Configure Kerberos authentication for Automation Orchestrator plug-ins

You can use Kerberos authentication for Automation Orchestrator plug-ins.

Configure the krb5.conf file

  1. Create or edit the krb5.conf file at /data/vco/usr/lib/vco/app-server/conf/.
    A krb5.conf file has the following structure:

        [libdefaults]
          default_realm = YOURDOMAIN.COM

        [realms]
          YOURDOMAIN.COM = {
            kdc = dc.yourdomain.com
            default_domain = yourdomain.com
          }

        [domain_realm]
          .yourdomain.com=YOURDOMAIN.COM
          yourdomain.com=YOURDOMAIN.COM

    The krb5.conf file must contain the following configuration parameters with their values.

    Kerberos configuration tag - Details
    default_realm - The default Kerberos realm that a client uses to authenticate against an Active Directory server. Must be in uppercase letters.
    kdc - The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
    default_domain - The default domain that is used to produce a fully qualified domain name. This tag is used for Kerberos 4 compatibility.

    To allow ticket forwarding to other external systems, add the forwardable = true flag. For additional information, see the Oracle documentation on the krb5.conf file.
    By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, you must set the udp_preference_limit parameter to the value 1.
    Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address.
    When you add or modify the krb5.conf file, you must restart the Automation Orchestrator server service.
    If you have a clustered Automation Orchestrator environment, make sure that the krb5.conf file exists in all three appliances with the same configuration before you restart the Automation Orchestrator pods.
  2. Change permissions.
    chmod 644 krb5.conf
  3. Redeploy the Automation Orchestrator pod. First, list the pods:
    kubectl -n prelude get pods
    Look for an entry similar to vco-app-<ID>.
  4. Destroy the pod.
    kubectl -n prelude delete pod vco-app-<ID>
    A new pod is automatically deployed to replace the pod you destroyed.
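The following script is an added example, not part of the original documentation or of the product. It parses a krb5.conf of the shape shown in step 1 and reports anything that contradicts the requirements listed there: a default_realm in uppercase, a kdc given as an FQDN rather than an IP address or short name, a matching [realms] block with default_domain, a [domain_realm] section, udp_preference_limit = 1 when TCP-only operation is wanted, and the 0644 mode from step 2. Running it against the file before deleting the pod catches these mistakes without a restart cycle. The embedded sample configuration, the file-mode rule and all function names are this example's own; the appliance path is the one quoted in step 1.

```python
"""Pre-flight check for an Automation Orchestrator krb5.conf (added example, not VMware code)."""
import os
import re
import stat
import sys

# Constructed sample following the page's template, plus the optional TCP-only and forwardable flags.
GOOD_KRB5_CONF = """
[libdefaults]
  default_realm = YOURDOMAIN.COM
  forwardable = true
  udp_preference_limit = 1   # TCP only
[realms]
  YOURDOMAIN.COM = {
    kdc = dc.yourdomain.com
    default_domain = yourdomain.com
  }
[domain_realm]
  .yourdomain.com=YOURDOMAIN.COM
  yourdomain.com=YOURDOMAIN.COM
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_BLOCK_OPEN = re.compile(r"^([^=\s]+)\s*=\s*\{$")
_KEY_VALUE = re.compile(r"^([^=\s]+)\s*=\s*(.+)$")

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'REALM = { ... }' blocks become nested dicts.
    Covers what the page uses: [section] headers, key = value (spaces optional), one level of { }, '#'/';' comments."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if m := _SECTION.match(line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif section is None:
            raise ValueError(f"setting outside any [section]: {line!r}")
        elif line == "}":
            if block is None:
                raise ValueError("'}' without an open block")
            block = None
        elif m := _BLOCK_OPEN.match(line):
            block = section.setdefault(m.group(1), {})
        elif m := _KEY_VALUE.match(line):
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if block is not None:
        raise ValueError("unterminated { block")
    return conf

def _is_fqdn(host):
    """Dotted host name with a non-numeric last label: rules out short names and IPv4/IPv6 literals."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and not labels[-1].isdigit()

def check_krb5_conf(conf, require_tcp_only=False):
    """Return a list of findings; an empty list means the file meets the page's rules."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"[libdefaults] default_realm {realm!r} must be present and in uppercase")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        findings.append(f"[realms] no {{ }} block for the default realm {realm!r}")
    else:
        for key in ("kdc", "default_domain"):
            if key not in realm_block:
                findings.append(f"[realms] {realm}: {key} is missing")
        kdc = realm_block.get("kdc", "")
        if kdc and not _is_fqdn(kdc):
            findings.append(f"[realms] {realm}: kdc {kdc!r} must be an FQDN, not an IP or short name")
    if "domain_realm" not in conf:
        findings.append("[domain_realm] section is missing")
    if require_tcp_only and libdefaults.get("udp_preference_limit") != "1":
        findings.append("[libdefaults] udp_preference_limit = 1 is required for TCP-only operation")
    return findings

def mode_findings(st_mode):
    """Findings for a file mode; step 2 sets 0644 (owner read/write, everyone else read-only)."""
    perm = stat.S_IMODE(st_mode)
    return [] if perm == 0o644 else [f"mode is {perm:04o}; expected 0644 (chmod 644 krb5.conf)"]

def check_krb5_file(path, require_tcp_only=False):
    """Check a krb5.conf on disk: permissions first, then contents."""
    with open(path, encoding="utf-8") as fh:
        conf = parse_krb5_conf(fh.read())
    return mode_findings(os.stat(path).st_mode) + check_krb5_conf(conf, require_tcp_only)

if __name__ == "__main__":  # usage: python krb5_check.py /data/vco/usr/lib/vco/app-server/conf/krb5.conf
    problems = check_krb5_file(sys.argv[1], require_tcp_only=True)
    print("\n".join(problems) or f"{sys.argv[1]}: OK")
    sys.exit(1 if problems else 0)
```

The parser deliberately covers only the syntax the page shows; a krb5.conf that uses includes or nested blocks will raise rather than be silently misread, which is the safer failure for a pre-flight check. The exit status makes it usable from a deployment script on each appliance before the pods are restarted.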

Enable Kerberos debug logging

You can troubleshoot Automation Orchestrator plug-in problems by modifying the Kerberos configuration file used by the plug-in.
The Kerberos configuration file is located in the /data/vco/usr/lib/vco/app-server/conf/ directory of the Automation Orchestrator Appliance.
  1. Log in to the Automation Orchestrator Appliance command line as root.
  2. Run the kubectl -n prelude edit deployment vco-app command.
  3. In the deployment file, locate the -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf string and append -Dsun.security.krb5.debug=true to it, so that it reads:
    -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf -Dsun.security.krb5.debug=true
  4. Save the changes and exit the file editor.
  5. Run the kubectl -n prelude get pods command. Wait until all pods are running.
  6. To monitor the Kerberos login, run the following command.
    tail -f /services-logs/prelude/vco-app/console-logs/vco-server-app.log
  7. Alternatively, you can enable debug logging in the Automation Orchestrator configurator by adding the sun.security.krb5.debug = true system property.
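The following helper is an added example and is not part of the page or of the product. It performs the edit from step 3 on the JVM argument string: it places -Dsun.security.krb5.debug=true directly after the -Djava.security.krb5.conf argument, is idempotent if the flag is already present, refuses to act when the krb5.conf argument is absent (a sign that the wrong container spec is being edited), and can remove the property again so the verbose Kerberos debug output is switched off once troubleshooting is finished. How that argument string is embedded in the vco-app deployment manifest is not shown on this page, so the helper operates on the string only; the sample argument string is constructed for the example.

```python
"""Toggle -Dsun.security.krb5.debug=true in a JVM argument string (added example, not VMware code)."""
import shlex

KRB5_CONF_ARG = "-Djava.security.krb5.conf="   # the argument step 3 has you locate
KRB5_DEBUG_ARG = "-Dsun.security.krb5.debug="


def set_krb5_debug(jvm_args, enabled):
    """Return jvm_args with Kerberos debug logging switched on or off, idempotently.

    Any existing -Dsun.security.krb5.debug=... is dropped first, so calling this
    twice, or on a string that already carries the flag, gives the same result.
    """
    args = [a for a in shlex.split(jvm_args) if not a.startswith(KRB5_DEBUG_ARG)]
    if enabled:
        # Put the debug flag right after the krb5.conf flag, as step 3 shows.
        idx = next((i for i, a in enumerate(args) if a.startswith(KRB5_CONF_ARG)), None)
        if idx is None:
            raise ValueError(f"no {KRB5_CONF_ARG}... argument found; is this the vco-app deployment?")
        args.insert(idx + 1, KRB5_DEBUG_ARG + "true")
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed argument string in the shape shown in step 3; not taken from a real deployment.
    current = "-Xmx4g -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf"
    debug_on = set_krb5_debug(current, True)
    print(debug_on)
    print(set_krb5_debug(debug_on, False))  # back to the original once troubleshooting is done
```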