Enable Kerberos Authentication v8
PEM 8.1 onwards supports Kerberos authentication. You need to set up Kerberos authentication at the time of configuring the PEM Server. For more details, see the PEM Installation docs.
Principal and Keytab file for PEM Webserver (apache/HTTP) and PEM Backend Database
- Add the principal and generate the keytab file for the PEM webserver (apache/HTTP), and copy it to the machine where the PEM webserver resides. Ensure that the operating system user owning the PEM webserver is the owner of this file and that the file is accessible by that user.
- Add the principal and generate the keytab file for the PEM backend database server, and copy it to the machine where the PEM backend database resides. Ensure that the operating system user owning the PEM backend database server data directory is the owner of this file and that the file is accessible by that user.
Configuration settings
To enable Kerberos authentication for PEM, you must configure the following parameters in config_setup.py on the system where the PEM Server is installed.
- PEM_APP_HOST - Specify the hostname of the PEM webserver. Note that if it is not set, it takes the value of the default_server parameter.
- PEM_AUTH_METHOD - Set the value to kerberos to use Kerberos authentication.
Browser settings to configure Kerberos Authentication
You need to configure the browser on the client machine to use SPNEGO/Kerberos.
For Mozilla Firefox
- Open the low-level Firefox configuration page by loading the about:config page.
- In the Search text box, enter: network.negotiate-auth.trusted-uris
- Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with a comma.
- Click OK.
For Google Chrome
For Windows:
- Open the Control Panel to access the Internet Options dialog.
- Select the Security tab.
- Select the Local Intranet zone and click the Sites button.
- Make sure that the first two options, Include all local (intranet) sites not listed in other zones and Include all sites that bypass the proxy server are checked.
- Click Advanced and add the names of the domains that are protected by Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example, myhost.example.com. Click Close.
- Click OK to save your configuration changes.
For Linux or macOS:
- Add the --auth-server-whitelist parameter to the google-chrome command. For example, to run Chrome from a Linux prompt, run the google-chrome command as follows: