Kerberos Authentication

Overview

Enov8 TDM runs on Linux (RHEL or Ubuntu), so it cannot use integrated Windows Authentication directly. Instead it authenticates to the database with Kerberos tickets: the Linux host obtains a ticket from the Active Directory domain controller (which acts as the Kerberos KDC) and presents it to the database server. This is the same mechanism that lets you SSH into a Linux server with Active Directory (AD) credentials.

Kerberos authentication is preferred over traditional username/password (SQL authentication) because:

  • Security: The account's password (or keytab key) never leaves the client. It is only used to decrypt the ticket the KDC issues, so nothing reusable crosses the network.
  • Single Sign-On (SSO): A principal authenticates once to the KDC and can then obtain service tickets for many services without re-entering credentials.
  • Centralized Management: Accounts, password policy and lockout are enforced in Active Directory rather than in each database's login table.
  • Stronger Authentication: Kerberos supports mutual authentication, so the client can also verify that the server it reached is the one named by the requested SPN.

By leveraging Kerberos, Enov8 TDM can securely connect to MSSQL databases without relying on stored passwords, enhancing security and integration in enterprise environments.


Kerberos Configuration for Enov8 TDM

Enov8 TDM does not bundle a Kerberos client. Before configuring authentication, make sure the krb5 client packages (kinit, klist, the krb5 libraries) are installed on the host.

Step 1: Verify Kerberos Installation

To confirm that a Kerberos client is installed, run:

kinit --version

If this command does not return a version number (MIT Kerberos' kinit may not recognise --version; there, klist -V prints the library version), check whether the required Kerberos packages are installed:

For RHEL-based systems:

rpm -qa | grep krb5

For Ubuntu/Debian-based systems:

dpkg -l | grep krb5

If Kerberos is missing, install it from your internal package repository or verify with your system administrator.


Global Service Account Setup (One-Time Setup)

This setup configures Kerberos authentication using a service account. Enov8 TDM will use this account by default unless overridden per database connection.

Step 2: Define Service Account Variables

Before setting up Kerberos authentication, configure the service account credentials.

Edit /etc/security/kerberos_env.conf (create this file if it doesn’t exist):

# Kerberos Service Account Configuration
SERVICE_ACCOUNT="service_account@EXAMPLE.COM"
KEYTAB_PATH="/etc/security/enov8_service.keytab"
KRB5CCNAME="/enov8/kerberos/krb5cc_enov8"

Ensure that the keytab file is in place (provided by your IT team). The keytab contains the service account's long-term key, so it must be owned by root and readable by nobody else:

ls -l /etc/security/enov8_service.keytab

The listing should show mode -rw------- and owner root. If the file is missing, you will need to request it; if it is group- or world-readable, fix the permissions before continuing, because anyone who can read the keytab can obtain tickets as the service account.


Step 3: Configure Kerberos Ticket Management for the Service Account

A keytab takes the place of a stored password, but the tickets obtained with it still expire (Active Directory issues ticket-granting tickets valid for 10 hours by default), so the host must obtain and refresh tickets for the service account automatically rather than relying on someone running kinit by hand.

Create a Systemd Service for Ticket Renewal

Create the script for Kerberos renewal

Save the following script as /usr/local/bin/enov8_kinit_renew.sh and make it executable:

#!/bin/bash
set -euo pipefail
# Load the service account settings (SERVICE_ACCOUNT, KEYTAB_PATH, KRB5CCNAME)
source /etc/security/kerberos_env.conf
# Obtain a fresh ticket from the keytab. -c names the cache explicitly so the
# script writes to the shared cache even when KRB5CCNAME is not exported.
/usr/bin/kinit -c "${KRB5CCNAME}" -kt "${KEYTAB_PATH}" "${SERVICE_ACCOUNT}"

Set the appropriate permissions:

chmod 700 /usr/local/bin/enov8_kinit_renew.sh

Create a systemd service to renew tickets

Save the following as /etc/systemd/system/enov8_kinit.service:

[Unit]
Description=Kerberos Ticket Renewal for Enov8 TDM
After=network.target

[Service]
Type=oneshot
EnvironmentFile=/etc/security/kerberos_env.conf
ExecStart=/usr/local/bin/enov8_kinit_renew.sh

[Install]
WantedBy=multi-user.target

Two points to check before relying on this unit. First, a Type=oneshot service wanted by multi-user.target runs once at boot; to keep the ticket valid it must be re-run periodically (a systemd timer or cron entry that starts enov8_kinit.service every few hours, well inside the ticket lifetime). Second, the unit runs as root unless User= is set, so the cache file it writes is owned by root with mode 0600; the user Apache runs as (apache on RHEL, www-data on Ubuntu) must be able to read that cache, otherwise Enov8 TDM will find no ticket.

Reload systemd and enable the service:

systemctl daemon-reload
systemctl enable enov8_kinit.service
systemctl start enov8_kinit.service

Verify the Ticket

Run:

systemctl status enov8_kinit.service
klist # Confirm ticket validity

klist reads the cache named by KRB5CCNAME; in a shell where that variable is not set, pass the cache path explicitly with klist -c. The output should list a krbtgt/EXAMPLE.COM@EXAMPLE.COM entry whose Expires time is in the future.

Step 4: Set Default Kerberos Ticket Cache Path in Apache

If Enov8 TDM runs under Apache, the web server process must see the KRB5CCNAME environment variable so that it reads the shared ticket cache rather than the default per-user cache. The unit is named httpd on RHEL and apache2 on Ubuntu/Debian; adjust the paths and commands below accordingly.

Configure Apache to Use the Default Ticket Cache

Create a systemd override for Apache:

#!/bin/bash
set -euo pipefail
# Load Kerberos environment variables
source /etc/security/kerberos_env.conf
# Unit name differs by distribution: httpd on RHEL, apache2 on Ubuntu/Debian
UNIT="httpd"
# Create the drop-in directory (it does not exist by default) and the
# override. A heredoc keeps the quotes intact; nesting them inside echo "..."
# hands part of the string to the shell instead.
sudo mkdir -p /etc/systemd/system/${UNIT}.service.d
sudo tee /etc/systemd/system/${UNIT}.service.d/override.conf > /dev/null <<EOF
[Service]
Environment="KRB5CCNAME=${KRB5CCNAME}"
EOF
# Reload systemd configuration
sudo systemctl daemon-reload
# Restart Apache to apply the changes
sudo systemctl restart ${UNIT}
# Verify that Apache has the correct environment variable set
sudo systemctl show ${UNIT} --property=Environment
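The following script is an added example and is not part of Enov8's own tooling or of the original page. It ties Steps 2 to 4 together: it checks that the keytab is root-only and actually contains the configured principal, refreshes the ticket into the shared cache and hands the cache to the web server user, and renders the Apache drop-in and a systemd timer without the quoting problems. It assumes (none of this is stated on the page) that the environment file defines SERVICE_ACCOUNT, KEYTAB_PATH and KRB5CCNAME, that Apache runs as apache (RHEL) or www-data (Ubuntu) under the unit httpd or apache2, and that GNU stat and util-linux runuser are available.

```shell
#!/usr/bin/env bash
# Added example, not Enov8's own tooling: pre-flight checks for the keytab
# and cache from Steps 2-4, the Apache drop-in and a refresh timer rendered
# with correct quoting, and a ticket refresh that leaves the cache readable
# by Apache. Assumptions (not from the page): the env file defines
# SERVICE_ACCOUNT, KEYTAB_PATH and KRB5CCNAME; Apache runs as "apache" (RHEL)
# or "www-data" (Ubuntu) under unit httpd or apache2; GNU stat is installed.
set -eu

ENV_FILE="${ENV_FILE:-/etc/security/kerberos_env.conf}"

# 0 if the keytab is a regular file with no group/other bits (600 or 400).
# The keytab is the account's long-term key: anyone who can read it can
# obtain tickets as the service account, so it stays root-only.
check_keytab_perms() {
    local keytab="$1" mode
    [ -f "$keytab" ] || { echo "keytab missing: $keytab" >&2; return 1; }
    mode=$(stat -c '%a' "$keytab") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$keytab has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# 0 if the principal appears in a `klist -kt` listing passed in as text.
# The listing is a three-line header followed by "KVNO Timestamp Principal"
# rows, so the principal is the last field of every row after line 3.
principal_in_listing() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 3 && $NF == p { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Same check against the real keytab. A kinit with a principal the keytab
# lacks fails with "Keytab contains no suitable keys for ...".
keytab_has_principal() { principal_in_listing "$(klist -kt "$1")" "$2"; }

# Drop-in that hands the cache path to the web server. A heredoc preserves
# the quotes; echo "...Environment="KRB5CCNAME=$X"" loses them to the shell.
render_override() {
    cat <<EOF
[Service]
Environment="KRB5CCNAME=$1"
EOF
}

# Timer that re-runs enov8_kinit.service well inside AD's default 10-hour
# ticket lifetime; a oneshot service in multi-user.target alone runs once
# at boot, and the ticket it obtained would expire the same day.
render_timer() {
    cat <<'EOF'
[Unit]
Description=Refresh the Enov8 TDM Kerberos ticket

[Timer]
OnBootSec=1min
OnUnitActiveSec=4h
Unit=enov8_kinit.service

[Install]
WantedBy=timers.target
EOF
}

# kinit as root (the keytab is root-only) into the shared cache, then hand
# the cache to the web user: a FILE: cache is created mode 600 by its owner,
# so without the chown Apache cannot read the ticket.
refresh_ticket() {
    local web_user="$1"
    kinit -c "$KRB5CCNAME" -kt "$KEYTAB_PATH" "$SERVICE_ACCOUNT"
    chown "$web_user" "$KRB5CCNAME"
    runuser -u "$web_user" -- klist -c "$KRB5CCNAME"   # proves Apache can read it
}

main() {
    local web_user="${WEB_USER:-apache}" unit="${HTTPD_UNIT:-httpd}"
    # shellcheck source=/dev/null
    source "$ENV_FILE"
    check_keytab_perms "$KEYTAB_PATH"
    keytab_has_principal "$KEYTAB_PATH" "$SERVICE_ACCOUNT" ||
        { echo "$KEYTAB_PATH has no key for $SERVICE_ACCOUNT" >&2; return 1; }
    mkdir -p "$(dirname "$KRB5CCNAME")"
    refresh_ticket "$web_user"
    mkdir -p "/etc/systemd/system/${unit}.service.d"
    render_override "$KRB5CCNAME" > "/etc/systemd/system/${unit}.service.d/override.conf"
    render_timer > /etc/systemd/system/enov8_kinit.timer
    systemctl daemon-reload
    systemctl enable --now enov8_kinit.timer
    systemctl restart "$unit"
    systemctl show "$unit" --property=Environment
}

# Only act when invoked as: sudo ./enov8_kerberos_setup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once as root with the argument run (on Ubuntu: WEB_USER=www-data HTTPD_UNIT=apache2 ./enov8_kerberos_setup.sh run). Because kinit may recreate the cache file on every refresh, with ownership reverting to root, the chown in refresh_ticket has to run after each kinit; the script the timer's enov8_kinit.service executes should therefore perform both steps, not just the kinit.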

Using the Enov8 TDM UI for Custom Configurations

For databases requiring Kerberos authentication, users can pass the necessary values directly in the Enov8 TDM UI instead of configuring them manually in the system. Users need to select either "Windows Authentication" or "GSSAPI" from the "Authentication Mechanism" field to make Kerberos-related fields available.

Below is a guide on how to determine the correct values for each field.

UI Field Mapping for Kerberos Authentication (* marks required fields)

Server *: The MSSQL server hostname or IP address (e.g., mssql.example.com). Prefer the fully qualified hostname: the SPN is derived from it, and connecting by IP address usually means the SPN must be given explicitly.
Database *: The name of the database you are connecting to (e.g., SalesDB)
Port *: The port MSSQL is listening on (default: 1433)
Schema *: The database schema being accessed (e.g., dbo)
Server SPN: The Service Principal Name (SPN) registered in AD for the database service, in the form MSSQLSvc/server.example.com:port. Only needed when the driver cannot derive it from the Server value (for example when connecting by IP address or a DNS alias).
Keytab Path: The absolute path to the Kerberos keytab file for authentication (e.g., /etc/krb5/krb5.keytab)
Kinit Path: The path to the kinit binary (default: kinit)
Username: The Kerberos service account username without the realm (e.g., svc_finance)
Realm: The Kerberos realm name, typically the AD domain in uppercase (e.g., EXAMPLE.COM)
Password: If no keytab file is used, the service account's Kerberos password. Prefer a keytab, which avoids keeping a password in the application configuration.

Example: Filling Out the UI Based on Use Cases

Use Case 1: Authentication Using a Keytab File

Field: Example Value
Server: dbserver.example.com
Database: FinanceDB
Port: 1433
Schema: dbo
Keytab Path: /etc/security/finance.keytab
Kinit Path: kinit
Username: svc_finance
Realm: EXAMPLE.COM
Password: (leave blank; the keytab is used)

Use Case 2: Authentication Using a Password

Only the fields that differ from Use Case 1 are listed; the remaining fields are filled in the same way.

Field: Example Value
Keytab Path: (leave blank; no keytab is used)
Username: svc_hr
Password: SuperSecretPassword123 (placeholder; use the account's real password)

With these values set correctly in the UI, Enov8 TDM authenticates to MSSQL with Kerberos tickets instead of SQL logins; the keytab variant (Use Case 1) does so without any password being stored in the application.