Skip to main content
Skip table of contents

Delphix kerberos implementation

Version 6.0.7.0 or later recommended for Kerberos

Any Delphix Engine intending to leverage Kerberos credentials should be running version 6.0.7.0 or later. Versions 6.0.0.0-6.0.6.1 may encounter issues in authentication ticket renewal, causing Environment and Dataset job failures. More information can be found in this Delphix Knowledge Base article

Shared infrastructure/ticket management

The Delphix Engine (DE) has a single Kerberos principal shared between all connections to the host (SSH, ASE JDBC, etc).

Overview of the authentication process

  1. The client acquires a ticket from the Kerberos Domain Controller (KDC) (e.g kinit <principal>) which it stores locally.

  2. The client uses a ticket from KDC to authenticate with the target (e.g., ssh- or JDBC authentication using gssapi to pass the cached ticket acquired in step 1).

Kerberos master/replica KDCs

Kerberos supports a master/replica system with multiple KDCs running on different hosts. This is used for High Availability (HA) or to provide faster service via a local node in dispersed network environments. Delphix supports a list of KDCs for the Kerberos realm to which it has been joined.

Delphix infrastructure to support the authentication process

Kerberized environment user

Delphix has introduced a KerberosCredential type that indicates the global Kerberos principal to be used for authentication, rather than user-specific credentials.

Keytab based authentication

It is possible to use kinit with a keytab file instead of password-based authentication to acquire tickets. This is similar in principle to passwordless SSH authentication and allows Delphix to function in the customer’s environment without storing any passwords on the Delphix Engine. It does, however, put us at the mercy of the customer’s keytab expiration policy.

The Delphix Engine creates a background thread that periodically checks the expiration of the cached Kerberos credentials. If the credentials have expired, it calls kinit using the keytab that was provided.

Keytab file storage

Keytab file data is sent via a web service API as a Base64 encoded string. This is then decoded back to the binary file and persisted on local storage on the Delphix Engine with root user ownership permissions.

Default behavior

Default Kerberos ticket refresh configuration:

  • Delphix checks if the TGT-cached Kerberos ticket should be refreshed every hour.

  • The TGT-cached ticket for the global Delphix principal will be refreshed if it expires in less than two hours. The default values can be changed by Delphix Support.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close