Kerberos configuration
Introduction
As of 5.3.0.0, the Continuous Compliance Engine supports Kerberos authentication for Oracle, MSSQL Server, and Sybase connections. Using this feature requires a Kerberos Key Distribution Center (KDC) server, as well as additional configuration on both the Continuous Compliance Engine and the database.
This page presents configuration instructions for enabling and using Kerberos on the Continuous Compliance Engine, as well as reference configurations for enabling Kerberos on the databases. Although other configurations are possible, the configurations shown on this page have been validated by Delphix.
Kerberos is not supported for containerized masking deployments at this time.
Terminology
Throughout this page, the following example values are used. To recreate these reference environments, these values must be replaced with real values appropriate for your network environment:
.bar.com – The DNS domain of the network
BAR.COM – The Kerberos domain
me-host – The hostname of the Continuous Compliance Engine
foo-kcd – The hostname of the KDC server
krbuser – The Kerberos principal to be granted access to the database for masking
Configuring Kerberos on the appliance
This section details the steps required to configure Kerberos on your appliance.
Launch the Delphix Server Setup UI and perform the following steps to enable Kerberos:
From the Network Authorization widget, click Modify.
Select the checkbox before the Use Kerberos authentication to communicate with remote hosts field.

Click the plus symbol to add record(s) for your KDCs, and populate other fields appropriately for your network environment. Upon pressing Save, your configuration will be tested. If the engine is able to authenticate to the KDC with the supplied configuration, the configuration is applied immediately.

Creating masking database connectors using Kerberos
Once the Continuous Compliance Engine is configured for Kerberos, creating Connectors using Kerberos authentication is simple:
Select a source type that supports Kerberos.

Details step
In the Credentials step, under the Select Authentication Type dropdown, select Kerberos Authentication.

If the same user principal configured in Server Setup is used, the keytab is used for authentication, so it is not necessary to enter a password in the Connector definition.
For Sybase database Connectors, it is necessary to supply the service principal name as an additional configuration item. For Oracle DB, this value is determined automatically. For MSSQL Server it is determined based on the reverse DNS mapping of the Server Name (refer to the section on MSSQL Server below).
If any changes are made to the underlying krb5.conf configuration file, these changes will not be recognized by the engine until after the next database connection attempt. Therefore, expect to have to click Test Connection twice after making any changes to the krb5.conf file. It does not matter if the first connection attempt succeeds or fails.
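The following is an added example, not Delphix code or engine output: a small Python check that parses a krb5.conf and confirms that a host in the DNS domain resolves to a Kerberos realm that has a KDC defined. The sample file layout, the fully qualified names me-host.bar.com and foo-kcd.bar.com, and the function names are assumptions built from the Terminology values; the lookup is a simplified model of the [domain_realm] rules (exact host entry, then parent domains written with a leading dot).

```python
import re

# Constructed krb5.conf for the reference environment; values come from the
# Terminology list, and the file layout is an assumption (not engine output).
SAMPLE = """
[libdefaults]
    default_realm = BAR.COM
[realms]
    BAR.COM = {
        kdc = foo-kcd.bar.com
    }
[domain_realm]
    .bar.com = BAR.COM
"""

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' pairs and one level of 'NAME = {' blocks."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or full-line comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, hostname):
    """Simplified lookup: exact host entry, then parent domains with a leading dot."""
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    names = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[n][0] for n in names if n in mapping), None)

def check_host(conf, hostname):
    """Return a list of problems; empty means the host maps to a realm with a KDC."""
    realm = realm_for_host(conf, hostname)
    if realm is None:
        return [f"no [domain_realm] entry covers {hostname}"]
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or not entry.get("kdc"):
        return [f"realm {realm!r} has no kdc in [realms] (realm names are case-sensitive)"]
    return []
```

A lowercase realm such as bar.com on the right-hand side of the [domain_realm] entry is reported, because it does not match the BAR.COM entry under [realms].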
Reference database configurations
The following pages are reference Kerberos configuration procedures and troubleshooting notes for the supported databases. These are meant to serve as examples to be further customized according to the user's specific network environment and security needs.