
Informatica® 10.4.0
Security Guide

Informatica Security Guide
10.4.0
December 2019

© Copyright Informatica LLC 2013, 2020

This software and documentation are provided only under a separate license agreement containing restrictions on use and disclosure. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC.

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation is subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License.

Informatica, the Informatica logo, Informatica Cloud, PowerCenter, and PowerExchange are trademarks or registered trademarks of Informatica LLC in the United States and many jurisdictions throughout the world. A current list of Informatica trademarks is available on the web at https://www.informatica.com/trademarks.html. Other company and product names may be trade names or trademarks of their respective owners.

Portions of this software and/or documentation are subject to copyright held by third parties. Required third party notices are included with the product.

The information in this documentation is subject to change without notice. If you find any problems in this documentation, report them to us at [email protected].

Informatica products are warranted according to the terms and conditions of the agreements under which they are provided. INFORMATICA PROVIDES THE INFORMATION IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT.

Publication Date: 2020-06-26

Table of Contents

Preface
    Informatica Resources
    Informatica Network
    Informatica Knowledge Base
    Informatica Documentation
    Informatica Product Availability Matrices
    Informatica Velocity
    Informatica Marketplace
    Informatica Global Customer Support

Chapter 1: Introduction to Informatica Security
    Overview of Informatica Security
    Infrastructure Security
    Authentication
    Secure Domain Communication
    Secure Data Storage
    Operational Security
    Domain Configuration Repository
    Security Domain

Chapter 2: User Authentication
    User Authentication Overview
    Native User Authentication
    LDAP User Authentication
    Kerberos Authentication
    SAML Authentication for Informatica Web Applications

Chapter 3: LDAP Authentication
    Overview
    LDAP Security Domains
    User Account Synchronization
    LDAP Directory Services
    Azure Active Directory for Secure LDAP Authentication
    Creating an LDAP Configuration
    Create the LDAP Configuration and Configure the LDAP Server Connection
    Configure the Security Domain
    Configure the Synchronization Schedule
    Using Nested Groups in the LDAP Directory Service
    Using a Self-Signed SSL Certificate
    Deleting an LDAP Configuration

Chapter 4: Kerberos Authentication
    Kerberos Overview
    How Kerberos Works in an Informatica Domain
    Kerberos Cross Realm Authentication
    Converting a Domain From Kerberos Single Realm Authentication to Kerberos Cross Realm Authentication
    Preparing to Enable Kerberos Authentication
    Determine the Kerberos Service Principal Level
    Configure the Kerberos Configuration File
    Create Kerberos Principal Accounts in Active Directory
    Generate the Service Principal Name and Keytab File Name Formats
    Generate the Keytab Files
    Enable Delegation for the Kerberos Principal User Accounts in Active Directory
    Enabling Kerberos Authentication
    Enable Kerberos Authentication in the Domain
    Update the Nodes in the Domain
    Enabling Kerberos on Informatica Nodes
    Copy the Keytab Files to the Informatica Nodes
    Enable Kerberos Authentication for Informatica Clients
    Enabling User Accounts to Use Kerberos Authentication
    Import User Accounts from Active Directory into LDAP Security Domains
    Migrate Native User Privileges and Permissions to the Kerberos Security Domain

Chapter 5: SAML Authentication for Informatica Web Applications
    SAML Authentication Overview
    SAML Authentication Process
    Enable SAML Authentication in a Domain
    Create an LDAP Configuration for the Identity Provider or LDAP Store
    Export the Assertion Signing Certificate
    Import the Certificate into the Truststore Used for SAML Authentication
    Configure the Identity Provider
    Add Informatica Web Application URLs to the Identity Provider
    Enable SAML Authentication in the Domain
    Enable SAML Authentication on the Gateway Nodes
    Configuring Web Applications to Use Different Identity Providers
    Prepare to Use an Identity Provider
    Configure Informatica Administrator to Use an Identity Provider
    Configure an Informatica Web Application

Chapter 6: Domain Security
    Domain Security Overview
    Secure Communication Within the Domain
    Secure Communication for Services and the Service Manager
    Secure Domain Configuration Repository Database
    Secure PowerCenter Repository Database
    Secure Model Repository Database
    Secure Communication for Workflows and Sessions
    Secure Connections to a Web Application Service
    Requirements for Secure Connections to Web Application Services
    Enabling Secure Connections to the Administrator Tool
    Informatica Web Application Services
    Cipher Suites for the Informatica Domain
    Create the Cipher Suite Lists
    Configure the Informatica Domain with a New Effective List of Cipher Suites
    Secure Sources and Targets
    Data Integration Service Sources and Targets
    PowerCenter Sources and Targets
    Secure Data Storage