Configuring the Kerberos authentication
by Daniel Langenhan
VMware vRealize Orchestrator Cookbook - Second Edition
- VMware vRealize Orchestrator Cookbook Second Edition
- VMware vRealize Orchestrator Cookbook Second Edition
- Credits
- About the Author
- About the Reviewers
- www.PacktPub.com
- Preface
- 1. Installing and Configuring Orchestrator
- 2. Optimizing Orchestrator Configuration
- Introduction
- Tuning the appliance
- Tuning Java
- Configuring the Kerberos authentication
- Configuring access to the local filesystem
- Configuring the Orchestrator service SSL certificate
- Orchestrator log files
- Redirecting Orchestrator logs to an external server
- Backup and recovery
- Control Center titbits
- 3. Distributed Design
- Introduction
- Building an Orchestrator cluster
- Load-balancing Orchestrator
- Upgrading a cluster
- Managing remote Orchestrators
- Synchronizing Orchestrator elements between Orchestrator servers
- 4. Programming Skills
- Introduction
- Version control
- Changing elements in a workflow
- Importing and exporting Orchestrator elements
- Working with packages
- Workflow auto documentation
- Resuming failed workflows
- Using the workflow debugging function
- Undelete workflows and actions
- Scheduling workflows
- Sync presentation settings
- Locking elements
- 5. Visual Programming
- 6. Advanced Programming
- Introduction
- JavaScript complex variables
- Working with JSON
- JavaScript special statements
- Turning strings into objects
- Working with the API
- Creating actions
- Waiting tasks
- Sending and waiting for custom events
- Using asynchronous workflows
- Scripting with workflow tokens
- Working with user interactions
- 7. Interacting with Orchestrator
- Introduction
- User management
- User preferences
- Using Orchestrator though the vSphere Web Client
- Accessing Orchestrator REST API
- Accessing the Control Center via the REST plugin
- Running Orchestrator workflows using PowerShell
- Using PHP to access the REST API
- 8. Better Workflows and Optimized Working
- 9. Essential Plugins
- 10. Built-in Plugins
- Introduction
- Working with XML
- Working with SQL (JDBC)
- Working with SQL (SQL plugin)
- Working with PowerShell
- Working with SOAP
- Working with Active Directory
- Working with SNMP
- Working with AMQP
- 11. Additional Plugins
- 12. Working with vSphere
- 13. Working with vRealize Automation
- Introduction
- Working with the vRA-integrated Orchestrator
- Automating a vRA instance in Orchestrator
- Configuring an external Orchestrator in vRA
- Adding Orchestrator as an infrastructure endpoint
- Adding an Orchestrator endpoint
- Integrating Orchestrator workflows as XaaS Blueprints
- Managing AD users with vRA
- Using the Event Manager to start workflows
This recipe shows how to configure the Kerberos authentication with Orchestrator. The Kerberos configuration is only needed for special plugins, such as PowerShell.
We just need administrative access to the Orchestrator operating system. You need to make sure that the clocks are in sync between Orchestrator and the KDC. See the Tuning the appliance recipe in this chapter. The domain in this example is called mylab.local and the AD server (KDC) is called central.mylab.local.
- Log in to the Orchestrator operating system with root.
- Edit the
/usr/java/jre-vmware/lib/security/krb5.conffile. You might have to create this file. - Add the following lines to the file. In the following example, replace
mylab.localwith your domain settings. Make sure that you use the same case as in the example:[libdefaults] default_realm = MYLAB.LOCAL udp_preference_limit = 1 [realms] MYLAB.LOCAL = { kdc = central.mylab.local default_domain = mylab.local } [domain_realm] .mylab.local= LAB.LOCAL mylab.local= MYLAB.LOCAL
- Make sure that the file is owned by root:root and has the rights
644. Execute thechmod 644 /usr/java/jre-vmware/lib/security/krb5.confcommand. - Save the file and then restart the Orchestrator service using either the Control Center or the Linux
service vco-server restartcommand.
Kerberos is an authentication protocol that uses tickets that allow systems to securely talk to each other.
Let's see how Kerberos works with a simple example. A client (Orchestrator) wants to communicate with a server (Windows host) securely. The client will communicate with a Key Distribution Center (KDC) to acquire a ticket. In Windows, the KDC is your AD controller, who then authenticates the login as a valid user and grants access. The KDC will then issue a ticket. This ticket is then used to login to the Windows server.
Configuration of the krb5.conf file is needed for Orchestrator in any version, as the connecting service is really the Java process and not the operating system underneath.
Since Windows 2000, Microsoft uses Kerberos as its main method for authentication. It is a secure method that uses encrypted communication and therefore the best choice for any production environment.
This recipe is especially important for the Working with PowerShell recipe in Chapter 10, Built in Plugins. The example workflow 02.03 Configure Kerberos.
-
No Comment