Merge pull request #2115 from EnterpriseDB/content/docs/pem/8/kereber…
…os_doc_update

Done the edits as per the PEM-4235
nidhibhammar authored Dec 13, 2021
2 parents 597f6b3 + c813739 commit 5fefbdf
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,26 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/<NAME_OF_PEM_DB_FILE>.keytab

- `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server.

- Restart the database server to have the effect of changes
- Edit the krb5.conf file

```text
$ sudo vim /etc/krb5.conf
[libdefaults]
default_realm = EDBPEM.ORG
Forwardable = True
[domain_realm]
.edbpem.org = EDBPEM.ORG
edbpem.org = EDBPEM.ORG
[realms]
EDBPEM.ORG = {
kdc = krb5server.edbpem.org
admin_server = krb5server.edbpem.org
}
```

- Restart the database server to reflect the changes

```text
systemctl restart <POSTGRES_SERVICE_NAME>
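Review bot: `Forwardable = True` in the new `[libdefaults]` block is not the documented MIT option name; the tag is lowercase `forwardable = true`, and the MIT profile parser compares tag names case-sensitively, so the capitalised form is silently ignored and the TGTs obtained in the next section will not be forwardable. Also say why the option is set at all: a forwardable TGT is what lets the PEM web server pass the user's credentials on to the backend database, so a reader who drops it because it looks optional will break the login path. The realm and KDC values (`EDBPEM.ORG`, `krb5server.edbpem.org`) should be marked as placeholders to replace, the same way `<POSTGRES_SERVICE_NAME>` is marked below.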
Expand All @@ -99,7 +118,26 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/<NAME_OF_PEM_DB_FILE>.keytab

- `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms.

## 5. Configure the PEM Server
## 5. Obtain and view the initial ticket

- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.

- You can view the details of the ticket using `klist` utility.

!!! Note
The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.

```text
$ kinit <USERNAME@REALM>
$ klist
```

It will display the principal along with the Kerberos ticket.

!!! Note
The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.

## 6. Configure the PEM Server

- Run the PEM configure script on the PEM Server to use Kerberos Authentication

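Review bot: the reordering leaves out the reason the ticket has to exist before step 6; the note that `USERNAME@REALM` must hold `pem_admin` and `CONNECT` on `pem` implies that the configure script in step 6 connects to the `pem` database with this ticket, so state that in the first sentence of the section. It is also worth saying that the principal `klist` prints is the identity the database will see, so it must correspond to that `pem_admin` role rather than to an arbitrary domain user who can obtain a TGT.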
Expand Down Expand Up @@ -150,24 +188,6 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/<NAME_OF_PEM_DB_FILE>.keytab
!!! Note
If you are using PostgreSQL OR EDB Postgres Advanced Server 12 or later then you can specify connection type as `hostgssenc` to allow only gss encrypted connection.

## 6. Obtain and view the initial ticket

- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.

- You can view the details of the ticket using `klist` utility.

!!! Note
The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.

```text
$ kinit <USERNAME@REALM>
$ klist
```

It will display the principal along with the kerberos ticket.

!!! Note
The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.

## 7. Browser Settings

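Review bot: the `hostgssenc` note that survives at the top of this hunk should also spell out what the plain `host` alternative means: with `host`, GSSAPI still authenticates the user but transport encryption is not enforced, so unless SSL is required as well the PEM-to-database session can run in clear text. Recommending `hostgssenc` as the default on 12 and later, with `host` only for older servers, would make the security trade-off explicit.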
Expand Down Expand Up @@ -195,3 +215,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
```text
https://<ip_address_of_PEM_server>:8443/pem
```

!!! Note
If you run into the following error while connecting to your Postgres cluster:

`psql -h hostname template1`
`psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
`GSSAPI continuation error: Key version is not available`

The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD.
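Review bot: the new troubleshooting note does not fit this file, which configures a `krb5server.edbpem.org` KDC and a `<NAME_OF_PEM_DB_FILE>.keytab`, yet the resolution says to recreate the keytab "with all crypto systems from AD"; there is no AD in this variant, and the keytab is re-exported from the KDC. The usual cause of `Key version is not available` is a keytab whose kvno no longer matches the key the KDC used to issue the service ticket (each `ktadd` export re-randomises the key and increments the kvno, invalidating earlier keytabs), not only a missing encryption type. Suggest telling the reader to compare `klist -kte <keytab>` with `kvno postgres/<host>@REALM` on the PEM server and re-export if they differ. Formatting: the three command/error lines should sit in a `text` fence like the rest of the page rather than as inline backticks, and `psql -h hostname template1` targets `template1` while every other step on the page connects to `pem`.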
Original file line number Diff line number Diff line change
Expand Up @@ -39,12 +39,7 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server:

![Active Directory Users and Computers User Details](../../images/active_directory_users_and_computers_user_details.png)

e. On the `PEMServer Web Properties`, add the Users as member of the following groups:

- Domain Admins
- Domain Users
- Enterprise Admins
- Schema Admins
e. On the `PEMServer Web Properties`, add the Users as member of the `Domain Users` group:

![PEM Server Web Properties](../../images/pem_server_web_properties_member_of.png)

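Review bot: dropping `Domain Admins`, `Enterprise Admins` and `Schema Admins` is the right least-privilege change, but deployments that followed the earlier text still have the service accounts in those groups, and a keytab for a `Domain Admins` member is a domain-takeover credential if the PEM host is compromised; add one sentence telling upgraders to remove the three memberships. `Domain Users` is also the default primary group of every new AD user, so the step can simply say that no additional group membership is required.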
Expand All @@ -59,13 +54,13 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server:
a. Open `Windows PowerShell` as an `Administrator` user, create a Key Table for HTTP Service Principal mapping with user `pemserverweb` and a Key Table for Postgres Service Principal mappping with user `pemserverdb`.

```text
> ktpass /out pemserver.keytab /princ HTTP/[email protected] /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
> ktpass /out pemdb.keytab /princ postgres/[email protected] /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
ktpass /out pemserver.keytab /princ HTTP/[email protected] /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
ktpass /out pemdb.keytab /princ postgres/[email protected] /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
```

Where,

- `pemserver.keytab` is the name of the Key Table for the PEM Web Apllication
- `pemserver.keytab` is the name of the Key Table for the PEM Web Application
- `pemdb.keytab` is the name of the key Table for the PEM Backend Database Server
- `[email protected]` is the hostname of the PEM Server (here @EDBPEM.INTERNAL means @REALM)
- `pemserverweb` is the user for the PEM Web Application
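Review bot: the principal in both `ktpass` lines renders as `HTTP/[email protected]` and `postgres/[email protected]`, which is not a valid SPN; per the bullet below it should read `HTTP/<pem_server_fqdn>@EDBPEM.INTERNAL` and `postgres/<pem_server_fqdn>@EDBPEM.INTERNAL`. Two caveats belong here: `+rndpass` resets the mapped account's password and increments its kvno on every run, so re-running either command invalidates any keytab exported earlier for that account, and `/crypto AES256-SHA1` conflicts with the troubleshooting note at the end of this file that tells the reader to regenerate with all encryption types; pick one and say so. `mappping` in the step text has an extra `p`.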
Expand All @@ -90,7 +85,7 @@ c. Select `Trust this user for delegation to any service (Kerberos only)` option

d. Copy both the Key Tables to the PEM Server Host (or respectively to PEM Web Server and PEM Backend Database Server hosts if installed on different hosts.)

e. On the PEM Server, move the Key Tables to required location and change the ownership as following:
e. On the PEM Server, move the Key Tables to the required location and change the ownership as following:

```text
mv /tmp/pemserver.keytab <PEM_INSTALLATION_DIRECTORY>/share
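Review bot: the `Trust this user for delegation to any service (Kerberos only)` option referenced in this hunk's header is unconstrained delegation: the `pemserverweb` account can then reuse the forwarded TGT of any user who logs in against any service in the forest, so a compromised PEM web host becomes a credential-relay point. Prefer `Trust this user for delegation to specified services only` restricted to the `postgres/<pem_server_fqdn>` SPN, which is the only target the web tier needs. Step e also only changes ownership after the `mv`; add `chmod 600` on both keytabs so the service keys are not readable by every local user.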
Expand Down Expand Up @@ -119,7 +114,26 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/pemdb.keytab

- `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server.

- Restart the database server to have the effect of changes
- Edit the `krb5.conf` file:

```text
$ sudo vim /etc/krb5.conf
[libdefaults]
default_realm = EDBPEM.INTERNAL
Forwardable = True
[domain_realm]
.edbpem.org = EDBPEM.INTERNAL
edbpem.org = EDBPEM.INTERNAL
[realms]
EDBPEM.INTERNAL = {
kdc = krb5server.edbpem.internal
admin_server = krb5server.edbpem.internal
}
```

- Restart the database server to reflect the changes

```text
systemctl restart <POSTGRES_SERVICE_NAME>
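Review bot: the `[domain_realm]` block maps `.edbpem.org` and `edbpem.org` to `EDBPEM.INTERNAL`, but every host in this file lives under `edbpem.internal` (the KDC is `krb5server.edbpem.internal` and the SPNs end in `@EDBPEM.INTERNAL`), so the mapping never matches anything in this deployment and the hosts only resolve to the realm through the `default_realm` fallback; the entries should be `.edbpem.internal = EDBPEM.INTERNAL` and `edbpem.internal = EDBPEM.INTERNAL`. As in the other file, `Forwardable = True` needs to be lowercase `forwardable = true` to be recognised. Since this realm is Active Directory, describe `kdc`/`admin_server` as a domain controller rather than leaving `krb5server` as the example hostname, which reads as a separate MIT KDC.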
Expand All @@ -129,7 +143,26 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/pemdb.keytab

- `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms.

## 5. Configure the PEM Server
## 5. Obtain and view the initial ticket

- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.

- You can view the details of the ticket using `klist` utility.

!!! Note
The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.

```text
$ kinit <USERNAME@REALM>
$ klist
```

It will display the principal along with the kerberos ticket.

!!! Note
The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.

## 6. Configure the PEM Server

- Run the PEM configure script on the PEM Server to use Kerberos Authentication

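Review bot: because the `krb5.conf` edit earlier in this file relies on forwardable tickets for delegation to the database, the check here should use `klist -f` and tell the reader to confirm the `F` (forwardable) flag on the TGT; a plain `klist` shows the principal and validity but not whether delegation can work, and a missing `F` is the first symptom to look for when the PEM web login succeeds but the database connection fails. `kinit -f <USERNAME@REALM>` is the explicit way to request it if the config option is not picked up.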
Expand Down Expand Up @@ -180,7 +213,7 @@ chown enterprisedb <DATA_DIRECTORY_OF_POSTGRES>/pemdb.keytab
!!! Note
You cannot specify connection type as `hostgssenc` as windows does not support gss encrypted connection.

## 6. Browser Settings
## 7. Browser Settings

Configure the Browser on the Client machine to access the PEM Web Client to use the `Spnego/Kerberos`.

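Review bot: the unchanged note above says `hostgssenc` cannot be used because "windows does not support gss encrypted connection", but on this page the PEM server and database are Linux hosts (the `krb5.conf` and `systemctl` steps) and Active Directory is involved only as the KDC; GSSAPI transport encryption is negotiated between libpq and the PostgreSQL backend, not by the KDC, and the limitation applies only when the client or server runs PostgreSQL's Windows SSPI code. Qualify the note to say which component is on Windows, or drop it if both ends are Linux.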
Expand All @@ -206,3 +239,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
```text
https://<ip_address_of_PEM_server>:8443/pem
```

!!! Note
If you run into the following error while connecting to your Postgres cluster:

`psql -h hostname template1`
`psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
`GSSAPI continuation error: Key version is not available`

The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD.
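Review bot: "recreating the Postgres keytab with all crypto systems from AD" means `ktpass /crypto All`, which on most domains also emits an RC4-HMAC key (and DES where still enabled); a keytab holding those entries lets the service accept tickets under a broken cipher and gives anyone who reads the file an offline-crackable key. Keep the keytab AES-only (`AES256-SHA1` and, if older clients need it, `AES128-SHA1`), restrict the account's `msDS-SupportedEncryptionTypes` to AES, and have the reader confirm with `klist -kte pemdb.keytab` that no RC4 entry remains. The other cause of `Key version is not available` is the kvno bump that every `ktpass +rndpass` run produces, so also suggest comparing that `klist -kte` output with `kvno postgres/<pem_server_fqdn>@EDBPEM.INTERNAL` before regenerating anything. The command and error lines should be in a `text` fence as elsewhere on the page.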

0 comments on commit 5fefbdf