Configuring Kerberos Authentication

If you are connecting to a DataStax Enterprise (DSE) server, you can use Kerberos authentication.

To use Kerberos authentication, your application must be configured to use a JAAS config file. You may need to see your application's documentation for instructions.

One way to configure your application to use a JAAS config file is to pass the following argument when you launch the JVM for your application:

-Djava.security.auth.login.config=jaas.conf

The specified JAAS config file must contain an entry for DseClient with the Krb5LoginModule required. The examples below show two different means of obtaining the user's credentials.

For example, you can use a ticket cache:

DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useTicketCache=true;
};

As another example, you can specify the credentials in the JAAS config file (replace the values for principal and keyTab with your system's values):

DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    doNotPrompt=true
    principal="client@DSE"
    keyTab="dse-client.keytab";
};

To configure Kerberos authentication:

  1. Create a JAAS config file as described above.
  2. Configure your application to use that JAAS config file.
  3. In the connection URL, set the AuthMech property to 3. For more information about the syntax of the connection URL, see Building the Connection URL.

For example:

jdbc:cassandra://;AuthMech=3;
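
A pre-flight check for steps 1 and 2, as an added example that is not part of the driver or its documentation: it confirms that the JVM actually loads a DseClient entry with Krb5LoginModule marked required, then attempts the Kerberos login on its own, before any JDBC connection is made. The class name JaasPreflight is hypothetical, and the keytab permission warning is an addition based on the fact that a keytab stores long-term keys.

```java
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Map;
import javax.security.auth.login.*;

// Added example, not driver code; JaasPreflight is a hypothetical class name.
// Launch it with the same -Djava.security.auth.login.config=... argument as the application.
public class JaasPreflight {
    static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    public static void main(String[] args) throws Exception {
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry("DseClient");
        } catch (SecurityException e) { // JAAS file missing or unparsable
            throw new IllegalStateException("JAAS config could not be loaded", e);
        }
        if (entries == null) throw new IllegalStateException("no DseClient entry in JAAS config");
        boolean found = false;
        for (AppConfigurationEntry e : entries) {
            if (!KRB5.equals(e.getLoginModuleName())) continue;
            found = true;
            if (e.getControlFlag() != AppConfigurationEntry.LoginModuleControlFlag.REQUIRED)
                throw new IllegalStateException("Krb5LoginModule is not marked required");
            Map<String, ?> opts = e.getOptions();
            if ("true".equalsIgnoreCase(String.valueOf(opts.get("useKeyTab"))))
                checkKeytab((String) opts.get("keyTab"));
        }
        if (!found) throw new IllegalStateException("DseClient does not use Krb5LoginModule");
        // doNotPrompt=true in both configurations, so no CallbackHandler is supplied.
        LoginContext lc = new LoginContext("DseClient");
        lc.login(); // throws LoginException if no usable ticket or key is found
        System.out.println("Authenticated as " + lc.getSubject().getPrincipals());
        lc.logout();
    }

    static void checkKeytab(String keyTab) throws Exception {
        if (keyTab == null) return; // the module falls back to its default keytab location
        Path p = Paths.get(keyTab);
        if (!Files.isReadable(p)) throw new IllegalStateException("keytab not readable: " + p);
        try {
            for (PosixFilePermission perm : Files.getPosixFilePermissions(p))
                if (!perm.name().startsWith("OWNER_")) // a keytab holds long-term keys
                    System.err.println("WARNING: " + p + " grants " + perm + "; restrict it to the owner");
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system: permission check skipped.
        }
    }
}
```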