Knowledgebase: MarkLogic Server
Authenticating XCC/J applications using a Kerberos keytab
24 November 2016 09:22 AM

Introduction

When Kerberos is used to authenticate to MarkLogic Server, the client must first hold a Kerberos ticket-granting ticket (TGT), obtained either by logging in to a directory service such as Active Directory or by authenticating directly to the Kerberos KDC with the kinit utility.

For interactive use this is not a problem, but for an unattended application such as an XCC/J client the ticket expires at the end of the lifetime configured for the realm (commonly a matter of hours), after which every request fails until someone runs kinit again.

This article outlines the steps needed to use a client-side Kerberos keytab so that an XCC/J application can obtain its own tickets without manual intervention.

Prerequisites

  • MarkLogic Server and XCC/J 8.0.5 or later
  • Java 1.7 or later

Configuration steps

1. Create services.keytab, or update an existing one, adding the user principal that XCC will authenticate as, e.g. ml1@MLKRB.LOCAL. Note that ktadd generates a new random key for the principal and increments its key version number (kvno), which invalidates the principal's current password; if the same principal must still log in interactively, use ktadd -norandkey, which is available in kadmin.local only.

[kadnin@mwca1 Data]# kadmin.local
Authenticating as principal mluser1/admin@MLKRB.LOCAL with password. 

kadmin.local: listprincs
ml1@MLKRB.LOCAL

kadmin.local: ktadd -k services.keytab ml1@MLKRB.LOCAL

2.  Copy services.keytab to a path on the Java XCC client machine and confirm its contents with klist -k -t services.keytab; the kvno shown must match the principal's current kvno in the KDC, otherwise the login fails even though the keytab looks correct.

Note: A keytab is a long-term credential equivalent to the principal's password. Make it owned by, and readable only by, the account that runs the XCC application (for example chmod 600), and do not check it into source control or bake it into an application image.

3.  Create a Java Authentication and Authorization Service (JAAS) login.conf file with the following contents, changing the "principal" and "keyTab" entries to match your environment. An XCC client only initiates GSS contexts, so the com.sun.security.jgss.krb5.initiate entry is the one the application uses; the accept entry is only consulted if the same JVM also accepts Kerberos contexts and can be omitted for a pure client.

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="ml1@MLKRB.LOCAL"
        useKeyTab=true
        keyTab="/home/ml1/Data/services.keytab"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="ml1@MLKRB.LOCAL"
        useKeyTab=true
        keyTab="/home/ml1/Data/services.keytab"
        storeKey=true
        debug=true;
};

4.  Set the following Java system properties, either on the command line with -D or programmatically in the XCC application before the first request is made (the JAAS configuration is read when the GSS layer first needs credentials), changing the login.conf and krb5.conf paths as required. A relative login.conf path is resolved against the JVM's working directory.

javax.security.auth.useSubjectCredsOnly=false
java.security.auth.login.config=login.conf
java.security.krb5.conf=/etc/krb5.conf

5.  Run the XCC Java application. With javax.security.auth.useSubjectCredsOnly=false the JGSS layer logs in through the initiate entry of login.conf, obtains a TGT using the key in services.keytab, and uses it to authenticate to the MarkLogic XDBC server; no ticket cache and no prior kinit are needed.

Example

A simple query that returns the current timestamp from a MarkLogic XDBC server, run with the SimpleQueryRunner example class shipped with XCC/J. Note that the xcc:// URI carries no user name or password; XCC negotiates Kerberos using the JAAS login instead.

[ml1@mwca1 ~]$ java -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=login.conf -Djava.security.krb5.conf=/etc/krb5.conf com.marklogic.xcc.examples.SimpleQueryRunner xcc://ml1.dyndns.org:8050 query

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /home/ml1/Data/services.keytab refreshKrb5Config is false principal is ml1@MLKRB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is ml1@MLKRB.LOCAL
Will use keytab
Commit Succeeded

2016-11-23T18:03:59.457055Z

6.  In the XDBC server's access log (<port>_AccessLog.txt in the MarkLogic Logs directory) you should see entries like the following, showing the external Kerberos principal being mapped to a MarkLogic user and the request from the Java XCC client succeeding with HTTP status 200.

External User(ml1@MLKRB.LOCAL) is Mapped to User(krbuser1)
192.168.0.50 - - [23/Nov/2016:18:03:59 +0000] "POST /eval XDBC/1.0" 200 128 - "Java/1.8.0_66 MarkLogicXCC/8.0-6"

7.  Once authentication works, set "debug=false" in the JAAS login.conf: the debug output is verbose and echoes the principal and keytab path to stdout, which you do not want in production logs.
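The steps above can also be done entirely inside the application. The following is an added example, not code from the MarkLogic article or from the XCC library: it sets the three system properties before any GSS-API call, performs the same JAAS login that JGSS will perform in order to fail fast on a bad keytab, wrong principal or kvno mismatch, and then runs a credential-free XCC query. The class name KeytabXccClient, the verifyKeytab helper, the default host ml1.dyndns.org:8050 and the relative login.conf path are assumptions taken from this article's environment and should be adjusted to yours.

```java
import java.net.URI;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.marklogic.xcc.ContentSource;
import com.marklogic.xcc.ContentSourceFactory;
import com.marklogic.xcc.Request;
import com.marklogic.xcc.ResultSequence;
import com.marklogic.xcc.Session;

/**
 * Added example (not MarkLogic's code): an XCC/J client that authenticates
 * with a keytab-backed JAAS login instead of a user name and password.
 */
public class KeytabXccClient {

    // The JAAS entry JGSS consults for initiator credentials when
    // javax.security.auth.useSubjectCredsOnly=false.
    private static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.initiate";

    static {
        // Equivalent to the -D options in the command-line example. The
        // properties must be in place before the first GSS-API call, so they
        // are set when the class loads; a -D given on the command line wins.
        setDefault("javax.security.auth.useSubjectCredsOnly", "false");
        setDefault("java.security.auth.login.config", "login.conf");   // assumed path
        setDefault("java.security.krb5.conf", "/etc/krb5.conf");      // assumed path
    }

    private static void setDefault(String key, String value) {
        if (System.getProperty(key) == null) {
            System.setProperty(key, value);
        }
    }

    /**
     * Diagnostic (assumption, not part of the article): perform the JAAS login
     * JGSS would perform. A bad keytab, wrong principal, kvno mismatch or clock
     * skew surfaces here as a LoginException, before MarkLogic is contacted.
     */
    static Subject verifyKeytab() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            // The TGT obtained from the keytab; its end time shows when JGSS
            // will have to re-login (which it does transparently from the keytab).
            System.out.println("TGT for " + t.getClient().getName()
                    + " expires " + t.getEndTime());
        }
        return subject;
    }

    /** Run an ad hoc XQuery against the XDBC server and return the result as text. */
    static String runQuery(String xccUri, String xquery) throws Exception {
        // No user:password in the URI: XCC negotiates Kerberos via the JAAS subject.
        ContentSource cs = ContentSourceFactory.newContentSource(URI.create(xccUri));
        Session session = cs.newSession();
        try {
            Request req = session.newAdhocQuery(xquery);
            ResultSequence rs = session.submitRequest(req);
            return rs.asString();
        } finally {
            session.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed server; pass your own xcc://host:port as the first argument.
        String uri = args.length > 0 ? args[0] : "xcc://ml1.dyndns.org:8050";
        verifyKeytab();
        System.out.println(runQuery(uri, "fn:current-dateTime()"));
    }
}
```

Because the properties are applied with setDefault, the same class can be run either as-is or with the -D options from the command-line example, and the command-line values take precedence. If verifyKeytab throws, fix the keytab or realm configuration first; only when it passes is an XCC failure actually an XCC or MarkLogic external-security problem.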
