What is Kerberos?
Kerberos is a network authentication protocol designed to provide secure authentication over insecure networks. It uses symmetric-key cryptography so that clients and services can authenticate each other without a password ever being sent across the network. Kerberos relies on a trusted third party, the Key Distribution Center (KDC), which authenticates users and issues "tickets" that grant access to services on the network.
Why Kerberos in PowerFolder?
By default the PowerFolder.config stores the username and password for the database connection. Instead, the server administrator can switch the database connection to ticket-based authentication with Kerberos.
The advantage of Kerberos is that no database username and password need to be stored in the PowerFolder.config; the server authenticates with a keytab and the Kerberos ticket obtained from it.
Preconditions
Create a Kerberos account for the database connection in the ADS, e.g. powerfolderdbadmin
Configure timezone, time synchronisation and name server on the PowerFolder server: Kerberos rejects requests whose timestamp differs from the KDC clock by more than the permitted skew (five minutes by default), and with dns_lookup_kdc = true the KDCs are located via DNS.
Installation and Configuration
Please follow these steps (Linux server):
apt update; apt -y upgrade
apt install -y krb5-user
cat > /etc/krb5.conf
Change the configuration as follows:
Realm names are case-sensitive and by convention written in upper case, so use EXAMPLE.COM identically in every section (the DNS domain example.com stays lower case):
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = yes
    proxiable = true
    rdns = false
    permitted_enctypes = aes256-sha1 aes128-sha1

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = srv1.example.com
        kdc = srv2.example.com
        kdc = srv3.example.com
        admin_server = srv1.example.com
    }
Update Password
kpasswd powerfolderdbadmin@EXAMPLE.COM
Create Keytab-Files
The keytab stores the account's long-term key, which is derived from the password, so the server can obtain tickets without any interactive password entry. The password entered here must be identical to the one set for the account in the ADS. Anyone who can read the keytab can act as this account, so keep the file owned by the service user and readable only by that user.
Follow the steps:
ktutil
add_entry -password -p powerfolderdbadmin@EXAMPLE.COM -k 1 -f
list
write_kt /home/powerfolderdbadm/powerfolderdbadm.keytab
quit
Use the absolute path: ktutil is not a shell and does not expand ~. The file is written to the location that the JAAS configuration and the kinit check below expect.
Check the Keytab-File
klist -keKCt ~powerfolderdbadm/powerfolderdbadm.keytab
The -K option also prints the key bytes themselves; leave it out if you only want to see principal, KVNO, timestamp and encryption type.
Check the authentication
kinit -Vkt ~powerfolderdbadm/powerfolderdbadm.keytab powerfolderdbadmin@EXAMPLE.COM
Check the ticket
klist -CeA
Download JDBC Driver for SQL Server
For Microsoft SQL Server 2022: https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver16&viewFallbackFrom=sql-server-ver22
wget -O sqljdbc.tgz https://go.microsoft.com/fwlink/?linkid=2283563
tar -xvzf sqljdbc.tgz
cp sqljdbc_12.8/enu/jars/mssql-jdbc-12.8.1.jre11.jar ~powerfolderdbadm
chmod 755 ~powerfolderdbadm/mssql-jdbc-12.8.1.jre11.jar
chown powerfolderdbadm:powerfolderdbadm ~powerfolderdbadm/mssql-jdbc-12.8.1.jre11.jar
Setup “Java Authentication and Authorization Service (JAAS)”
cat > ~powerfolderdbadm/jaas.conf
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=false
        principal=powerfolderdbadmin@EXAMPLE.COM
        renewTGT="true"
        useTicketCache="true"
        useKeyTab="true"
        keyTab="/home/powerfolderdbadm/powerfolderdbadm.keytab"
        doNotPrompt="true";
};
Update PowerFolder.config
hibernate.connection.password=
hibernate.connection.username=
hibernate.connection.url=jdbc:sqlserver://sql.example.com:1433;databaseName=powerfolderdb;encrypt=true;integratedSecurity=true;trustServerCertificate=true;authenticationScheme=JavaKerberos;jaasConfigurationName=SQLJDBCDriver
Leave username and password empty; integratedSecurity=true together with authenticationScheme=JavaKerberos makes the driver log in through the JAAS entry named by jaasConfigurationName. Note that trustServerCertificate=true tells the driver to accept any TLS certificate presented by the SQL Server, so the connection is encrypted but the server certificate is not validated. For production, set it to false and import the CA that issued the SQL Server certificate into the Java truststore.
Change PowerFolder.sh
Use the new variable KERBEROS in the PowerFolder.sh:
KERBEROS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/powerfolderdbadm/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false"
RUN_CMD="$RUN_JAVA $JAVA_MEM $JAVA_ADD $JAVA_TMP $KERBEROS -Duser.home=$SERVER_HOME -Dpf.install.dir=$SERVER_INSTALL -cp $CP -server de.dal33t.Start"
The first two properties point the JVM at the krb5.conf and jaas.conf created above; javax.security.auth.useSubjectCredsOnly=false allows the JDBC driver's GSS-API calls to obtain credentials through the JAAS login (i.e. from the keytab) instead of requiring them on the calling thread's Subject.