GSSAPI Authentication

A GSSAPI-encrypted connection encrypts everything transmitted over the network, including queries and result sets; because authentication is performed with Kerberos tickets, no password is sent over the network at all. This provides both confidentiality and integrity for data in transit.

Configuration Overview

In YMatrix, GSSAPI authentication and encryption are provided by Kerberos. Kerberos authentication is enabled per connection type in the pg_hba.conf file: clients authenticate with Kerberos tickets issued by the Kerberos Key Distribution Center (KDC), so only users known to the KDC and mapped to a database role can access the database.

  • Example pg_hba.conf configuration (the hostgssenc type matches only connections that are GSSAPI-encrypted; the gss method selects Kerberos authentication):
  hostgssenc  all    mxadmin   10.51.0.40/32    gss

Usage Example

Note!
Ensure that the YMatrix server is installed and running. If not yet installed, refer to Quick Installation for setup instructions.

  1. Install Kerberos client tools
  sudo yum install krb5-workstation
  2. Create a Kerberos service principal

On the Kerberos administration server, create a service principal for the YMatrix service. The service principal name follows the format servicename/hostname@REALM, for example postgres/[email protected].

  • Use the kadmin tool to create the service principal:
  kadmin
  • At the kadmin prompt, run the following command to create a service principal with a random key:
  addprinc -randkey postgres/[email protected]
  3. Export the service principal's key

Export the service principal's key into a keytab file. Run the following command:

Note!
Replace /path/to/postgresql.keytab with the desired path for storing the keytab file.

  ktadd -k /path/to/postgresql.keytab postgres/[email protected]
  4. Distribute the keytab file

Copy the generated keytab file to the host running the YMatrix server, and ensure the YMatrix server has read access to this file. For example:

  scp /path/to/postgresql.keytab [email protected]:/etc/postgresql.keytab
  5. Modify the pg_hba.conf file

In the pg_hba.conf file, add an entry (or change an existing one) whose authentication method is gss.

  host all all 10.51.0.40/32 gss

This entry allows the client at 10.51.0.40 (a /32 mask matches exactly one address) to access all databases as any role, authenticating with GSSAPI (Kerberos).
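As an added illustration (not from this page or from YMatrix's own code), the following Python matcher for the TCP entries of pg_hba.conf shows why the hostgssenc entry in the overview and the plain host entry in this step behave differently: gss in the METHOD column selects Kerberos authentication, while only a hostgssenc TYPE requires the connection itself to be GSSAPI-encrypted. The sample entries, role names and client addresses are constructed.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the page). Entries are evaluated top to
# bottom and the first match wins, as in PostgreSQL; "gss" is the authentication
# method, while the TYPE column decides whether GSSAPI *encryption* is required.
SAMPLE_HBA = """
# TYPE         DATABASE  USER     ADDRESS         METHOD
hostgssenc     all       mxadmin  10.51.0.40/32   gss
hostnogssenc   all       all      0.0.0.0/0       reject
host           all       all      10.51.0.0/24    gss
"""

def parse_hba(text):
    """Parse TCP entries (host, hostgssenc, hostnogssenc) into dicts.
    Simplified: no 'local' lines, no '+group' users, no comma lists, no sameuser."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue
        conn_type, db, user, addr, method = line.split()[:5]
        entries.append({"type": conn_type, "db": db, "user": user,
                        "net": ipaddress.ip_network(addr, strict=False),
                        "method": method})
    return entries

def match_hba(entries, db, user, client_ip, gss_encrypted):
    """Return the METHOD of the first entry matching the connection, or None
    (PostgreSQL rejects a connection that matches no entry)."""
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if e["type"] == "hostgssenc" and not gss_encrypted:
            continue  # hostgssenc only matches GSSAPI-encrypted connections
        if e["type"] == "hostnogssenc" and gss_encrypted:
            continue  # hostnogssenc only matches unencrypted ones; plain host matches both
        if e["db"] not in ("all", db) or e["user"] not in ("all", user):
            continue
        if ip not in e["net"]:
            continue
        return e["method"]
    return None

if __name__ == "__main__":
    hba = parse_hba(SAMPLE_HBA)
    print(match_hba(hba, "postgres", "mxadmin", "10.51.0.40", True))   # gss
    print(match_hba(hba, "postgres", "mxadmin", "10.51.0.40", False))  # reject
```

With a plain host entry alone, a Kerberos-authenticated but unencrypted connection would still be accepted; the hostnogssenc ... reject entry is what turns the encryption requirement into policy.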

  6. Modify the postgresql.conf file

Open the YMatrix main configuration file postgresql.conf, and set the krb_server_keyfile parameter to specify the path of the keytab file.

  krb_server_keyfile = '/etc/postgresql.keytab'
  7. Restart the YMatrix server

After saving changes to the configuration files, restart the YMatrix server to apply the new settings.

  mxstop -u
  8. Create a Kerberos user mapping

Map the Kerberos principal to a database user:

  CREATE USER "username@REALM";
  9. Obtain a Kerberos ticket

On the client system, use the kinit command to obtain a Kerberos ticket:

  kinit username@REALM

Replace username with the user's Kerberos username and REALM with the Kerberos realm.

  10. Connect to the YMatrix database

Use a YMatrix client tool that supports Kerberos authentication to connect to the database. If the client supports automatic Kerberos ticket acquisition, you do not need to manually specify a username or password.

  psql -h server.example.com -U username dbname
  -- On a successful login, psql reports the encrypted connection in its banner:
  GSSAPI-encrypted connection
  11. Verify Kerberos authentication

Check the YMatrix server log files to confirm that Kerberos authentication was successful.