From ce99f15c860266ae9e6d86a2ab17bda4624ad008 Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 14:38:06 +0530
Subject: [PATCH 1/6] Done the edits as per the PEM-4235
Done the edits to PEM Installation on Linux guide as per the https://enterprisedb.atlassian.net/browse/PEM-4235
---
 .../pem_server_web_properties_member_of.png | 4 +-
 ..._server_to_use_kerberos_authentication.mdx | 69 +++++++++++++------
 ..._server_to_use_windows_kerberos_server.mdx | 68 ++++++++++++++----
 3 files changed, 106 insertions(+), 35 deletions(-)
diff --git a/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png b/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png
index 3a5c2931a32..4449bf03cc8 100644
--- a/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png
+++ b/product_docs/docs/pem/8/images/pem_server_web_properties_member_of.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8a14b58dcac9c570be212ee20d7032c531abc0746e31f9322f564c9786a3ddb6
-size 212427
+oid sha256:cb48d5a010005454d9ee76f6b2a1aff7b7fe9108b98f75232649230ae0ee744c
+size 184881
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
index 6d99ebffc24..e40622cf0da 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
@@ -89,7 +89,26 @@ chown enterprisedb /.keytab
 - `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server.
-- Restart the database server to have the effect of changes
+- Edit the krb5.conf file
+
+ ```text
+ $ sudo vim /etc/krb5.conf
+ [libdefaults]
+ default_realm = EDBPEM.ORG
+ Forwardable = True
+
+ [domain_realm]
+ .edbpem.org = EDBPEM.ORG
+ edbpem.org = EDBPEM.ORG
+
+ [realms]
+ EDBPEM.ORG = {
+ kdc = krb5server.edbpem.org
+ admin_server = krb5server.edbpem.org
+ }
+ ```
+
+- Restart the database server to reflect the changes
 ```text
 systemctl restart
@@ -99,7 +118,26 @@ chown enterprisedb /.keytab
 - `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms.
-## 5. Configure the PEM Server
+## 5. Obtain and view the initial ticket
+
+- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.
+
+- You can view the details of the ticket using `klist` utility.
+
+!!! Note
+ The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.
+
+```text
+$ kinit
+$ klist
+```
+
+It will display the principal along with the kerberos ticket.
+
+!!! Note
+ The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
+
+## 6. Configure the PEM Server
 - Run the PEM configure script on the PEM Server to use Kerberos Authentication
@@ -150,24 +188,6 @@ chown enterprisedb /.keytab
 !!! Note
 If you are using PostgreSQL OR EDB Postgres Advanced Server 12 or later then you can specify connection type as `hostgssenc` to allow only gss encrypted connection.
-## 6. Obtain and view the initial ticket
-
-- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.
-
-- You can view the details of the ticket using `klist` utility.
-
-!!! Note
- The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.
-
-```text
-$ kinit
-$ klist
-```
-
-It will display the principal along with the kerberos ticket.
-
-!!! Note
- The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
 ## 7. Browser Settings
@@ -195,3 +215,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
 ```text
 https://:8443/pem
 ```
+
+!!! Note
+ If you run into the following error while connecting to your Postgres Cluster:
+
+ `psql -h hostname template1`
+ `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
+ `GSSAPI continuation error: Key version is not available`
+
+ The resolution is to add the additional encryption types to the keytab using ktutil or recreating the postgres keytab with all crypto systems from AD.
\ No newline at end of file
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
index f8c2fc1b202..4fcf58fd947 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
@@ -39,12 +39,7 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server:
 ![Active Directory Users and Computers User Details](../../images/active_directory_users_and_computers_user_details.png)
- e. On the `PEMServer Web Properties`, add the Users as member of the following groups:
-
- - Domain Admins
- - Domain Users
- - Enterprise Admins
- - Schema Admins
+ e. On the `PEMServer Web Properties`, add the Users as member of the `Domain Users` group:
 ![PEM Server Web Properties](../../images/pem_server_web_properties_member_of.png)
@@ -59,13 +54,13 @@ Follow the steps to configure the Kerberos Authentication for the PEM Server:
 a. Open `Windows PowerShell` as an `Administrator` user, create a Key Table for HTTP Service Principal mapping with user `pemserverweb` and a Key Table for Postgres Service Principal mappping with user `pemserverdb`.
 ```text
-> ktpass /out pemserver.keytab /princ HTTP/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
-> ktpass /out pemdb.keytab /princ postgres/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
+ktpass /out pemserver.keytab /princ HTTP/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverweb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
+ktpass /out pemdb.keytab /princ postgres/pem.edbpem.internal@EDBPEM.INTERNAL /mapuser pemserverdb /crypto AES256-SHA1 +rndpass /target EDBPEM.INTERNAL -ptype KRB5_NT_PRINCIPAL
 ```
 Where,
-- `pemserver.keytab` is the name of the Key Table for the PEM Web Apllication
+- `pemserver.keytab` is the name of the Key Table for the PEM Web Application
 - `pemdb.keytab` is the name of the key Table for the PEM Backend Database Server
 - `pem.edbpem.internal@EDBPEM.INTERNAL` is the hostname of the PEM Server (here @EDBPEM.INTERNAL means @REALM)
 - `pemserverweb` is the user for the PEM Web Application
@@ -90,7 +85,7 @@ c. Select `Trust this user for delegation to any service (Kerberos only)` option
 d. Copy both the Key Tables to the PEM Server Host (or respectively to PEM Web Server and PEM Backend Database Server hosts if installed on different hosts.)
-e. On the PEM Server, move the Key Tables to required location and change the ownership as following:
+e. On the PEM Server, move the Key Tables to the required location and change the ownership as following:
 ```text
 mv /tmp/pemserver.keytab /share
@@ -119,7 +114,26 @@ chown enterprisedb /pemdb.keytab
 - `DATA_DIRECTORY_OF_POSTGRES` is the path of the data directory of the installed postgres (PostgreSQL/EDB Postgres Advanced Server.
-- Restart the database server to have the effect of changes
+- Edit the `krb5.conf` file:
+
+ ```text
+ $ sudo vim /etc/krb5.conf
+ [libdefaults]
+ default_realm = EDBPEM.INTERNAL
+ Forwardable = True
+
+ [domain_realm]
+ .edbpem.org = EDBPEM.INTERNAL
+ edbpem.org = EDBPEM.INTERNAL
+
+ [realms]
+ EDBPEM.INTERNAL = {
+ kdc = krb5server.edbpem.internal
+ admin_server = krb5server.edbpem.internal
+ }
+ ```
+
+- Restart the database server to reflect the changes
 ```text
 systemctl restart
@@ -129,7 +143,26 @@ chown enterprisedb /pemdb.keytab
 - `POSTGRES_SERVICE_NAME` is the service name of Postgres (PostgreSQL/EDB Postgres Advanced Server) database. For eg: postgresql-13 for PostgreSQL 13 database on CentOS or RHEL platforms.
-## 5. Configure the PEM Server
+## 5. Obtain and view the initial ticket
+
+- The `kinit` utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.
+
+- You can view the details of the ticket using `klist` utility.
+
+!!! Note
+ The `Kerberos Client` must be installed on the PEM Server and the Client machine to use `kinit` and `klist`.
+
+```text
+$ kinit
+$ klist
+```
+
+It will display the principal along with the kerberos ticket.
+
+!!! Note
+ The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
+
+## 6. Configure the PEM Server
 - Run the PEM configure script on the PEM Server to use Kerberos Authentication
@@ -180,7 +213,7 @@ chown enterprisedb /pemdb.keytab
 !!! Note
 You cannot specify connection type as `hostgssenc` as windows does not support gss encrypted connection.
-## 6. Browser Settings
+## 7. Browser Settings
 Configure the Browser on the Client machine to access the PEM Web Client to use the `Spnego/Kerberos`.
@@ -206,3 +239,12 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
 ```text
 https://:8443/pem
 ```
+
+!!! Note
+ If you run into the following error while connecting to your Postgres Cluster:
+
+ `psql -h hostname template1`
+ `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
+ `GSSAPI continuation error: Key version is not available`
+
+ The resolution is to add the additional encryption types to the keytab using ktutil or recreating the postgres keytab with all crypto systems from AD.
\ No newline at end of file
From cc0be2c70b16ddab7daa16bd6148c217c6a04308 Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:18:52 +0530
Subject: [PATCH 2/6] Update product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
Co-authored-by: Dee Dee Rothery <83650384+drothery-edb@users.noreply.github.com>
---
 ...onfiguring_the_pem_server_to_use_kerberos_authentication.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
index e40622cf0da..7e01dec1977 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
@@ -132,7 +132,7 @@ $ kinit
 $ klist
 ```
-It will display the principal along with the kerberos ticket.
+It will display the principal along with the Kerberos ticket.
 !!! Note
 The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
From ff70786a87d23a78921551d2f344b0e64bba9c2b Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:19:57 +0530
Subject: [PATCH 3/6] Update product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
Co-authored-by: Dee Dee Rothery <83650384+drothery-edb@users.noreply.github.com>
---
 ...onfiguring_the_pem_server_to_use_kerberos_authentication.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
index 7e01dec1977..5533380ef11 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
@@ -217,7 +217,7 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
 ```
 !!! Note
- If you run into the following error while connecting to your Postgres Cluster:
+ If you run into the following error while connecting to your Postgres cluster:
 `psql -h hostname template1`
 `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
From 76b7189bb5a0ad99eddaae5d40a2446294551d24 Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:20:20 +0530
Subject: [PATCH 4/6] Update product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
Co-authored-by: Dee Dee Rothery <83650384+drothery-edb@users.noreply.github.com>
---
 ...onfiguring_the_pem_server_to_use_kerberos_authentication.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
index 5533380ef11..79dfbc35d8d 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
@@ -223,4 +223,4 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
 `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
 `GSSAPI continuation error: Key version is not available`
- The resolution is to add the additional encryption types to the keytab using ktutil or recreating the postgres keytab with all crypto systems from AD.
\ No newline at end of file
+ The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD.
\ No newline at end of file
From a312f2722144613259f9b6ef933b60cb039ed94e Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:21:21 +0530
Subject: [PATCH 5/6] Update product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
Co-authored-by: Dee Dee Rothery <83650384+drothery-edb@users.noreply.github.com>
---
 ...onfiguring_the_pem_server_to_use_kerberos_authentication.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
index 79dfbc35d8d..c047fc11a8a 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/06_configuring_the_pem_server_to_use_kerberos_authentication.mdx
@@ -135,7 +135,7 @@ $ klist
 It will display the principal along with the Kerberos ticket.
 !!! Note
- The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
+ The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
 ## 6. Configure the PEM Server
From c813739d056144263b8e8c12ba3ddcf52b480e93 Mon Sep 17 00:00:00 2001
From: nidhibhammar <59045594+nidhibhammar@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:26:17 +0530
Subject: [PATCH 6/6] Update 07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
---
 ...guring_the_pem_server_to_use_windows_kerberos_server.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
index 4fcf58fd947..416a2bc6aae 100644
--- a/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
+++ b/product_docs/docs/pem/8/pem_inst_guide_linux/04_installing_postgres_enterprise_manager/07_configuring_the_pem_server_to_use_windows_kerberos_server.mdx
@@ -160,7 +160,7 @@ $ klist
 It will display the principal along with the kerberos ticket.
 !!! Note
- The `USERNAME@REALM` specified here must be the database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
+ The `USERNAME@REALM` specified here must be a database user having the `pem_admin` role and `CONNECT` privilege on `pem` database.
 ## 6. Configure the PEM Server
@@ -241,10 +241,10 @@ Configure the Browser on the Client machine to access the PEM Web Client to use
 ```
 !!! Note
- If you run into the following error while connecting to your Postgres Cluster:
+ If you run into the following error while connecting to your Postgres cluster:
 `psql -h hostname template1`
 `psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information`
 `GSSAPI continuation error: Key version is not available`
- The resolution is to add the additional encryption types to the keytab using ktutil or recreating the postgres keytab with all crypto systems from AD.
\ No newline at end of file
+ The resolution is to add the additional encryption types to the keytab using `ktutil` or recreating the Postgres keytab with all crypto systems from AD.