Configuring the Server for Kerberos

Configure the server for Kerberos authentication by modifying the node1.xml and csi_kerberos.xml files.

By default, the installation process creates a cluster configuration file called node1.xml. This file contains security information for the cluster, including a reference to the file that determines the authentication type. If you created a different cluster name during installation, your cluster configuration file name takes the form <node-name>.xml.

When Kerberos is the active authentication method, the <node-name>.xml file refers to a csi_kerberos.xml file, which provides configuration information for Kerberos authentication. Event Stream Processor provides a default csi_kerberos.xml file in the ESP_HOME/security directory that you can use as-is or modify based on your specific Kerberos implementation.

If you selected Kerberos at installation time, there is no need to modify the <node-name>.xml file. If you installed with a different authentication type, perform these steps to enable and configure Kerberos:

  1. Use a text editor to open the cluster configuration file, ESP_HOME/cluster/nodes/<node-name>/<node-name>.xml, and locate the following lines. If they do not exist in the file, add them.
    <Property name="java.security.krb5.realm">REALM_PLACEHOLDER</Property>
    <Property name="java.security.krb5.kdc">KDC_PLACEHOLDER</Property>
  2. Within the <Security> section of the cluster configuration file, in the <Csi> section, change the <File> value to csi_kerberos.xml, as follows:
    <Csi>
        <File>csi_kerberos.xml</File>
    </Csi>
  3. Add the following to the ESP_HOME/security/csi_kerberos.xml file. Set the principal option to an ESP service name, and set the keyTab option to the full path of a keytab file. The following example csi_kerberos.xml entry sets the principal option to an ESP service name and defines a keytab path:
    <config:configuration xmlns:config="http://www.sybase.com/csi/2.5/config">
        <config:authenticationProvider name="com.sybase.esp.cluster.security.KerberosLoginModule"/>
        <config:options name="principal" value="esp/myhost"/>
        <config:options name="keyTab" value="C:/Documents and Settings/user/krb.keytab"/>
        <config:provider name="com.sybase.security.core.NoSecAuthorizer" type="authorizer"/>
        <config:provider name="com.sybase.security.core.NoSecAttributer" type="attributer"/>
    </config:configuration>
  4. Restart the server and all of the cluster managers.
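
A pre-restart check of the edits made in steps 1 to 3, as an added example that is not part of the product documentation. The function names, the constructed SAMPLE_NODE (its element nesting, values and the csi_other.xml name) and the keytab permission check are assumptions of this example; the permission check is included because a keytab holds the service's long-term key.

```python
import ntpath
import os
import posixpath
import stat
import xml.etree.ElementTree as ET

CSI_NS = "{http://www.sybase.com/csi/2.5/config}"  # namespace from the page

# Constructed sample: element nesting, values and csi_other.xml are assumptions.
SAMPLE_NODE = """<Node><Security>
  <Property name="java.security.krb5.realm">EXAMPLE.COM</Property>
  <Csi><File>csi_other.xml</File></Csi>
</Security></Node>"""


def local(tag):
    """Drop any namespace prefix so element names match either way."""
    return tag.rsplit("}", 1)[-1]


def check_node_config(node_xml):
    """Steps 1 and 2: Kerberos properties present, <Csi><File> switched."""
    root, problems = ET.fromstring(node_xml), []
    props = {e.get("name"): (e.text or "").strip()
             for e in root.iter() if local(e.tag) == "Property"}
    for key in ("java.security.krb5.realm", "java.security.krb5.kdc"):
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    files = [(f.text or "").strip() for csi in root.iter()
             if local(csi.tag) == "Csi" for f in csi if local(f.tag) == "File"]
    if files != ["csi_kerberos.xml"]:
        problems.append(f"<Csi><File> is {files}, expected csi_kerberos.xml")
    return problems


def check_csi_kerberos(csi_xml, check_file=True):
    """Step 3: principal set, keyTab a full path to a private keytab file."""
    root, problems = ET.fromstring(csi_xml), []
    opts = {e.get("name"): e.get("value", "") for e in root.iter(CSI_NS + "options")}
    keytab = opts.get("keyTab", "")
    if not opts.get("principal"):
        problems.append("principal option is not set")
    if not (posixpath.isabs(keytab) or ntpath.isabs(keytab)):
        problems.append("keyTab is missing or not a full path")
    elif check_file and not os.path.isfile(keytab):
        problems.append(f"keytab file not found: {keytab}")
    elif (check_file and os.name == "posix"
          and os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        problems.append("keytab is accessible to group/other users")
    return problems
```

Both functions take the file contents as a string and return a list of problems; an empty list means the checks passed. Pass check_file=False when validating a configuration on a host other than the one holding the keytab.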