Kerberos is a network authentication protocol that allows nodes communicating over an insecure network to prove their identity to each other securely. Kerberos is the recommended method for user authentication in Microsoft® Windows networks. In addition, it is widely used with Linux operating systems and is designed for use with all major platforms.
The prerequisites for a Kerberos integration are the following:
To customize Kerberos, please refer to the ARIS Connect online help (see chapter Administrate ARIS Connect > Configure ARIS Connect > Set up user management > Customize Kerberos settings). If you are going to migrate data from ARIS 9.8.7 or later, customize Kerberos after the migration. The Kerberos settings of the former ARIS version will overwrite the current settings during data migration.
You can use Kerberos for single sign-on.
Creating a key table file
If you have no key table file available, generate a key table file using the JRE tool ktab.exe. To do so, enter the following in the console:
ktab -a userPrincipalName@REALM password -n 0 -append -k umc.keytab
Display existing key table file
You can display the content of an existing key table file using the JRE tool ktab.exe. To do so, enter the following in the console:
ktab -l -e -t -k FILE:C:\<file location of the umc.keytab file>\umc.keytab
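As an added example, not part of the ARIS documentation: a small Python reader that lists principal, realm, kvno and encryption type from a keytab the way ktab -l -e does, without printing the key material, and checks that every entry's realm matches the value configured for com.aris.umc.kerberos.realm. The keytab bytes are constructed inline from the page's example principal and realm with an all-zero dummy key; the helper names are this example's own.

```python
import struct
# Keytab layout (version 0x0502, big-endian) as ktab writes it: int32 size | uint16 ncomp | realm
# | components | uint32 name_type | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key [| uint32 vno32]

def _read_str(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise one entry; used here only to construct the sample file below."""
    parts = [realm.encode()] + [c.encode() for c in principal.split("/")]  # realm first
    body = struct.pack(">H", len(parts) - 1)                 # number of name components
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype, key length)] without exposing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size < 0:                  # negative size marks a deleted slot
            pos += 4 - size
            continue
        end = pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos + 4)
        realm, pos = _read_str(data, pos + 6)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_str(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip the key; only its length is reported
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, klen))
        pos = end
    return entries

def check_realm(entries, configured_realm):
    """Principals whose realm differs from com.aris.umc.kerberos.realm (uppercase)."""
    return [p for p, *_ in entries if p.rsplit("@", 1)[1] != configured_realm.upper()]

# Constructed sample (not a real key): the page's example principal/realm, kvno 0 as with "ktab -n 0", enctype 18 = aes256-cts
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry("MyLogin", "MY.CORP.SOFTWAREAG.COM", 0, 18, bytes(32))
```

Running `parse_keytab` on a real umc.keytab shows the same fields as `ktab -l -e -t`; a non-empty result from `check_realm` means the keytab and the configured realm disagree, which makes ticket verification fail.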
Kerberos keys
You can configure Kerberos as required.
Properties that are highlighted as cross-tenant properties can only be changed using the ARIS Cloud Controller Command-line Tool. To change these settings, enter the following:
reconfigure umcadmin_<size of your installation, s, m, or l> JAVA-D<property name>="<value>"
Example
reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"
General
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.kerberos.active | Use Kerberos: specifies whether a Kerberos-based login is allowed. | True, False | |
| com.aris.umc.kerberos.kdc | KDC: specifies the fully qualified name of the central Key Distribution Center (KDC). This is usually the fully qualified host name of the LDAP server. | String | mykdc.mydomain.com |
| com.aris.umc.kerberos.realm | Realm: specifies the realm of Kerberos tickets, a fully qualified domain name in uppercase letters. | String | MY.CORP.SOFTWAREAG.COM |
| com.aris.umc.kerberos.servicePrincipalName | Principal: specifies the name of the technical user used for verifying Kerberos tickets. If Kerberos is used, each user, computer or service provided by a server must be defined as a principal. | String | MyLogin |
| com.aris.umc.kerberos.keyTab | Key table: specifies the location of the keytab file that is used for Kerberos tickets. The file can be uploaded directly. | String | C:/safePlace/krb-umc.keytab |
| com.aris.umc.kerberos.config | Configuration file: storage location of the configuration file for Kerberos. The file can be uploaded directly. | String | ./config/Kerberos/krb5.conf |
Advanced settings
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.kerberos.debug | Debug output: specifies whether debug output is allowed for Kerberos operations. | True, False | |
| com.aris.umc.kerberos.allowLocalUsers | Allow local users: specifies whether the LDAP connection is mandatory for Kerberos-based login. If this option is enabled, Kerberos is also used for the login of local users. | True, False | |
| com.aris.umc.kerberos.validateuser | Ignore realm from service ticket: specifies whether the realm defined for the user principal name provided in the Kerberos ticket is to be ignored. The default value is false. | True, False | |
| com.aris.umc.kerberos.tenant | Default tenant: specifies the default tenant for a Kerberos-based login. Cross-tenant property that can only be changed using ARIS Cloud Controller. For further information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. | True, False | |