Security Guide > Security Guide > Configuring Vector to Use Kerberos > Vector Configuration Options for Kerberos
Was this helpful?
Vector Configuration Options for Kerberos
To configure Vector to use Kerberos, you must set certain parameters in Configuration-By-Forms. In addition, connection attributes may be required depending on the requirements of the enterprise.
The following system components in Configuration-By-Forms are relevant:
Name Server
Net Server
Security, Configure, System
Security, Configure, System, Mechanisms
Basic Configuration for Kerberos
When you configure Vector to use Kerberos, you should first check the basic configuration. The basic configuration consists of the mechanisms parameter and the domain parameter in the Security component.
mechanisms Parameter--Specify Dynamic Mechanism
For Vector to use Kerberos as a dynamic mechanism, the mechanism parameter must be set to kerberos. In Configuration-By-Forms, the mechanisms parameter is located in Security, Configure, System.
The setting should look similar to this:
Name
Value
Units
mechanisms
kerberos
mechanism list
Note:  The ingres, system, or null mechanisms are invalid entries to this list, since its purpose is to specify the dynamic authentication mechanisms.
domain Parameter--Specify Domain Name
In addition to the mechanism parameter, the domain parameter must be set to configure Vector to use Kerberos.
In Configuration-By-Forms, the domain parameter is located in Security, Configure, System, Mechanisms, Kerberos.
The domain parameter must contain the fully qualified host name of the local installation. This name corresponds to the Vector service principal name. For example, for machine foo.xyz.com, the value for the domain parameter should be “foo.xyz.com.” If the entry reads simply “foo,” edit and correct the entry.
The setting should look similar to this:
Name
Value
Units
domain
foo.xyz.com
hostname
remote_mechanism Parameter--Configure Client in a Homogeneous Kerberos Environment
The Name Server can be configured to use Kerberos for authentication for all remote targets. If so configured, connection attempts on non-Kerberos targets will fail. Use the remote_mechanism parameter for this purpose.
In Configuration-By-Forms, the remote_mechanism parameter is located in the Name Server component. Add kerberos to the mechanism list (if not already added in the Security configuration), and specify kerberos as the value on the remote_mechanism parameter.
The setting should look similar to this:
Name
Value
Units
remote_mechanism
kerberos
none, default, mechansim name
In a homogeneous Kerberos environment, it is not necessary to add login/password information for the vnode definitions in netutil. They are ignored at connect time.
vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment
Heterogeneous Kerberos environments are those in which both Kerberos and non-Kerberos connection targets exist in the enterprise. In such an environment, the Name Server settings in Configuration-By-Forms must remain at their default values. The local client behavior must change, depending on the connection target.
To configure the client in a heterogeneous Kerberos environment, specify connection attributes for a vnode using the netutil utility.
Here is a sample vnode configuration in netutil:
Connection data for vnode 'newyork'
Type
Net Address
Protocol
Listen Address
Global
newyork-xp1.
tcp_ip
TS
 
Other attribute data for vnode 'newyork'
Type
Attr_Name
Attr_Value
Private
authentication_mechanism
kerberos
Notes:
The login/password entry for a Kerberos target should remain blank. A login/password entry is not required because the local Kerberos user principal is used for authentication, and the KDC authenticates using the ticket cache of the local user, rather than the system password on the remote connection target.
Kerberos authentication requires a TCP/IP-compatible network protocol on the local installation. On Windows, tcp_ip or win_tcp are acceptable protocol settings.
Encryption Parameters--Enable Kerberos Encryption
To specify encryption, the following options are available in Configuration-By-Forms under the Net Server (also known as Communications Server) component:
ib_encrypt_mech
Determine the encryption mechanism for inbound connections. Valid values are
kerberos
Specifies that Kerberos be used.
*
Specifies that Kerberos will be used if included as an item on the mechanism list.
ob_encrypt_mech
Determine the encryption mechanism for outbound connections. Valid values are the same as for ib_encrypt_mech.
ib_encrypt_mode
Determines the encryption mode for the inbound data stream. Valid values are as follows:
Off
Specifies that encryption be neither requested nor allowed.
Optional
Specifies that encryption may occur but is not requested.
On
Specifies that encryption is requested, if possible (if both ends support it).
Note:  This option replaces the REQUIRED option, which is deprecated.
Preferred
Specifies that encryption is desired and occurs if a compatible encryption mechanism is available unless peer is configured as OFF. No warning is given if encryption is not possible.
ob_encrypt_mode
Determines the encryption mode for the outbound data stream. Valid values are the same as for ib_encrypt_mode.
Outbound connection items may be configured as connection attributes in netutil.
The following example specifies Kerberos encryption for all inbound connections:
Name
Value
Units
ib_incrypt_mech
kerberos
*, mechanism name
ib_incrypt_mode
required
off, optional, on, required
How Name Server Delegation Works
Delegation provides an alternate method of acquiring and forwarding authentication. When delegation is configured, the Name Server generates authentication certificates as if it were the client.
This method requires Kerberos to be configured as both the local and remote authentication mechanism. The client process generates an authentication certificate for the local Name Server. The local Name Server, in turn, uses its delegation capabilities to generate an authentication certificate, and forwards the certificate on behalf of the client to the remote Name Server.
If delegation is not enabled, or Kerberos is not configured as the local authentication mechanism, then the Name Server cannot generate the remote authentication certificate. Instead, the client acquires the authentication certificate prior to making the remote connection. The client then forwards the credentials directly to the remote Name Server. Either method is valid for making secure connections through Kerberos.
Set Delegation
The process of acquiring and forwarding authentication can be delegated to the Name Server.
To set delegation
1. Start Configuration-By-Forms and select Security, Configure, Mechanisms, Kerberos.
2. Set the delegation parameter to on.
Last modified date: 01/26/2023