
Configuring Security properties from Kyvos Manager

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


The Security configuration page enables you to configure the security for the Kyvos cluster.

Hadoop Authentication Configuration

Use the fields here to configure how Kyvos authenticates to the Hadoop cluster.

Note

The Kerberos-related fields described in step 2 below are displayed ONLY if you select the KERBEROS option.

Hadoop Authentication Configuration area

In the Hadoop Authentication Configuration area, enter the following information.

  1. From the Hadoop Security Type list, select the option as configured on the Hadoop cluster. If no security is configured on Hadoop, select SIMPLE.

  2. If you select the KERBEROS option, then:

    1. Select the check boxes for Key Distribution Center (KDC) configurations.

    2. Enter Keytab User Name for Kerberos.

    3. Keytab available on all hosts: Select this check box if the keytab file is present on every host node. A keytab is a file containing pairs of Kerberos principals and encrypted keys (derived from the Kerberos password). It lets a process authenticate to remote systems with Kerberos without entering a password, which also means the keytab is password-equivalent: anyone who can read it can act as the principal, so restrict it to the Kyvos service account (mode 0600) on every host.

    4. Enter the path of the Keytab File.

    5. Enter the name of the Keytab File.
      NOTE: If the keytab file is not available on host nodes, use the Change file button to upload the keytab file to connect to Hadoop.

    6. Click Validate KeyTab to confirm that the file exists at the given path on the hosts. This checks presence only; it does not prove the keytab holds a valid key for the principal.

    7. Upload the local_policy.jar file from your local machine.

Important

The local_policy.jar and US_export_policy.jar files (the JCE jurisdiction policy files) enable Kyvos to work with a secure Hadoop cluster: Kerberos and TLS commonly use 256-bit AES keys, which the default limited policy does not permit.

Due to import control restrictions in some countries, the Java Cryptography Extension (JCE) policy files shipped with older releases of the Java SE Development Kit and Java SE Runtime Environment allow strong but limited cryptography (for example, AES keys are capped at 128 bits). An unlimited strength version of these files, which imposes no restriction on cryptographic strength, is available from the JDK download site for eligible jurisdictions. Users in eligible countries can download the unlimited strength version and replace the limited policy jars with it.

To do so, download the JCE Unlimited Strength Jurisdiction Policy Files that match your JDK version (for Java 8, jce_policy-8.zip).

Unzip jce_policy-8.zip to obtain US_export_policy.jar and local_policy.jar, and upload both to Kyvos Manager.

Note that from JDK 8u161 onward the unlimited policy is the default (crypto.policy=unlimited in java.security), so this replacement is only required for earlier JDK 8 updates.

Kyvos Preferences 

From the Kyvos Preferences list, select one of the following:

  1. Keytab Principal User

  2. Kyvos Logged-in User

This setting determines which identity Kyvos uses for Hadoop access: the Keytab Principal User, which has administrative rights, or the Kyvos Logged-in User, whose actions are limited to that user's own access rights in Hadoop. The selected identity is used for all activities requiring Hadoop access by Kyvos, such as Dataset Preview and the semantic model process.

Network Configuration

Kyvos supports TLS with mutual authentication for all internal communications and authentication-related traffic. In one-way TLS only the server presents a certificate; with mutual authentication the server also verifies the client. During the handshake the server requests a client certificate, and the client must present one that chains to a CA in the server's truststore before the connection is established.

The following figure displays the Network Protocol Configurations area.

Note

You can also define HTTP2 configuration from the Network Protocol Configurations area. Further, you can specify HTTP2 configuration for the Kyvos Web portal even if TLS is not enabled.

Enter details as:

Parameter/Field

Comments/Description


Enable TLS

Select to enable secure communication (TLS) between client and server.

HTTP Protocol Version

Select the HTTP Protocol to use. Before enabling HTTP2, ensure that the prerequisites are completed.

TLS Protocol

Select the TLS protocol version(s) to allow; for multiple versions, select the corresponding check boxes. Allow only TLS 1.2 and TLS 1.3 where your clients support them: TLS 1.0 and 1.1 are deprecated (RFC 8996) and SSL 3.0 is insecure.

TLS Certificate mode

Select the certificate mode. You can upload a file or provide the path.

Keystore

Provide the location of the keystore file. This file is used by the server when secure communication is enabled and required by the client when mutual authentication is enabled.
Example: /data/KM_SNI/Certificate/keystore.jks

Keystore Private Key

Enter the keystore password.

Truststore 

Provide the location (path) to read the trust store file. This file is required by the client when secure communication is enabled and required by the server when mutual authentication is enabled.
Example: /data/KM_SNI/Certificate/truststore.jks

Truststore Private Key

Enter the truststore password.

Cipher Suite

Enter the cipher suite(s) permitted for communication over TLS. Prefer forward-secret AEAD suites (ECDHE key exchange with AES-GCM or ChaCha20-Poly1305) and exclude suites based on RC4, 3DES, NULL or export-grade ciphers. TLS 1.3 negotiates its own fixed set of AEAD suites, so this list mainly governs TLS 1.2 connections.

Enable Mutual Authentication

Select to enable mutual authentication. 
NOTE: This option is displayed only if you have installed the Kyvos cluster using the war bundle. For other modes, Mutual authentication is enabled automatically.

Kyvos Web Portal Configuration

Certificate

Use Same Certificate as TLS: Select to use the same certificate for TLS and Web portal authentication.
Use Different Certificate: Select to use a different certificate. In this case, you will have to upload or provide the path of the Certificate and enter the Keystore path and Keystore Private Key.

HTTP2 Configuration

APR Lib Path: Provide the absolute path to the Apache Portable Runtime (APR) native library used by the HTTP/2 connector.

Attributes for HTTP2 over TLS connector

Here, provide values for the following parameters:

  • Connector

  • Connector.UpgradeProtocol

  • Connector.SSLHostConfig

  • Connector.SSLHostConfig.Certificate
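The Connector, UpgradeProtocol, SSLHostConfig and Certificate names above correspond to the elements of an Apache Tomcat HTTPS connector. The following server.xml fragment is an added example, not Kyvos' shipped configuration; it assumes the Kyvos web portal runs on a Tomcat connector, and shows how the settings from the Network Configuration table (TLS protocol versions, keystore, truststore, cipher suite and mutual authentication) and the HTTP/2 attributes fit together in one connector. The port and passwords are placeholders, and the file paths are the table's own examples.

```xml
<!-- Illustrative Tomcat HTTP/2-over-TLS connector with mutual authentication.
     Added example for this page; not Kyvos' configuration. Assumes the Kyvos
     web portal is a Tomcat connector. Port, paths and passwords are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="200">

    <!-- HTTP/2 is negotiated via ALPN inside the TLS handshake, so it requires the TLS connector. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- TLS Protocol field: list only the versions you intend to accept.
         Cipher Suite field: forward-secret AEAD suites only (TLS 1.2 names in OpenSSL form;
         TLS 1.3 uses its own fixed AEAD suites and is not affected by this list).
         Enable Mutual Authentication field: certificateVerification="required" makes the
         server demand a client certificate that chains to a CA in the truststore;
         with "none" the truststore is never consulted and any client may connect. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
                   certificateVerification="required"
                   truststoreFile="/data/KM_SNI/Certificate/truststore.jks"
                   truststorePassword="changeit">

        <!-- Keystore field: the server's own certificate and private key.
             Keystore Private Key field: the password that opens this keystore. -->
        <Certificate certificateKeystoreFile="/data/KM_SNI/Certificate/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The keystore and truststore passwords sit in clear text in this file, so restrict server.xml to the service account (mode 0600) just as you would the keytab. The Http11AprProtocol connector needs the Tomcat native library on java.library.path (or LD_LIBRARY_PATH); the APR Lib Path field above is presumably how Kyvos Manager supplies that location, which is an assumption of this example rather than something the page states.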


Copyright Kyvos, Inc. All rights reserved.