Configuring Kerberos for Use with TDV
The Kerberos v5 KDC server must already be installed and running in your environment before you install TDV Server and Studio. You then configure the Kerberos system for use with TDV, establishing a security context in which Kerberos and TDV identify each other.
Creating a Service Keytab
A Domain Administrator must follow these steps to create a KeyTab file:
1. Run the following ktpass command line utility:
ktpass -princ <servicename>/<hostname>.<domain>@<REALM> -mapuser <username> -pass <password> -crypto All -pType [KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST] -out <name>.keytab
 
Note: The exact ktpass utility syntax depends on the environment you have set up. The following is a sample ktpass command line to create the keytab file for a QA environment:
ktpass -princ HTTP/krb5-win.sample.net@sample.NET -mapuser qa1 -pass tiger -crypto All -pType KRB5_NT_PRINCIPAL -out krb5cis.keytab
 
A keytab file contains pairs of Kerberos principals and encrypted keys derived from the Kerberos password. The keytab file is used to identify TDV to Kerberos so that automated service processes can be run in this secure environment.
2. Copy the KeyTab file to a local directory accessible to the TDV Server.
In a later procedure (Configuring TDV for Use with Kerberos Authentication) you set a TDV configuration parameter value to the KeyTab file’s directory.
3. Make sure that each Kerberos client has a Kerberos configuration file.
All clients (end-user computers, data sources, and the TIBCO Data Virtualization Server) require a Kerberos configuration file to define the realm and the domain for authentication to the Kerberos Key Distribution Center (KDC).
Default locations for the Kerberos configuration file are shown in the table.
Operating System    Default Location and Filename
Windows             Varies with the Windows version; for example, C:\Winnt\krb5.ini or C:\Windows\krb5.ini.
Linux               /etc/krb5.conf
UNIX-based          /etc/krb5/krb5.conf
The Kerberos configuration file contains definitions like the following, where default_realm, kdc, default_domain, and domain_realm have the values for your implementation:
[libdefaults]
default_realm = SUPPORT.NET
 
[realms]
SUPPORT.NET = {
kdc = qaad.support.net
default_domain = SUPPORT.NET
}
 
[domain_realm]
.support.net = SUPPORT.NET
 
A sample configuration file in Linux (krb5.conf) is given below:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_realm = SUPPORT.NET
 
4. (Optional) If you are using Active Directory and the client's Kerberos token is used to access Kerberos-enabled data sources, the delegation property must be enabled for the server user account in the realm; the account has a value like SUPPORT.NET\qa1.
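Before copying the keytab from step 1 to the Server host, it is worth confirming that it actually contains the service principal named in the ktpass command and noting which encryption types it carries, since -crypto All can include legacy types. The following Python script is an added example, not TDV or MIT Kerberos code: it parses the MIT keytab format (version 0x0502) and reports the principal's key versions and any weak enctypes. The keytab bytes are constructed in memory with zeroed placeholder keys, and the page's sample realm is upper-cased as Kerberos realms conventionally are.

```python
# Added example (not TDV or MIT krb5 code): parse a Kerberos v5 keytab (MIT
# format 0x0502) and check it before deployment. Sample keys below are zero bytes.
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}  # RFC 3961/4757

def _counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)  # uint16 length-prefixed octet string
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # int32 entry size
        pos += 4
        if size <= 0:               # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):      # principal name components, e.g. HTTP, host
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _ntype, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        _key, pos = _counted(data, pos + 11)        # key bytes follow the enctype
        (vno32,) = struct.unpack_from(">I", data, pos) if end - pos >= 4 else (0,)
        entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype))
        pos = end
    return entries

def check_keytab(data, expected_principal):
    entries = parse_keytab(data)
    present = [e for e in entries if e[0] == expected_principal]
    weak = sorted({WEAK_ENCTYPES[e[2]] for e in present if e[2] in WEAK_ENCTYPES})
    return {"found": bool(present), "kvnos": sorted({e[1] for e in present}),
            "weak_enctypes": weak}

def _entry(principal, kvno, enctype, key):
    # Encode one keytab entry; used only to build the constructed sample below.
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/krb5-win.sample.net@SAMPLE.NET"   # the page's ktpass example, realm upper-cased
SAMPLE_KEYTAB = b"\x05\x02" + _entry(SPN, 3, 18, b"\0" * 32) + _entry(SPN, 3, 23, b"\0" * 16)
```

Run check_keytab(open("krb5cis.keytab", "rb").read(), SPN) against a real file; an empty "found" means the SPN in ktpass did not match what TDV will present.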
Creating a User KeyTab
Follow these steps to create a KeyTab file on the client. These steps are necessary for any data source requiring a user KeyTab.
1. Install TDV Server and Studio.
2. Change directory to the JDK bin path.
3. Type the following command:
ktab -a <username>
Note: <username> must be the user currently logged in to the machine, and it must be a domain account.
4. Type the password for your user account.
5. Type the following command to display the principal:
ktab -l -e -t
6. Type the following command to obtain and cache the Kerberos Ticket Granting Ticket (TGT), entering your password when prompted:
kinit <username@REALM>
7. To view the cached TGT, execute the klist command.
Note: If a file cache is used as the default cache setting in the Kerberos configuration file, the klist command reports a Ticket Cache of the form:
FILE:/tmp/krb5cc_<uid>
8. Restart the TDV Server.
9. Open Studio and make a connection to a data source that supports Kerberos, using the same authentication you used in the steps above.
Note: If you are unable to connect, run the klist command in your JDK bin directory (TDV_InstallDir\bin\jdk) to check whether you have a valid ticket cache. If it has expired, run the kinit command again as described above to obtain a new ticket cache, then retry the connection.