
Illumio Core Administration Guide 24.2.20 and 24.2.10

How to Create Kerberos-Authenticated Workloads

This tutorial describes how to create workloads that use Kerberos for authentication. It makes the following assumptions:

  • Your Kerberos implementation is already in place, including a keytab on each workload host.

  • Kerberos realm names are case-sensitive and by convention written in all capital letters, so the realm is shown as MYREALM.

  • VEN environment variables must be set before VEN installation. Environment variables for Linux are detailed in the VEN Installation and Upgrade Guide.

Goals
  • Create two workloads on Linux that are authenticated by Kerberos.

  • Set the workloads' modes to idle and illuminated.

Setup

The key inputs to the ilo command for creating these workloads are the name of the Kerberos realm and the Service Principal Name (SPN).

Steps

The workflow is: authenticate to the PCE, run two workload create commands that also set the workloads' modes, then on each workload host set the VEN environment variables, install the VEN, and run kinit to obtain that workload's Kerberos ticket.

  1. Authenticate to the PCE via API key or explicit login.

  2. Create Kerberos-authenticated myWorkload1 and set its mode to idle:

    ilo workload create --hostname myPCE.BigCo.com --name myWorkload1 --service-principal-name host/myKerberosTicketGrantingServer@MYREALM --agent/config/mode idle

    For information about how the mode is a nested field, see Nested Resource Fields and Wildcards.

  3. Create Kerberos-authenticated myWorkload2 and set its mode to illuminated:

    ilo workload create --hostname myPCE.BigCo.com --name myWorkload2 --service-principal-name host/myKerberosTicketGrantingServer@MYREALM --agent/config/mode illuminated

  4. On each workload host, before installing the VEN, set and export the VEN environment variables so that the installer's scripts inherit them:

    # Activate on installation
    export VEN_INSTALL_ACTION=activate
    # FQDN and port of the PCE to pair with
    export VEN_MANAGEMENT_SERVER=myPCE.BigCo.com:8443
    # Kerberos Service Principal Name: the same SPN given to ilo workload create above, without the @MYREALM suffix
    export VEN_KERBEROS_MANAGEMENT_SERVER_SPN=host/myKerberosTicketGrantingServer
    # Path to the Kerberos GSSAPI shared object library (on many 64-bit distributions it lives under /usr/lib64)
    export VEN_KERBEROS_LIBRARY_PATH=/usr/lib/libgssapi_krb5.so

  5. Install the Linux VEN from the same shell session:

    rpm -ivh illumio-ven*.rpm

  6. On myWorkload1, run kinit to obtain a Kerberos ticket for its host principal from the keytab:

    kinit -k -t /etc/krb5.keytab host/myWorkload1.BigCo.com@MYREALM

  7. On myWorkload2, run kinit to obtain a Kerberos ticket for its host principal from the keytab:

    kinit -k -t /etc/krb5.keytab host/myWorkload2.BigCo.com@MYREALM

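The following script is an added example, not Illumio's own tooling, that drives steps 2 through 7 from a handful of variables and checks, before any command runs, the values that have to agree with one another: the realm must be uppercase, the SPN handed to ilo must carry the realm while the VEN variable must not, the GSSAPI library must exist at the configured path, and the keytab must actually contain the principal kinit is asked for. All host names, the realm, the SPN, the keytab path and the library path are the tutorial's placeholder values and are assumptions; by default the script only prints the commands it would run (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not Illumio's code). Runs the tutorial's workflow from a few
# variables and validates the pieces that must agree before anything executes.
# Usage (assumed values; adjust to your environment):
#   DRY_RUN=0 sh ven-kerberos.sh pce                      # steps 2-3, from an admin host with ilo
#   DRY_RUN=0 sh ven-kerberos.sh ven myWorkload1.BigCo.com  # steps 4-6, on that workload host
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

PCE_FQDN="${PCE_FQDN:-myPCE.BigCo.com}"
PCE_PORT="${PCE_PORT:-8443}"
REALM="${REALM:-MYREALM}"
KDC_SPN="${KDC_SPN:-host/myKerberosTicketGrantingServer}"  # SPN without the realm
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
KRB5_LIB="${KRB5_LIB:-/usr/lib/libgssapi_krb5.so}"         # /usr/lib64/... on many distributions
DRY_RUN="${DRY_RUN:-1}"

# Print a command line in dry-run mode, otherwise evaluate it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$1"; else eval "$1"; fi; }

# Realm names are case-sensitive; a lowercase realm would not match the KDC's
# and every ticket request would fail. Succeeds only for a non-empty, all-uppercase realm.
check_realm() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "$1" ]
}

# ilo takes the SPN with the realm (host/kdc@MYREALM); the VEN variable takes it
# without. Print the realm-qualified form, leaving an already qualified SPN as is.
qualify_spn() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# Host principal that kinit uses for a workload: host/<fqdn>@<REALM>.
workload_principal() { printf 'host/%s@%s\n' "$1" "$2"; }

# Compose the "ilo workload create" command for one workload and mode
# (only the two modes this tutorial uses are accepted).
ilo_create_cmd() {
    case "$2" in
        idle | illuminated) ;;
        *) echo "unsupported mode: $2" >&2; return 1 ;;
    esac
    printf 'ilo workload create --hostname %s --name %s --service-principal-name %s --agent/config/mode %s\n' \
        "$PCE_FQDN" "$1" "$(qualify_spn "$KDC_SPN" "$REALM")" "$2"
}

# kinit -k reports a missing principal only after talking to the KDC; looking in
# the keytab first (klist -k) makes the failure local and obvious.
keytab_has_principal() { klist -k "$1" 2>/dev/null | grep -qF "$2"; }

# Steps 2-3, run from an admin host after ilo is authenticated to the PCE.
create_workloads() {
    run "$(ilo_create_cmd myWorkload1 idle)"
    run "$(ilo_create_cmd myWorkload2 illuminated)"
}

# Steps 4-6/7, run on one workload host; $1 is that host's FQDN.
install_ven() {
    # The rpm scriptlets only see variables that are exported.
    export VEN_INSTALL_ACTION=activate
    export VEN_MANAGEMENT_SERVER="$PCE_FQDN:$PCE_PORT"
    export VEN_KERBEROS_MANAGEMENT_SERVER_SPN="$KDC_SPN"
    export VEN_KERBEROS_LIBRARY_PATH="$KRB5_LIB"
    if [ "$DRY_RUN" != 1 ] && [ ! -r "$KRB5_LIB" ]; then
        echo "GSSAPI library not found at $KRB5_LIB" >&2; return 1
    fi
    run "rpm -ivh illumio-ven*.rpm"
    p=$(workload_principal "$1" "$REALM")
    if [ "$DRY_RUN" != 1 ] && ! keytab_has_principal "$KEYTAB" "$p"; then
        echo "$p is not in $KEYTAB" >&2; return 1
    fi
    run "kinit -k -t $KEYTAB $p"
    run "klist"   # show the ticket that was just obtained
}

main() {
    check_realm "$REALM" || { echo "realm must be uppercase: $REALM" >&2; return 1; }
    case "${1:-}" in
        pce) create_workloads ;;
        ven) install_ven "${2:?workload FQDN required}" ;;
        *)   echo "usage: $0 pce | ven <workload-fqdn>" >&2 ;;
    esac
}
main "$@"
```

With the defaults, `sh ven-kerberos.sh pce` prints exactly the two ilo commands from steps 2 and 3, and `sh ven-kerberos.sh ven myWorkload1.BigCo.com` prints the rpm and kinit lines from steps 5 and 6; set DRY_RUN=0 only once the printed commands look right for your environment.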
Results

The Kerberos-authenticated workloads are created, set to the desired modes, and each holds a Kerberos ticket for its host principal (run klist on the workload to confirm).