Setting Up JGSS Kerberos SSO
TDV and Studio can use Java Generic Security Services (JGSS) for Kerberos SSO.
Note: Kerberos SSO setup assumes that a domain service account has already been created for the TIBCO Data Virtualization Server and assigned to the TDV Windows service in the Windows Services window. If no such account exists for the TDV server, set one up first (for example, SUPPORT <domain> + <user> + <password>).
To prepare TDV Server and Studio for JGSS Kerberos SSO, follow these procedures:
Setting Up the Windows Service for JGSS Kerberos SSO (TDV Server on Windows only)
To set up the server side for JGSS Kerberos SSO you need to configure the Windows service, import the Active Directory group, and assign privileges to it.
Note: JGSS clients using Kerberos can authenticate both the connection to TDV and the connection to the underlying data source.
Follow these steps to set up the TDV service for JGSS Kerberos SSO:
1. Open the Services window in your Windows environment.
For example, in Windows 10, select Start > Settings, type “services” in the Settings search bar, and click View Local Services to open the Windows Services Manager.
2. Scroll to the TDV instance you are setting up for Kerberos SSO.
3. Right-click the instance and select Properties from the context menu.
The log-on account used for JGSS Kerberos is configured in this Properties window.
4. On the Log On tab, select the "This account" radio button and enter the credentials of the service account that was used to set up the instance. A service account accesses network resources with service-specific rights and permissions, so the application server does not need the broader permissions of the individual users who use it. A domain administrator usually creates this account. The keytab that TDV is later pointed at must be generated for the account that holds TDV's SPN; normally that is this same service account.
5. In the Studio menu bar, select Administration > Launch Manager (Web).
6. Log into the Web Manager and go to the Domain Manager page to create an LDAP domain.
7. Click Domain > Domain Name and enter the domain name. For an Active Directory domain, select the Active Directory radio button and enter the server URL.
8. Enter the LDAP bind name and password.
9. Click the Add External Group button to import the Active Directory group whose members will use TDV.
Add External Group lists all groups in the domain; pick the group you need and then set its privileges. Once the group has been created, select it, click Edit Resource Privileges, and grant the Access Tools and Read All Resources rights. Read All Resources is broad, so import only the group that actually needs it rather than every group the dialog offers.
Configuring TDV Server for JGSS Kerberos SSO
The TDV Server supports JGSS Kerberos SSO authentication for the convenience of users who have already authenticated their identity to a Kerberos domain controller.
Note: Data sources support JGSS based Negotiate and Kerberos authentication, but they do not support SSPI Kerberos authentication.
On the server side, you need to configure TDV for JGSS Kerberos SSO authentication.
Follow these steps to configure the TDV parameters for JGSS Kerberos SSO authentication:
1. Log into Studio as the admin user.
2. Select Administration > Configuration from the Studio menu bar.
3. In the tree pane of the Configuration window, navigate to the Server > Configuration > Security > Authentication folder.
4. Make the following change within that folder.
Parameter | Action and Description |
Windows Domain Mapping | Enter one or more key-value pairs. The key is the Active Directory domain reported for an authenticated user; the value is the name of the TDV LDAP domain that users from that Active Directory domain are mapped to. Often the Windows domain key and the LDAP domain value are the same. Keys and values are case-sensitive, so a key that differs from the reported domain only in case will not match. |
5. Navigate to the Kerberos subfolder.
6. Make the following changes within that folder.
Parameter | Action and Description |
Allow Kerberos Authentication | Change this value to True. A warning helps you avoid inadvertently changing this without implementing Kerberos first. |
Debug Output Kerberos Authentication Enabled | Set this to True to have TDV write the JDK Kerberos implementation's debug messages to cs_server.out in the logs directory. Leave it False in production; the output includes principal names and ticket details. |
KeyTab File | Enter the path to the keytab file generated for the TDV Server principal. For example, when TDV is installed on a Linux server, the keytab file might be <TDV_install_dir>/kerb5cis.kt. The keytab holds the service's long-term key, so make it readable only by the account the TDV service runs as (for example, mode 600 on Linux). |
Kerberos Configuration File | The Kerberos configuration file contains the locations of Key Distribution Centers (KDCs) and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of host names onto Kerberos realms. This file is usually: • c:\WINDOWS\krb5.ini (Windows) • /etc/krb5.conf (UNIX) Changes to this value do not take effect until server restart. |
Native | Make sure this is set to False for JGSS Kerberos. |
Required Principal Name | Enter the SPN that was registered for the TDV service account with the Kerberos setspn utility. This is the name Studio clients request a ticket for (the spn= value in their krb5.properties), and TDV uses it to select the matching key from the keytab, so it must match the keytab entry exactly. |
7. Click OK.
8. Restart the Server.
Preparing the Studio Kerberos Properties File for JGSS SSO
On each Studio client that is to be configured for use with JGSS single sign-on, you need to set up the krb5.properties file.
Follow these steps to set up the krb5.properties file for JGSS single sign-on:
1. In <TDV_install_dir>\conf\studio, make a copy of krb5_sample.properties and rename it krb5.properties.
2. Open krb5.properties in a text editor such as WordPad.
3. Make sure native is set to false for JGSS:
native=false
4. For each user who intends to log in using JGSS Kerberos single sign-on with a keytab, copy the Specific User -- JGSS section. A user keytab is equivalent to that user's password, so protect it with the same file permissions you would give a private key.
5. Uncomment the lines that apply to JGSS, and fill in the values appropriate to the current TDV instance:
####################################
# Default User -- JGSS #
####################################
##Service Principal Name
spn=HTTP@dev-krb5-win.support.net
native=false
doNotPrompt=true
useKeyTab=false
debug=true
useTicketCache=true
renewTGT=true
krb5.conf=c:/krb5.conf
####################################
# Specific User -- JGSS #
####################################
##Service Principal Name
#spn=HTTP@dev-krb5-win.support.net
#native=false
#principal=principalName
#doNotPrompt=true
#storeKey=true
#debug=true
#useKeyTab=true
#keyTab=keytab file
6. Restart Studio.
Studio is now ready.
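The Required Principal Name and KeyTab File settings on the server, and the spn=, principal= and keyTab= lines in a Studio krb5.properties, all have to agree with what is actually inside the keytab, and a keytab that exists but holds the wrong principal, an old kvno or only RC4 keys is the usual reason JGSS SSO fails after the steps above. The following script is an added example and is not part of the TDV documentation or product: it parses an MIT-format keytab (the format ktpass and kadmin produce), converts the GSS host-based spn= form HTTP@host into the Kerberos principal HTTP/host@REALM, and reports whether that principal is present with a non-deprecated encryption type. The realm SUPPORT.NET is assumed from the page's example host name, and the keytab bytes are constructed in the script with dummy keys.

```python
"""Added example, not part of the TDV documentation: read an MIT-format keytab
and check that it holds the principal TDV's Required Principal Name (or a
Studio Specific User principal) refers to, with an acceptable encryption type.
The sample keytab below is constructed here with dummy keys."""
import struct

# IANA Kerberos encryption type numbers as they appear in keytab entries
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4-HMAC (deprecated, RFC 6649 / RFC 8429)


def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        strings = []                       # realm first, then the name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            strings.append(entry[p:p + ln].decode()); p += ln
        realm, comps = strings[0], strings[1:]
        _name_type, _stamp, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        enctype, keylen = struct.unpack(">HH", entry[p:p + 4]); p += 4 + keylen
        kvno = vno8
        if p + 4 <= len(entry):            # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            kvno = vno32 or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def build_keytab(entries):
    """Write a v2 keytab from (principal, kvno, enctype, key) tuples (test data only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def gss_spn_to_principal(spn: str, realm: str) -> str:
    """'HTTP@host' (the GSS host-based form used for spn=) -> 'HTTP/host@REALM'."""
    service, host = spn.split("@", 1)
    return f"{service}/{host}@{realm}"


def check_keytab(data: bytes, wanted_principal: str):
    """Return (ok, findings); ok only if the principal is present with a non-weak key."""
    findings = []
    matches = [e for e in parse_keytab(data) if e[0] == wanted_principal]
    if not matches:
        return False, [f"{wanted_principal} not found in keytab"]
    for _, kvno, enc in matches:
        if enc in WEAK_ENCTYPES:
            findings.append(f"kvno {kvno}: weak enctype {ENCTYPE_NAMES.get(enc, enc)}")
    if len({kvno for _, kvno, _ in matches}) > 1:
        findings.append("more than one kvno present; the highest must match the account's current key")
    return any(enc not in WEAK_ENCTYPES for _, _, enc in matches), findings


REALM = "SUPPORT.NET"                      # assumed realm for the page's example host
SPN = "HTTP@dev-krb5-win.support.net"      # spn= value from the page's krb5.properties
SAMPLE_KEYTAB = build_keytab([             # constructed: AES256 key plus a leftover RC4 key
    ("HTTP/dev-krb5-win.support.net@SUPPORT.NET", 3, 18, bytes(range(32))),
    ("HTTP/dev-krb5-win.support.net@SUPPORT.NET", 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    ok, notes = check_keytab(SAMPLE_KEYTAB, gss_spn_to_principal(SPN, REALM))
    print("ok" if ok else "FAIL", notes)
```

On a real server, replace SAMPLE_KEYTAB with the bytes of the file named in KeyTab File and the realm with the one from your krb5.conf; the entries reported should match what klist -k prints for that file. An RC4-only or DES-only keytab is reported as a failure because current Windows domains and JDKs reject those types by default, which surfaces as a generic "no valid credentials" error in the JGSS debug output rather than anything that names the keytab.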