Enable Kerberos authentication for Oracle and PostgreSQL
Note
In this release, Kerberos authentication is supported only for Oracle using Database Reader, Oracle Reader, and Database Writer and for PostgreSQL using Database Reader, PostgreSQL Reader, and Database Writer.
Prerequisites for using Kerberos authentication:
a working Kerberos 5 environment
the source or target database is configured to use Kerberos authentication
To enable Kerberos authentication, you must update Striim's Java environment with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8, as follows:
Download jce_policy-8.zip from Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Download, extract it, and follow the instructions in the included README.txt to install it on each server in your Striim cluster that will run a source or target that uses Kerberos authentication.
Place Kerberos's krb5.conf file in a directory accessible by Striim.
If using a credential cache (also known as a ticket cache), cache the ticket for the service principal to be used by Striim on the Striim server.
For PostgreSQL, create a keytab file for the Kerberos principal (see GSSAPI Authentication) in a directory accessible by Striim.
For PostgreSQL, create a login.conf JAAS configuration file containing the following in a directory accessible by Striim. Specify the keytab file and Kerberos realm for your environment.
<application name> {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  renewTGT=true
  useKeyTab=true
  keyTab="<fully qualified name of keytab file>"
  principal="postgres@<Kerberos realm>"
};
For example:
myJAASApp {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  renewTGT=true
  useKeyTab=true
  keyTab="/etc/krb5.keytab"
  principal="postgres@MYDOMAIN.COM"
};
If you read from or write to multiple instances of PostgreSQL, specify one such property set for each in login.conf. Give each a different application name, which must be specified in the JAAS Configuration string in Database Reader, PostgreSQL Reader, or Database Writer. If you have only one instance of PostgreSQL, you must still provide an application name here and in the JAAS Configuration string.
Restart Striim.
Once these steps are complete, configure Kerberos authentication using the JAAS Configuration property in Database Reader, Oracle Reader, PostgreSQL Reader, or Database Writer.
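A pre-restart check for the login.conf described above, added here as an example (not Striim's own code): it lists the application names, confirms each entry has a keytab and a principal with a realm, and flags keytab files readable by group or other, since a keytab holds the principal's long-term key. The function names, the application names pgApp1/pgApp2/pgApp3 and the sample paths are assumptions, and the permission check is an added hardening step, not a Striim requirement.

```python
import os
import re
import stat

# One JAAS entry: <application name> { <module> <flag> <options> };
ENTRY_RE = re.compile(r'([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_login_conf(text):
    """Return {application name: {option: value}} for every entry."""
    return {name: {k: quoted or bare for k, quoted, bare in OPTION_RE.findall(body)}
            for name, body in ENTRY_RE.findall(text)}

def audit_login_conf(text, required_apps=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, entries = [], parse_login_conf(text)
    for app in required_apps:  # names used in the JAAS Configuration property
        if app not in entries:
            findings.append(f"{app}: no entry in login.conf")
    for app, opts in entries.items():
        keytab, principal = opts.get("keyTab"), opts.get("principal", "")
        if opts.get("useKeyTab") == "true" and not keytab:
            findings.append(f"{app}: useKeyTab=true but keyTab is not set")
        if not principal.partition("@")[2]:
            findings.append(f"{app}: principal '{principal}' has no Kerberos realm")
        if not keytab:
            continue
        if not os.path.isabs(keytab):
            findings.append(f"{app}: keyTab is not a fully qualified path")
        elif not os.path.isfile(keytab):
            findings.append(f"{app}: keytab {keytab} not found")
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            findings.append(f"{app}: keytab {keytab} is accessible to group/other")
    return findings

# Constructed sample: two PostgreSQL instances; names and paths are hypothetical.
SAMPLE = """
pgApp1 { com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useKeyTab=true
  keyTab="/opt/striim/krb/pg1.keytab" principal="postgres@MYDOMAIN.COM" };
pgApp2 { com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useKeyTab=true principal="postgres" };
"""

if __name__ == "__main__":
    for finding in audit_login_conf(SAMPLE, ["pgApp1", "pgApp2", "pgApp3"]):
        print(finding)
```

Run it as the operating-system account that runs Striim, so a "not found" result also reflects what that account can actually reach.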