Jmeter and hive jdbc security issue - hive

I'm trying to connect to hiveserver2 (v1.2) via Jmeter (v3.0). We're using Kerberos as the authentication protocol on our cluster. I couldn't find the proper configuration for the Jmeter authentication parameters (which I believe is only jaas.conf).
Any suggestion would be greatly appreciated.

Related

Quarkus JDBC connection with SSL

I am using Quarkus with Panache + Agroal.
I need to set up a DB connection (Postgres) with SSL enabled. So I need to somehow configure the server-cert, client-cert and client-key.
I only see this available for the reactive client.
Can this be achieved for non-reactive one? I find it very hard to believe that nobody needed this.
You can specify it via the JDBC URL. Different databases have their own ways to configure SSL. For Postgres, it would be sslcert and sslkey; see https://jdbc.postgresql.org/documentation/head/connect.html#ssl
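
A Quarkus datasource configuration using the URL parameters mentioned in the answer above. This is an added example, not part of the original thread; the host name, database name, user name and file paths are placeholders.

```properties
# Added example: db.example.internal, appdb, app_user and /etc/app/tls/* are placeholders.
quarkus.datasource.db-kind=postgresql
quarkus.datasource.username=app_user

# pgjdbc connection parameters carried in the JDBC URL:
#   sslmode=verify-full  validate the server certificate against sslrootcert and
#                        check that it matches the host name in the URL
#                        (sslmode=require encrypts but does not validate the server)
#   sslrootcert          CA certificate (PEM) that signed the server certificate
#   sslcert              client certificate (PEM)
#   sslkey               client private key in PKCS-8 DER format; a PEM key is not
#                        read directly (recent driver versions also accept PKCS-12)
quarkus.datasource.jdbc.url=jdbc:postgresql://db.example.internal:5432/appdb?sslmode=verify-full&sslrootcert=/etc/app/tls/ca.crt&sslcert=/etc/app/tls/client.crt&sslkey=/etc/app/tls/client.pk8
```

Keep the key file readable only by the application's service account, since anyone who can read it can authenticate to the database as that client.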

ActiveMQ: Configure secured LDAPS connection to AD

I am using ActiveMQ 5.16.2 and am trying to secure the ActiveMQ Web console with LDAP. I have followed this guide.
Because I am not that familiar with LDAP, I used ldapsearch from openldap-clients to perform some initial queries to check whether my roleFilter and userFilter within LdapRoleAuthorizationModule have the correct settings.
When using ldapsearch I received the following error:
ldap_bind: Strong(er) authentication required (8)
Ldap_bind: additional info:00002028:ldapERR:DSID-0C09027F,comment: The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, v3839
I tried to search for how I can configure a secured LDAPS connection from my ActiveMQ VM to solve this error but was not able to find a good solution.
Could someone give advice / help please?

How to Setup kerberos in a load balanced message broker environment?

We have IIB 10.0.0.12 running on Windows Server 2012 R2. We are looking to set up Kerberos token-based authentication for SOAP services that are exposed to internal/external consumers.
We have around 4 system test servers running on the same domain. The test servers are not load balanced; can we create a single user account (say "IIBTestPrincipal") in Active Directory, map multiple SPNs to this user account, and set up the test environments like below?
setspn -A HTTP/server3.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
setspn -A HTTP/server5.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
Can somebody please advise/guide on the process for setting up the same in a load-balanced environment?
We have 4 broker servers load balanced via Netscaler. Can the load balancer perform a Kerberos passthrough and the broker perform all the Kerberos authentication work? If so, should we be creating an SPN on the load balancer host name and mapping all the prod servers as aliases to that SPN?
Couldn't find much info in the Info Center. Any thoughts on the above are much appreciated.
Netscaler supports Kerberos impersonation and Kerberos constrained delegation. I'm not that familiar with Kerberos; take a look at their documentation:
https://support.citrix.com/article/CTX222453

HAProxy with https and kerberos

I'm trying to implement a reverse proxy in our system, for a microservices architecture.
The proxy server is HAProxy, which works with SSL termination and needs to proxy requests to a backend server with HTTPS and Kerberos authentication.
I succeeded in terminating SSL on the proxy server and passing the request to the HTTPS server (I need the termination in order to route requests by their body to specific backend services), but I am failing to authenticate with Kerberos on the backend server.
Is it possible to implement Kerberos auth on the proxy server and then pass the TGT to the different backend services?
I have successfully done this and it took some work.
At the time I was using HDP, so I used Ambari to set up a Hive server on the HAProxy node. (This was done solely for the purpose of having Ambari manage the Kerberos principal. The Hive server itself never ran.)
Then I merged the keytab for my Hive server (on the proxy) with my Hive server keytabs so that the principal could be used on the Hive servers. I think I also allowed it as a principal to work with Hive. I'm sure there is another path that would allow you to use delegation, but this was the path of least resistance and made it so Hive mostly managed the keytab. I did have to re-merge the keytab when they were regenerated, but it wasn't as bad as manually managing keytabs.

How can I make SPNEGO working with mod_auth_kerb?

Here is my problem:
Context: Kerberos authentication for two kinds of webapps, one using Apache mod_auth_kerb and the other using SPNEGO (GSSAPI) for Tomcat. I use mod_jk for connecting Tomcat to Apache.
Problem: Kerberos headers from the client to Tomcat seem to be modified by Apache, which leads to authentication failures (Mechanism level: Checksum failed).
Question: How can I configure/disable mod_auth_kerb (or mod_jk) for SPNEGO webapps and keep it working for the others? Is there any other solution?
Thank you!
mod_auth_gss_krb5 might be useful. It's available at this link: http://modgssapache.sourceforge.net/