are not separated by “/”, and “foo” is not a fully-qualified host name. A name such as “ingres.foo@MYDOMAIN.COM” is also invalid, because the dollar sign ($) is missing.
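The following Python is an added example, not Ingres code or part of the original guide. It encodes the naming rules above (the mandatory “$ingres/” prefix, the fully-qualified host name, the “@realm” suffix) as a checker that rejects the invalid names from the note, and it checks a keytab file for the ownership and permission advice given earlier. The function names, the owner-only mode 0400 as the concrete meaning of “read-only”, and the stand-in keytab (an empty temporary file the script creates itself) are assumptions of this example; it is UNIX-only because it relies on POSIX mode bits and os.getuid(). Creating the real service principal and keytab is done with the KDC's own administration tools and is not shown here.

```python
"""Checks for the Ingres service principal naming rules and keytab file hygiene.

Added example, not Ingres code. Rules encoded from the guide:
  * the primary is the literal "$ingres" (the "$" is mandatory)
  * primary and instance are separated by "/"
  * the instance is the fully-qualified host name (as printed by iinethost)
  * the realm follows "@"
UNIX only: the keytab check relies on POSIX mode bits and os.getuid().
"""
from __future__ import annotations

import os
import stat
import tempfile

INGRES_PRIMARY = "$ingres"


def _is_fqdn(host: str) -> bool:
    # A short name such as "foo" has a single label; "foo.xyz.com" has several.
    labels = host.strip(".").split(".")
    return len(labels) >= 2 and all(labels)


def service_principal(fqdn: str, realm: str) -> str:
    """Build "$ingres/<fqdn>@<realm>", refusing short host names and empty realms."""
    if not _is_fqdn(fqdn):
        raise ValueError(f"{fqdn!r} is not fully qualified; use the name printed by iinethost")
    if not realm:
        raise ValueError("realm must not be empty")
    return f"{INGRES_PRIMARY}/{fqdn}@{realm}"


def validate_service_principal(name: str) -> list[str]:
    """Return the rule violations found in a candidate name (an empty list means valid)."""
    problems: list[str] = []
    primary_instance, at, realm = name.rpartition("@")
    if not at:
        return ["missing '@realm'"]
    if not realm:
        problems.append("empty realm")
    primary, slash, instance = primary_instance.partition("/")
    if not slash:
        problems.append("missing '/' between primary and instance")
    if not primary.startswith("$"):
        problems.append("primary lacks the mandatory '$' (expected '$ingres')")
    elif primary != INGRES_PRIMARY:
        problems.append(f"primary must be '$ingres', got {primary!r}")
    if slash and not _is_fqdn(instance):
        problems.append(f"instance {instance!r} is not a fully-qualified host name")
    return problems


def keytab_problems(path: str, expected_uid: int | None = None) -> list[str]:
    """Report why a keytab's ownership or mode is unsafe.

    The keytab holds the service principal's long-term key, so it must be
    owned by the installation owner and readable by nobody else (mode 0400
    is this example's assumed meaning of the guide's "read-only").
    """
    st = os.stat(path)
    problems: list[str] = []
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(st.st_mode)} grants group/other access; use 0400")
    if st.st_mode & stat.S_IWUSR:
        problems.append("writable by its owner; the guide calls for read-only")
    return problems


def demo_keytab_check() -> tuple[list[str], list[str]]:
    """Constructed demo: an empty stand-in keytab, checked first at 0644, then at 0400."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        too_open = keytab_problems(path, os.getuid())
        os.chmod(path, 0o400)
        locked_down = keytab_problems(path, os.getuid())
    finally:
        os.unlink(path)
    return too_open, locked_down


if __name__ == "__main__":
    print(service_principal("foo.xyz.com", "MYDOMAIN.COM"))
    for candidate in ("$ingres/foo.xyz.com@MYDOMAIN.COM",
                      "$ingres.foo@MYDOMAIN.COM",
                      "ingres.foo@MYDOMAIN.COM",
                      "$ingres/foo@MYDOMAIN.COM"):
        print(f"{candidate}: {validate_service_principal(candidate) or 'valid'}")
    too_open, locked_down = demo_keytab_check()
    print("0644:", too_open)
    print("0400:", locked_down)
```

Run the script on an Ingres node as the installation owner, pointing keytab_problems() at the file named by KRB5_KTNAME, to confirm the keytab is owned by that account and not readable by anyone else before starting the server.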
Last modified date: 11/28/2023