IBM Streams 4.3.0

Configuring the Streams Console to use Kerberos authentication

Use this procedure to configure Kerberos authentication for Streams Console users.

Procedure

  1. Configure the Mozilla Firefox browser on Linux or the Microsoft Internet Explorer browser on Windows.
    Restriction: The Google Chrome browser is not supported.

    The Streams Console uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to authenticate users with Kerberos credentials. To use Kerberos authentication, you must configure your browser to use SPNEGO for the host that serves the Streams Console.

    • To configure the Firefox browser on Linux to use SPNEGO, complete the following steps:
      1. Start Firefox.
      2. In the address field, type about:config and press Enter.
      3. In the Search field, type network.n and press Enter.
      4. Double-click network.negotiate-auth.trusted-uris, enter the host name of the web management service, and click OK. For example, if the URL for accessing the Streams Console is https://streamshost.ibm.com:8443/streams/domain/console, you enter https://streamshost.ibm.com in the network.negotiate-auth.trusted-uris field.
      5. Double-click network.negotiate-auth.delegation-uris, enter the host name of the web management service, and click OK. This is the same value that you entered in the previous step. This preference permits Firefox to delegate (forward) your Kerberos credentials to the listed host, which the web management service can then use on your behalf, so list only the Streams hosts and never a wildcard.
      6. Restart your Firefox browser to activate this configuration.

    • To configure the Internet Explorer browser on Windows to use SPNEGO, complete the following steps:
      1. Start Internet Explorer.
      2. Click Tools > Internet Options > Security.
      3. Select the Trusted Site icon and click Sites. In the Trusted sites window, add the host name, for example: https://streamshost.ibm.com.
      4. Select the Local intranet icon and click Sites.
      5. In the Local intranet window, complete the following steps:
        • Select the Include all local (intranet) sites not listed in other zones check box and click Advanced.
        • In the Add this web site to the zone field, enter the host name of the web management service. For example, if the URL for accessing the Streams Console is https://streamshost.ibm.com:8443/streams/domain/console, you enter https://streamshost.ibm.com in this field.
        • Click Close and then OK to return to the Internet Options window.
      6. In the Internet Options window, complete the following steps:
        • Click the Advanced tab and scroll to the Security settings.
        • Ensure that the Enable Integrated Windows Authentication check box is selected.
        • Click OK.
      7. Restart Internet Explorer to activate this configuration.
  2. On all resources that are running the IBM Streams web management service, set up the service as a service principal for Kerberos.
    The following values are used in the examples:
    • HTTP: The Kerberos service principal name for the web management service. This is the name that browsers use by default.
    • domain1.ibm.com: The fully qualified name of the IBM Streams resource that is running the web management service.
    • IBM.COM: The name of the Kerberos realm.

    Complete the following steps on all resources that are running the web management service:

    1. Create a service principal for the web management service as shown in the following examples.
      • MIT Kerberos example:
        kadmin: addprinc -randkey HTTP/domain1.ibm.com@IBM.COM
      • Microsoft Active Directory example:
        • Create a user in Active Directory for the Kerberos service principal, for example: HTTP.
        • In the account properties, enable Kerberos AES encryption for the account (for example, the option that allows the account to support Kerberos AES 256-bit encryption), so that AES256-SHA1 keys can be issued for it.
        • Create a service principal, for example:
          setspn -A HTTP/domain1.ibm.com HTTP

    2. Create a .keytab file for the web management service as shown in the following examples. The keytab encryption keys must be compatible with the supported user encryption types.
      • MIT Kerberos example (the -norandkey option is accepted only by kadmin.local on the KDC; in a remote kadmin session omit it, which randomizes the key when the keytab is written):
        kadmin: ktadd -norandkey -k streams-sws.keytab HTTP/domain1.ibm.com@IBM.COM
      • Microsoft Active Directory example (one command, shown with cmd.exe line continuation):
         ktpass -out .\streams-sws.keytab -princ HTTP/domain1.ibm.com@IBM.COM ^
           -mapUser streams\HTTP ^
           -mapOp set ^
           -pass password ^
           -crypto AES256-SHA1 ^
           -pType KRB5_NT_PRINCIPAL

    3. Copy the .keytab file that you created in the previous step to the following directory on the resource that is running the web management service:
      user-home-directory/.streams/var/security/keytabs/streams-sws.keytab
      Notes:
      • The user and group owner of the .keytab file is the user:group that runs the web management service on the resource. For example, if your username is streamsadmin and your group is streamsgroup, enter the following command:
        chown streamsadmin:streamsgroup streams-sws.keytab
      • Because the .keytab file contains the long-term keys of the service principal, anyone who can read the file can authenticate to the KDC as that principal. Restrict and monitor permissions on this file so that only the user that runs the web management service, whose credentials the service authenticates with, has read access. For example:
        chmod 400 streams-sws.keytab

      • You can configure permissions for a Kerberos user by using roles or by setting access permissions for the user. Groups do not apply to Kerberos users. To configure permissions, see Configuring user access to IBM Streams domains and instances.
    4. Verify that you are able to log in using the .keytab file.
      Important: You must verify the .keytab file by using the MIT Kerberos kinit program, not the kinit program that is installed with IBM Streams.

      Example:

      /usr/bin/kinit -f -k -t ~/.streams/var/security/keytabs/streams-sws.keytab HTTP/domain1.ibm.com@IBM.COM
      If your krb5.conf file is not found in the default location of /etc/krb5.conf, set the KRB5_CONFIG environment variable to the correct path and then run the kinit command.
      After the .keytab file is verified, remove the credential cache file by running the following command:
      /usr/bin/kdestroy
    5. Repeat substeps 1 through 4 on every other resource that runs the web management service, using that resource's fully qualified host name in the service principal so that each resource has its own principal and keytab.
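    The keytab installation and verification in substeps 3 and 4, collected into one script. This is an added example and not part of the IBM Streams documentation or product; it assumes the MIT Kerberos client tools are in /usr/bin, that the keytab was already exported on the KDC, and that the service user, group, home directory and realm are passed as arguments (the placeholder names in the script are not values from the documentation).

```shell
#!/bin/sh
# Added example (not from the IBM Streams documentation): install the
# per-resource HTTP service keytab for the Streams web management service,
# lock down its permissions, and verify it with the MIT Kerberos kinit.
# Assumptions: MIT Kerberos client tools in /usr/bin, keytab already
# exported on the KDC, service runs as <user>:<group> given on the command
# line. Host names, users and paths here are placeholders.

# Build the service principal for one resource: HTTP/<fqdn>@<REALM>.
sws_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Copy a keytab into the service user's .streams tree, owned by the
# service user and readable by nobody else. Prints the installed path.
install_keytab() {
    _src="$1"; _home="$2"; _user="$3"; _group="$4"
    _dir="$_home/.streams/var/security/keytabs"
    mkdir -p "$_dir" || return 1
    cp "$_src" "$_dir/streams-sws.keytab" || return 1
    chown "$_user:$_group" "$_dir/streams-sws.keytab" || return 1
    chmod 400 "$_dir/streams-sws.keytab" || return 1
    echo "$_dir/streams-sws.keytab"
}

# Check that a keytab is mode 0400 and owned by the expected user: anyone
# who can read the keytab can authenticate as the service principal.
check_keytab_perms() {
    _kt="$1"; _owner="$2"
    [ -f "$_kt" ] || { echo "missing keytab: $_kt" >&2; return 1; }
    _mode=$(stat -c '%a' "$_kt" 2>/dev/null || stat -f '%Lp' "$_kt")
    _user=$(stat -c '%U' "$_kt" 2>/dev/null || stat -f '%Su' "$_kt")
    [ "$_mode" = "400" ] || { echo "$_kt: mode $_mode, want 400" >&2; return 1; }
    [ "$_user" = "$_owner" ] || { echo "$_kt: owner $_user, want $_owner" >&2; return 1; }
}

# Obtain a ticket from the keytab with MIT kinit (not the IBM Streams kinit),
# list it, then discard the credential cache. KRB5_CONFIG is honoured if set.
verify_keytab() {
    _kt="$1"; _princ="$2"
    [ -x /usr/bin/kinit ] || { echo "MIT kinit not found in /usr/bin" >&2; return 1; }
    /usr/bin/kinit -f -k -t "$_kt" "$_princ" || return 1
    /usr/bin/klist
    /usr/bin/kdestroy
}

# Usage: sh sws-keytab.sh <exported.keytab> <service-home> <user> <group> <REALM>
if [ "$#" -eq 5 ]; then
    kt=$(install_keytab "$1" "$2" "$3" "$4") || exit 1
    check_keytab_perms "$kt" "$3" || exit 1
    verify_keytab "$kt" "$(sws_principal "$(hostname -f)" "$5")"
fi
```

    Run it once per resource that hosts the web management service; the principal is derived from that resource's own fully qualified host name, matching the per-resource principals created on the KDC.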
  3. Update IBM Streams security properties that are used for Kerberos.

    You can update the property settings by using the Domain Manager or the streamtool setdomainproperty command. For more information about each property, see the Domain Manager help information or use the streamtool man domainproperties command.

    1. Update the sws.kerberosServicePrincipal property, if needed.

      This property specifies the service principal name for the IBM Streams web management service. This name is registered with the Kerberos KDC.

      The default value for this property is HTTP/%STREAMS_RESOURCE%, where %STREAMS_RESOURCE% resolves to the host name of the resource that runs the web management service. For example, if the URL for accessing the Streams Console is https://streamshost.ibm.com:8443/streams/domain/console, the host name for the web management service is streamshost.ibm.com and the principal resolves to HTTP/streamshost.ibm.com. The value must match the principal that you registered with the KDC and exported to the keytab.

    2. Update the sws.kerberosKeytabFile property on all resources that run the IBM Streams web management service.

      This property specifies the location of the Kerberos .keytab file for the web management service.

      Example:
      streamtool setdomainproperty sws.kerberosKeytabFile=%STREAMS_USER_HOME%/.streams/var/security/keytabs/streams-sws.keytab
  4. Obtain and cache Kerberos ticket-granting tickets. These tickets are used by IBM Streams to authenticate users with the web management service.
    Note: Before running the kinit command, a user must be registered as a user principal with the Kerberos KDC.

    To obtain and cache a Kerberos ticket-granting ticket, enter the following command:

    /usr/bin/kinit -f
    To list the ticket-granting tickets in the ticket cache, enter the following command:
    /usr/bin/klist