
Using Kerberos authentication

Whether Qlik Replicate Server is running on Linux or Windows, you can configure it to authenticate itself against the Hadoop cluster using Kerberos. However, when using Kerberos libraries that are older than those installed with Replicate or when using Kerberos authentication on Windows, you need to perform the additional setup procedures outlined below.

This requires you to perform the following steps on the Qlik Replicate machine before starting the Qlik Replicate Server.

Using Kerberos authentication on Linux

To use Kerberos authentication on Linux:

Note:

The commands described below should be issued under the "Attunity" user or under the user that was selected during the Replicate installation.

  1. Obtain a valid TGT (Ticket-Granting Ticket) from the Kerberos KDC (Key Distribution Center) but save the TGT to a non-default cache file. Usually, a keytab file is used to perform non-interactive authentication to Kerberos.

    Command Syntax:

    kinit -kt [keytab_file] -c [cache_file_name] [principal_name]

  2. This step is only required for the global Kerberos ticket file. Set the Kerberos cache environment variable (for Replicate to use later on).

    To set the environment variable:

    1. Change the working directory to the Replicate "bin" directory by issuing the following command (assumes the default installation path):

      cd /opt/attunity/replicate/bin

    2. Stop the Qlik Replicate Server services on Linux by running:

      /opt/attunity/replicate/bin/areplicate stop

  3. Create a file named site_arep_login.sh in the Qlik Replicate bin folder.

    1. Add the following command to the file:

      export KRB5CCNAME=cache_file_name

      Example:

      export KRB5CCNAME=/temp/kerberos/global.ticket

    2. Save the file and

    3. Start the Qlik Replicate Server services on Linux by running:

      /opt/attunity/replicate/bin/areplicate start

Now, whenever Qlik Replicate needs to use Kerberos authentication, it will perform the following operations:

  • When Use global Kerberos ticket file is selected: Replicate will check whether the KRB5CCNAME environment variable is set and, if so, will use the ticket(s) inside the cache file specified by the environment variable.
  • When Use specific Kerberos ticket file is selected:

    • During design-time (e.g. when selecting tables, testing the connection, etc.), Replicate will use the ticket(s) inside the cache file specified by the KRB5CCNAME environment variable.
    • During runtime, Replicate will use the ticket file specified in the Hadoop endpoint settings.

Note:

If the ticket in the cache file expires or becomes invalid, repeating the kinit command shown in Step 1 above will write a new TGT to the cache file and allow Qlik Replicate to continue working. This can be done without restarting the Qlik Replicate Server.
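The steps above (a keytab-based kinit into a non-default cache, KRB5CCNAME exported from site_arep_login.sh, and a repeat kinit when the TGT expires) combined into one helper script. This is an added example, not a script from the Qlik documentation; the keytab path and principal are assumed placeholders, and the cache path is the one from the example above.

```shell
#!/bin/sh
# Added example, not part of the Qlik documentation. Assumed values; override
# them in the environment. The cache path is the one from the page's example.
REPLICATE_BIN="${REPLICATE_BIN:-/opt/attunity/replicate/bin}"
KRB_CACHE="${KRB_CACHE:-/temp/kerberos/global.ticket}"
KRB_KEYTAB="${KRB_KEYTAB:-/etc/security/keytabs/replicate.keytab}"   # assumed
KRB_PRINCIPAL="${KRB_PRINCIPAL:-replicate@EXAMPLE.COM}"              # assumed

# Write DIR/site_arep_login.sh exporting KRB5CCNAME=CACHE (steps 2-3).
# printf emits plain \n, so the file never gets \r\n line separators.
write_site_login() {
    dir="$1"; cache="$2"
    printf '#!/bin/sh\nexport KRB5CCNAME=%s\n' "$cache" > "$dir/site_arep_login.sh"
    chmod 750 "$dir/site_arep_login.sh"
}

# Succeed only if FILE contains no carriage returns at all.
has_unix_line_endings() {
    tr -d '\r' < "$1" | cmp -s - "$1"
}

# Print the cache path that DIR/site_arep_login.sh exports.
site_login_cache() {
    sed -n 's/^export KRB5CCNAME=//p' "$1/site_arep_login.sh"
}

# Renew the TGT in CACHE from KEYTAB only when klist -s reports no valid
# ticket. Replicate keeps running; no restart is needed (see the Note above).
refresh_tgt() {
    cache="$1"; keytab="$2"; principal="$3"
    if klist -s -c "$cache" 2>/dev/null; then
        return 0                                # TGT still valid
    fi
    kinit -kt "$keytab" -c "$cache" "$principal"
}

main() {
    write_site_login "$REPLICATE_BIN" "$KRB_CACHE"
    has_unix_line_endings "$REPLICATE_BIN/site_arep_login.sh" || exit 1
    refresh_tgt "$KRB_CACHE" "$KRB_KEYTAB" "$KRB_PRINCIPAL"
}

# Run main only when saved and executed as replicate_krb.sh, not when sourced.
if [ "${0##*/}" = "replicate_krb.sh" ]; then
    main "$@"
fi
```

Running refresh_tgt from cron under the Replicate user keeps the cache current without touching the server.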

Using Kerberos authentication on Linux when the Kerberos libraries installed with Replicate are older than those already installed on the machine

When the Kerberos libraries installed with Replicate are older than those already installed on the machine, using Kerberos authentication on Linux requires the procedure described below.

Note:

  • The commands described below should be issued under the "Attunity" user or under the user that was selected during the Replicate installation.
  • For all script files mentioned below, make sure to use the UNIX line separator "\n" and not "\r\n".
  • The instructions assume that Replicate has been installed in the default location: /opt/attunity/replicate/. If this is not the case, change the path accordingly.

  1. If the Kerberos workstation packages are not installed, run this as root:

    yum install krb5-workstation krb5-libs krb5-auth-dialog

  2. Stop the Replicate service as described in Starting and stopping a Replicate instance. Verify that the service has stopped by running the following command:

    ps axuw | grep repctl

  3. Edit /opt/attunity/replicate/bin/arep_login.sh as follows:

    Replace:

    # set LD_LIBRARY_PATH and alias
    if [ `echo ${LD_LIBRARY_PATH:-} | grep -c $AREPROOT` = 0 ]
    then
    export LD_LIBRARY_PATH=${AREPROOT}/lib:${LD_LIBRARY_PATH:-/usr/lib}
    fi
    alias repctl=$AREPROOT/bin/repctl

    With:

    # set LD_LIBRARY_PATH and alias
    if [ `echo ${LD_LIBRARY_PATH:-} | grep -c $AREPROOT` = 0 ]
    then
    export AT_ORIG_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
    export PATH=${AREPROOT}/bin:${PATH}
    export LD_LIBRARY_PATH=${AREPROOT}/lib:${LD_LIBRARY_PATH:-/usr/lib}
    fi
    alias repctl=$AREPROOT/bin/repctl


  4. Create a script file named kinit in /opt/attunity/replicate/bin as follows (the arguments are forwarded as "$@" so that a keytab path containing spaces reaches the real kinit intact):

    #!/bin/sh
    # Restore the library path saved by arep_login.sh so the system kinit
    # loads the system Kerberos libraries rather than the ones shipped with Replicate.
    LD_LIBRARY_PATH=$AT_ORIG_LD_LIBRARY_PATH
    export LD_LIBRARY_PATH
    /usr/bin/kinit "$@"

  5. Create a script file named klist in /opt/attunity/replicate/bin as follows:

    #!/bin/sh
    LD_LIBRARY_PATH=$AT_ORIG_LD_LIBRARY_PATH
    export LD_LIBRARY_PATH
    /usr/bin/klist "$@"

  6. Create a script file named kdestroy in /opt/attunity/replicate/bin as follows:

    #!/bin/sh
    LD_LIBRARY_PATH=$AT_ORIG_LD_LIBRARY_PATH
    export LD_LIBRARY_PATH
    /usr/bin/kdestroy "$@"

  7. Run the following commands to make the three wrapper scripts executable:

    cd /opt/attunity/replicate/bin
    chmod 777 kinit klist kdestroy

  8. Disconnect from the machine and then reconnect (or restart the PuTTY session). This is required in order to clear the LD_LIBRARY_PATH environment variable, which is set by the arep_login.sh script.

  9. Start the Replicate service as described in Starting and stopping a Replicate instance.
  10. Add the following internal parameter in the endpoint's Advanced tab:

    krbMITBin

    Set the value to the Replicate bin directory (default /opt/attunity/replicate/bin).
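The wrapper scripts from steps 4 to 7, generated by one function instead of typed three times, together with a check that step 3 was applied. This is an added example, not the vendor's script; it assumes the default Replicate bin directory and /usr/bin for the system Kerberos tools, both overridable from the environment.

```shell
#!/bin/sh
# Added example, not part of the Qlik documentation. It generates the kinit,
# klist and kdestroy wrappers from steps 4-7, forwarding arguments as "$@" so
# a keytab path containing spaces survives intact.
# Assumed locations; override them for a non-default installation.
REPLICATE_BIN="${REPLICATE_BIN:-/opt/attunity/replicate/bin}"
SYSTEM_KRB_BIN="${SYSTEM_KRB_BIN:-/usr/bin}"

# make_wrapper DIR NAME TOOL: write DIR/NAME, which restores the library path
# saved by arep_login.sh (AT_ORIG_LD_LIBRARY_PATH) before exec'ing TOOL, so the
# system Kerberos binary loads the system krb5 libraries rather than the older
# ones shipped in ${AREPROOT}/lib.
make_wrapper() {
    dir="$1"; name="$2"; tool="$3"
    # printf keeps UNIX line endings; the $ in the body is left unexpanded.
    printf '%s\n' \
        '#!/bin/sh' \
        'LD_LIBRARY_PATH=${AT_ORIG_LD_LIBRARY_PATH:-}' \
        'export LD_LIBRARY_PATH' \
        "exec $tool \"\$@\"" > "$dir/$name"
    chmod 755 "$dir/$name"      # executable, but not world-writable
}

# Check that arep_login.sh was edited as in step 3: without the saved original
# path the wrappers would run the tool with an empty LD_LIBRARY_PATH.
arep_login_saves_orig_path() {
    grep -q '^export AT_ORIG_LD_LIBRARY_PATH=' "$1/arep_login.sh"
}

install_wrappers() {
    dir="$1"; sysbin="$2"
    for t in kinit klist kdestroy; do
        make_wrapper "$dir" "$t" "$sysbin/$t"
    done
}

# Run only when saved and executed as install_krb_wrappers.sh, not when sourced.
if [ "${0##*/}" = "install_krb_wrappers.sh" ]; then
    arep_login_saves_orig_path "$REPLICATE_BIN" || exit 1
    install_wrappers "$REPLICATE_BIN" "$SYSTEM_KRB_BIN"
fi
```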

Using Kerberos authentication on Windows

Before beginning, make sure that the impersonated user (principal) is granted read and write permissions on the Replicate Data directory (<product_dir>\Data by default) on the Qlik Replicate server. For Active Directory KDC, the impersonated user is the user configured in the user interface. For MIT KDC, this is the Windows user to which the MIT principal is mapped.

To set up Kerberos authentication on Windows:

Perform the following steps to ensure that the impersonated user (principal) has the Log on as a batch job privilege on the Qlik Replicate server.

  1. On the Qlik Replicate server, open the Local Security Settings (Control Panel > System Security > Administrative Tools > Local Security Policy).

    The Local Security Policy Settings with "Log on as a batch job" selected

  2. In the console tree, expand Local Policies and select User Rights Assignments.
  3. In the details pane, double-click Log on as a batch job.
  4. In the Log on as a batch job Properties dialog box, on the Local Security Settings tab, verify that the respective user is listed. If it is not listed, click Add User or Group, then add the user and click OK.

    The "Log on as a batch job" Properties window with "Administrators", "Backup Operators", and "Performance Log Users" available as Users and Groups.

    Your changes should take effect immediately.

MIT Kerberos

If MIT Kerberos is set in one of the endpoints, you need to perform the following steps to allow the Qlik Replicate server process to keep a specific privilege on startup. By default, Qlik Replicate server drops all privileges on startup. These steps are not required if you use Active Directory KDC.

  1. Open the Windows registry (regedit.exe).
  2. Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Qlik\Qlik Replicate\Services\AttunityReplicateServer

  3. Modify the PrivilegesKeep string to include the value SeTcbPrivilege.
  4. Close the Registry Editor window.
  5. Start the Qlik Replicate Server service.