Caché Installation Guide - InterSystems Documentation
Preparing for Caché Advanced Security
is in most cases cache (except when more than one Caché server instance is on one Windows machine). For example, the service principal names for the service accounts created in the previous examples become:
cache/WINSRVR.testdomain.com
cache2/WINSRVR.testdomain.com
When you add a remote server connection to the preferred server list on the Caché Cube, the Caché Server Manager pre-fills the service principal name if you choose Kerberos. Therefore, if you do not use these recommended naming conventions, take special care to enter the appropriate name in the Service Principal Name field. See the “Connecting to Remote Servers” chapter of the Caché System Administration Guide for the detailed procedure.
Note: For detailed information on the setspn tool, see the Microsoft Setspn.exe page for Windows 2000 or the Setspn Overview page for Windows 2003.
C.1.2 Create Service Accounts for Non-Windows Caché Servers with a Windows Domain Controller
Before you install Caché in a Windows domain, the Windows domain administrator must create a service account for each Caché server on a non-Windows machine that uses the Windows domain controller. Create one service account for each machine, regardless of the number of Caché server instances on that machine.
A suggested naming convention for these accounts is “cacheHOST,” which is the literal, cache, followed by the host computer name in uppercase. For example, if you run a Caché server on a non-Windows machine called UNIXSRVR, name the domain account cacheUNIXSRVR. For Caché servers on non-Windows platforms, this is the account that maps to the Kerberos service principal.
When you create this account on the Windows domain controller, Caché requires that the account have the following characteristics:
• Set the Password never expires property.
• Set the Use DES encryption types for this account property.
A non-Windows Caché server that is set up in the Windows domain must have a keytab file from the Windows domain. A keytab file is a file containing the service name for the Caché server and its key.
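An added example, not taken from the InterSystems guide: a reader for the MIT keytab layout (file version 0x0502) that lists each entry's service principal, key version and encryption type without printing the key, so the file can be checked against the service account. The sample entry, its principal name (modelled on the naming shown above) and its dummy key are constructed for illustration.

```python
import struct

# IANA Kerberos encryption type numbers; 1 and 3 are the single-DES types.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """List the entries of an MIT-format keytab (file version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # deleted slot: skip abs(size) bytes
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, cur = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, cur = _counted(entry, cur)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit key version, encryption type (11 bytes)
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, cur)
        key, cur = _counted(entry, cur + 11)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "des": etype in (1, 3), "key_len": len(key)})
    return entries

def build_sample():
    """Constructed sample: one des-cbc-md5 entry with a dummy all-0x11 key."""
    def cs(b):
        return struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"TESTDOMAIN.COM") + cs(b"cache")
            + cs(b"UNIXSRVR.testdomain.com")       # hypothetical host name
            + struct.pack(">IIBH", 1, 0, 3, 3) + cs(b"\x11" * 8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Calling `parse_keytab(build_sample())` returns one entry for `cache/UNIXSRVR.testdomain.com@TESTDOMAIN.COM` with enctype `des-cbc-md5`; pass the bytes of a real keytab file to inspect it the same way.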
To accomplish this, map the Windows service account (cacheUNIXSRVR, in this example) to a service principal on the Caché server and extract the key from the account using the