Configure Web Browser

Configure Web browsers for Kerberos enabled Big Data Service clusters.

After completing all tasks, the secure WebUIs in the cluster are accessible from the Windows client system.

Configuring the Web Browser to Access the Oozie Web Console or Any Other WebUIs

These steps apply to Windows OS and Mac with Mozilla Firefox to access WebUIs protected by Kerberos HTTP SPNEGO.
  1. Open the low level Firefox configuration page by loading the about:config page.
  2. Click the warranty warning to enter the Firefox configuration page.
  3. In the Search: box, enter network.negotiate-auth.trusted-uris.
  4. Double-click network.negotiate-auth.trusted-uris, and then enter the FQDN for the host supporting the role where the WebUI is launched.
    • If the NameNode WebUI is being launched, enter the FQDN of the servers with the NameNode role.
    • If the ResourceManager WebUI is being launched, enter the FQDN of the servers with the ResourceManager role.
    • If other hostnames are already in this field, create a comma-separated list of FQDNs for the hosts.
    • Another option is to enter the domain name of the hosts with the roles supporting the WebUIs of interest, in the form .<DOMAIN>. For example: .example.com. Separate multiple domains and hostnames with a comma.
  5. Click OK.
  6. Search for property network.auth.use-sspi in the search box.
    Note

    SSPI must be disabled when using MIT Kerberos because SSPI is native to Windows environments and it might not offer an equivalent authentication mechanism for MIT Kerberos environments.
  7. Double-click the property to toggle the value to False.
  8. The following optional updates might also be necessary in the Firefox configuration page (the about:config page). Complete the previous steps 1-7 for each.
    • network.negotiate-auth.delegation-uris
      1. List the sites to which the browser might delegate user authorization.
      2. Update with the domain (<DOMAIN>) of the sites to which the browser might delegate user authorization. (For example: .example.com)
    • network.negotiate-auth.using-native-gsslib
      1. To use the default GSSAPI library, set to False.
    • network.negotiate-auth.allow-non-fqdn

      To accept service domain names instead of FQDNs, set to True.

  9. When the changes are complete, restart the Firefox browser. You must restart all open Firefox windows. This completes setting up Firefox for SPNEGO.
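
The required preferences from steps 3-7 can also be written to a user.js file in each Firefox profile, which Firefox applies at startup. This is an added example, not part of the original procedure; the host names are constructed placeholders, and the profile location assumes a standard per-user Firefox installation on Windows.

```powershell
# Added example: writes the SPNEGO preferences from the steps above to user.js.
# Host names are constructed placeholders; replace them with the cluster's FQDNs.
# Values set in user.js override what is stored through about:config, so include
# any hosts that are already listed in network.negotiate-auth.trusted-uris.
$TrustedHosts = @('mn0.example.com', 'un0.example.com')

# Accept only an FQDN or a leading-dot domain, so that a typo cannot widen
# the set of sites that receive Negotiate (SPNEGO) tokens.
$pattern = '^\.?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
foreach ($h in $TrustedHosts) {
    if ($h -notmatch $pattern) { throw "Not an FQDN or .domain entry: $h" }
}

$prefs = @(
    'user_pref("network.negotiate-auth.trusted-uris", "{0}");' -f ($TrustedHosts -join ',')
    'user_pref("network.auth.use-sspi", false);'
)

# Update every Firefox profile of the current Windows user.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
    $userJs = Join-Path $_.FullName 'user.js'
    $kept = @()
    if (Test-Path $userJs) {
        # Keep unrelated preferences, drop earlier copies of the two set here.
        $kept = @(Get-Content $userJs | Where-Object {
            $_ -notmatch 'network\.negotiate-auth\.trusted-uris|network\.auth\.use-sspi'
        })
    }
    Set-Content -Path $userJs -Value ($kept + $prefs) -Encoding ASCII
    Write-Host "Updated $userJs"
}
```

The optional delegation-uris preference is left out on purpose; add it only for sites that need delegated credentials.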

Installing a Kerberos Client

These steps apply to Windows only.
  1. Download the MIT Kerberos for Windows from:

    http://web.mit.edu/kerberos/dist/

  2. Download the msi install file and double-click the file to start the setup wizard.
  3. Click Next, and then accept the license-agreement.
  4. Click Next, and then select Typical Setup.
    We recommend this for most users.
  5. Click Next.
  6. To start the installation, click Install.
  7. When the installation completes, click Finish.

Setting up Kerberos Credential Cache File

These steps are for Windows only.
  1. Create C:\temp on the Windows machine.
  2. Navigate to Control Panel > All Control Panel Items > System.
  3. Select Advanced system settings, and on the Advanced tab, select Environment Variables.
  4. Create the new KRB5CCNAME environment variable under System variables if it doesn't exist.
    Example:
    Variable name : "KRB5CCNAME"
    Variable Value : C:\temp\krb5cache
    Note

    An environment variable can be created under User variables or System variables. However, KRB5CCNAME must be created under System variables.
  5. To save the new variable and close all open windows, click OK.
    Note

    Don't restart the system at this point.

Setting up Kerberos Configuration File for Windows

  1. Copy /etc/krb5.conf from a cluster master host to the Windows system.
  2. Rename the file to krb5.ini and copy it to C:\ProgramData\MIT\Kerberos5.
  3. Confirm the KRB5_CONFIG environment variable is defined correctly. Make updates as needed.

    KRB5_CONFIG must point to the location of krb5.ini.

    1. On the Windows system navigate to Control Panel > System.
    2. Click Advanced system settings, and then on the Advanced tab, select Environment Variables.
    3. Create the new KRB5_CONFIG environment variable under System variables if it doesn't exist.
      Example:
      Variable name : "KRB5_CONFIG"
      Variable Value : C:\ProgramData\MIT\Kerberos5\krb5.ini
      Note

      An environment variable can be created under User variables or System variables. However, KRB5_CONFIG must be created under System variables.
    4. To save the new variable and close all open windows, click OK.
  4. Add all cluster master and utility nodes to the hosts file on the Windows client by updating C:\Windows\System32\Drivers\etc\hosts with the public IP addresses for the master nodes.
  5. To complete the environment variable updates, restart the Windows system.
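
The two Windows sections above (credential cache and configuration file) can be applied and checked from an elevated PowerShell prompt before the restart. This is an added example, not part of the original procedure; it assumes krb5.ini has already been copied into place and uses only the paths and variable names given in the steps.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Paths and variable names are the ones used in the steps above.
$cacheDir  = 'C:\temp'
$cacheFile = 'C:\temp\krb5cache'
$krb5Ini   = 'C:\ProgramData\MIT\Kerberos5\krb5.ini'

New-Item -ItemType Directory -Path $cacheDir -Force | Out-Null

# 'Machine' scope is what the Control Panel dialog calls "System variables".
[Environment]::SetEnvironmentVariable('KRB5CCNAME',  $cacheFile, 'Machine')
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $krb5Ini,   'Machine')

$problems = [System.Collections.Generic.List[string]]::new()

foreach ($name in 'KRB5CCNAME', 'KRB5_CONFIG') {
    if (-not [Environment]::GetEnvironmentVariable($name, 'Machine')) {
        $problems.Add("$name is not set under System variables")
    }
    # A User variable with the same name takes precedence over the System one.
    if ([Environment]::GetEnvironmentVariable($name, 'User')) {
        $problems.Add("$name is also set under User variables and overrides the System value")
    }
}

if (Test-Path $krb5Ini) {
    # Each kdc / admin_server host named in krb5.ini must resolve, which is
    # what the hosts file entries from step 4 provide.
    Select-String -Path $krb5Ini -Pattern '^\s*(kdc|admin_server)\s*=\s*([^:\s]+)' |
        ForEach-Object {
            $kdcHost = $_.Matches[0].Groups[2].Value
            try { [System.Net.Dns]::GetHostAddresses($kdcHost) | Out-Null }
            catch { $problems.Add("Cannot resolve $kdcHost (check the hosts file)") }
        }
} else {
    $problems.Add("$krb5Ini not found")
}

# The cache file will hold the ticket-granting ticket; list who can access its folder.
(Get-Acl $cacheDir).Access |
    Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Kerberos client settings match the procedure; restart Windows to apply them.'
}
```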

Setting up Kerberos Configuration File on a Mac

  1. Copy /etc/krb5.conf from a cluster master host to the Mac system.
  2. Add all cluster master and utility nodes to /etc/hosts on the Mac client by updating /etc/hosts with the public IP addresses for the master nodes.

Obtaining Kerberos Ticket

Obtaining the Kerberos Ticket on the Windows Client (Option 1)

There are two ways to authenticate the Kerberos ticket on a Windows client. This is the first option. See Obtaining the Kerberos Ticket on the Windows Client (Option 2) for option 2.
  1. On a Windows system, click Start, and then open the 'MIT Kerberos Ticket Manager' software from the list of programs.
  2. Click Get Ticket.
  3. Enter the Kerberos principal name and password.
  4. Save the username and password.

    The ticket is visible in the Ticket Manager tool.

Obtaining the Kerberos Ticket on the Windows Client (Option 2)

There are two ways to authenticate the Kerberos ticket on a Windows client. This is the second option. See Obtaining the Kerberos Ticket on the Windows Client (Option 1) for option 1.
  1. Authenticate the Kerberos principal using the newly created keytab:
    >C:\"Program Files"\MIT\Kerberos\bin\kinit.exe -kt <PATH>\<KERBEROS_PRINCIPAL>.keytab <KERBEROS_PRINCIPAL>
  2. Verify a valid ticket was created. Example of successful output:
    >C:\"Program Files"\MIT\Kerberos\bin\klist.exe
    Ticket cache: FILE:C:\temp\krb5cache
    Default principal: <KERBEROS_PRINCIPAL>@<REALM>
    
    Valid starting     Expires            Service principal
    11/01/22 08:26:58  11/02/22 08:26:58  krbtgt/<DOMAIN>@<REALM>
            renew until 11/08/22 07:26:58

Obtaining the Kerberos Ticket on a Mac

  1. Get the principal name using:
    # klist -kt <KEYTAB>
  2. Create a token on the client machine.
    # kinit -kt <KEYTAB> <PRINCIPAL_NAME>

Enabling the Oozie Web Console

Enabling the Oozie Web Console in a Kerberos enabled ODH cluster requires additional steps.