Configuring the agent to work with Kerberos

With the Kerberos integration, you can communicate securely over an insecure network by leveraging the Kerberos Authentication Protocol for submitting jobs on dynamic agents.

To configure Kerberos, you can use the Kerberos.ini template file available on dynamic agents in TWS/integrations/bin, as follows:
  1. Copy the libKerberos<version_number>.so library file to <installation_directory>/TWS/bin as the same user that installed the agent. On UNIX systems, set the file permissions to 755.
  2. Copy the template file to one of the following paths, depending on your operating system:
    On Windows operating systems
    installation_directory\ITA\cpa\config
    On UNIX operating systems
    TWA_DATA_DIR/ITA/cpa/config
  3. Fill in the parameters listed in Configuring the integration using the Kerberos.ini file as required.
  4. Browse to the JobManager.ini file, located in one of the following paths, depending on your operating system:
    On Windows operating systems
    installation_directory\ITA\cpa\config
    On UNIX operating systems
    TWA_DATA_DIR/ITA/cpa/config
  5. Add the following keys to the NativeJobLauncher section in the JobManager.ini file:
    AuthMethod
    The full path to the libKerberos<version_number>.so library file.
    IsAuthMethodMandatory
    The behavior in case the authentication fails. The default value is false: if Kerberos authentication fails, the job continues with the authentication methods provided by the service in use, for example, by requesting the user and password required by SSH. If you set this key to true and Kerberos authentication fails, the job fails.
  6. Start all processes on the dynamic agent by running the StartUpLwa command.
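
A read-only check of the keys from step 5, added here as an example and not part of the product or its documentation. It flags an AuthMethod value that is not a full path or that points to a missing or group/world-writable library (step 1 sets 755), and an IsAuthMethodMandatory value other than true, which lets a failed Kerberos authentication fall back to other methods. The function name, the sample path and the "key = value" file syntax are assumptions.

```python
import configparser
import os
import stat

# Constructed sample; the "key = value" layout and the path are assumptions.
SAMPLE_JOBMANAGER_INI = """\
[NativeJobLauncher]
AuthMethod = /opt/example/TWS/bin/libKerberos.so
IsAuthMethodMandatory = false
"""


def audit_native_job_launcher(ini_text, check_file=True):
    """Return a list of findings for the Kerberos keys in [NativeJobLauncher]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ini_text)
    if not parser.has_section("NativeJobLauncher"):
        return ["NativeJobLauncher section missing"]
    section = parser["NativeJobLauncher"]
    findings = []

    lib = section.get("AuthMethod", "").strip()
    if not lib:
        findings.append("AuthMethod not set: Kerberos library is not configured")
    elif not os.path.isabs(lib):
        findings.append("AuthMethod is not a full path: " + lib)
    elif check_file:
        try:
            mode = os.stat(lib).st_mode
            # 755 leaves write access to the owner only.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("library is group/world-writable (expected 755): " + lib)
        except OSError:
            findings.append("AuthMethod points to a missing file: " + lib)

    # Conservative: only the literal value "true" counts as enforced.
    if section.get("IsAuthMethodMandatory", "false").strip() != "true":
        findings.append("IsAuthMethodMandatory is not true: a failed Kerberos "
                        "authentication falls back to other methods")
    return findings


if __name__ == "__main__":
    for finding in audit_native_job_launcher(SAMPLE_JOBMANAGER_INI, check_file=False):
        print("FINDING:", finding)
```

Pass the contents of the agent's JobManager.ini as ini_text; check_file=False skips the file-system checks when the library path is not reachable from where the check runs.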

Configuring the integration using the Kerberos.ini file

The Kerberos.ini file is located in TWS/integrations/bin.

You can configure the following properties in the Kerberos.ini file:

Kerberos.Config section
UseDefaultCCache
The credentials cache to be used for storing intermediate objects. The default value is false: a cache file is automatically assigned by the libKerberos.so library for each job. If you set it to true, Kerberos defines the cache location.
KDCConnectionRetryAttempts
The number of times HCL Workload Automation retries to authenticate with Kerberos, in case the first attempt fails. The default value is 0, which means the integration tries to authenticate a single time and performs no further attempts.
KDCConnectionRetryInterval
The time interval in seconds HCL Workload Automation waits before sending a new authentication request to Kerberos. The default value is 5 seconds.

Kerberos.InitCredsOpts section

The following properties are internal Kerberos properties. If you specify a value, it overrides the corresponding setting on Kerberos. If you leave the property blank, the value defined on Kerberos applies. For more information about these properties, see the Kerberos documentation.
Proxiable
Whether credentials should be proxiable.
Forwardable
Whether the credentials should be forwardable.
TicketLifetime
The default lifetime for initial ticket requests.

Kerberos.Logging.cclog section

Most of the properties in this section are reserved for internal use and should not be changed. You can configure the following properties:
Kerberos.trfl.level
Determines the type of trace messages that are logged. Change this value to trace more or fewer events, as appropriate, or on request from Software Support. The default value is 3000, which means minimum trace information is captured. To enable the maximum level of tracing, set this property to 1000.
Kerberos.trhd.maxFileBytes
The maximum size that the trace file can reach. The default value is 10240000 bytes.
Kerberos.trhd.maxFiles
The maximum number of trace files that can be stored. The default value is 5.

User management

The integration supports two authentication modes:
  • You can specify the same user for authenticating to Kerberos and running the job.
  • You can specify a user for authenticating to Kerberos and a different user for running the job. In this case, when you create the job definition from the Workload Designer or Graphical Designer, specify both users in the Credentials tab of the job definition with the following syntax:
    job_user/kerberos_user
    where
    job_user
    Is the user running the job
    kerberos_user
    Is the user authenticating to Kerberos

What to do next

After configuring Kerberos, you can proceed to create job definitions as usual. When you specify a user in the job definition, the Kerberos Authentication Protocol is applied.

The job can run only on the dynamic agent on which you have configured Kerberos.