I have a Spring Boot war (microservices) deployed in Tomcat (v8). The microservices endpoint is exposed as an API in an API gateway.
The microservices will call the underlying HBase data source to retrieve a dataset, and it needs Kerberos authentication before calling HBase.
My query is: do we need to explicitly handle this in the microservice code to enable Kerberos authentication, or will placing the jass.conf in the Tomcat conf directory where the microservices war is deployed suffice? The jass.conf configuration is as specified in: https://examples.javacodegeeks.com/enterprise-java/tomcat/apache-tomcat-kerberos-authentication-tutorial/
My jass.conf file contents:
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/MYDOMAIN.COM" useKeyTab=true
    keyTab="/opt/tomcat_server/tomcat_server/tomcat/conf/krb5.keytab"
    doNotPrompt=true storeKey=true debug=true;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/MYDOMAIN.COM" useKeyTab=true
    keyTab="/opt/tomcat_server/tomcat_server/tomcat/conf/krb5.keytab"
    doNotPrompt=true storeKey=true debug=true;
};
Getting the below error in Tomcat when I just placed my jass.conf in the tomcat/conf dir without any changes to the microservices code:
INFO org.apache.zookeeper.ClientCnxn- Opening socket connection to server
<server name>. Will not attempt to authenticate using SASL (unknown error)
I took the approach of handling the Kerberos authentication using a service account and handled the same in the application (Java) code. Also, created a keytab for that service account for a valid Kerberos ticket.
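
The in-application approach described above, as an added example (not the poster's code): it logs in from a keytab with Hadoop's UserGroupInformation and opens the HBase connection under that identity. The class name, principal, keytab path and the table/row arguments are hypothetical placeholders, and the cluster's server principals and ZooKeeper quorum are assumed to come from an hbase-site.xml on the classpath.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class KerberizedHBaseClient implements AutoCloseable {
    // Hypothetical placeholders: use the real service account and a keytab
    // readable only by the OS user that runs Tomcat.
    private static final String PRINCIPAL = "svc-account@EXAMPLE.REALM";
    private static final String KEYTAB = "/path/to/svc-account.keytab";

    private final UserGroupInformation ugi;
    private final Connection connection;

    public KerberizedHBaseClient() throws Exception {
        // Loads hbase-site.xml (assumed to be on the classpath).
        Configuration conf = HBaseConfiguration.create();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Obtain a TGT from the keytab; returns a UGI scoped to this client
        // instead of replacing the JVM-wide login user.
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);
        connection = ugi.doAs((PrivilegedExceptionAction<Connection>)
                () -> ConnectionFactory.createConnection(conf));
    }

    public Result get(String table, String rowKey) throws Exception {
        // Long-running services must renew: re-login if the TGT is near expiry.
        ugi.checkTGTAndReloginFromKeytab();
        return ugi.doAs((PrivilegedExceptionAction<Result>) () -> {
            try (Table t = connection.getTable(TableName.valueOf(table))) {
                return t.get(new Get(Bytes.toBytes(rowKey)));
            }
        });
    }

    @Override
    public void close() throws Exception {
        connection.close();
    }
}
```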