01/09/2014

Securing BigInsights environments with Kerberos authentication using Microsoft Active Directory and IBM WebSphere Application Server

Authors: Jeremy Langer, Laser Nahoom Kabakov, Roman Zeltser, Yifat Yulevich, Yu Gao

Table of Contents
Background
Topology Solution and hosts
Installation prerequisites
Step 1: Setting up the Linux machines
Step 2: Setting up IBM JDK and JCE
Step 3: Active Directory time synchronization
Step 4: Configuring Kerberos client
Step 5: Setting up the Linux users
Step 6: Create the SPN for WASService user
Step 7: Creating the Keytabs
Step 8: Connecting the Linux machines to the Active Directory domain
Step 9: Deploying keytab files to each of the nodes in the cluster
Step 10: Running BigInsights installer prechecker
Step 11: Install BigInsights
Step 12: Configure WebSphere Application server
Step 14: SSO Configurations
Step 15: Enabling Kerberos
Step 16: Configuring the Browser (Internet Explorer)
Step 17: Enable kerberos token delegation in WebSphere
Step 18: Map authorization roles to snoop application
Step 19: Adding authentication support for your code (Servlet)
Step 20: Enable Hbase and HDFS access from your application
Step 21: HDFS configuration in code
Step 22: Hbase configuration in code
Step 23: Enable webSphere to connect to your BigInsights installation
Step 24: Shared Library Definition
Step 25: Troubleshooting

Background:
Big Data environments are characterized by a multiplicity of technologies, distributed data repositories, and parallel computation systems with different deployment models. With all that complexity, organizations want to maintain data privacy and ensure that the data is not exposed to unauthorized parties.
Organizations also need a unified security mechanism that allows Single Sign-On and ensures that any service connected to the data cluster goes through authentication before it is permitted to access the data. Like other distributed systems, Big Data clusters share the same security weaknesses: a distributed system must verify that parties are who they claim to be, and must authenticate client applications before they join the cluster and access data that resides on federated systems.

This article describes the series of steps required to set up an IBM Big Data environment with WebSphere Application Server (WAS), using Kerberos for host validation and for authentication of client applications, both Java applications running on WAS and MapReduce jobs. The environment settings were based on the requirements of an IBM customer, as described in the next section of this article.

Requirements
The system requirements were:
• The system must manage a large number of documents and the metadata for those documents.
• The documents are classified into a variety of topics and categories.
• The system should handle many different document types (HTML, PDF, spreadsheets, etc.) originating from many different systems.
• The system should provide a federated search that considers the documents as well as the relevant topics associated with them.
• The document categories are mapped to different authorization groups; users belonging to those groups have access to the corresponding documents.
• Metadata is added to a document throughout the document's life cycle.

Architecture
The main building blocks of the solution are: IBM BigInsights for the Hadoop-based archive; IBM InfoSphere Streams for real-time analytics and repository loading; IBM Watson Explorer for federated search; IBM WebSphere Application Server for add-on services.
Figure 1 illustrates these building blocks and gives a high-level view of the components' functionality. The Proof of Concept (PoC) documented in this article demonstrates the ability to apply a single sign-on mechanism to a subset (marked in Figure 1) of the proposed environment, using Kerberos tickets to authenticate hosts, users and add-on services to the BigInsights Hadoop cluster.

Figure 1. Solution building blocks

Topology Solution and hosts

#  Function                                      Hostname                 OS
1  Domain controller (Active Directory)          bidom.iic.il.ibm.com     Windows 2008 R2
2  Windows desktop station joined to the domain  sdk-pc.iic.il.ibm.com    Windows 7
3  BigInsights 3.0 management node               bigcon.iic.il.ibm.com    Red Hat 6.3 Server
4  BigInsights 3.0 data node 1                   bigmg1.iic.il.ibm.com    Red Hat 6.3 Server
5  BigInsights 3.0 data node 2                   bigmg2.iic.il.ibm.com    Red Hat 6.3 Server
6  BigInsights 3.0 data node 3                   bigmg3.iic.il.ibm.com    Red Hat 6.3 Server
7  WebSphere Application Server 8.5.5            bigdn1.iic.il.ibm.com    Red Hat 6.3 Server
8  InfoSphere Streams 3.2.1                      bigdn2.iic.il.ibm.com    Red Hat 6.3 Server
9  Watson Explorer                               bigdn3.iic.il.ibm.com    Red Hat 6.3 Server

All host names must be all lower case, as specified here: http://www01.ibm.com/support/knowledgecenter/SSPT3X_3.0.0/com.ibm.swg.im.infosphere.biginsights.install.doc/doc/bi_install_generate_keytabs.html. Kerberos principal names are case-sensitive, so a host name whose case differs from the principal stored in the keytab fails authentication.

Option 1: use DNS (preferred). Make sure that the short name and the FQDN of each server resolve to the same IP address.

Option 2: use a hosts file (if DNS is not available). Hosts file for each of the computers in the solution (addresses shown as 10.10.xxx.yyy):

127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.xxx.yyy   bidom.iic.il.ibm.com    bidom
10.10.xxx.yyy   bigcon.iic.il.ibm.com   bigcon
10.10.xxx.yyy   bigmg1.iic.il.ibm.com   bigmg1
10.10.xxx.yyy   bigmg2.iic.il.ibm.com   bigmg2
10.10.xxx.yyy   bigmg3.iic.il.ibm.com   bigmg3
10.10.xxx.yyy   bigdn1.iic.il.ibm.com   bigdn1
10.10.xxx.yyy   bigdn2.iic.il.ibm.com   bigdn2
10.10.xxx.yyy   bigdn3.iic.il.ibm.com   bigdn3

Installation prerequisites:

Part 1: Setting up users and groups in Active Directory:

1. Service groups for BigInsights: gbiadmin, gbidataadmin, gbiappadmin, gbisysadmin, gbiuser

2. Service users for BigInsights (all lower case; password for each user = abc#123). For each of the following service names, create one user in the gbiadmin group per BigInsights node (for example biadmin1, biadmin2, ...): biadmin, alert, bigsql, catalog, console, hadoop, hbase, hdfs, hive, http, httpfs, mapred, monitoring, oozie, orchestrator, zookeeper. The password is a lab value; the key derived from it is what ends up in every keytab generated in Step 7, so treat the keytab files with the same care as the password.

Please note that the logon name of each user in Active Directory must be username/<machine_host>.<fqdn>.
Example for user biadmin:
Example for user biadmin1 (note the differences):

3. Service users for WebSphere and Streams: wasservice (group gbiadmin), streams (group gbiadmin)

4. Applicative groups:
Group0: name = "gsubjects" (master group that contains all of the groups below)
Group1: name = "gdevop"
Group2: name = "gprodop"
Group3: name = "gsellop"

5.
Applicative users (password = abc#123):
User1: name = lazy, group memberships: gdevop + gsellop
User2: name = roman, group memberships: gprodop
User3: name = yifat, group memberships: gdevop + gf attach + gprodop
User4: name = raul, group memberships: gdevop + gsellop
User5: name = eli, group memberships: gprodop + gsellop
User6: name = untrusted, group memberships: (empty)
User7: name = biguest, group memberships: (empty)

6. Editing wasservice: wasservice (the service user from the previous section) is a member of the gsubjects master group and of the gbiadmin group.

Step 1: Setting up the Linux machines:

In this guide we assume that the operating system is configured with a local or other yum repository.

1. Install the LDAP client (on each Linux node):
yum -y install openldap-clients

2. Install the DB2 prerequisites (on each Linux node):
yum -y install mksh.x86_64 libaio compat-libstdc++ pam.x86_64

3. Passwordless SSH for root
Configure passwordless SSH access to all machines in the cluster for the root user: append root's public key (the .pub file) to /root/.ssh/authorized_keys on every node, and make sure the key in authorized_keys is exactly the one in the .pub file. Test the configuration with ssh <your_server_name> and verify that no password is required. The BigInsights installer relies on this access; item 8 below restricts which accounts can log in over SSH.

4. Disable IPv6 on all nodes
In /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.ip_local_port_range = 1024 64000
In /etc/sysconfig/network:
NETWORKING_IPV6=no
In /etc/sysconfig/network-scripts/ifcfg-eth0:
IPV6INIT="no"

Disable the firewall:
chkconfig iptables off
service iptables stop
chkconfig ip6tables off
service ip6tables stop
reboot

Disable SELinux:
setenforce 0
Then modify the SELinux configuration file so that the setting survives a reboot:
vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Turning off iptables and SELinux removes two host-level controls; the PoC does this for simplicity. In production, keep the firewall and open only the ports the cluster needs, and prefer permissive mode to disabled while you investigate SELinux denials.

5. Create disks for the data store
BigInsights HDFS uses the internal disks for its data store. Each server in the cluster holds 6 disks, mounted under /media in a JBOD configuration.
• Create the mount points
mkdir -p /media/disk1
The remaining mount points are /media/disk2 to /media/disk6.
• Create the partitions
Each disk /dev/sdb to /dev/sdg gets a single partition spanning the whole disk, created with fdisk:
fdisk /dev/sdb
Press "d" to delete any existing partition
Press "n" to create a new partition
Press "p" for a primary partition
Press "1" for the partition number
Press Enter to accept the default first cylinder
Press Enter to accept the default last cylinder
Press "w" to write the new partition table
• Format the partitions
The partitions are formatted with the ext4 file system:
mkfs.ext4 /dev/sdb1
mkfs.ext4 /dev/sdc1
mkfs.ext4 /dev/sdd1
mkfs.ext4 /dev/sde1
mkfs.ext4 /dev/sdf1
mkfs.ext4 /dev/sdg1
• Mount the partitions
Mount the partitions on the /media mount points. The first mount point is:
mount /dev/sdb1 /media/disk1
The remaining disks follow the same pattern (/dev/sdX1 on /media/diskX):
mount /dev/sdc1 /media/disk2
• Update fstab
Make the mounts permanent by adding them to fstab:
vi /etc/fstab
Insert the mount points into the file:
/dev/sdb1  /media/disk1  ext4  defaults  0 0
/dev/sdc1  /media/disk2  ext4  defaults  0 0
/dev/sdd1  /media/disk3  ext4  defaults  0 0
/dev/sde1  /media/disk4  ext4  defaults  0 0
/dev/sdf1  /media/disk5  ext4  defaults  0 0
/dev/sdg1  /media/disk6  ext4  defaults  0 0

6. Configure sudo permissions for the admin user:
• Edit /etc/sudoers (with visudo, which checks the syntax) and comment out the Defaults requiretty line by prefixing it with #.
• Add the following line to /etc/sudoers, after the wheel entry:
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
biadmin ALL=(ALL) NOPASSWD: ALL
The tag is spelled NOPASSWD; with any other spelling sudo rejects the file.

7. Configure limits.conf on each BI node:
vi /etc/security/limits.conf
biadmin  hard  nofile  65536
biadmin  soft  nofile  65536
biadmin  hard  nproc   65536
biadmin  soft  nproc   65536
root     hard  nofile  65536
root     soft  nofile  65536
root     hard  nproc   65536
root     soft  nproc   65536

8. Configure PermitRootLogin in /etc/ssh/sshd_config on each BI node
Uncomment or enter the following values in /etc/ssh/sshd_config:
PermitRootLogin yes
AllowUsers biadmin root bigsql catalog
AllowUsers limits SSH logins to the listed accounts. Since item 3 already gives root key-based access, PermitRootLogin without-password (key-only root login) is the safer value and still satisfies item 3.

Step 2: Setting up IBM JDK and JCE:
Download and install the IBM JDK and the JCE unrestricted policy files on the Linux servers:
http://www.ibm.com/developerworks/java/jdk/linux/download.html (JDK 6.0 SR 16)
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk (JCE policy files)
On each Linux node run the following (based on the JDK version provided with the product):
• Remove OpenJDK and any other JDK that is not IBM JDK V6.0 SR 16.
• Run the JDK installer:
./ibm-java-x86_64-sdk-6.0-16.0.bin
• Edit /root/.bashrc so that the IBM JDK is first on the path:
PATH=/opt/ibm/java-x86_64-60/jre/bin/:$PATH:$HOME/bin:
• Make sure that "which java" and "which kinit" both resolve to the IBM JDK path (the IBM JDK ships its own kinit, and the one used must belong to the JDK the services run on).
• Unzip the JCE zip file and copy the extracted files to /opt/ibm/java-x86_64-60/jre/lib/security/
• Repack the modified /opt/ibm/java-x86_64-60 directory into /opt/ibm/ibm-java-sdk-6.0-16.0linux-x86_64.tar.gz and use it to replace the JDK shipped with the BigInsights installation binaries (the file name may differ with your JDK version):
cd /opt/ibm
tar -cvzf /opt/ibm/ibm-java-sdk-6.0-16.0linux-x86_64.tar.gz java-x86_64-60

Step 3: Active Directory time synchronization
Kerberos rejects tickets when the clock skew between client, KDC and service exceeds the allowed maximum (5 minutes by default), so every Linux node must keep its clock synchronized with the domain controller.

Step 4: Configuring Kerberos client
1. Install the Kerberos V5 client libraries on each of the Linux machines (7 total). Kerberos packages may be installed by default, but make sure that the appropriate packages are installed for the Kerberos client being configured:
$ yum -y install krb5-workstation krb5-libs krb5-auth-dialog
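Both name-resolution options from the Topology section come down to the same requirement on every node: each server's short name and FQDN must map to one address and be spelled in lower case, because a client builds the service principal it asks the KDC for (for example HTTP/bigdn1.iic.il.ibm.com) from the host name it resolves, and Kerberos compares principal names byte for byte. The script below is an added example, not part of the original guide: check_hosts_file validates a hosts file laid out as in the Topology section (one "IP FQDN short-name" line per node), and check_resolution performs the equivalent live check through the system resolver. The sample hosts file it builds uses placeholder addresses constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): validate the hosts file used
# for option 2 before any keytab is generated, and the live resolver for
# option 1. Every node must have a lower-case FQDN under the realm's DNS
# domain, a short name equal to the first label, and exactly one address.

# check_hosts_file FILE [DOMAIN]
# Prints one ERROR line per problem; returns 0 only when the file is clean.
check_hosts_file() {
    file=$1; domain=${2:-iic.il.ibm.com}; rc=0
    while read -r ip fqdn short rest; do
        # Skip blank lines, comments and the IPv4/IPv6 loopback entries.
        case "$ip" in ''|'#'*|127.0.0.1|::1) continue ;; esac
        if [ -z "$fqdn" ] || [ -z "$short" ]; then
            echo "ERROR: $ip: expected 'IP FQDN SHORTNAME'"; rc=1; continue
        fi
        # Kerberos does not fold case: BigCon and bigcon are different principals.
        if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]; then
            echo "ERROR: $fqdn: host names must be lower case"; rc=1
        fi
        # The FQDN must be under the domain mapped to the realm in [domain_realm].
        case "$fqdn" in
            *."$domain") ;;
            *) echo "ERROR: $fqdn: not in $domain"; rc=1 ;;
        esac
        # The short name must be the first label of the FQDN.
        if [ "$short" != "${fqdn%%.*}" ]; then
            echo "ERROR: $fqdn: short name '$short' does not match"; rc=1
        fi
    done < "$file"
    # Every name (short or FQDN) must map to exactly one address in the file.
    awk 'NF == 0 || $1 ~ /^#/ || $1 == "127.0.0.1" || $1 == "::1" { next }
         { for (i = 2; i <= NF; i++) {
               if (($i in addr) && addr[$i] != $1) dup[$i] = 1
               addr[$i] = $1 } }
         END { for (n in dup) { print "ERROR: " n " maps to more than one IP"; bad = 1 }
               exit (bad ? 1 : 0) }' "$file" || rc=1
    return $rc
}

# check_resolution FQDN: on a live node, confirm that the FQDN and its short
# name resolve to the same address through the system resolver (DNS or
# /etc/hosts), which is the option 1 requirement above.
check_resolution() {
    a=$(getent hosts "$1" | awk '{ print $1; exit }')
    b=$(getent hosts "${1%%.*}" | awk '{ print $1; exit }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sample_hosts_file: writes a constructed hosts file (placeholder addresses,
# not the PoC's real ones) to a temporary file and prints its path.
sample_hosts_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.10  bidom.iic.il.ibm.com   bidom
10.10.1.11  bigcon.iic.il.ibm.com  bigcon
10.10.1.12  bigmg1.iic.il.ibm.com  bigmg1
10.10.1.13  bigdn1.iic.il.ibm.com  bigdn1
EOF
    echo "$f"
}

# On a node: check_hosts_file /etc/hosts, or for each server
# check_resolution bigcon.iic.il.ibm.com when DNS is used.
```

Run check_hosts_file /etc/hosts on every node when using the hosts file, and check_resolution <fqdn> for each server on every node when using DNS; any ERROR line must be fixed before the keytabs in Step 7 are generated, since a principal written for the wrong host name is not detected until authentication fails.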
2. Configure /etc/krb5.conf on each of your Linux machines (7 total):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IIC.IL.IBM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 renew_lifetime = 7d
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 IIC.IL.IBM.COM = {
  kdc = bidom.iic.il.ibm.com
  admin_server = bidom.iic.il.ibm.com
  default_domain = iic.il.ibm.com
 }

[domain_realm]
 .iic.il.ibm.com = IIC.IL.IBM.COM
 iic.il.ibm.com = IIC.IL.IBM.COM

[login]
 krb4_convert = true
 krb4_get_tickets = false

Notes on these settings: dns_lookup_kdc = false means the KDC is taken from the [realms] stanza rather than from DNS SRV records; forwardable = true is needed for the credential delegation enabled in Step 17; the two enctype lines pin RC4-HMAC, which matches /crypto RC4-HMAC-NT in the ktpass commands of Step 7 but is a weak, deprecated cipher. Once the JCE policy files from Step 2 are in place, prefer aes256-cts-hmac-sha1-96 here and AES256-SHA1 in ktpass; whichever you choose, krb5.conf and the keytabs must agree.

3. Add the Kerberos service definitions to /etc/services on all Linux machines (most are already present on RHEL):
kerberos      88/udp    kdc     # Kerberos V5 KDC
kerberos      88/tcp    kdc     # Kerberos V5 KDC
klogin        543/tcp           # Kerberos authenticated rlogin
kshell        544/tcp   cmd     # and remote shell
kerberos-adm  749/tcp           # Kerberos 5 admin/changepw
kerberos-adm  749/udp           # Kerberos 5 admin/changepw
krb5_prop     754/tcp           # Kerberos slave propagation
eklogin       2105/tcp          # Kerberos auth. & encrypted rlogin
krb524        4444/tcp          # Kerberos 5 to 4 ticket translator

Step 5: Setting up the Linux users
1. Create the WebSphere service user on the WebSphere machine:
useradd -u 215 -g gbiadmin -m -d /home/wasservice -s /bin/bash wasservice
echo 'wasservice:abc#123' | chpasswd
2. Create the Streams service user on the Streams machine:
useradd -u 217 -g gbiadmin -m -d /home/streams -s /bin/bash streams
echo 'streams:abc#123' | chpasswd
(useradd -p expects an already hashed value, not a clear-text password; a clear-text value passed to -p is stored as the hash and the account cannot log in with it, so set the password with chpasswd or passwd instead.)
Make sure the wasservice and streamsadmin users are present in Active Directory as follows:
3.
Modify the logon names for wasservice and streamsadmin as follows:
WebSphere: HTTP/bigdn1.iic.il.ibm.com
Streams: streamsadmin/bigdn2.iic.il.ibm.com
Example:

Step 6: Create the SPN for the WASService user
On the Active Directory machine run the following commands.
Step 1 (one with the FQDN and one with the short name only, so that a service ticket can be obtained for either form of the host name):
c:\>setspn -A HTTP/bigdn1.iic.il.ibm.com wasservice
c:\>setspn -A HTTP/bigdn1 wasservice
Output:
Registering ServicePrincipalNames for CN=wasservice,OU=Service Users,OU=BigInsights,DC=iic,DC=il,DC=ibm,DC=com
        wasservice/bigdn1.iic.il.ibm.com
Updated object
Step 2: list the SPNs registered on the account:
C:\Users\Administrator>setspn -U -l wasservice
Output:
Registered ServicePrincipalNames for CN=wasservice,OU=Service Users,OU=BigInsights,DC=iic,DC=il,DC=ibm,DC=com:
        wasservice/bigdn1.iic.il.ibm.com

Step 7: Creating the Keytabs:
A keytab is needed for every service on every node that runs it. Keytab generation must be done on the Active Directory server bidom.iic.il.ibm.com. In each command, -princ is the Kerberos principal (service/host@REALM), -out is the keytab file, and -mapuser is the Active Directory account created for that service and node in the prerequisites section. -mapop set overwrites any mapping the account already has, and ktpass resets the account's password to the -pass value, so every principal must map to its own account. A batch file containing -pass abc#123 leaves the password on disk and in the command history; -pass * makes ktpass prompt for it instead.

Full ktpass file (can be scripted as a batch file):
------------------------------------------
ktpass -princ biadmin/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\biadmin.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ biadmin/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\biadmin.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ biadmin/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\biadmin.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ biadmin/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\biadmin.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ biadmin/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\biadmin.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ alert/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\alert.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ alert/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\alert.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ alert/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\alert.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ alert/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\alert.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ alert/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\alert.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ bigsql/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\bigsql.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ bigsql/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\bigsql.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ bigsql/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\bigsql.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ bigsql/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\bigsql.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ bigsql/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\bigsql.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ catalog/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\catalog.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ catalog/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\catalog.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ catalog/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\catalog.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ catalog/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\catalog.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ catalog/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\catalog.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ console/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\console.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ console/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\console.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ console/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\console.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ console/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\console.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ console/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\console.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ hadoop/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hadoop.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hadoop/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hadoop.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hadoop/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hadoop.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hadoop/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hadoop.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hadoop/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hadoop.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ hbase/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hbase.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hbase/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hbase.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hbase/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hbase.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hbase/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hbase.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hbase/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hbase.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ hdfs/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hdfs.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hdfs/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hdfs.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hdfs/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hdfs.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hdfs/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hdfs.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hdfs/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hdfs.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ hive/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hive.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hive/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hive.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hive/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hive.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hive/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hive.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ hive/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\hive.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ httpfs/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\httpfs.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ httpfs/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\httpfs.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ httpfs/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\httpfs.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ httpfs/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\httpfs.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ httpfs/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\httpfs.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ HTTP/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\http.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ HTTP/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\http.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ HTTP/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\http.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ HTTP/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\http.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
// No HTTP keytab is created for bigdn1: the HTTP/bigdn1.iic.il.ibm.com SPN belongs to the WebSphere account (Step 6), and a second account with the same principal would collide with it.

ktpass -princ mapred/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\mapred.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ mapred/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\mapred.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ mapred/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\mapred.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ mapred/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\mapred.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ mapred/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\mapred.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ monitoring/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\monitoring.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ monitoring/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\monitoring.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ monitoring/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\monitoring.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ monitoring/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\monitoring.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ monitoring/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\monitoring.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ oozie/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\oozie.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ oozie/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\oozie.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ oozie/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\oozie.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ oozie/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\oozie.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ oozie/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\oozie.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ orchestrator/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\orchestrator.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ orchestrator/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\orchestrator.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ orchestrator/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\orchestrator.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ orchestrator/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\orchestrator.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ orchestrator/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\orchestrator.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

ktpass -princ zookeeper/bigcon.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\zookeeper.bigcon.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ zookeeper/bigmg1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\zookeeper.bigmg1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ zookeeper/bigmg2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\zookeeper.bigmg2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ zookeeper/bigmg3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\zookeeper.bigmg3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
ktpass -princ zookeeper/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\zookeeper.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

--Principal for WebSphere------------------------------------------------------
ktpass -princ HTTP/bigdn1.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\wasservice.bigdn1.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
--Principal for Streams--------------------------------------------------------
ktpass -princ streamsadmin/bigdn2.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\streamsadmin.bigdn2.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
--Principal for Watson Explorer------------------------------------------------
ktpass -princ wex/bigdn3.iic.il.ibm.com@IIC.IL.IBM.COM -out c:\keytabs\wex.bigdn3.iic.il.ibm.com.keytab -mapuser [email protected] -mapop set -pass abc#123 -ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
----------------end ktpass file

Step 8: Connecting the Linux machines to the Active Directory domain
1. Configure system authentication for Linux on all of the machines running Linux:
• Run the system-config-authentication command
• Enter the following values:
2.
Create a new computer object in Windows Active directory for each of the linux servers by performing the following steps on the Windows Server 2008 R2 server: • Open the Active Directory Users and Computers snap-in: Start -> Administrative Tools -> Active Directory Users and Computers • Create a new computer object: Expand 'iic.il.ibm.com' Right-click Computers, select New -> Computer Computer name: bigcon • Select OK Specify the NIS Domain and IP address for the new computer object: • Select Computers • Right-click 'bigcon', select Properties Under the UNIX Attributes tab: NIS Domain: iic IP Address: 10.10.190.60 • Select OK 3. Create the principal names in the Active Directory for the BigInsights services and Linux nodes setspn setspn setspn setspn setspn -A -A -A -A -A host/[email protected] host/[email protected] host/[email protected] host/[email protected] host/[email protected] setspn setspn setspn setspn setspn -A -A -A -A -u biadmin/bigcon.iic.il.ibm.com biadmin/bigmg1.iic.il.ibm.com biadmin/bigmg2.iic.il.ibm.com biadmin/bigmg3.iic.il.ibm.com -l biadmin setspn setspn setspn setspn setspn -A -A -A -A -u alert/bigcon.iic.il.ibm.com alert/bigmg1.iic.il.ibm.com alert/bigmg2.iic.il.ibm.com alert/bigmg3.iic.il.ibm.com -l alert setspn setspn setspn setspn setspn -A -A -A -A -u bigsql/bigcon.iic.il.ibm.com bigsql/bigmg1.iic.il.ibm.com bigsql/bigmg2.iic.il.ibm.com bigsql/bigmg3.iic.il.ibm.com -l bigsql setspn setspn setspn setspn setspn -A -A -A -A -u catalog/bigcon.iic.il.ibm.com catalog/bigmg1.iic.il.ibm.com catalog/bigmg2.iic.il.ibm.com catalog/bigmg3.iic.il.ibm.com -l catalog catalog catalog catalog catalog setspn setspn setspn setspn setspn -A -A -A -A -u console/bigcon.iic.il.ibm.com console/bigmg1.iic.il.ibm.com console/bigmg2.iic.il.ibm.com console/bigmg3.iic.il.ibm.com -l console console console console console setspn setspn setspn setspn setspn -A -A -A -A -u hadoop/bigcon.iic.il.ibm.com hadoop/bigmg1.iic.il.ibm.com hadoop/bigmg2.iic.il.ibm.com 
hadoop/bigmg3.iic.il.ibm.com -l hadoop setspn setspn setspn setspn setspn -A -A -A -A -u hbase/bigcon.iic.il.ibm.com hbase/bigmg1.iic.il.ibm.com hbase/bigmg2.iic.il.ibm.com hbase/bigmg3.iic.il.ibm.com -l hbase setspn setspn setspn setspn setspn -A -A -A -A -u hive/bigcon.iic.il.ibm.com hive/bigmg1.iic.il.ibm.com hive/bigmg2.iic.il.ibm.com hive/bigmg3.iic.il.ibm.com -l hive biadmin biadmin biadmin biadmin alert alert alert alert bigsql bigsql bigsql bigsql hadoop hadoop hadoop hadoop hbase hbase hbase hbase hive hive hive hive bigcon bigmg1 bigmg2 bigmg3 bigmg4 setspn setspn setspn setspn setspn -A -A -A -A -u httpfs/bigcon.iic.il.ibm.com httpfs/bigmg1.iic.il.ibm.com httpfs/bigmg2.iic.il.ibm.com httpfs/bigmg3.iic.il.ibm.com -l httpfs httpfs httpfs httpfs httpfs setspn setspn setspn setspn setspn -A -A -A -A -u hdfs/bigcon.iic.il.ibm.com hdfs/bigmg1.iic.il.ibm.com hdfs/bigmg2.iic.il.ibm.com hdfs/bigmg3.iic.il.ibm.com -l hdfs hdfs hdfs hdfs hdfs setspn setspn setspn setspn setspn -A -A -A -A -u HTTP/bigcon.iic.il.ibm.com HTTP/bigmg1.iic.il.ibm.com HTTP/bigmg2.iic.il.ibm.com HTTP/bigmg3.iic.il.ibm.com -l http http http http http setspn setspn setspn setspn setspn -A -A -A -A -u mapred/bigcon.iic.il.ibm.com mapred/bigmg1.iic.il.ibm.com mapred/bigmg2.iic.il.ibm.com mapred/bigmg3.iic.il.ibm.com -l mapred setspn setspn setspn setspn setspn -A -A -A -A -u monitoring/bigcon.iic.il.ibm.com monitoring/bigmg1.iic.il.ibm.com monitoring/bigmg2.iic.il.ibm.com monitoring/bigmg3.iic.il.ibm.com -l monitoring setspn setspn setspn setspn setspn -A -A -A -A -u oozie/bigcon.iic.il.ibm.com oozie/bigmg1.iic.il.ibm.com oozie/bigmg2.iic.il.ibm.com oozie/bigmg3.iic.il.ibm.com -l oozie setspn setspn setspn setspn setspn -A -A -A -A -u orchestrator/bigcon.iic.il.ibm.com orchestrator/bigmg1.iic.il.ibm.com orchestrator/bigmg2.iic.il.ibm.com orchestrator/bigmg3.iic.il.ibm.com -l orchestrator setspn setspn setspn setspn setspn -A -A -A -A -u zookeeper/bigcon.iic.il.ibm.com 
zookeeper/bigmg1.iic.il.ibm.com zookeeper/bigmg2.iic.il.ibm.com zookeeper/bigmg3.iic.il.ibm.com -l zookeeper mapred mapred mapred mapred monitoring monitoring monitoring monitoring oozie oozie oozie oozie orchestrator orchestrator orchestrator orchestrator zookeeper zookeeper zookeeper zookeeper 4. Create the server keytabs ktpass -princ host/[email protected] -out c:/keytabs/bigcon.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigcon$ -pass abc#123 ktpass -princ host/[email protected] -out c:/keytabs/bigmg1.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigmg1$ -pass abc#123 ktpass -princ host/[email protected] -out c:/keytabs/bigmg2.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigmg2$ -pass abc#123 ktpass -princ host/[email protected] -out c:/keytabs/bigmg3.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigmg3$ -pass abc#123 ktpass -princ host/[email protected] -out c:/keytabs/bigmg4.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigmg4$ -pass abc#123 ktpass -princ host/[email protected] -out c:/keytabs/bigdn2.keytab -crypto all -ptype KRB5_NT_PRINCIPAL IIC\bigdn2$ -pass abc#123 -desonly -mapuser -desonly -mapuser -desonly -mapuser -desonly -mapuser -desonly -mapuser -desonly -mapuser 5. Copy the server keytabs into the /etc/ directory for each host (copy only its own keytab), each server only its co-related keytab Run the following commands on each of the BI servers . 
chown root:root /etc/<servername>.keytab
chmod 0600 /etc/<servername>.keytab
mv /etc/<servername>.keytab /etc/krb5.keytab
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/krb5.keytab host/<servername>[email protected]
klist
/usr/bin/ldapsearch -H ldap://bidom.iic.il.ibm.com -Y GSSAPI -N -b DC=iic,DC=il,DC=ibm,DC=com "(&(objectClass=user)(sAMAccountName=biadmin))"

example klist output:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[email protected]

Valid starting     Expires            Service principal
07/29/14 10:57:03  07/29/14 20:56:57  krbtgt/[email protected]
        renew until 08/05/14 10:57:03

following example file:

bigcon
========
• chown root:root /root/bigcon.keytab
• chmod 0600 /root/bigcon.keytab
• mv /root/bigcon.keytab /etc/krb5.keytab
• /opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/krb5.keytab host/[email protected]
• klist
• /usr/bin/ldapsearch -H ldap://bidom.iic.il.ibm.com -Y GSSAPI -N -b DC=iic,DC=il,DC=ibm,DC=com "(&(objectClass=user)(sAMAccountName=biadmin))"

bigmg1
========
• chown root:root /root/bigmg1.keytab
• chmod 0600 /root/bigmg1.keytab
• mv /root/bigmg1.keytab /etc/krb5.keytab
• /opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/krb5.keytab host/[email protected]
• klist
• /usr/bin/ldapsearch -H ldap://bidom.iic.il.ibm.com -Y GSSAPI -N -b DC=iic,DC=il,DC=ibm,DC=com "(&(objectClass=user)(sAMAccountName=biadmin))"

bigmg2
========
• chown root:root /root/bigmg2.keytab
• chmod 0600 /root/bigmg2.keytab
• mv /root/bigmg2.keytab /etc/krb5.keytab
• /opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/krb5.keytab host/[email protected]
• klist
• /usr/bin/ldapsearch -H ldap://bidom.iic.il.ibm.com -Y GSSAPI -N -b DC=iic,DC=il,DC=ibm,DC=com "(&(objectClass=user)(sAMAccountName=biadmin))"

bigmg3
========
• chown root:root /root/bigmg3.keytab
• chmod 0600 /root/bigmg3.keytab
• mv /root/bigmg3.keytab /etc/krb5.keytab
• /opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/krb5.keytab host/[email protected]
• klist
• /usr/bin/ldapsearch -H ldap://bidom.iic.il.ibm.com -Y GSSAPI -N -b DC=iic,DC=il,DC=ibm,DC=com "(&(objectClass=user)(sAMAccountName=biadmin))"
end example file

6. Configure the sssd (security daemon) file
• Back up the sssd file: cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.conf.back
• Edit /etc/sssd/sssd.conf on each of the BI servers so that it looks like the following:
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug_level = 0

[nss]

[pam]

[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/[email protected]
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = IIC.IL.IBM.COM

7. In our case we used the AD + Kerberos + SSSD configuration with credential caching; therefore, in addition to the previous file, db2.pam.rhel from $BIGINSIGHTS_INSTALLER_DIR/installer/hdm/components/db2/conf/ should be modified as follows:
[root@bigcon ~]# more /install/biginsights-3.0.0.0-SNAPSHOT-enterprise-production-Linux-amd64-b20140616_1652/installer/hdm/components/db2/conf/db2.pam.rhel
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3 dcredit=-1 ucredit=-1
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
password sufficient pam_sss.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
pam_ldap.so should be replaced with pam_sss.so.
/etc/pam.d/db2 will be replaced with this file during the BigInsights installation, and it is also used by BigSQL 3.0 for end-user authentication.

Step 9: Deploying keytab files to each of the nodes in the cluster

The example below is a 4-node cluster (one management node, "bigcon.iic.il.ibm.com", and three data nodes, "bigmg1.iic.il.ibm.com", "bigmg2.iic.il.ibm.com" and "bigmg3.iic.il.ibm.com") where the services use the default BigInsights configuration.

1. Merging the principals for BI services

Adding HTTP principals to the hdfs keytab:
==================
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/hdfs.bigcon.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/hdfs.bigmg1.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/hdfs.bigmg2.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/hdfs.bigmg3.iic.il.ibm.com.keytab -a HTTP/[email protected]

Adding HTTP principals to the mapred keytab:
========================
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/mapred.bigcon.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/mapred.bigmg1.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/mapred.bigmg2.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/mapred.bigmg3.iic.il.ibm.com.keytab -a HTTP/[email protected]

Adding HTTP principals to the httpfs keytab:
========================
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/httpfs.bigcon.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/httpfs.bigmg1.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/httpfs.bigmg2.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/httpfs.bigmg3.iic.il.ibm.com.keytab -a HTTP/[email protected]

Adding HTTP principals to the console keytab:
========================
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/console.bigcon.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/console.bigmg1.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/console.bigmg2.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/console.bigmg3.iic.il.ibm.com.keytab -a HTTP/[email protected]

Adding HTTP principals to the oozie keytab:
========================
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/oozie.bigcon.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/oozie.bigmg1.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/oozie.bigmg2.iic.il.ibm.com.keytab -a HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/ktab -k /etc/keytabs/oozie.bigmg3.iic.il.ibm.com.keytab -a HTTP/[email protected]

Initializing the keytabs

For each user, run the following commands on each node. Make sure to run kinit from the IBM JDK path. The kinit step is optional; it only validates your keytabs.
1.
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_UID [email protected]
2.
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/username.machine.domain.keytab -c FILE:/tmp/krb5cc_UID [email protected]

example:
1.
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_200 [email protected]
2.
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/biadmin.bigdom.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 [email protected]

//--- full kinit file for BigInsights V3.0 (the orchestrator entries use the orchestrator keytab created in Step 7; the original file pointed them at the oozie keytab) ---//

bigcon
-----
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/biadmin.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/alert.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/bigsql.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/catalog.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/console.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hadoop.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hbase.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hdfs.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hive.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/httpfs.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/mapred.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/monitoring.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/oozie.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/orchestrator.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/zookeeper.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_215 HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/http.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_215 HTTP/[email protected]

bigmg1
-----
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/biadmin.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/alert.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/bigsql.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/catalog.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/console.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hadoop.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hbase.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hdfs.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hive.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/httpfs.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/mapred.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/monitoring.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/oozie.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/orchestrator.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/zookeeper.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_215 HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/http.bigmg1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_215 HTTP/[email protected]

bigmg2
-----
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/biadmin.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/alert.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/bigsql.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/catalog.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/console.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hadoop.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hbase.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hdfs.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hive.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/httpfs.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/mapred.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/monitoring.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/oozie.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/orchestrator.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/zookeeper.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_215 HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/http.bigmg2.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_215 HTTP/[email protected]

bigmg3
-----
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/biadmin.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/alert.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_201 alert/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/bigsql.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_202 bigsql/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/catalog.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_203 catalog/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/console.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_204 console/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hadoop.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_205 hadoop/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hbase.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hdfs.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_207 hdfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/hive.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_208 hive/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/httpfs.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_209 httpfs/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/mapred.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_210 mapred/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/monitoring.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_211 monitoring/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/oozie.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_212 oozie/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/orchestrator.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_213 orchestrator/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/zookeeper.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_214 zookeeper/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -c FILE:/tmp/krb5cc_215 HTTP/[email protected]
/opt/ibm/java-x86_64-60/jre/bin/kinit -k -t /etc/keytabs/http.bigmg3.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_215 HTTP/[email protected]

bigdn1
-------
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -c FILE:/tmp/krb5cc_1016 HTTP/[email protected]
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -k -t /etc/keytabs/wasservice.bigdn1.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_1016 HTTP/[email protected]

biadmin on the WebSphere machine (bigdn1):
-------------------------------------
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -c FILE:/tmp/krb5cc_200 biadmin/[email protected]
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -k -t /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/etc/biadmin.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_200 biadmin/[email protected]

hbase on the WebSphere machine (bigdn1):
-------------------------------------
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -c FILE:/tmp/krb5cc_206 hbase/[email protected]
/opt/ibm/WebSphere/AppServer/java/jre/bin/kinit -k -t /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/etc/hbase.bigcon.iic.il.ibm.com.keytab -c FILE:/tmp/krb5cc_206 hbase/[email protected]
//--- end file -------------------------------------------------------------------//

Step 10: Running BigInsights installer prechecker

installer/hdm/bin/bi-prechecker.sh -u root -m ENTERPRISE -g
Make sure everything is green before proceeding.

Step 11: Install BigInsights

Run the installer server:
[root@bigcon biginsights-3.0.0.0-SNAPSHOT-enterprise-production-Linux-amd64-b20140616_1652]# ./start.sh artifacts/ibm-java-sdk-6.0-16.0-linux-x86_64.tgz
Running local precheck script ...
================================================
BigInsights Pre-Installation Check Script v1.2.2
================================================
Machine: bigcon.iic.il.ibm.com
Architecture: xSeries
OS: Red Hat v6.3
================================================
[INFO] (CDYIN0017I) Running in INSTALL_PRE_UI mode.
Verify there is no install process in the background    [ OK ]
Verify install ports not in use                         [ OK ]
Extracting Java ....
Java extraction complete, using JAVA_HOME=/install/biginsights-3.0.0.0-SNAPSHOT-enterprise-production-Linux-amd64-b20140616_1652/_jvm/ibm-java-x86_64-60
Verifying port 8300 availability
port 8300 available
Starting BigInsights Installer .....
Application server is up and running...
BigInsights Installer started, please use a browser to access one of the following URL(s):
http://10.10.190.60:8300/Install
After you are finished, run the following command to stop the installer web server:
start.sh shutdown

Open a browser and go to the following link: http://10.10.190.60:8300/Install
Click on the "Next" button.
Accept the license agreement and click on the "Next" button.
The installation type is displayed. You can choose a new installation or upgrade an existing installation. There is also an option to create a response file and run the installation process later, or to run the process silently.
Choose "Install InfoSphere BigInsights" and click Next.
Accept the default cluster name or provide your own.
Specify a file system for your installation. We accept the default, Hadoop Distributed File System.
Click Next to continue to the Secure Shell page. We chose installation with root privileges. The installation configures password-less ssh for the BigInsights admin user (biadmin).
Click Next to continue to the Nodes page and add the nodes to the cluster.
Click Next to continue to the Components 1 page. Click "Advanced settings" to change the default node resources percentage.
Since our installation does not include the HA feature, on the Components 2 page we specified the Data Nodes and data directories and accepted all other defaults.
No changes are required on the Components 3 page; click Next to move to the Security page.
The installation is based on PAM with LDAP authentication, using Kerberos for authentication. Enter your realm in the Realm field (in our case "IIC.IL.IBM.COM") and specify the local keytabs directory, for example "/etc/keytabs". For JDBC authentication for Hive choose Kerberos.
Click Next to display the Summary page. Click through the tabs at the top of the screen to verify the settings, nodes and components. If the list is not correct, cancel the installation, shut down and restart the installer. If the list is correct, click Install to begin the installation.
Following is the fullinstall.xml:

<?xml version="1.0" encoding="UTF-8"?>
<cluster-configuration>
  <xml-version>2.1</xml-version>
  <vendor>ibm</vendor>
  <operation>install</operation>
  <type>Enterprise</type>
  <current-version>3.0.0.0</current-version>
  <general>
    <biginsights-cluster-name>BICluster</biginsights-cluster-name>
    <biginsights-install-directory>opt/ibm/biginsights</biginsights-install-directory>
    <biginsights-data-log-directory>var/ibm/biginsights</biginsights-data-log-directory>
    <directory-prefix>/</directory-prefix>
    <overwrite>true</overwrite>
    <file-system>hdfs</file-system>
    <shared-directory/>
  </general>
  <ssh>
    <configure>configure_ssh</configure>
    <auth-method/>
    <password>{xor}Nj0ybjgrKm0=</password>
    <public-key/>
    <administrator-user>
      <username>biadmin</username>
      <uid>200</uid>
    </administrator-user>
    <administrator-group>
      <groupname>gbiadmin</groupname>
      <gid>123</gid>
    </administrator-group>
    <biadmin-password>{xor}Pj08fG5tbA==</biadmin-password>
    <current-user-password>{xor}</current-user-password>
  </ssh>
  <security>
    <authentication>ldap</authentication>
    <enable-kerberos>true</enable-kerberos>
    <biginsightssystemadministrator>
      <group>gbiadmin</group>
    </biginsightssystemadministrator>
    <biginsightsdataadministrator>
      <group>gbiadmin</group>
    </biginsightsdataadministrator>
    <biginsightsapplicationadministrator>
      <group>gbiadmin</group>
    </biginsightsapplicationadministrator>
    <biginsightsuser>
      <group>gbiadmin</group>
    </biginsightsuser>
    <service-security>
      <hadoop>
        <hdfs-username>hdfs</hdfs-username>
        <hdfs-uid>201</hdfs-uid>
        <mapred-username>mapred</mapred-username>
        <mapred-uid>202</mapred-uid>
      </hadoop>
      <Zookeeper>
        <username>zookeeper</username>
        <uid>203</uid>
      </Zookeeper>
      <HBase>
        <username>hbase</username>
        <uid>204</uid>
      </HBase>
      <Hive>
        <username>hive</username>
        <uid>208</uid>
      </Hive>
      <Oozie>
        <username>oozie</username>
        <uid>206</uid>
      </Oozie>
      <Monitoring>
        <username>monitoring</username>
        <uid>220</uid>
      </Monitoring>
      <HttpFS>
        <username>httpfs</username>
        <uid>221</uid>
      </HttpFS>
      <BigSQL>
        <username>bigsql</username>
        <uid>222</uid>
      </BigSQL>
      <Console>
        <username>console</username>
        <uid>223</uid>
      </Console>
      <Catalog>
        <username>catalog</username>
        <uid>224</uid>
        <password>{xor}Pj08fG5tbA==</password>
      </Catalog>
      <alert>
        <username>alert</username>
        <uid>225</uid>
      </alert>
      <Orchestrator>
        <username>orchestrator</username>
        <uid>226</uid>
      </Orchestrator>
    </service-security>
    <kerberos>
      <realm>IIC.IL.IBM.COM</realm>
      <keytab-directory>/etc/keytabs/</keytab-directory>
      <hive-authentication-option>kerberos</hive-authentication-option>
    </kerberos>
  </security>
  <hdm>
    <port>8800</port>
  </hdm>
  <Console>
    <node>bigcon.iic.il.ibm.com</node>
    <sso-domain-name>iic.il.ibm.com</sso-domain-name>
    <copy-hosts-file>false</copy-hosts-file>
    <web-protocol>HTTP</web-protocol>
    <management-console-port>8080</management-console-port>
    <management-jmx-port>9180</management-jmx-port>
  </Console>
  <Jaql-server>
    <configure>false</configure>
    <node/>
    <jaql-server-port>8200</jaql-server-port>
  </Jaql-server>
  <Jaql>
    <configure>true</configure>
    <log-directory>var/ibm/biginsights/jaql/logs</log-directory>
  </Jaql>
  <Catalog>
    <configure>true</configure>
    <catalog-type>db2</catalog-type>
    <node>bigcon.iic.il.ibm.com</node>
    <port>50000</port>
  </Catalog>
  <hadoop>
    <general>
      <cache-directory>hadoop/mapred/local</cache-directory>
      <log-directory>var/ibm/biginsights/hadoop/logs</log-directory>
      <mapred-system-directory>/hadoop/mapred/system</mapred-system-directory>
      <apache-mapred>true</apache-mapred>
    </general>
    <hdfs>
      <configure>true</configure>
    </hdfs>
    <namenode>
      <node>bigcon.iic.il.ibm.com</node>
      <namenode-port>9000</namenode-port>
      <namenode-http-port>50070</namenode-http-port>
      <name-directory>hadoop/hdfs/name</name-directory>
      <jmx-port>51170</jmx-port>
    </namenode>
    <jobtracker>
      <node>bigcon.iic.il.ibm.com</node>
      <jobtracker-port>9001</jobtracker-port>
      <jobtracker-http-port>50030</jobtracker-http-port>
      <jmx-port>51130</jmx-port>
    </jobtracker>
    <secondarynamenode>
      <node>bigcon.iic.il.ibm.com</node>
      <secondarynamenode-http-port>50090</secondarynamenode-http-port>
      <data-directory-2nn>hadoop/hdfs/namesecondary</data-directory-2nn>
    </secondarynamenode>
    <datanode>
      <selection-type>Specified</selection-type>
      <nodes>bigmg3.iic.il.ibm.com, bigmg2.iic.il.ibm.com, bigmg1.iic.il.ibm.com</nodes>
      <datanode-port>50010</datanode-port>
      <datanode-ipc-port>50020</datanode-ipc-port>
      <datanode-http-port>50075</datanode-http-port>
      <tasktracker-http-port>50060</tasktracker-http-port>
      <data-directory>/media/disk1/hdfs/data, /media/disk2/hdfs/data,/media/disk3/hdfs/data,/media/disk4/hdfs/data,/media/disk5/hdfs/data,/media/disk6/hdfs/data</data-directory>
      <datanode-jmx-port>51110</datanode-jmx-port>
    </datanode>
  </hadoop>
  <Avro>
    <configure>false</configure>
  </Avro>
  <Hive>
    <configure>true</configure>
    <hwi-node>bigcon.iic.il.ibm.com</hwi-node>
    <query-directory>var/ibm/biginsights/hive/query</query-directory>
    <log-directory>var/ibm/biginsights/hive/logs</log-directory>
    <hwi-port>9999</hwi-port>
    <server-port>10000</server-port>
  </Hive>
  <Lucene>
    <configure>true</configure>
  </Lucene>
  <Pig>
    <configure>true</configure>
    <log-directory>var/ibm/biginsights/pig/logs</log-directory>
  </Pig>
  <Oozie>
    <configure>true</configure>
    <node>bigcon.iic.il.ibm.com</node>
    <oozie-port>8280</oozie-port>
  </Oozie>
  <Zookeeper>
    <configure>true</configure>
    <nodes>bigcon.iic.il.ibm.com</nodes>
    <data-directory>/var/ibm/biginsights/zookeeper/data</data-directory>
    <log-directory>var/ibm/biginsights/zookeeper/logs</log-directory>
    <client-port>2181</client-port>
    <time-interval>2000</time-interval>
    <init-limit>5</init-limit>
    <sync-limit>2</sync-limit>
    <jmx-port>3281</jmx-port>
  </Zookeeper>
  <HBase>
    <configure>true</configure>
    <zookeeper-mode>shared</zookeeper-mode>
    <master-nodes>bigcon.iic.il.ibm.com</master-nodes>
    <install-mode>fully</install-mode>
    <region-nodes-install-option>All</region-nodes-install-option>
    <region-nodes/>
    <root-directory>/hbase</root-directory>
    <log-directory>var/ibm/biginsights/hbase/logs</log-directory>
    <master-port>60000</master-port>
    <master-ui-port>60010</master-ui-port>
    <regionserver-port>60020</regionserver-port>
    <regionserver-ui-port>60030</regionserver-ui-port>
    <master-jmx-port>61100</master-jmx-port>
    <regional-jmx-port>61120</regional-jmx-port>
  </HBase>
  <Flume>
    <configure>true</configure>
    <pid-directory>var/ibm/biginsights/flume/pids</pid-directory>
    <log-directory>var/ibm/biginsights/flume/logs</log-directory>
  </Flume>
  <node-list>
    <node>
      <name-or-ip>bigcon.iic.il.ibm.com</name-or-ip>
      <password>{xor}</password>
      <rack/>
      <hdfs-data-directory>/media/disk1/hdfs/data, /media/disk2/hdfs/data,/media/disk3/hdfs/data,/media/disk4/hdfs/data,/media/disk5/hdfs/data,/media/disk6/hdfs/data</hdfs-data-directory>
      <gpfs-node-designation/>
      <gpfs-admin-node/>
      <gpfs-rawdisk-list/>
      <gpfs-datapool-disk-list/>
      <bigsql-data-directory/>
      <node-type>public</node-type>
    </node>
    <node>
      <name-or-ip>bigmg1.iic.il.ibm.com</name-or-ip>
      <password>{xor}</password>
      <rack/>
      <hdfs-data-directory>/media/disk1/hdfs/data, /media/disk2/hdfs/data,/media/disk3/hdfs/data,/media/disk4/hdfs/data,/media/disk5/hdfs/data,/media/disk6/hdfs/data</hdfs-data-directory>
      <gpfs-node-designation/>
      <gpfs-admin-node/>
      <gpfs-rawdisk-list/>
      <gpfs-datapool-disk-list/>
      <bigsql-data-directory/>
      <node-type>private</node-type>
    </node>
    <node>
      <name-or-ip>bigmg2.iic.il.ibm.com</name-or-ip>
      <password>{xor}</password>
      <rack/>
      <hdfs-data-directory>/media/disk1/hdfs/data, /media/disk2/hdfs/data,/media/disk3/hdfs/data,/media/disk4/hdfs/data,/media/disk5/hdfs/data,/media/disk6/hdfs/data</hdfs-data-directory>
      <gpfs-node-designation/>
      <gpfs-admin-node/>
      <gpfs-rawdisk-list/>
      <gpfs-datapool-disk-list/>
      <bigsql-data-directory/>
      <node-type>private</node-type>
    </node>
    <node>
      <name-or-ip>bigmg3.iic.il.ibm.com</name-or-ip>
      <password>{xor}</password>
      <rack/>
      <hdfs-data-directory>/media/disk1/hdfs/data, /media/disk2/hdfs/data,/media/disk3/hdfs/data,/media/disk4/hdfs/data,/media/disk5/hdfs/data,/media/disk6/hdfs/data</hdfs-data-directory>
      <gpfs-node-designation/>
      <gpfs-admin-node/>
      <gpfs-rawdisk-list/>
      <gpfs-datapool-disk-list/>
      <bigsql-data-directory/>
      <node-type>private</node-type>
    </node>
  </node-list>
  <GPFS>
    <install>false</install>
    <cluster>
      <cluster-name>bigpfs</cluster-name>
      <primary-configuration-server/>
      <secondary-configuration-server/>
      <use-privileged-port>false</use-privileged-port>
      <tsc-tcp-port>null</tsc-tcp-port>
    </cluster>
    <file-system>
      <default-metadata-replication>1</default-metadata-replication>
      <max-metadata-replication>3</max-metadata-replication>
      <default-data-replication>1</default-data-replication>
      <max-data-replication>3</max-data-replication>
      <block-allocation>cluster</block-allocation>
      <block-group-factor>128</block-group-factor>
      <write-affinity-depth>1</write-affinity-depth>
      <estimated-cluster-size>32</estimated-cluster-size>
      <mount-point/>
      <tmp-fileset/>
      <log-fileset/>
      <use-local-cache-directory>true</use-local-cache-directory>
      <generate-cache-path>true</generate-cache-path>
    </file-system>
    <monitoring>
      <socket/>
      <retries/>
      <timeout/>
    </monitoring>
  </GPFS>
  <enterprise>
    <Orchestrator>
      <configure>false</configure>
      <node>bigcon.iic.il.ibm.com</node>
      <port>8888</port>
    </Orchestrator>
    <GuardiumProxy>
      <configure>false</configure>
      <proxy-node/>
      <proxy-port>16015</proxy-port>
      <collector-host/>
      <collector-port>16016</collector-port>
    </GuardiumProxy>
    <BigSQL>
      <configure>true</configure>
      <node>bigcon.iic.il.ibm.com</node>
      <NIC>0.0.0.0</NIC>
      <port>7052</port>
      <head-node>bigcon.iic.il.ibm.com</head-node>
      <scheduler-nodes>bigcon.iic.il.ibm.com</scheduler-nodes>
      <work-nodes-selection-type>All</work-nodes-selection-type>
      <work-nodes/>
      <partitions>1</partitions>
      <admin-user-password>{xor}Pj08fG5tbA==</admin-user-password>
      <scheduler-service-port>7053</scheduler-service-port>
      <scheduler-admin-port>7054</scheduler-admin-port>
      <fcm-start-port>62000</fcm-start-port>
      <server-port>51000</server-port>
      <node-resources-percentage>40</node-resources-percentage>
      <data-directory>var/ibm/biginsights/database/bigsql/data</data-directory>
    </BigSQL>
    <high-availability>
      <hadoop-ha>
        <ha-option/>
      </hadoop-ha>
      <jobtracker-ha>
        <ha-option/>
      </jobtracker-ha>
    </high-availability>
    <alert>
      <nodes>bigcon.iic.il.ibm.com</nodes>
      <port>8380</port>
      <config-smtp>false</config-smtp>
      <smtp-node/>
      <smtp-port/>
      <smtp-user/>
      <smtp-password>{xor}</smtp-password>
      <smtp-connection-type/>
      <alert-notification-recipients/>
    </alert>
  </enterprise>
  <TaskController>
    <directory>/var/bi-task-controller-conf</directory>
    <groups>*</groups>
    <hosts>*</hosts>
  </TaskController>
  <Monitoring>
    <control-port>9093</control-port>
    <rest-port>9099</rest-port>
  </Monitoring>
  <HttpFS>
    <configure>true</configure>
    <nodes-install-option>Specified</nodes-install-option>
    <nodes>bigcon.iic.il.ibm.com</nodes>
    <log-directory>var/ibm/biginsights/httpfs/logs</log-directory>
    <port>14000</port>
  </HttpFS>
</cluster-configuration>

Run the following command to install BigInsights:

silent-install/silent-install.sh fullinstall.xml
–uninstall

Example output:

In addition, in order to log on to the BigInsights web console post-install, we need to change /etc/pam.d/net-sfjpam on the BigInsights management node to use pam_sss.so, because the BI installer sets it to pam_ldap.so for LDAP authentication:

auth     sufficient /lib64/security/pam_unix.so
auth     sufficient /lib64/security/pam_sss.so minimum_uid=100 use_first_pass
auth     required   /lib64/security/pam_deny.so
account  sufficient /lib64/security/pam_unix.so
account  sufficient /lib64/security/pam_sss.so minimum_uid=100
account  required   /lib64/security/pam_permit.so
session  required   /lib64/security/pam_unix.so
session  optional   /lib64/security/pam_sss.so minimum_uid=100
password sufficient /lib64/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib64/security/pam_sss.so minimum_uid=100 try_first_pass
password required   /lib64/security/pam_deny.so

Step 12: Configure WebSphere Application server

1. Install WebSphere Application Server.
2. Configure Active Directory as a repository in WAS:
   Bind distinguished name = CN=wasservice,OU=Service Users,OU=BigInsights,DC=iic,DC=il,DC=ibm,DC=com
   Password = abc#123
3. Add the newly created repository to the federated repositories.
4. After adding the Active Directory to the realm, restart the WebSphere application server.
5. Check and verify that searching for users works in the admin console.
6. Add wasservice as an administrator and security admin to the application server.

Step 14: SSO Configurations

1. Make sure krb5.conf exists at /etc/krb5.conf.
2. Make sure wasservice.keytab exists at /opt/ibm/WebSphere/AppServer/profiles/AppSrv01/etc/wasservice.keytab.
3. Go to Security --> Global security --> Web and SIP Security --> Single Sign On and enter the details below:
4. Create a SPNEGO filter:
5. Enable SPNEGO web authentication:

Step 15: Enabling Kerberos

1. Configure Kerberos.
2. Enable LTPA authentication.
3. Restart the server.

Step 16: Configuring the Browser (Internet Explorer)

1. Enable integrated authentication.
2. Add the application server's URLs (HTTP and HTTPS) to the trusted sites.

Step 17: Enable kerberos token delegation in WebSphere

1. Enable Kerberos delegation at the general level.
2. Enable Kerberos delegation at the SPNEGO filter level.

Step 18: Map authorization roles to snoop application

1.
Make sure that only the "lazy" user can access the snoop application:

Step 19: Adding authentication support for your code (Servlet)

Add the following content to your web.xml file:

<servlet id="Servlet_1">
  <servlet-name>Create Table Servlet</servlet-name>
  <servlet-class>servlets.CreateTableServlet</servlet-class>
</servlet>
<servlet-mapping id="ServletMapping_1">
  <servlet-name>Create Table Servlet</servlet-name>
  <url-pattern>/create</url-pattern>
</servlet-mapping>
<security-constraint id="SecurityConstraint_1">
  <web-resource-collection id="WebResourceCollection_1">
    <web-resource-name>Create Table Servlet</web-resource-name>
    <description>Protection area for Athena POC</description>
    <url-pattern>/create</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1">
    <description>All Authenticated users for Athena application</description>
    <role-name>All Role</role-name>
  </auth-constraint>
  <user-data-constraint id="UserDataConstraint_1">
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role id="SecurityRole_1">
  <description>All Authenticated Users Role.</description>
  <role-name>All Role</role-name>
</security-role>

Step 20: Enable Hbase and HDFS access from your application

1. Copy the following files from the deployment into your application, keeping the same directory structure:

WebContent
  hadoop
    conf
      core-site.xml
      hdfs-site.xml
      mapred-site.xml
  hbase
    conf
      hbase-site.xml

Step 21: HDFS configuration in code

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// build the configuration from the site files copied in step 20
Configuration config = new Configuration();
config.addResource("hadoop/conf/core-site.xml");
config.addResource("hadoop/conf/hdfs-site.xml");
config.addResource("hadoop/conf/mapred-site.xml");
UserGroupInformation.setConfiguration(config);

// and at a later time log in with the keytab and configuration
String loginAsPrincipal = "biadmin/[email protected]";
String keytabPath = "/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/etc/biadmin.bigcon.iic.il.ibm.com.keytab";
UserGroupInformation.loginUserFromKeytab(loginAsPrincipal, keytabPath);
Path path = new Path(fullyQualifiedFileName);
FileSystem fs = FileSystem.get(config); // we get this config from the snippet above
FSDataInputStream fsInStream = fs.open(path);

Step 22: Hbase configuration in code

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.client.HBaseAdmin;
import org.apache.hadoop.security.UserGroupInformation;

// build the HBase configuration from the site file copied in step 20
Configuration config = HBaseConfiguration.create();
config.addResource("/hbase/conf/hbase-site.xml");
UserGroupInformation.setConfiguration(config);

// and at a later time log in with the keytab and configuration
String loginAsPrincipal = "biadmin/[email protected]";
String keytabPath = "/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/etc/biadmin.bigcon.iic.il.ibm.com.keytab";
UserGroupInformation.loginUserFromKeytab(loginAsPrincipal, keytabPath);
HBaseAdmin admin = new HBaseAdmin(config); // we get this config from the snippet above
HTableDescriptor htd = new HTableDescriptor(tableName);

Step 23: Enable webSphere to connect to your BigInsights installation

• Create a shared library on your WebSphere installation which will contain the following libraries:
commons-cli-1.2.jar
commons-codec-1.4.jar
commons-configuration-1.6.jar
commons-io-2.1.jar
commons-lang-2.5.jar
commons-logging-1.1.1.jar
guardium-proxy.jar
guava-11.0.2.jar
hadoop-core-2.2.0-mr1.jar
hadoop-hdfs-2.2.0.jar
hbase.jar
htrace-core-2.01.jar
jackson-core-asl-1.8.8.jar
jackson-mapper-asl-1.8.8.jar
netty-3.6.6.Final.jar
slf4j-api-1.7.5.jar
slf4j-log4j12-1.7.5.jar
zookeeper-3.4.5.jar

Step 24: Shared Library Definition:

• Map your application(s) to use the shared library, or alternatively create a classloader and map it to your shared library.
• Map the users who are allowed to enter the application.

Step 25: Troubleshooting

1. SPN listing and deletion:
   Delete an SPN:
   setspn -D biadmin/bigdn1.iic.il.ibm.com biadmin
   List all SPNs for the user name biadmin:
   setspn -l biadmin
2. Listing keytab contents:
   /opt/ibm/java-x86_64-60/jre/bin/klist -t -k <keytab_name>
3. Deleting users: locate the files the users and groups are in and, if needed, delete them from these files: /etc/passwd & /etc/groups
4. Uninstalling the product (as biadmin) at the installation directory
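The snippets in steps 21 and 22 each call loginUserFromKeytab separately and rely on the JVM-wide login user. The following added example (not code from the original document) folds both into one client that holds its own UGI, refuses to start if the site files did not actually enable Kerberos, and re-logins from the keytab before each call so that an expired ticket in a long-running WebSphere server does not turn into a failed request. The class and method names, the confDir layout and the principal/keytab placeholders are assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.HBaseAdmin;
import org.apache.hadoop.security.UserGroupInformation;

/** Added example (not from the page): one keytab login shared by the HDFS and HBase clients. */
public final class SecureBigInsightsClient {
    private final Configuration conf;
    private final UserGroupInformation ugi;

    // confDir: where the hadoop/conf and hbase/conf files of step 20 live (assumed layout).
    // principal/keytab: the service identity to run as, e.g. "biadmin/<host>@IIC.IL.IBM.COM"
    // (placeholder) and the path of its keytab on the WebSphere machine.
    public SecureBigInsightsClient(String confDir, String principal, String keytab) throws IOException {
        // Load the Hadoop site files, then let HBase layer hbase-site.xml on top, so both
        // clients see the same hadoop.security.authentication=kerberos setting.
        Configuration hadoopConf = new Configuration();
        for (String f : new String[] {"core-site.xml", "hdfs-site.xml", "mapred-site.xml"}) {
            hadoopConf.addResource(new Path(confDir, "hadoop/conf/" + f));
        }
        conf = HBaseConfiguration.create(hadoopConf);
        conf.addResource(new Path(confDir, "hbase/conf/hbase-site.xml"));
        UserGroupInformation.setConfiguration(conf);
        // Fail fast: if the site files were not found, Hadoop silently falls back to
        // "simple" authentication and the keytab login below would be a no-op.
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IOException("hadoop.security.authentication is not kerberos; check " + confDir);
        }
        // Keep a private UGI rather than the JVM-wide login user, so other code in the same
        // application server cannot change which principal this client runs as.
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    // Runs an action as the keytab principal. Tickets expire in a long-running server,
    // so first re-login from the keytab (a no-op while the TGT is still fresh).
    private <T> T runAs(PrivilegedExceptionAction<T> action) throws IOException {
        try {
            ugi.checkTGTAndReloginFromKeytab();
            return ugi.doAs(action);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while calling the cluster", e);
        }
    }

    /** Step 21: HDFS access as the keytab principal. */
    public boolean hdfsPathExists(final String path) throws IOException {
        return runAs(new PrivilegedExceptionAction<Boolean>() {
            public Boolean run() throws IOException {
                return FileSystem.get(conf).exists(new Path(path));
            }
        });
    }

    /** Step 22: HBase access as the keytab principal. */
    public boolean hbaseTableExists(final String table) throws IOException {
        return runAs(new PrivilegedExceptionAction<Boolean>() {
            public Boolean run() throws IOException {
                HBaseAdmin admin = new HBaseAdmin(conf);
                try {
                    return admin.tableExists(table);
                } finally {
                    admin.close();
                }
            }
        });
    }
}
```

The servlet from step 19 can construct one instance of this class at startup and reuse it for every request, since the ticket check happens inside runAs rather than at construction time.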