Configuring Kerberos Authentication for Active Directory

Configure Kerberos authentication for Active Directory on Big Data Service clusters.

Prerequisites

Before you configure an Active Directory as a KDC for the ODH cluster, the following prerequisites must be met:

  • The ODH cluster host must have network access to the domain controllers and be able to resolve their DNS names.
  • Secure LDAP (LDAPS) connectivity to Active Directory has been configured.
  • An Active Directory bind user and its bind password are available.

The following is also required when Kerberos authentication is configured using the Active Directory-only approach.

  • The Active Directory user container for the service principals has been created and is available, for example, OU=Hadoop,OU=People,DC=apache,DC=org.
  • Active Directory administrative credentials with delegated control to create, delete, and manage user accounts in that user container are available.
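The three connectivity prerequisites above can be exercised from the cluster host before any configuration is changed. The following preflight script is an added example, not an Oracle or bds_cert_util script. It assumes that the openssl and ldapsearch (OpenLDAP client) binaries are installed on the node, that the domain controller FQDN, the bind DN and the path to the CA chain file are passed as arguments, and that the bind password is supplied in the AD_BIND_PW environment variable; the password is handed to ldapsearch through a temporary file rather than on the command line, so it never shows up in the process list. The LDAPS port defaults to 636, which is an assumption you can override.

```shell
#!/bin/sh
# Prerequisite preflight for an ODH cluster host (added example; not an
# Oracle or bds_cert_util script). Assumes openssl and ldapsearch are
# installed and that the bind password is exported in AD_BIND_PW.
#
# usage: AD_BIND_PW='...' sh ad_preflight.sh <dc_fqdn> <bind_dn> </path/chain.crt>

LDAPS_PORT=${LDAPS_PORT:-636}   # assumed default; override if AD listens elsewhere

# 1. DNS: the host must resolve the domain controller's name.
resolve_host() {
    getent hosts "$1" >/dev/null 2>&1
}

# 2. LDAPS: the TLS handshake must succeed and the server's chain must verify
#    against the CA chain file that bds_cert_util will later import.
ldaps_chain_ok() {
    openssl s_client -connect "$1:$LDAPS_PORT" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# 3. Bind: the bind DN and password must be accepted over LDAPS. The password
#    is passed through a 0600 temp file (-y) instead of -w, so it is not
#    visible in the process list.
ldap_bind_ok() {
    pwfile=$(mktemp) || return 1
    printf '%s' "$AD_BIND_PW" > "$pwfile"
    ldapsearch -H "ldaps://$1:$LDAPS_PORT" -D "$2" -y "$pwfile" \
        -b "" -s base -LLL >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

preflight() {
    dc=$1; bind_dn=$2; chain=$3; rc=0
    if resolve_host "$dc"; then echo "ok    DNS resolves $dc"
    else echo "FAIL  cannot resolve $dc"; rc=1; fi
    if [ -r "$chain" ]; then echo "ok    chain file readable: $chain"
    else echo "FAIL  chain file not readable: $chain"; rc=1; fi
    if ldaps_chain_ok "$dc" "$chain"; then echo "ok    LDAPS chain verifies"
    else echo "FAIL  LDAPS handshake or chain verification"; rc=1; fi
    if [ -n "${AD_BIND_PW:-}" ] && ldap_bind_ok "$dc" "$bind_dn"; then
        echo "ok    bind as $bind_dn"
    else echo "FAIL  bind as $bind_dn (is AD_BIND_PW set?)"; rc=1; fi
    return $rc
}

# Run only when the three arguments are given, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    preflight "$@"
    exit $?
fi
```

A non-zero exit from preflight means at least one prerequisite is not met; fix that before continuing with the certificate import, since bds_cert_util's URL validation and the later Kerberos setup depend on the same name resolution and LDAPS trust.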

Importing the Active Directory Certificate

The certificate chain must be imported into the Big Data Service cluster so that the configuration that depends on it can be updated, for example the .crt files, key stores, and similar artifacts used by individual services such as Hue, Ranger, and Ambari.
  1. Sign in to the first master node (mn0) of the Big Data Service cluster.
  2. Obtain the LDAP certificate chain from the Active Directory administrator and store it in a file, for example, /<path>/<manually_obtained_certificate_chain>.crt.
  3. In Big Data Service 3.0.27 or later, validate that the certificate chain can be used to connect to the LDAP URL (in earlier versions, skip this step):
    sudo bds_cert_util -ot validateURLConnection -url <ldap_fqdn>:<port> -ca /<path>/<manually_obtained_certificate_chain>.crt
  4. Edit the /home/opc/cloud/flask-microservice/cert_util/conf/bds-certs.conf file as follows:
    1. Set CUSTOM_CERTIFICATE to True.
    2. Set ROOT_CERT_PATH to /<path>/<manually_obtained_certificate_chain>.crt.
    3. Save the changes.
  5. Run the following command:
    sudo bds_cert_util --enable
  6. Sign in to Apache Ambari, and then restart all required services.

Manually Obtain Certificate from Active Directory (Windows)

  1. Log in to the Active Directory server.
  2. Run mmc.
  3. Click File, and then select Add/Remove Snap-in.
  4. Click Certificates, and then select Service Account.
  5. Click Next.
  6. Click Local Computer, and then click Next.
  7. Click Active Directory Domain Services, and then click OK.
  8. To locate the certificate corresponding to the root certificate:
    1. Click Certificate - Service (Active Directory Domain Services) on Local Computer.
    2. Click NTDS\Personal.
    3. Click Certificates.

      The root certificate is the entry whose Issued To and Issued By values are the same.

  9. Export the certificate located in the previous step:
    1. Right-click the root certificate row.
    2. Click All Tasks, and then click Export.
      The Certificate export wizard opens.
    3. Click Next.
    4. Select Base-64 encoded X.509 for the File format.
    5. Click Next, and then enter the file name.
    6. Click Finish.
  10. The .cer file created in the previous step can be opened in a text editor such as TextPad to copy the Base-64 encoded certificate content, or the .cer file itself can be copied.
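Before the exported file is placed on mn0 for the import procedure, it is worth confirming that it really is the Base-64 encoded root certificate and not a binary DER export or a leaf certificate picked by mistake. The following Python script is an added example, not Oracle's code or part of bds_cert_util. It uses only the standard library, reads the issuer and subject Name fields directly from the DER structure, and reports whether they match, which is the same Issued To equals Issued By test used in the mmc steps above. The build_toy_cert_pem function constructs an unsigned, certificate-shaped structure with made-up names purely so the check can be exercised offline; the default file path is an assumption.

```python
"""Sanity checks on a certificate exported from Active Directory (.cer/.crt).

Added example, not part of the Oracle documentation or the bds_cert_util tool.
Standard library only. Two checks are performed:
  1. the file is Base-64 (PEM) encoded, as selected in the export wizard;
  2. the certificate is self-signed (Issued To == Issued By), which is how the
     root certificate is identified in the mmc steps.
The issuer and subject Name fields are read straight from the DER structure,
following the TBSCertificate field order of RFC 5280.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# OIDs used by the toy builder: id-at-commonName and sha256WithRSAEncryption.
OID_CN = b"\x55\x04\x03"
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (only the toy builder needs this)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def issuer_and_subject(der: bytes):
    """Return the (issuer, subject) Name encodings from a DER Certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version, optional
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)          # serialNumber
    _, _, pos = read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)     # issuer Name
    _, _, pos = read_tlv(tbs, pos)          # validity
    _, subject, _ = read_tlv(tbs, pos)      # subject Name
    return issuer, subject


def check_exported_cert(text: bytes) -> dict:
    """Run both checks on file contents; a non-PEM file yields pem=False."""
    m = PEM_RE.search(text)
    if m is None:
        return {"pem": False, "self_signed": None}
    issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
    return {"pem": True, "self_signed": issuer == subject}


def _name(cn: str) -> bytes:
    """DER Name with a single commonName attribute (toy builder only)."""
    attr = encode_tlv(0x30, encode_tlv(0x06, OID_CN) + encode_tlv(0x0C, cn.encode()))
    return encode_tlv(0x30, encode_tlv(0x31, attr))


def build_toy_cert_pem(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed, UNSIGNED certificate-shaped PEM for offline testing only.

    It has the right field layout for the parser above but no real key or
    signature, so it is useless for anything except exercising the checks.
    """
    version = encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))            # v3
    serial = encode_tlv(0x02, b"\x01")
    sig_alg = encode_tlv(0x30, encode_tlv(0x06, OID_SHA256_RSA))
    validity = encode_tlv(0x30, encode_tlv(0x17, b"240101000000Z")
                          + encode_tlv(0x17, b"340101000000Z"))
    spki = encode_tlv(0x30, b"")                                     # no key
    tbs = encode_tlv(0x30, version + serial + sig_alg + _name(issuer_cn)
                     + validity + _name(subject_cn) + spki)
    cert = encode_tlv(0x30, tbs + sig_alg + encode_tlv(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Assumed path to the exported file; pass your own as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/ad_root.cer"
    with open(path, "rb") as f:
        print(check_exported_cert(f.read()))
```

A result of pem=False means the wizard exported the binary DER form; re-run the export with Base-64 encoded X.509 selected. A result of self_signed=False means the selected entry is an intermediate or leaf certificate, not the root, so go back to the NTDS\Personal store and pick the entry whose Issued To and Issued By match.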

Cleaning Up Kerberos Tokens

  1. Sign in to the first primary node (mn0) of the Big Data Service cluster.
  2. To be sure no stale Kerberos tokens are present, run:

    sudo dcli rm -rf /tmp/krb5cc*