Implementation Guide¶
This guide provides step-by-step instructions for implementing ZeroTrustKerberosLink in your environment. Each section focuses on a specific aspect of the implementation process.
Table of Contents¶
- Prerequisites
- Architecture Overview
- Installation
- Configuration
- AWS Integration
- Security Hardening
- Testing
- Monitoring
- Troubleshooting
Prerequisites¶
Before implementing ZeroTrustKerberosLink, ensure your environment meets the following requirements:
System Requirements¶
- Linux-based operating system (Ubuntu 20.04+ or RHEL/CentOS 8+)
- Docker 20.10+ or Kubernetes 1.19+
- AWS CLI v2
- Python 3.8+
Network Requirements¶
- Outbound access to AWS services
- Connectivity to your Kerberos KDC
- Recommended: Dedicated subnet for ZeroTrustKerberosLink
AWS Account Requirements¶
- IAM permissions to create roles and policies
- AWS STS service enabled
- Cross-account access configured (if applicable)
Kerberos Requirements¶
- Functional Kerberos infrastructure
- Service principal for ZeroTrustKerberosLink
- Keytab file for the service principal
Architecture Overview¶
ZeroTrustKerberosLink consists of several components working together:
Core Components¶
- Authentication Service: Handles Kerberos authentication
- Policy Engine: Evaluates access policies and context
- AWS Connector: Manages AWS role assumption
- Redis Cache: Stores session information
- Monitoring Agent: Collects metrics and logs
Deployment Options¶
- Standalone: Single-instance deployment
- High Availability: Multi-instance deployment with load balancing
- Kubernetes: Containerized deployment on Kubernetes
Network Architecture¶
┌─────────────────┐ ┌───────────────────┐ ┌──────────────┐
│ │ │ │ │ │
│ Enterprise │◄───▶│ ZeroTrust │◄───▶│ AWS │
│ Network │ │ KerberosLink │ │ Services │
│ │ │ │ │ │
└─────────────────┘ └───────────────────┘ └──────────────┘
▲ ▲
│ │
▼ ▼
┌─────────────────┐ ┌───────────────────┐
│ │ │ │
│ Kerberos KDC │ │ Redis Cache │
│ │ │ │
└─────────────────┘ └───────────────────┘
Installation¶
Follow these steps to install ZeroTrustKerberosLink:
Using Docker¶
- Pull the Docker image:
docker pull zerotrustkerberos/kerberos-aws-proxy:latest
- Create a configuration directory:
mkdir -p /etc/zerotrustkerberos/config
- Run the container:
docker run -d \
--name zerotrustkerberos \
-v /etc/zerotrustkerberos:/etc/zerotrustkerberos \
-p 8080:8080 \
zerotrustkerberos/kerberos-aws-proxy:latest
Using Kubernetes¶
- Create a namespace:
kubectl create namespace zerotrustkerberos
- Create a ConfigMap for configuration:
kubectl create configmap zerotrustkerberos-config \
--from-file=/path/to/config.yaml \
-n zerotrustkerberos
- Create a Secret for sensitive data:
kubectl create secret generic zerotrustkerberos-secrets \
--from-file=/path/to/krb5.keytab \
-n zerotrustkerberos
- Apply the deployment manifest:
kubectl apply -f zerotrustkerberos-deployment.yaml -n zerotrustkerberos
From Source¶
- Clone the repository:
git clone https://github.com/zerotrustkerberos/kerberos-aws-proxy.git
cd kerberos-aws-proxy
- Install dependencies:
pip install -r requirements.txt
- Build the application:
make build
- Install the application:
make install
Configuration¶
Configure ZeroTrustKerberosLink using the following steps:
Basic Configuration¶
Create a config.yaml file with the following structure:
server:
host: "0.0.0.0"
port: 8080
workers: 4
kerberos:
service_principal: "HTTP/zerotrustkerberos.example.com@EXAMPLE.COM"
keytab_path: "/etc/zerotrustkerberos/krb5.keytab"
realm: "EXAMPLE.COM"
aws:
region: "us-west-2"
role_mappings:
- kerberos_principal: "admin@EXAMPLE.COM"
aws_role: "arn:aws:iam::123456789012:role/AdminRole"
- kerberos_principal: "developer@EXAMPLE.COM"
aws_role: "arn:aws:iam::123456789012:role/DeveloperRole"
redis:
host: "localhost"
port: 6379
use_tls: true
Advanced Configuration¶
For advanced security features, extend your configuration:
security:
input_validation:
enabled: true
validate_kerberos_principal: true
validate_aws_role_arn: true
rate_limiting:
enabled: true
requests_per_minute: 30
burst: 10
session:
default_duration: 3600 # 1 hour
max_duration: 14400 # 4 hours
renewal_enabled: true
logging:
level: "info"
format: "json"
output: "file"
file_path: "/var/log/zerotrustkerberos/app.log"
Environment Variables¶
You can override configuration using environment variables:
| Environment Variable | Description | Default |
|---|---|---|
ZEROTRUST_SERVER_PORT | Server port | 8080 |
ZEROTRUST_KERBEROS_KEYTAB_PATH | Path to keytab file | /etc/zerotrustkerberos/krb5.keytab |
ZEROTRUST_AWS_REGION | AWS region | us-west-2 |
ZEROTRUST_REDIS_HOST | Redis host | localhost |
ZEROTRUST_LOG_LEVEL | Logging level | info |
AWS Integration¶
Configure AWS integration for ZeroTrustKerberosLink:
IAM Role Setup¶
- Create an IAM role for ZeroTrustKerberosLink:
aws iam create-role \
--role-name ZeroTrustKerberosLinkRole \
--assume-role-policy-document file://trust-policy.json
Example trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Attach necessary policies:
aws iam attach-role-policy \
--role-name ZeroTrustKerberosLinkRole \
--policy-arn arn:aws:iam::aws:policy/AmazonSTS-AssumeRoleAccess
User Role Mapping¶
- Create roles for different user types:
aws iam create-role \
--role-name AdminRole \
--assume-role-policy-document file://admin-trust-policy.json
- Configure role mappings in
config.yaml:
aws:
role_mappings:
- kerberos_principal: "admin@EXAMPLE.COM"
aws_role: "arn:aws:iam::123456789012:role/AdminRole"
conditions:
ip_ranges: ["10.0.0.0/8"]
time_window: ["08:00-18:00"]
- kerberos_principal: "*@EXAMPLE.COM"
aws_role: "arn:aws:iam::123456789012:role/DefaultRole"
Cross-Account Access¶
For cross-account access:
- Create roles in target accounts:
aws iam create-role \
--role-name CrossAccountRole \
--assume-role-policy-document file://cross-account-trust-policy.json
- Configure cross-account mappings:
aws:
cross_account_mappings:
- source_principal: "admin@EXAMPLE.COM"
target_accounts:
- account_id: "987654321098"
role_name: "CrossAccountAdminRole"
- account_id: "876543210987"
role_name: "CrossAccountAdminRole"
Security Hardening¶
Implement security hardening measures:
TLS Configuration¶
- Generate TLS certificates:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/zerotrustkerberos/tls/private.key \
-out /etc/zerotrustkerberos/tls/certificate.crt
- Configure TLS in
config.yaml:
server:
tls:
enabled: true
cert_path: "/etc/zerotrustkerberos/tls/certificate.crt"
key_path: "/etc/zerotrustkerberos/tls/private.key"
min_version: "TLSv1.2"
Security Headers¶
Configure security headers:
security:
headers:
content_security_policy: "default-src 'self'"
x_content_type_options: "nosniff"
x_frame_options: "DENY"
strict_transport_security: "max-age=31536000; includeSubDomains"
Input Validation¶
Enable comprehensive input validation:
security:
input_validation:
enabled: true
validate_kerberos_principal: true
validate_aws_role_arn: true
validate_client_context: true
sanitize_headers: true
Secure Redis Communication¶
Configure secure Redis communication:
redis:
host: "redis.example.com"
port: 6379
use_tls: true
cert_path: "/etc/zerotrustkerberos/tls/redis-ca.crt"
auth:
username: "zerotrustkerberos"
password_file: "/etc/zerotrustkerberos/secrets/redis-password"
Testing¶
Test your ZeroTrustKerberosLink implementation:
Authentication Testing¶
- Test Kerberos authentication:
kinit testuser@EXAMPLE.COM
curl --negotiate -u : https://zerotrustkerberos.example.com/auth/test
- Test AWS role assumption:
curl --negotiate -u : https://zerotrustkerberos.example.com/auth/aws
Load Testing¶
Run load tests to ensure performance:
ab -n 1000 -c 10 https://zerotrustkerberos.example.com/auth/test
Security Testing¶
- Run the built-in security test suite:
zerotrustkerberos-cli security-test --config /etc/zerotrustkerberos/config.yaml
- Verify security headers:
curl -I https://zerotrustkerberos.example.com/auth/test
Monitoring¶
Set up monitoring for ZeroTrustKerberosLink:
Metrics Collection¶
- Enable Prometheus metrics:
monitoring:
prometheus:
enabled: true
endpoint: "/metrics"
- Configure Grafana dashboards:
kubectl apply -f zerotrustkerberos-grafana-dashboard.yaml
Log Management¶
- Configure log forwarding:
logging:
forward:
enabled: true
type: "elasticsearch"
endpoint: "https://elasticsearch.example.com:9200"
index: "zerotrustkerberos-logs"
- Set up log alerts:
monitoring:
alerts:
- name: "high_auth_failure_rate"
query: "auth_failures > 10"
threshold: 5
duration: "5m"
notification: "slack"
Health Checks¶
Configure health check endpoints:
server:
health_check:
enabled: true
endpoint: "/health"
include_details: true
Troubleshooting¶
Common issues and their solutions:
Authentication Issues¶
Issue: Kerberos authentication fails
Solution: 1. Verify keytab file permissions:
ls -la /etc/zerotrustkerberos/krb5.keytab
klist -kt /etc/zerotrustkerberos/krb5.keytab
chronyc tracking
AWS Integration Issues¶
Issue: Unable to assume AWS role
Solution: 1. Check IAM role trust policy:
aws iam get-role --role-name AdminRole
cat /etc/zerotrustkerberos/config.yaml | grep -A 10 role_mappings
aws sts get-caller-identity
Performance Issues¶
Issue: High latency in authentication
Solution: 1. Increase worker processes:
server:
workers: 8
cache:
enabled: true
ttl: 300
aws:
connection_pool_size: 10
timeout: 5
For more detailed troubleshooting, refer to the Troubleshooting Guide.
Next Steps¶
After completing the basic implementation:
- Implement Advanced Security Features
- Set up High Availability
- Configure Audit Logging
- Implement Custom Policies