You can use Kerberos authentication for vRealize Orchestrator plug-ins.

Configure the krb5.conf file

  1. Create or edit the krb5.conf file at /data/vco/usr/lib/vco/app-server/conf/.
    A krb5.conf file has the following structure:

    [libdefaults]
    default_realm = YOURDOMAIN.COM
    [realms]
    YOURDOMAIN.COM = {
    kdc = dc.yourdomain.com
    default_domain = yourdomain.com
    }
    [domain_realm]
    .yourdomain.com=YOURDOMAIN.COM
    yourdomain.com=YOURDOMAIN.COM

    The krb5.conf file must contain the following configuration parameters with their values.

    Kerberos configuration tag   Details
    default_realm                The default Kerberos realm that a client uses to authenticate against an Active Directory server. Must be in uppercase letters.
    kdc                          The domain controller that acts as a Key Distribution Center (KDC) and issues Kerberos tickets.
    default_domain               The default domain that is used to produce a fully qualified domain name. This tag is used for Kerberos 4 compatibility.

    To allow ticket forwarding to other external systems, add the forwardable = true flag. For additional information, see the Oracle documentation on the krb5.conf file.

    By default, the Java Kerberos configuration uses the UDP protocol. To use only the TCP protocol, set the udp_preference_limit parameter to a value of 1.

    Note: Kerberos authentication requires a Fully Qualified Domain Name (FQDN) host address.
    Important: When you add or modify the krb5.conf file, you must restart the vRealize Orchestrator server service.

    If you have a clustered vRealize Orchestrator environment, make sure that the krb5.conf file exists in all three appliances with the same configuration before you restart the vRealize Orchestrator pods.

  2. Change the file permissions.
    chmod 644 krb5.conf
  3. Identify the vRealize Orchestrator pod to redeploy.
    kubectl -n prelude get pods

    Look for an entry similar to vco-app-<ID>.

  4. Destroy the pod.
    kubectl -n prelude delete pod vco-app-<ID>

    A new pod is automatically deployed to replace the pod you destroyed.
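    The following script is an added example and is not VMware tooling or part of the vRealize Orchestrator appliance. It checks a krb5.conf against the requirements in the steps above before you destroy the pod: an uppercase default_realm, a kdc and default_domain inside that realm's block, a file mode of 644, and whether the optional forwardable and udp_preference_limit settings are present. The sample file written by make_sample_conf is constructed for the demonstration; YOURDOMAIN.COM and dc.yourdomain.com are the placeholders the page uses, and the key = value layout it parses is the one shown in the sample above.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: sanity-check a krb5.conf before
# restarting the vRealize Orchestrator pod. Assumes the "key = value" layout
# shown in the procedure's sample file.

# Print the value of key $1 from the [libdefaults] section of file $2 (empty if absent).
libdefault() {
    awk -F= -v k="$1" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec { key = $1; val = $2; gsub(/[[:space:]]/, "", key)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                if (key == k) { print val; exit } }
    ' "$2"
}

# Print the value of key $1 inside the { ... } block of realm $2 in [realms] of file $3.
realm_setting() {
    awk -F= -v k="$1" -v r="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); inblk = 0; next }
        insec && !inblk   { key = $1; gsub(/[[:space:]]/, "", key)
                            if (key == r && index($2, "{") > 0) inblk = 1; next }
        inblk && index($0, "}") > 0 { inblk = 0; next }
        inblk { key = $1; val = $2; gsub(/[[:space:]]/, "", key)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                if (key == k) { print val; exit } }
    ' "$3"
}

# Validate file $1. Prints findings; returns 0 when every required setting is
# present and well formed, 1 otherwise.
check_krb5_conf() {
    conf="$1"; errors=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    realm=$(libdefault default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "ERROR: default_realm is missing from [libdefaults]"; errors=$((errors + 1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "ERROR: default_realm '$realm' must be uppercase"; errors=$((errors + 1))
    else
        for key in kdc default_domain; do
            if [ -z "$(realm_setting "$key" "$realm" "$conf")" ]; then
                echo "ERROR: $key is not set in the [realms] block for $realm"
                errors=$((errors + 1))
            fi
        done
    fi

    # Step 2 of the procedure sets mode 644: readable by the service, writable only by root.
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    [ "$mode" = "644" ] || { echo "ERROR: file mode is $mode, expected 644"; errors=$((errors + 1)); }

    # Optional settings mentioned in the text: report, do not fail.
    if [ "$(libdefault forwardable "$conf")" = "true" ]; then
        echo "INFO: forwardable = true, tickets can be forwarded to external systems"
    else
        echo "INFO: forwardable not set, ticket forwarding disabled (the safer default)"
    fi
    if [ "$(libdefault udp_preference_limit "$conf")" = "1" ]; then
        echo "INFO: udp_preference_limit = 1, KDC traffic uses TCP only"
    else
        echo "INFO: udp_preference_limit is not 1, Java tries UDP first"
    fi

    [ "$errors" -eq 0 ]
}

# Write a constructed sample krb5.conf to a temp file and print its path.
# "good" writes a conforming file; anything else writes a lowercase realm with no kdc.
make_sample_conf() {
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
[libdefaults]
default_realm = YOURDOMAIN.COM
udp_preference_limit = 1
[realms]
YOURDOMAIN.COM = {
kdc = dc.yourdomain.com
default_domain = yourdomain.com
}
[domain_realm]
.yourdomain.com=YOURDOMAIN.COM
yourdomain.com=YOURDOMAIN.COM
EOF
    else
        printf '[libdefaults]\ndefault_realm = yourdomain.com\n[realms]\nyourdomain.com = {\ndefault_domain = yourdomain.com\n}\n' > "$f"
    fi
    chmod 644 "$f"
    echo "$f"
}

# Usage on the appliance: sh check_krb5.sh /data/vco/usr/lib/vco/app-server/conf/krb5.conf
if [ $# -gt 0 ]; then
    check_krb5_conf "$1"
fi
```

    Run it against the real file before step 4; a non-zero exit means the pod would come up with a configuration that Kerberos authentication cannot use, and the INFO lines tell you whether ticket forwarding and TCP-only KDC traffic are in effect.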

Enable Kerberos debug logging

You can troubleshoot vRealize Orchestrator plug-in problems by modifying the Kerberos configuration file used by the plug-in.

The Kerberos configuration file is located in the /data/vco/usr/lib/vco/app-server/conf/ directory of the vRealize Orchestrator Appliance.

  1. Log in to the vRealize Orchestrator Appliance command line as root.
  2. Run the kubectl -n prelude edit deployment vco-app command.
  3. In the deployment file, locate the -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf string and append the debug property so that it reads:
    -Djava.security.krb5.conf=/usr/lib/vco/app-server/conf/krb5.conf -Dsun.security.krb5.debug=true
  4. Save the changes and exit the file editor.
  5. Run the kubectl -n prelude get pods command. Wait until all pods are running.
  6. To monitor the Kerberos login, run the following command.
    tail -f /services-logs/prelude/vco-app/console-logs/vco-server-app.log
  7. Alternatively, you can enable debug logging in the vRealize Orchestrator configurator by adding the sun.security.krb5.debug = true system property.