Setting up security for connections

If you use connections, such as platform connections, you should review the following information to determine whether there are any additional tasks that you must complete.

Configuration task
    Additional information

Configuring an external route to the Flight service
    The Flight service is a data connection service that enables assets, such as notebooks, to interact with various data sources without calling the REST APIs for the data sources. By default, the Flight service is only available to the IBM Cloud Pak for Data instance where the Flight service is running. However, an administrator can create an external route to the Flight service to enable other applications to interact with it.

Enabling platform connections to use Kerberos authentication
    If you want to connect to data sources that use Kerberos authentication, you must provide the Kerberos configuration file to the platform connections microservice.
    You can use Kerberos authentication for the following connections:

Enabling platform connections to use Kerberos SSO authentication
    If your data sources use Kerberos authentication, you can enable users to use their IBM Cloud Pak for Data credentials to authenticate to the data source.
    You can use Kerberos SSO authentication for the following connections:

Using a CA certificate to connect to internal servers from the platform
    If you want to enable the IBM Cloud Pak for Data platform to use your company's CA certificate to validate certificates from your internal servers, you must create a secret that contains the CA certificate. Additionally, if your internal servers use an SSL certificate that is signed using your company's CA certificate, you must create this secret to enable the platform to connect to the servers.

Requiring users to use secrets for credentials when creating connections
    When a user creates a connection, they can provide their credentials by entering them directly or by specifying a secret. A Red Hat OpenShift administrator can configure Cloud Pak for Data to enforce the exclusive use of secrets from an external vault (such as CyberArk or HashiCorp).
    Important: Before you change this setting, ensure that the services that you plan to run can use connections that use credentials from a vault. For details, see Managing secrets and vaults.

Enabling users to use JDBC URLs stored in secrets
    When a user creates a Generic JDBC connection, they must specify the JDBC URL of the data source. You can optionally enable users to use a JDBC URL that is stored in a secret in a vault. For example, you might want to use JDBC URLs that are stored in secrets to protect any sensitive data in the JDBC URLs.