Date Posted:
Product: TIBCO Spotfire®
Problem:
How to set up Kerberos constrained delegation from Spotfire Analyst to a TIBCO Data Virtualization data source?
Solution:
To set up this constrained delegation, the following prerequisites must be met:
I. Configure TDV for Kerberos with constrained delegation
II. Configure Spotfire for Kerberos with constrained delegation
III. Copy the TDV JDBC driver (csjdbc.jar) to "[Spotfire Server installation folder]\tomcat\lib" (for versions earlier than 10.3) or "[Spotfire Server installation folder]\tomcat\custom-ext" (for versions 10.3 and later)
I. Configure TDV for Kerberos
To configure the TDV server to use Kerberos, follow the steps below.
1. Set up an external LDAP domain
- In the Studio menu bar, select Administration > Launch Manager (Web).
- Log into the Web Manager and go to Security >> Domain Management
- Create an LDAP domain (e.g. firstldapdomain) by clicking the 'Add Domain' button, then entering your LDAP connection details.
- Click the 'Add External Group' button to import the LDAP group containing the user.
2. Configure the TDV server to work with LDAP and work with the KDC
Go to Studio >> Administration >> Configuration >> Server >> Configuration >> Security >> Authentication >> Kerberos, and do the following:
- Set 'Allow Kerberos Authentication' to true. This will enable Kerberos in TDV.
- If you do not have a keytab file and an SPN, generate both of these. The keytab file is needed because it contains pairs of Kerberos principals and encrypted keys that the TDV server uses to authenticate to the Kerberos KDC. Copy the keytab file to a folder that the TDV server has access to. For purposes of illustration, let us assume that the file is C:\myfiles\keytab
- In the 'KeyTab File' field, type in the full pathname of a keytab file (C:\myfiles\keytab).
- In the 'Kerberos Configuration File' field, type in the full pathname of the file containing your Kerberos configuration information (e.g. c:\WINDOWS\krb.ini).
- Leave the 'Kerberos Ticket Cache Name' field blank. There is no need to enter the name of a ticket cache file here: when Kerberos delegation is used, Java must obtain a ticket from the LSA rather than from a specific ticket cache file.
- Set the 'Native' field to false. This tells TDV to use JGSS rather than SSPI. This is important because the data source needs JGSS for delegation (delegation is not supported in SSPI mode).
- In the 'Required Principal Name' field, type in the Service Principal Name registered by the Kerberos KDC. A general format for the entry is HTTP/hostname@DOMAIN.
- Go to Studio >> Administration >> Configuration >> Server >> Configuration >> Security >> Authentication >> Windows Domain Mapping, and enter a key-value pair. The key is the reported Windows domain of an authenticated user. The value is the name of the corresponding LDAP external domain that you created earlier (e.g. firstldapdomain). Note that keys and values are case-sensitive.
3. Configure the Windows Registry
Add a Windows Registry Key to enable Ticket-Granting-Ticket (TGT) Session Keys.
For Windows XP and Windows 2000, the registry location of allowtgtsessionkey is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
For Windows 2003 and Windows Vista, the registry location of allowtgtsessionkey is:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Change the allowtgtsessionkey registry REG_DWORD value to 1 to include a session key in the TGT. A value of 1 requires that a session key be returned with the TGT, and enables use of Kerberos TGT sessions.
4. Ensure that tickets generated by Kerberos can be forwarded (and also, can be delegated)
Run klist.exe and inspect the output to make sure that the related ticket includes the flags 'forwardable' and 'ok_as_delegate'.
Example
C:\Windows\System32\klist.exe
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 11/4/2019 23:33:44 (local)
End Time: 11/5/2019 9:33:44 (local)
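The klist check in step 4 relies on reading the flag names that klist prints after the hex word. The following added example (not part of the original article) decodes the 'Ticket Flags' word itself, using the RFC 4120 TicketFlags bit positions, and reports whether each ticket in a captured klist output carries both 'forwardable' and 'ok_as_delegate'. The klist text is a constructed sample modelled on the excerpt above; the second ticket in it is deliberately missing ok_as_delegate.

```python
import re

# Kerberos TicketFlags bit positions from RFC 4120 section 5.3; bit 0 is the
# most significant bit of the 32-bit word that klist prints as hex.
# name_canonicalize (bit 15) is a Microsoft extension.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may_postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre_authent": 10, "hw_authent": 11,
    "transited_policy_checked": 12, "ok_as_delegate": 13,
    "name_canonicalize": 15,
}

# Flags a ticket must carry before delegation through TDV can work (step 4).
REQUIRED_FOR_DELEGATION = ("forwardable", "ok_as_delegate")


def decode_ticket_flags(word: int) -> set:
    """Return the set of flag names set in a klist 'Ticket Flags' word."""
    return {name for name, bit in TICKET_FLAG_BITS.items()
            if word & (1 << (31 - bit))}


def check_klist_output(text: str) -> list:
    """Parse klist output and return one dict per ticket: the raw flags word,
    the decoded flag names, the missing delegation flags and a verdict."""
    results = []
    for m in re.finditer(r"Ticket Flags\s+0x([0-9a-fA-F]{8})", text):
        word = int(m.group(1), 16)
        flags = decode_ticket_flags(word)
        missing = [f for f in REQUIRED_FOR_DELEGATION if f not in flags]
        results.append({"raw": word, "flags": flags, "missing": missing,
                        "delegation_ok": not missing})
    return results


# Constructed sample modelled on the klist excerpt above (not captured output).
SAMPLE_KLIST = """\
#0>  Client: user @ EXAMPLE.COM
     Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
     Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
     Start Time: 11/4/2019 23:33:44 (local)
     End Time:   11/5/2019 9:33:44 (local)
#1>  Client: user @ EXAMPLE.COM
     Server: HTTP/tdv.example.com @ EXAMPLE.COM
     KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
     Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

if __name__ == "__main__":
    for i, r in enumerate(check_klist_output(SAMPLE_KLIST)):
        verdict = "OK" if r["delegation_ok"] else "MISSING " + ",".join(r["missing"])
        print(f"ticket {i}: 0x{r['raw']:08x} {verdict}")
```

Run it against the output of klist.exe saved to a file; a ticket whose verdict lists ok_as_delegate means the service account has not been configured for delegation in the directory.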
II. Configure Spotfire for Kerberos
To set up constrained delegation for TDV with Spotfire, carry out the steps below.
1. Configure Spotfire Server with constrained delegation and ensure that SSO is working. Refer to the TIBCO Spotfire Server Installation manual for more information on this setup.
2. Launch the Spotfire Server Configuration Tool and browse to ‘Configuration > Datasource Templates’. Click on ‘New’, type in a name for the template and paste the following template in the “Data source template” section:
Note: If you intend to set up a template with unconstrained delegation, remove the property spotfire.kerberos.gsscredential.property.
<jdbc-type-settings>
  <type-name>Composite_Kerberos_constrained</type-name>
  <driver>cs.jdbc.driver.CompositeDriver</driver>
  <connection-url-pattern>jdbc:compositesw:dbapi@&lt;server&gt;:&lt;port9401&gt;?domain=&lt;domain&gt;&amp;dataSource=&lt;data_source&gt;&amp;authenticationMethod=&lt;auth_method&gt;&amp;kerberos.spn=&lt;spn&gt;&amp;kerberos.useTicketCache=true</connection-url-pattern>
  <ping-command>SELECT 1 FROM /services/databases/system/all_domains</ping-command>
  <connection-properties>
    <connection-property>
      <key>spotfire.connection.pool.factory.data.source</key>
      <value>kerberos.data.source</value>
    </connection-property>
    <connection-property>
      <key>spotfire.kerberos.gsscredential.property</key>
      <value>userGSSCredential</value>
    </connection-property>
  </connection-properties>
  <supports-catalogs>true</supports-catalogs>
  <supports-schemas>true</supports-schemas>
  <use-ansii-style-outer-join>true</use-ansii-style-outer-join>
  <metadata-provider>com.spotfire.ws.im.ds.sql.composite.CompositeMetadataProvider</metadata-provider>
  <supports-procedures>true</supports-procedures>
</jdbc-type-settings>
3. Save the configuration to the Spotfire database and restart the Spotfire Server service for the changes to take effect.
4. Log in to the Spotfire Analyst client.
5. Using Spotfire Information Designer, build an information model for the TDV data sources. If delegation is set up correctly, no user credentials need to be provided while creating and accessing the data source.
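The data source template in step 2 must be well-formed XML before the configuration tool accepts it, and the note on unconstrained delegation turns on a single connection property. The following added example (not part of the original article or of the Spotfire product) parses a constructed copy of the template, with the angle-bracket and ampersand placeholders in the URL pattern escaped, reports which delegation mode it encodes, and derives the unconstrained variant by removing spotfire.kerberos.gsscredential.property.

```python
import xml.etree.ElementTree as ET

GSS_CREDENTIAL_KEY = "spotfire.kerberos.gsscredential.property"

# Constructed copy of the article's template; placeholders in the URL pattern
# are escaped (&lt; &gt; &amp;) so the document is well-formed XML.
TEMPLATE = """<jdbc-type-settings>
  <type-name>Composite_Kerberos_constrained</type-name>
  <driver>cs.jdbc.driver.CompositeDriver</driver>
  <connection-url-pattern>jdbc:compositesw:dbapi@&lt;server&gt;:&lt;port9401&gt;?domain=&lt;domain&gt;&amp;dataSource=&lt;data_source&gt;&amp;authenticationMethod=&lt;auth_method&gt;&amp;kerberos.spn=&lt;spn&gt;&amp;kerberos.useTicketCache=true</connection-url-pattern>
  <ping-command>SELECT 1 FROM /services/databases/system/all_domains</ping-command>
  <connection-properties>
    <connection-property>
      <key>spotfire.connection.pool.factory.data.source</key>
      <value>kerberos.data.source</value>
    </connection-property>
    <connection-property>
      <key>spotfire.kerberos.gsscredential.property</key>
      <value>userGSSCredential</value>
    </connection-property>
  </connection-properties>
</jdbc-type-settings>
"""


def is_well_formed(template_xml: str) -> bool:
    """True if the template parses; an unescaped '<server>' or '&' inside the
    URL pattern (as pasted from a web page) makes it fail."""
    try:
        ET.fromstring(template_xml)
        return True
    except ET.ParseError:
        return False


def delegation_mode(template_xml: str) -> str:
    """'constrained' if the template forwards the user's GSS credential via
    spotfire.kerberos.gsscredential.property, otherwise 'unconstrained'."""
    root = ET.fromstring(template_xml)
    keys = {k.text for k in root.iter("key")}
    return "constrained" if GSS_CREDENTIAL_KEY in keys else "unconstrained"


def to_unconstrained(template_xml: str) -> str:
    """Return a copy of the template with the GSS credential property removed,
    which is the change the note above prescribes for unconstrained delegation."""
    root = ET.fromstring(template_xml)
    props = root.find("connection-properties")
    for prop in list(props):
        if prop.findtext("key") == GSS_CREDENTIAL_KEY:
            props.remove(prop)
    return ET.tostring(root, encoding="unicode")
```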