Setting Up JGSS Kerberos SSO
TDV and Studio can use Java Generic Security Services (JGSS) for Kerberos SSO.
Note: Kerberos SSO setup assumes that a domain name service (DNS) account has been created under Windows for the TIBCO Data Virtualization Server, using the Windows Services window. If there is no local DNS account for the TDV server, you need to set one up (for example, SUPPORT <domain> + <user> + <password>).
To prepare TDV Server and Studio for JGSS Kerberos SSO, follow these procedures:
Setting Up the TDV Service for JGSS Kerberos SSO
Configuring TDV Server for JGSS Kerberos SSO
Understanding Studio Kerberos Properties Files (JGSS)
Preparing the Studio Kerberos Properties File for JGSS SSO
Setting Up the TDV Service for JGSS Kerberos SSO
To set up the server side for JGSS Kerberos SSO, you need to configure services, import groups, and assign privileges.
Note: JGSS clients using Kerberos can authenticate both the connection to TDV and the connection to the underlying data source.
To set up the TDV service for JGSS Kerberos SSO
1. Open the Services window in your Windows environment.
For example, in Windows 7 select Start > Control Panel > Administrative Tools > Services.
2. Scroll to the TDV instance you are setting up for Kerberos SSO.
3. Right-click the instance and select Properties from the context menu.
You need to configure JGSS Kerberos in this Properties window.
4. On the Log On tab, select the This account radio button, type the account name, and set up a password.
 
5. In the Studio menu bar, select Administration > Launch Manager (Web).
6. Log into the Web Manager and go to the Domain Manager page to create an LDAP domain.
7. Click Domain > Domain Name, and for the server URL select the Active Directory radio button (the usual choice).
8. Enter an LDAP name and password.
9. Click the Add External Group button to import the group containing TDV.
Add External Group pulls in all groups, for which you then set appropriate privileges.
Configuring TDV Server for JGSS Kerberos SSO
The TDV Server supports JGSS Kerberos SSO authentication for the convenience of users who have already authenticated their identity to a Kerberos domain controller.
Note: Data sources support JGSS based Negotiate and Kerberos authentication, but they do not support SSPI Kerberos authentication.
On the server side, you need to configure TDV for JGSS Kerberos SSO authentication.
To configure the TDV parameters for JGSS Kerberos SSO authentication
1. Log into Studio as the admin user.
2. Select Administration > Configuration from the Studio menu bar.
3. In the tree pane of the Configuration window, navigate to the Server > Configuration > Security > Authentication folder.
4. Make the following change within that folder.
 
Parameter: Windows Domain Mapping
Action and Description: Enter a key-value pair. The key is the reported Windows domain of an authenticated user. The value is the name of the corresponding LDAP external domain as defined in the TDV Server (the domain you set up in Setting up the TDV Service for SSPI Kerberos SSO). Often the Windows domain key and the LDAP name value are the same. Keys and values are case-sensitive.
5. Navigate to the Kerberos subfolder.
6. Make the following changes within that folder.
 
Parameter: Allow Kerberos Authentication
Action and Description: Change this value to True. A warning helps you avoid inadvertently changing this without implementing Kerberos first.
 
Parameter: Debug Output Kerberos Authentication Enabled
Action and Description: Set this to True to have TDV write the output messages of the JDK's Kerberos implementation to cs_server.out in the logs directory.
 
Parameter: KeyTab File
Action and Description: Enter the path to the generated keytab file on the TDV Server. For example, when TDV is installed on a Linux server, the keytab file is <TDV_install_dir>/kerb5cis.kt.
 
Parameter: Kerberos Configuration File
Action and Description: The Kerberos configuration file contains the locations of Key Distribution Centers (KDCs) and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of host names onto Kerberos realms. This file is usually:
c:\WINDOWS\krb.ini (Windows)
/etc/krb.conf (UNIX)
Changes to this value do not take effect until the server is restarted.
 
Parameter: Native
Action and Description: Make sure this is set to False for JGSS Kerberos.
 
Parameter: Required Principal Name
Action and Description: Enter the SPN value established by invocation of the Kerberos setspn utility. TDV must know the SPN to address the Kerberos domain server.
7. Click OK.
8. Restart the Server.
Understanding Studio Kerberos Properties Files (JGSS)
Each Studio client that is to be configured for use with Kerberos SSO must have a local copy of the krb5.properties file located in the <TDV_install_dir>/conf/studio directory. When Studio is starting up, the presence of this file triggers display of an SSO check box on the Studio login window.
Note: If Studio does not detect this file, or if the SPN value is set to a different TDV node, the Studio login uses Basic authentication, which requires the user to enter a valid user name, password, and domain for that server instance.
The Studio krb5.properties Service Principal Name (SPN) is derived from the TDV SPN. The TDV Server uses the Required Principal Name configuration parameter to authenticate the TDV service to Kerberos.
All Studio clients that connect to that TDV Server instance must use an SPN derived from the TDV instance’s SPN. For example, if the Required Principal Name is HTTP/krb5-win.support.net@SUPPORT.NET, the derived SPN is HTTP@krb5-win.support.net. If a user of a Studio instance wants to use Kerberos SSO authentication to connect with a different TDV Server instance, the krb5.properties file SPN value must be changed to specify that TDV instance’s SPN name.
For more information about the krb5.properties file, see the Krb5LoginModule Java documentation.
Preparing the Studio Kerberos Properties File for JGSS SSO
On each Studio client that is to be configured for use with JGSS single sign-on, you need to set up the krb5.properties file.
To set up the krb5.properties file for JGSS single sign-on
1. In <TDV_install_dir>\conf\studio, make a copy of krb5_sample.properties and rename it krb5.properties.
2. Open an editor such as Wordpad to edit krb5.properties.
3. Make sure Native is set to false for JGSS:
Native = false
4. Copy the Specific User -- JGSS section for each user who intends to log in using SSPI Kerberos for single sign-on.
 
5. Uncomment the lines that apply to JGSS, and fill in the values appropriate to the current TDV instance:
####################################
# Default User -- JGSS #
####################################
 
##Service Principal Name
spn=HTTP@dev-krb5-win.support.net
native=false
doNotPrompt=true
useKeyTab=false
debug=true
useTicketCache=true
renewTGT=true
krb5.conf=c:/krb5.conf
 
####################################
# Specific User -- JGSS #
####################################
 
##Service Principal Name
spn=HTTP@dev-krb5-win.support.net
native=false
principal=principalName
doNotPrompt=true
storeKey=true
debug=true
useKeyTab=true
keyTab=keytab file
 
6. Restart Studio.
Studio is now ready.
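As an added check that is not part of the TIBCO documentation or product, the following Python reads a Studio krb5.properties file, derives the Studio SPN from the server's Required Principal Name in the way described above (HTTP/host@REALM becomes HTTP@host), and reports the settings that would break JGSS SSO or make Studio silently fall back to Basic authentication. It assumes the properties follow the Java Krb5LoginModule option semantics the file is based on; the sample input is constructed from the Default User section.

```python
# Added illustration (not TIBCO code): check a Studio krb5.properties file
# against the TDV Required Principal Name, assuming Krb5LoginModule semantics.
from typing import Dict, List

PLACEHOLDERS = {"keytab file", "principalName"}  # values copied unchanged from the sample file

def derive_studio_spn(required_principal_name: str) -> str:
    """Map the server SPN 'HTTP/host@REALM' to the Studio form 'HTTP@host'."""
    name = required_principal_name.split("@", 1)[0]  # drop the @REALM part
    if "/" not in name:
        raise ValueError(f"not a service principal: {required_principal_name!r}")
    service, host = name.split("/", 1)
    return f"{service}@{host}"

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader; '#' and '!' lines are comments, as in Java."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_jgss_properties(props: Dict[str, str], required_principal_name: str) -> List[str]:
    """Return the mismatches that would break or silently downgrade JGSS SSO."""
    problems: List[str] = []
    expected = derive_studio_spn(required_principal_name)
    if props.get("spn") != expected:  # wrong node: Studio falls back to Basic authentication
        problems.append(f"spn={props.get('spn')!r} does not match {expected!r}; Studio would use Basic authentication")
    if props.get("native", "").lower() != "false":
        problems.append("native must be false for JGSS")
    for key in ("principal", "keyTab"):  # Specific User section left unedited
        if props.get(key) in PLACEHOLDERS:
            problems.append(f"{key} still holds the sample placeholder {props[key]!r}")
    if (props.get("doNotPrompt", "").lower() == "true"
            and props.get("useKeyTab", "").lower() != "true"
            and props.get("useTicketCache", "").lower() != "true"):
        problems.append("doNotPrompt=true with neither keytab nor ticket cache leaves no credential source")
    return problems

# Constructed sample: a Default User section pointing at a different TDV node.
SAMPLE = """spn=HTTP@dev-krb5-win.support.net
native=false
doNotPrompt=true
useTicketCache=true
"""
```

Run it against the real file with check_jgss_properties(parse_properties(open(path).read()), required_principal_name) and fix every reported line before restarting Studio.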