Shared Infrastructure/Ticket Management

The Delphix Engine (DE) uses a single Kerberos principal that is shared by all connections it makes to a target host (SSH, ASE JDBC, etc.).

Overview of the Authentication Process

  1. The client acquires a Ticket Granting Ticket (TGT) from the Kerberos Key Distribution Center (KDC) (e.g., kinit <principal>) and stores it in a local credential cache.

  2. The client uses the cached TGT from step 1 to authenticate with the target (e.g., SSH or JDBC authentication via GSSAPI, which reads the cached credentials, requests a service ticket for the target from the KDC, and presents it).

Kerberos Master/Slave KDCs

Kerberos supports a master/slave (primary/replica) deployment with multiple KDCs running on different hosts. This is used for High Availability (HA) or to provide faster service from a nearby KDC in geographically dispersed network environments. Delphix accepts a list of KDCs for the Kerberos realm to which it has been joined, so the engine can fall back to another KDC if one is unreachable.

Delphix Infrastructure to Support the Authentication Process

Kerberized Environment User

Delphix has introduced a KerberosCredential type that indicates the global Kerberos principal to be used for authentication, rather than user-specific credentials.

Keytab Based Authentication

kinit can acquire tickets using a keytab file instead of a password. This is similar in principle to key-based (passwordless) SSH authentication and allows Delphix to operate in the customer's environment without storing any passwords on the Delphix Engine. It does, however, tie Delphix to the customer's key-rotation policy for that principal: a keytab holds the principal's long-term key, so whenever the principal's password or key version (kvno) is changed on the KDC the stored keytab stops working until a new one is uploaded.

The Delphix Engine runs a background thread that periodically checks the expiry of the cached Kerberos credentials. If they have expired, or are about to (see Default Behavior below), it calls kinit with the stored keytab to obtain a new TGT.

Keytab File Storage

Keytab file data is sent to the web service API as a Base64-encoded string. The engine decodes it back to the binary keytab file and persists it on local storage owned by the root user. Because a keytab is equivalent to the principal's long-term key, any account that can read the file can obtain tickets as the global Delphix principal, so the file must not be readable by anyone other than root.
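The following is an added example of the upload path described above; it is not Delphix's own code. It decodes the Base64 payload, parses the MIT version 2 keytab format to confirm the file actually carries a key for the expected global principal (and to report each entry's kvno, which is what the customer's rotation policy changes), and writes it so that the key bytes are never exposed with permissive modes, even briefly. The principal name, file path and key bytes in demo() are constructed for illustration.

```python
import base64
import os
import stat
import struct
import tempfile

# MIT keytab file format, version 2 (all integers big-endian).
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab.

    Key material is skipped over, not returned: the caller only needs to know
    which principals and key versions the file carries.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab (bad magic)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen           # skip over the key bytes themselves
        vno = vno8
        if end - pos >= 4:        # optional 32-bit kvno; overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                vno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, vno, enctype))
    return entries


def build_keytab_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry; used here only to construct sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def store_keytab(b64_data, dest_path, expected_principal):
    """Decode an uploaded Base64 keytab, verify it, and persist it root-only.

    Returns the parsed entries. Raises ValueError if the data is not a keytab
    or carries no key for expected_principal.
    """
    raw = base64.b64decode(b64_data, validate=True)
    entries = parse_keytab(raw)
    if expected_principal not in {p for p, _, _ in entries}:
        raise ValueError("keytab has no key for %s" % expected_principal)
    # mkstemp creates the file with mode 0600 from the start, so the key bytes
    # are never readable by other users; os.replace makes the swap atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(raw)
            f.flush()
            os.fsync(f.fileno())
        if os.geteuid() == 0:     # only root can chown; skipped when run unprivileged
            os.chown(tmp, 0, 0)
        os.replace(tmp, dest_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return entries


def demo():
    """Constructed keytab (hypothetical principal and keys) round-tripped through store_keytab."""
    principal = "delphix/engine@EXAMPLE.COM"
    keytab = (KEYTAB_MAGIC
              + build_keytab_entry(principal, 3, 18, b"\x11" * 32)   # aes256-cts-hmac-sha1-96
              + build_keytab_entry(principal, 3, 17, b"\x22" * 16))  # aes128-cts-hmac-sha1-96
    payload = base64.b64encode(keytab).decode()
    path = os.path.join(tempfile.mkdtemp(), "delphix.keytab")
    entries = store_keytab(payload, path, principal)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:                          # an upload for the wrong principal must be rejected
        store_keytab(payload, path, "other@EXAMPLE.COM")
        rejected = False
    except ValueError:
        rejected = True
    return entries, mode, rejected
```

Checking the principal before persisting catches a keytab exported for the wrong account at upload time rather than at the next failed refresh, and the kvno in each entry is worth logging so a later "kinit: Password incorrect" after a rotation is easy to diagnose.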

Default Behavior

Default Kerberos ticket refresh configuration:

  • Every hour, Delphix checks whether the cached TGT for the global Delphix principal needs to be refreshed.

  • The cached TGT is refreshed if it expires in less than two hours.

  • These default values can be changed by Delphix Support.
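As an added example (not Delphix's own implementation), the following Python puts together the two-step process from the overview and the background refresh thread with the defaults above: it reads the TGT expiry from klist output, decides whether the ticket is within the refresh window, and if so runs kinit against the stored keytab. It assumes MIT Kerberos command-line syntax and the klist timestamp format of the C locale; the principal, realm and keytab path in the main block are hypothetical, and SAMPLE_KLIST is constructed output for testing the parser offline.

```python
import re
import subprocess
import time
from datetime import datetime, timedelta

# Defaults from the page: look every hour, renew when under two hours remain.
CHECK_INTERVAL = timedelta(hours=1)
REFRESH_THRESHOLD = timedelta(hours=2)
# Timestamp formats printed by MIT klist in the C locale (assumption; Heimdal differs).
KLIST_DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")

# Constructed klist output used only to exercise the parser.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_delphix
Default principal: delphix@EXAMPLE.COM

Valid starting       Expires              Service principal
08/10/2024 10:00:00  08/10/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/17/2024 10:00:00
08/10/2024 10:05:12  08/10/2024 20:00:00  host/db01.example.com@EXAMPLE.COM
"""


def parse_tgt_expiry(klist_output, realm):
    """Return the expiry of the TGT for `realm` from klist output, or None if absent."""
    tgt = "krbtgt/%s@%s" % (realm, realm)
    line_re = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+" + re.escape(tgt) + r"$")
    for line in klist_output.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue
        for fmt in KLIST_DATE_FORMATS:
            try:
                return datetime.strptime(m.group(2), fmt)
            except ValueError:
                continue
        raise ValueError("unrecognised klist timestamp: %r" % m.group(2))
    return None


def needs_refresh(expiry, now, threshold=REFRESH_THRESHOLD):
    """True if there is no TGT, it has already expired, or it expires within `threshold`."""
    return expiry is None or expiry - now < threshold


def kinit_from_keytab(keytab, principal, cache=None):
    """Step 1 of the overview, non-interactively: acquire a TGT with the keytab (MIT kinit)."""
    cmd = ["kinit", "-k", "-t", keytab, principal]
    if cache:
        cmd[1:1] = ["-c", cache]
    subprocess.run(cmd, check=True)


def check_once(keytab, principal, realm, cache=None, now=None):
    """One iteration of the background thread. Returns True if kinit was run."""
    cmd = ["klist"] + (["-c", cache] if cache else [])
    res = subprocess.run(cmd, capture_output=True, text=True)
    # A non-zero exit (no cache, unreadable cache) is treated like a missing TGT.
    expiry = parse_tgt_expiry(res.stdout, realm) if res.returncode == 0 else None
    if not needs_refresh(expiry, now or datetime.now()):
        return False
    kinit_from_keytab(keytab, principal, cache)
    return True


if __name__ == "__main__":
    # Hypothetical values; replace with the engine's principal and keytab path.
    while True:
        check_once("/etc/delphix.keytab", "delphix@EXAMPLE.COM", "EXAMPLE.COM")
        time.sleep(CHECK_INTERVAL.total_seconds())
```

Note that the two-hour threshold must exceed the one-hour check interval, otherwise a ticket can expire between checks; with the defaults above the worst case leaves at least an hour of validity after a check that declined to refresh. Step 2 of the overview needs no code here: once the cache holds a valid TGT, ssh -o GSSAPIAuthentication=yes and a GSSAPI-enabled JDBC driver pick it up from the cache.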