The management stack uses sshj+gssapi to pass already-generated Kerberos tickets to the Kerberized sshd on the source/target side if prompted to do so by the end-user passing a Kerberized environment user to existing wrapper functions.

The only thing changing from password-based or regular passwordless SSH authentication is the authentication step. Command execution remains unchanged.

SAP ASE, Oracle, and DB2 Connections

Delphix connects to SAP ASE, Oracle, and DB2 instances using the two listed mechanisms below. This example configuration uses an SAP ASE instance.

  • via isql process

  • via the jConnect JDBC driver

When connecting via isql Delphix uses the “-V” parameter rather than specifying a username/password. The “-V” option uses the Kerberos principal in the current user’s cached credentials file. Delphix relies on the end customer to configure this appropriately for their environment (for example, the cached credentials could be populated by a PAM module during login). Delphix also expects that the KRB5CCNAME is set appropriately or the credential cache is in the host default location.

When connecting via JDBC, Delphix uses additional connection options: REQUEST_KERBEROS_SESSION=true&SERVICE_PRINCIPAL_NAME=<ASE Instance SPN>. By default, the instance Service Principal Name (SPN) is identical to the instance name for authentication. Delphix allows the instance SPN to be manually set on a per-repository basis to allow for non-default values. The jConnect JDBC driver connects using the cached credentials that were obtained as described in the Shared infrastructure/Ticket Management section.

For example, if the instance name is ASE_INSTANCE_1 and has been configured to use REALM.COM, then the instance will attempt to authenticate with the KDC using ASE_INSTANCE_1@REALM.COM. However, this is configurable and can be specified either via an environment variable or a command-line option to the data server process. If an environment variable is used to configure the SPN, the instance must be manually discovered via web service APIs or the Delphix CLI.

Related Topics