Version 188.8.131.52 or later recommended for Kerberos
Any Delphix Engine intending to leverage Kerberos credentials should be running version 184.108.40.206 or later. Versions 220.127.116.11-18.104.22.168 may encounter issues in authentication ticket renewal, causing Environment and Dataset job failures. More information can be found in this Delphix Knowledge Base article
Shared infrastructure/ticket management
The Delphix Engine (DE) has a single Kerberos principal shared between all connections to the host (SSH, ASE JDBC, etc).
Overview of the authentication process
The client acquires a ticket from the Kerberos Domain Controller (KDC) (e.g kinit <principal>) which it stores locally.
The client uses a ticket from KDC to authenticate with the target (e.g., ssh- or JDBC authentication using gssapi to pass the cached ticket acquired in step 1).
Kerberos master/replica KDCs
Kerberos supports a master/replica system with multiple KDCs running on different hosts. This is used for High Availability (HA) or to provide faster service via a local node in dispersed network environments. Delphix supports a list of KDCs for the Kerberos realm to which it has been joined.
Delphix infrastructure to support the authentication process
Kerberized environment user
Delphix has introduced a KerberosCredential type that indicates the global Kerberos principal to be used for authentication, rather than user-specific credentials.
Keytab based authentication
It is possible to use kinit with a keytab file instead of password-based authentication to acquire tickets. This is similar in principle to passwordless SSH authentication and allows Delphix to function in the customer’s environment without storing any passwords on the Delphix Engine. It does, however, put us at the mercy of the customer’s keytab expiration policy.
The Delphix Engine creates a background thread that periodically checks the expiration of the cached Kerberos credentials. If the credentials have expired, it calls kinit using the keytab that was provided.
Keytab file storage
Keytab file data is sent via a web service API as a Base64 encoded string. This is then decoded back to the binary file and persisted on local storage on the Delphix Engine with root user ownership permissions.
Default Kerberos ticket refresh configuration:
Delphix checks if the TGT-cached Kerberos ticket should be refreshed every hour.
The TGT-cached ticket for the global Delphix principal will be refreshed if it expires in less than two hours. The default values can be changed by Delphix Support.