diff --git a/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png b/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png index 3a5c2931a32..4449bf03cc8 100644 --- a/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png +++ b/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8a14b58dcac9c570be212ee20d7032c531abc0746e31f9322f564c9786a3ddb6 -size 212427 +oid sha256:cb48d5a010005454d9ee76f6b2a1aff7b7fe9108b98f75232649230ae0ee744c +size 184881 diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx index 6d99ebffc24..c047fc11a8a 100644 --- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx +++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx @@ -89,7 +89,26 @@ chown enterprisedb /.keytab - `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server. -- Restart the database server to have the effect of changes +- Edit the krb5.conf file + + ```text + $ sudo vim /etc/krb5.conf + [libdefaults] + default_realm = EDBPEM.ORG + Forwardable = True + + [domain_realm] + .edbpem.org = EDBPEM.ORG + edbpem.org = EDBPEM.ORG + + [realms] + EDBPEM.ORG = { + kdc = krb5server.edbpem.org + admin_server = krb5server.edbpem.org + } + ``` + +- Restart the database server to reflect the changes ```text systemctl restart 
@@ -99,7 +118,26 @@ chown enterprisedb /.keytab - `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms. -## 5. Configure the PEM Server +## 5. Obtain and view the initial ticket + +- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache. + +- You can view the details of the ticket using `klist` utility. + +!!! Note + The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`. + +```text +$ kinit +$ klist +``` + +It will display the principal along with the Kerberos ticket. + +!!! Note + The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database. + +## 6. Configure the PEM Server - Run the PEM configure script on the PEM Server to use Kerberos Authentication 
@@ -150,24 +188,6 @@ chown enterprisedb /.keytab !!! Note If you are using PostgreSQL OR EDB Postgres Advanced Server 12 or later then you can specify connection type as `hostgssenc` to allow only gss encrypted connection. -## 6. Obtain and view the initial ticket - -- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache. - -- You can view the details of the ticket using `klist` utility. - -!!! Note - The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`. - -```text -$ kinit -$ klist -``` - -It will display the principal along with the kerberos ticket. - -!!! Note - The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database. ## 7. Browser Settings @@ -195,3 +215,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use ```text https://:8443/pem ``` + +!!! Note + If you run into the following error while connecting to your Postgres cluster: + + `psql -h hostname template1` + `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information` + `GSSAPI continuation error: Key version is not available` + + The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD. \ No newline at end of file diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx index f8c2fc1b202..416a2bc6aae 100644 
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx +++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx @@ -39,12 +39,7 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server: ![Active Directory Users and Computers User Details](../../images/active_directory_users_and_computers_user_details.png) - e. On the `PEMServer Web Properties`, add the Users as member of the following groups: - - - Domain Admins - - Domain Users - - Enterprise Admins - - Schema Admins + e. On the `PEMServer Web Properties`, add the Users as member of the `Domain Users` group: ![PEM Server Web Properties](../../images/pem_server_web_properties_member_of.png) 
@@ -59,13 +54,13 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server: a. Open `Windows PowerShell` as an `Administrator` user, create a Key Table for HTTP Service Principal mapping with user `pemserverweb` and a Key Table for Postgres Service Principal mappping with user `pemserverdb`. ```text -> ktpass /out pemserver.keytab /princ HTTP/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL -> ktpass /out pemdb.keytab /princ postgres/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL +ktpass /out pemserver.keytab /princ HTTP/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL +ktpass /out pemdb.keytab /princ postgres/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL ``` Where, -- `pemserver.keytab` is the name of the Key Table for the PEM Web Apllication +- `pemserver.keytab` is the name of the Key Table for the PEM Web Application - `pemdb.keytab` is the name of the key Table for the PEM Backend Database Server - `pem.edbpem.internal@EDBPEM.INTERNAL` is the hostname of the PEM Server (here @EDBPEM.INTERNAL means @REALM) - `pemserverweb` is the user for the PEM Web Application @@ -90,7 +85,7 @@ c. Select `Trust this user for delegation to any service (Kerberos only)` option d. Copy both the Key Tables to the PEM Server Host (or respectively to PEM Web Server and PEM Backend Database Server hosts if installed on different hosts.) -e. On the PEM Server, move the Key Tables to required location and change the ownership as following: +e. On the PEM Server, move the Key Tables to the required location and change the ownership as following: ```text mv /tmp/pemserver.keytab /share 
@@ -119,7 +114,26 @@ chown enterprisedb /pemdb.keytab - `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server. -- Restart the database server to have the effect of changes +- Edit the `krb5.conf` file: + + ```text + $ sudo vim /etc/krb5.conf + [libdefaults] + default_realm = EDBPEM.INTERNAL + Forwardable = True + + [domain_realm] + .edbpem.org = EDBPEM.INTERNAL + edbpem.org = EDBPEM.INTERNAL + + [realms] + EDBPEM.INTERNAL = { + kdc = krb5server.edbpem.internal + admin_server = krb5server.edbpem.internal + } + ``` + +- Restart the database server to reflect the changes ```text systemctl restart @@ -129,7 +143,26 @@ chown enterprisedb /pemdb.keytab - `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms. -## 5. Configure the PEM Server +## 5. Obtain and view the initial ticket + +- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache. + +- You can view the details of the ticket using `klist` utility. + +!!! Note + The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`. + +```text +$ kinit +$ klist +``` + +It will display the principal along with the kerberos ticket. + +!!! Note + The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database. + +## 6. Configure the PEM Server - Run the PEM configure script on the PEM Server to use Kerberos Authentication 
@@ -180,7 +213,7 @@ chown enterprisedb /pemdb.keytab !!! Note You cannot specify connection type as `hostgssenc` as windows does not support gss encrypted connection. -## 6. Browser Settings +## 7. Browser Settings Configure the Browser on the Client machine to access the PEM Web Client to use the `Spnego/Kerberos`. @@ -206,3 +239,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use ```text https://:8443/pem ``` + +!!! Note + If you run into the following error while connecting to your Postgres cluster: + + `psql -h hostname template1` + `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information` + `GSSAPI continuation error: Key version is not available` + + The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD.
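Review bot: in the `[libdefaults]` block added to page 06 (hunk `@@ -89,7 +89,26 @@`), `Forwardable = True` uses a capitalised key; the krb5.conf option is `forwardable`, so write `forwardable = true` or the setting will not be picked up. Also consider keeping the `$ sudo vim /etc/krb5.conf` command out of the listing, since the rest of the block is the file's contents and readers may paste it in as-is.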
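Review bot: the `kinit` example in the new section 5 of page 06 (hunk `@@ -99,7 +118,26 @@`) shows no principal, yet the Note right below it refers to "the `USERNAME@REALM` specified here"; suggest `$ kinit USERNAME@REALM` in the code block so the reference resolves. Minor: `Kerberos Client` in backticks reads like an identifier; plain text (the Kerberos client packages) would be clearer.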
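Review bot: the removal of the old section 6 from page 06 (hunk `@@ -150,24 +188,6 @@`) changes the wording of the moved Note from "must be the database user" to "must be a database user" in the re-added copy; if that is intentional it is fine, but confirm it. Also check that only a single blank line remains between the `hostgssenc` Note and `## 7. Browser Settings` after the deletion.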
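Review bot: the troubleshooting Note added to page 06 (hunk `@@ -195,3 +215,12 @@`) tells readers to recreate the keytab "with all crypto systems from AD", but this page covers a generic Kerberos server; Active Directory is page 07. Reword to refer to the KDC, or drop the AD reference here. The command and its two error lines are three separate inline code spans; put them in one fenced block so they render as a transcript. "or recreating" should be "or recreate" to match "add", and the `\ No newline at end of file` marker shows the file now ends without a trailing newline.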
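Review bot: good least-privilege fix in page 07 (hunk `@@ -39,12 +39,7 @@`): the old step made the service account a member of Domain Admins, Enterprise Admins and Schema Admins, none of which a keytab-mapped service principal needs, and `Domain Users` alone is the right guidance. Suggest one sentence stating that no administrative group membership is required, so readers who followed the earlier version know to remove those memberships. Grammar: "add the Users as member of" should read "add the user as a member of".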
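Review bot: the `ktpass` hunk in page 07 (`@@ -59,13 +54,13 @@`) fixes "Apllication" but leaves "mappping" in the context line just above it; fix both in the same change. Dropping the `> ` prompt from the two commands is right, since it would otherwise be pasted along with them. Both commands use `+rndpass`, which resets the mapped account's password each time they run; say so, and since the new troubleshooting Note recommends recreating the keytab with all encryption types, point readers to the `/crypto` option here rather than leaving it at `AES256-SHA1` only.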
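Review bot: in the changed line of page 07 hunk `@@ -90,7 +85,7 @@`, "as following" should be "as follows"; since the line is being touched anyway, fix it in the same edit.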
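Review bot: the `[domain_realm]` entries in the krb5.conf added to page 07 (hunk `@@ -119,7 +114,26 @@`) map `.edbpem.org` and `edbpem.org` to `EDBPEM.INTERNAL`, but every host on this page is under `edbpem.internal` (`pem.edbpem.internal`, `krb5server.edbpem.internal`). These look copied from page 06 and should be `.edbpem.internal = EDBPEM.INTERNAL` and `edbpem.internal = EDBPEM.INTERNAL`, otherwise the PEM host will not be mapped to the realm. As on page 06, `Forwardable = True` should be `forwardable = true`.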
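Review bot: the new section 5 of page 07 (hunk `@@ -129,7 +143,26 @@`) has the same missing principal in `$ kinit` as page 06; use `$ kinit USERNAME@REALM` so the following Note's "specified here" has something to refer to. "kerberos ticket" is lowercase here but "Kerberos ticket" on page 06; the two sections are otherwise identical, so keep the capitalised form in both.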
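Review bot: the renumbering to `## 7. Browser Settings` in page 07 (hunk `@@ -180,7 +213,7 @@`) is consistent with the inserted section 5. Minor: the context Note reads "windows does not support"; capitalise "Windows" while this area is being edited.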
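Review bot: the troubleshooting Note added to page 07 (hunk `@@ -206,3 +239,12 @@`) has the same presentation issue as the page 06 copy: render the command and its two error lines as one fenced block rather than three inline code spans, and change "or recreating" to "or recreate". `hostname` in `psql -h hostname template1` should be marked as a placeholder in the page's usual style, and check that the file keeps a trailing newline after the appended block.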