Authenticating XCC/J applications using a Kerberos keytab
24 November 2016 09:22 AM
When using Kerberos to authenticate to a MarkLogic server the user must first obtain a Kerberos ticket by either authenticating to a directory server such as Active:Directory or directly to the Kerberos Domain server using the kinit utility.
For interactive use, this does not pose a problem but for unattended application use such as an XCC/J application, problems can ensue if a previously generated Kerberos ticket has expired.
This article will outline the steps needed to use a "client-side" Kerberos Keytab that can authenticate an XCC/J application without requiring manual intervention to regenerate Kerberos tickets.
1. Create or update the existing services.keytab and add the User Principal that you want to use with XCC, e.g. ml1@MLKRB.LOCAL
[kadnin@mwca1 Data]# kadmin.local
2. Copy the services.
Note: For security reasons ensure that the
3. Create a Java Authentication and Authorization Service (JAAS) login.conf file with the following contents; change “principal” and “keyTab” entries accordingly
4. Set the following Java System properties either within the XCC Java application or from the command line, changing login.conf and krb5.conf entries as required.
5. Run the XCC Java application and it should use the Kerberos credentials from the services.
A simple query to return the current timestamp from an MarkLogic XDBC server.
[ml1@mwca1 ~]$ java -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=login.conf -Djava.security.krb5.conf=/etc/krb5.conf com.marklogic.xcc.examples.SimpleQueryRunner xcc://ml1.dyndns.org:8050 query
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /home/ml1/Data/services.keytab refreshKrb5Config is false principal is ml1@MLKRB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
6. In the MarkLogic AccessLogs you should see the following entries to show a successful Kerberos authentication from the Java XCC Client.
External User(ml1@MLKRB.LOCAL) is Mapped to User(krbuser1)
7. When authentication is successfully established "debug=false" can be set in the JAAS login.conf to reduce the verbose logging messages.