> For the complete documentation index, see [llms.txt](https://docs.pentaho.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.pentaho.com/pdia-admin/9.3-administer/secure-the-pentaho-system/big-data-security/how-to-enable-kerberos-authentication/set-up-kerberos-for-pentaho.md). # Set Up Kerberos for Pentaho How you can set up Kerberos on a machine that the Pentaho Server can access to connect to Big Data clusters depends on your operating system. ## Configure Kerberos * [Configure Kerberos on Linux](#configure-kerberos-on-linux) * [Configure Kerberos for Windows](#configure-kerberos-for-windows) ### Configure Kerberos on Linux To configure Linux computers, complete these tasks. #### Configure JCE The KDC configuration uses an “unlimited” AES-256 encryption setting by default for the Java Cryptographic Extension (JCE) files. However, the import and export control rules about cryptographic software vary by country. If you must change this encryption to remain in compliance, then you can adjust the strength by updating the security property. **Note:** You may need to consult your export/import control counsel to determine the exact cryptographic policy for your location. Perform the following steps if you must configure JCE: 1. Open the `pentaho/java/conf/security/java.security` file in any text editor. 2. Locate the # Cryptographic Jurisdiction Policy defaults section and set the `crypto.policy` as shown: `crypto.policy=limited` 3. Save the file and close the text editor. #### Modify the Kerberos configuration file Perform the following steps to modify your Kerberos configuration file: 1. Open the `krb5.conf` file with any text editor. The default location is the `/etc` directory. 2. Add your realm, KDC, and Admin Server information as shown in the following example: ``` [libdefaults] default_realm = ... [realms] = { kdc= admin_server= ... } [domain_realm] <.your_realm.com> = = ``` 3. Save and close the configuration file. 4. Restart the computer. #### Synchronize clocks Synchronize the clock on the Linux client with the clock on the Hadoop cluster. If the timestamp on the client requests differs too much from the clock on the cluster, Kerberos will not authenticate the user. Consult your operating system's documentation for information on setting your systems clock. #### Obtain Kerberos ticket To obtain a Kerberos ticket, complete these steps. 1. Open a Terminal window and type `kinit` at the prompt. 2. Enter a password when prompted. 3. Make sure that the Kerberos ticket was granted by typing `klist` at the prompt. The authentication information appears. ### Configure Kerberos for Windows To configure Kerberos on Windows computers, complete these tasks. #### Configure JCE The KDC configuration uses an “unlimited” AES-256 encryption setting by default for the Java Cryptographic Extension (JCE) files. However, the import and export control rules about cryptographic software vary by country. If you must change this encryption to remain in compliance, then you can adjust the strength by updating the security property. **Note:** You may need to consult your export/import control counsel to determine the exact cryptographic policy for your location. Perform the following steps if you must configure JCE: 1. Open the `pentaho\java\conf\security\java.security` file in any text editor. 2. Locate the # Cryptographic Jurisdiction Policy defaults section and set the `crypto.policy` as shown: `crypto.policy=limited` 3. Save the file and close the text editor. #### Download and install Kerberos Download and install a Kerberos server. We recommend that you use the Heimdal implementation of Kerberos, which can be found here: . #### Modify the Kerberos configuration file Perform the following steps to modify your Kerberos configuration file: 1. Open the `krb5.conf` file with any text editor. The default location is the `C:\ProgramData\Kerberos` directory. 2. Add your realm, KDC, and Admin Server information as shown in the following example: ``` [libdefaults] default_realm = ... [realms] = { kdc= admin_server= ... } [domain_realm] <.your_realm.com> = = ``` 3. Save and close the configuration file. 4. Make a copy of the configuration file and place it in the `c:\Windows` directory. Rename the file `krb5.ini`. 5. Restart the computer. #### Synchronize clocks Synchronize the clock on the Windows client with the clock on the Hadoop cluster. If the timestamp on the client requests differs too much from the clock on the cluster, Kerberos will not authenticate the user. Consult your operating system's documentation for information on setting your systems clock. The times on the Windows clock and the Hadoop cluster clock must not be greater than the range you entered for the clockskew variable in `krb5.conf` file. Consult your operating system's documentation for information on setting your systems clock. ## Obtain Kerberos ticket To obtain a Kerberos ticket, complete these steps. 1. Open a Command Prompt window and type `kinit` at the prompt. 2. Enter a password when prompted. 3. Make sure that the Kerberos ticket was granted by typing `klist` at the prompt. The authentication information appears. **Note:** If you are using the Heimdal version of Kerberos, the `klist` command output should not have the `Current LoginId is ...` prompt. ## Set up user accounts and network access for all OS Ensure that user accounts and network access has been granted. Specific tasks include: * Ensure the ports you plan to use are open between the cluster and computers running Pentaho components, like the Pentaho Server, Spoon, PRD, and PME. * Make sure each server can use a hostname to access each computer on the cluster. Test to ensure that IP addresses resolve to hostnames using both forward and reverse lookups. * Add user account credentials for each Pentaho user needing access to the cluster through the Kerberos database. * Make sure the UID and GID for the user that you are running your jobs as on the matches the user UID and GID of that user for every computer of the cluster. ## Next step See the **Install Pentaho Data Integration and Analytics** document to continue configurating your cluster connection with Pentaho. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.pentaho.com/pdia-admin/9.3-administer/secure-the-pentaho-system/big-data-security/how-to-enable-kerberos-authentication/set-up-kerberos-for-pentaho.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.