Enable Kerberos You can use Ambari to enable Kerberos for your Cloudera Cybersecurity Platform (CCP) environment. Checklist: Installing and Configuring the KDCAmbari is able to configure Kerberos in the cluster to work with an existing MIT KDC, or existing Active Directory installation. This section describes the steps necessary to prepare for this integration.Optional: Install a new MIT KDCThe following gives a very high level description of the KDC installation process. Optional: Use an Existing IPAYou can use an existing FreeIPA setup with Kerberos.Install the JCE for KerberosBefore enabling Kerberos in the cluster, you must deploy the Java Cryptography Extension (JCE) security policy files on the Ambari Server and on all hosts in the cluster, including the Ambari Server. If you are using OpenJDK, some distributions of the OpenJDK (such as RHEL/CentOS and Ubuntu) come with unlimited strength JCE automatically and therefore, installation of JCE is not required.Launch the Kerberos Wizard (Automated Setup)Choose the Kerberos Wizard Automated Setup if you will use an existing MIT KDC or Active Directory, as opposed to managing Kerberos principals and keytabs manually.Set up TGT RenewalApache Storm does not handle automatic TGT renewal for running topologies. As a result, you must manage the TGT renewal process to ensure that your access does not expire. HCP includes a Python script you can use to manage the TGT renewal process. Run the script on an interval that is shorter than the renew_lifetime property configured for your TGT.
