WORKLOAD AUTOMATION COMMUNITY

Leverage Kerberos Authentication Protocol for submitting jobs with Workload Automation

7/11/2022

In Greek mythology, Kerberos is the ferocious three-headed dog that guards Hades to prevent the dead from leaving.
In computer science, it is a strong network authentication protocol that works on the basis of tickets, allowing nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It provides mutual authentication for clients and services. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric-key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default.
HOW IT WORKS
The client authenticates itself to the Authentication Server, which forwards the username to a Key Distribution Center. The Key Distribution Center issues a Ticket-Granting Ticket, which is time-stamped, encrypts it using the Ticket-Granting Server's secret key, and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the Ticket-Granting Ticket expires at some point, although it may be transparently renewed by the user's session manager while they are logged in.

When the client needs to communicate with a service on another node (a "principal", in Kerberos parlance), the client sends the Ticket-Granting Ticket to the Ticket-Granting Server, which usually shares the same host as the Key Distribution Center. The service must have already been registered with the Ticket-Granting Server with a Service Principal Name (SPN). The client uses the SPN to request access to this service. After verifying that the Ticket-Granting Ticket is valid and that the user is permitted to access the requested service, the Ticket-Granting Server issues a ticket and session keys to the client. The client then sends the ticket to the Service Server along with its service request.
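The ticket flow described above, as a small runnable simulation. This is an added example, not code from the original article or from Workload Automation; the toy cipher, the `KDC` class and all function names are illustrative assumptions, and real Kerberos uses its own encryption types and message formats.

```python
import hashlib, hmac, json, os

def keystream_xor(key, nonce, data):
    # SHA-256 in counter mode as a keystream: a toy stand-in for real Kerberos enctypes.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    body = nonce + keystream_xor(key, nonce, json.dumps(obj).encode())
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(keystream_xor(key, body[:16], body[16:]))

def open_ticket(key, ticket, authenticator, now, skew=60):
    """Used by TGS and service: decrypt the ticket, then verify the authenticator with its session key."""
    t = unseal(key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if now > t["exp"] or a["user"] != t["user"] or abs(now - a["ts"]) > skew:
        raise PermissionError("expired ticket or stale authenticator")
    return t

class KDC:
    def __init__(self, user_keys, service_keys, lifetime=600):
        self.user_keys, self.service_keys, self.lifetime = user_keys, service_keys, lifetime
        self.tgs_key = os.urandom(32)          # known only to the KDC

    def _issue(self, ticket_key, reply_key, user, now):
        sk = os.urandom(32).hex()              # fresh session key for this ticket
        ticket = seal(ticket_key, {"user": user, "key": sk, "exp": now + self.lifetime})
        return ticket, seal(reply_key, {"key": sk})

    def as_request(self, user, now):           # logon: TGT is sealed under the TGS key
        return self._issue(self.tgs_key, self.user_keys[user], user, now)

    def tgs_request(self, tgt, authenticator, spn, now):
        t = open_ticket(self.tgs_key, tgt, authenticator, now)
        return self._issue(self.service_keys[spn], bytes.fromhex(t["key"]), t["user"], now)

def run_job_login(kdc, user, user_key, spn, service_key, now):
    """Client side of both exchanges, then the service's check (service_key is passed
    only so the simulation can play the service); returns the authenticated user."""
    tgt, reply = kdc.as_request(user, now)
    k1 = bytes.fromhex(unseal(user_key, reply)["key"])
    ticket, reply = kdc.tgs_request(tgt, seal(k1, {"user": user, "ts": now}), spn, now)
    k2 = bytes.fromhex(unseal(k1, reply)["key"])
    return open_ticket(service_key, ticket, seal(k2, {"user": user, "ts": now}), now)["user"]
```

The client never sees the TGS key or the service key: it can only forward the sealed tickets, and it proves possession of each session key with a fresh timestamped authenticator, which is what makes an old captured message useless.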

INSTALLING THE INTEGRATION
  1. Stop the Dynamic Agent
  2. Copy the Kerberos library into the <inst_dir>/TWS/bin folder and check the file owner and permissions
  3. Copy the Kerberos.ini file into the <data_dir>/ITA/cpa/config folder and check the file owner and permissions
  4. Edit the JobManager.ini file and add, in the [NativeJobLauncher] section, the AuthMethod and IsAuthMethodMandatory keywords
  5. Restart the Dynamic Agent

If IsAuthMethodMandatory = true, the job fails as soon as the Kerberos authentication fails. If IsAuthMethodMandatory = false, it continues with the other authentication method provided by the service in use.
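One way to verify steps 2 to 4 after installation, as an added example that is not part of the original article or of the product. The function names, the sample file content and the policy applied (files owned by the expected user and not writable by group or others; fallback treated as a finding) are assumptions, and the `AuthMethod` value shown is a placeholder.

```python
import configparser, os, stat

# Constructed sample; the AuthMethod value is a placeholder, not a real library name.
SAMPLE_INI = """
[NativeJobLauncher]
AuthMethod = <kerberos_library_name>
IsAuthMethodMandatory = false
"""

def audit_jobmanager(ini_text):
    """Return findings for the [NativeJobLauncher] keywords added in step 4."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("NativeJobLauncher"):
        return ["no [NativeJobLauncher] section"]
    sec, findings = cp["NativeJobLauncher"], []
    if not sec.get("AuthMethod", "").strip():
        findings.append("AuthMethod is not set")
    if sec.get("IsAuthMethodMandatory", "").strip().lower() != "true":
        findings.append("IsAuthMethodMandatory is not true: "
                        "a job continues with another method when Kerberos fails")
    return findings

def audit_file(path, expected_uid):
    """Return findings for a file copied in step 2 or 3 (library or Kerberos.ini)."""
    st, findings = os.stat(path), []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others "
                        f"(mode {stat.S_IMODE(st.st_mode):o})")
    return findings

if __name__ == "__main__":
    for finding in audit_jobmanager(SAMPLE_INI):
        print("JobManager.ini:", finding)
```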

CONFIGURE THE INTEGRATION
If UseDefaultCache = false, an isolated cache is used for each job. If UseDefaultCache = true, the cache defined by Kerberos is used.

If the first authentication attempt fails, Workload Automation can retry 2 times, after 10 seconds. The default is 0 attempts at an interval of 5 seconds.

The [Kerberos.InitCredsOpts] section contains internal Kerberos properties. They override the corresponding Kerberos settings. Please refer to the Kerberos documentation.

SAME USER FOR AUTHENTICATING TO KERBEROS AND RUNNING THE JOB
Picture
DIFFERENT USER FOR AUTHENTICATING TO KERBEROS AND RUNNING THE JOB
Picture
JOB EXECUTION
When the 2 types of job (with the same user and with a different user) are submitted, once they are in EXEC state both ssh processes are launched with the respective user used in the job.

Author's Bio
Andrea Fiore, Workload Automation Senior Software Engineer, HCL Technologies

Andrea joined HCL in April 2017 in the Verification & Validation Test team. He works as a verification tester for the Workload Automation suite, both in the L3 Support team (in distributed and cloud-native environments) and in the Test team for the development of new releases.

He has a master's degree in Computer Science Engineering, with specialization in Automatic and System Engineer.