Skip to content

Prerequisites

Before installing and configuring ZeroTrustKerberosLink, ensure your environment meets the following prerequisites. This will ensure a smooth installation process and optimal performance.

System Requirements

Hardware Requirements

Component Minimum Recommended
CPU 2 cores 4+ cores
RAM 4 GB 8+ GB
Disk Space 20 GB 40+ GB
Network 100 Mbps 1 Gbps

Operating System Requirements

ZeroTrustKerberosLink supports the following operating systems:

Linux

  • Ubuntu 20.04 LTS or later
  • CentOS/RHEL 8 or later
  • Debian 11 or later
  • Amazon Linux 2

macOS

  • macOS 11 (Big Sur) or later

Windows

  • Windows Server 2019 or later
  • Windows 10/11 Enterprise or Pro

Container Platforms

  • Docker 20.10 or later
  • Kubernetes 1.21 or later
  • Amazon ECS/EKS
  • Google GKE
  • Azure AKS

Software Dependencies

Required Software

Software Minimum Version Purpose
Python 3.8 or later Runtime environment
Redis 6.0 or later Session and cache management
OpenSSL 1.1.1 or later TLS support
Kerberos MIT Kerberos 1.18 or later Kerberos authentication
AWS CLI 2.0 or later AWS integration testing

Optional Software

Software Minimum Version Purpose
Nginx 1.18 or later Reverse proxy
Prometheus 2.30 or later Metrics collection
Grafana 8.0 or later Metrics visualization
Elasticsearch 7.10 or later Log aggregation
Kibana 7.10 or later Log visualization

Network Requirements

Ports

Ensure the following ports are open in your network configuration:

Port Protocol Direction Purpose
443 TCP Inbound HTTPS API access
88 TCP/UDP Outbound Kerberos authentication
389 TCP Outbound LDAP (if using LDAP integration)
636 TCP Outbound LDAPS (if using LDAP integration)
6379 TCP Outbound Redis (if using external Redis)

Connectivity

ZeroTrustKerberosLink requires connectivity to:

  1. Kerberos KDC: For authentication
  2. AWS Services: For role assumption and credential issuance
  3. Redis Server: For session and cache management
  4. Client Networks: For serving API requests

Firewall Configuration

Example iptables rules for a Linux host:

# Allow inbound HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow outbound Kerberos
iptables -A OUTPUT -p tcp --dport 88 -j ACCEPT
iptables -A OUTPUT -p udp --dport 88 -j ACCEPT

# Allow outbound Redis
iptables -A OUTPUT -p tcp --dport 6379 -j ACCEPT

# Allow outbound HTTPS (for AWS API)
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

AWS Requirements

IAM Permissions

ZeroTrustKerberosLink requires an IAM role with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/ZeroTrustKerberos*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:GetRole"
      ],
      "Resource": "*"
    }
  ]
}

Cross-Account Setup

For cross-account access, each target account must have a role with a trust relationship to the ZeroTrustKerberosLink account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/ZeroTrustKerberosLink"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL_ID"
        }
      }
    }
  ]
}

Kerberos Requirements

KDC Configuration

Ensure your Kerberos KDC is configured to:

  1. Issue service tickets for the ZeroTrustKerberosLink service principal
  2. Support renewable tickets
  3. Allow forwardable tickets (if credential delegation is required)

Service Principal

Create a service principal for ZeroTrustKerberosLink:

# Example for MIT Kerberos
kadmin -q "addprinc -randkey HTTP/zerotrust.example.com"
kadmin -q "ktadd -k /etc/zerotrust/keytab HTTP/zerotrust.example.com"

Client Configuration

Ensure client machines have proper Kerberos configuration:

# Example /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

TLS Certificate Requirements

ZeroTrustKerberosLink requires valid TLS certificates for secure communication. You can use:

  1. Public CA Certificates: From providers like Let's Encrypt, DigiCert, etc.
  2. Internal CA Certificates: From your organization's certificate authority
  3. Self-Signed Certificates: For testing only, not recommended for production

Certificate Requirements

  • Key Type: RSA (2048+ bits) or ECC (P-256 or higher)
  • Signature Algorithm: SHA-256 or stronger
  • Subject Alternative Names: Include all hostnames used to access the service

Redis Requirements

Redis Configuration

Redis should be configured with:

  1. TLS Encryption: For secure communication
  2. Authentication: Password or certificate-based
  3. Persistence: To prevent data loss
  4. High Availability: Redis Sentinel or Redis Cluster for production

Example secure Redis configuration:

# /etc/redis/redis.conf
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients yes
requirepass STRONG_PASSWORD
maxmemory 1gb
maxmemory-policy allkeys-lru

Security Prerequisites

SELinux/AppArmor

If using SELinux or AppArmor, ensure proper profiles are configured:

# Example SELinux policy for ZeroTrustKerberosLink
semanage port -a -t http_port_t -p tcp 8443
semanage fcontext -a -t httpd_sys_content_t "/etc/zerotrust(/.*)?"
restorecon -Rv /etc/zerotrust

Secure Boot

For enhanced security, enable Secure Boot on server hardware.

Disk Encryption

Use full disk encryption for servers storing sensitive data:

# Example using LUKS on Linux
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 encrypted-volume
mkfs.ext4 /dev/mapper/encrypted-volume

Monitoring Prerequisites

Metrics Collection

Set up Prometheus or compatible metrics collection:

# prometheus.yml
scrape_configs:
  - job_name: 'zerotrust'
    scrape_interval: 15s
    static_configs:
      - targets: ['zerotrust:9090']

Log Aggregation

Configure a log aggregation solution:

# filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/zerotrust/*.log
output.elasticsearch:
  hosts: ["elasticsearch:9200"]

Backup Prerequisites

Ensure you have:

  1. Backup Solution: For configuration and data
  2. Secure Backup Storage: Encrypted and access-controlled
  3. Backup Testing Procedure: Regular validation of backups
  4. Disaster Recovery Plan: Documented recovery procedures

Compliance Prerequisites

Depending on your regulatory requirements, ensure:

  1. Audit Logging: Configured for all security-relevant events
  2. Data Retention: Policies for logs and credentials
  3. Access Controls: Properly documented and implemented
  4. Vulnerability Management: Regular scanning and patching

Pre-Installation Checklist

Use this checklist to verify all prerequisites are met:

  • Hardware meets minimum requirements
  • Operating system is supported and updated
  • All required software is installed
  • Network ports are properly configured
  • AWS IAM permissions are set up
  • Kerberos service principal is created
  • TLS certificates are obtained
  • Redis is properly configured
  • Security controls are implemented
  • Monitoring solutions are prepared
  • Backup procedures are established
  • Compliance requirements are addressed

Troubleshooting Prerequisites

If you encounter issues with prerequisites, refer to:

  1. Troubleshooting Guide
  2. Kerberos Configuration
  3. AWS Integration
  4. Security Hardening

Next Steps

Once all prerequisites are met, proceed to the Installation Guide to install ZeroTrustKerberosLink.