Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Creating an Information Services JDBC Data source with Kerberos delegated authentication to a Microsoft SQL Server database.

Rich Talbot
Date Posted:
Product: TIBCO Spotfire®

Problem:

Creating an Information Services JDBC Data source with Kerberos delegated authentication to a Microsoft SQL Server database.


Solution:


Product: TIBCO Spotfire Server

Version: 5.5 and later

OS: All Supported Operating Systems

--------------------

Description:

How to create an Information Services Data source with Kerberos delegated authentication to Microsoft SQL Server Database.

Resolution:

Prerequisites

1). TIBCO Spotfire Server configured for Kerberos authentication. Refer to the TIBCO Spotfire Server Installation manual (section "Kerberos Authentication").

2). TIBCO Spotfire Web Player (optional), configured for Single Sign-On (SSO) using Delegation with Kerberos authentication. Refer to the TIBCO Spotfire Web Player installation manual.

3). Constrained or Unconstrained delegation enabled on the domain controller for the Service Account used for Kerberos authentication on TIBCO Spotfire Server. Refer to the TIBCO Spotfire Server installation manual (section "Grant the Spotfire Server Service Account the Right to Delegate Client Credentials").

4). Microsoft SQL Server database to be used in setting up an information link data source that is configured for Kerberos authentication.

Instructions

1). Download the JDBC driver for Microsoft SQL Server from the following location and copy the sqljdbc_auth.dll file into the TIBCO Spotfire Server instance's tomcat\lib folder.

- http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774 .

The sqljdbc_auth.dll files are extracted into the following location:

\sqljdbc_\\auth\x64\

2). Create a new Database Template for Kerberos delegated Authentication to Microsoft SQL Server Database using the TIBCO Spotfire Server Configuration Tool. Define the JDBC data source template using the XML shown below. For detailed instructions, refer to knowledge base article KB 45013 on the TIBCO Support site.

-----------------------------------------------------------------------

( sqlserver2005_delegated com.microsoft.sqlserver.jdbc.SQLServerDriver jdbc:sqlserver://<host>:<port>;DatabaseName=<database>;integratedSecurity=true; authenticationScheme=JavaKerberos SELECT 1 spotfire.connection.pool.factory.data.source kerberos.data.source selectMethod cursor com.spotfire.ws.im.ds.sql.sqlserver.SQLServerMetadataProvider 10000 100 TABLE, VIEW true true true 1000 10000 false [$$catalog$$.][$$schema$$.]$$table$$ $$value$$ convert(varchar(8), $$value$$, 108) $$value$$ String VARCHAR($$value$$) String VARCHAR(8000) Integer DECIMAL(10, 0) Long DECIMAL(38, 0) Float REAL Double DOUBLE PRECISION Date DATETIME Time DATETIME DateTime DATETIME #$$name$$ CREATE TABLE $$name$$ $$column_list$$ DROP TABLE $$name$$ true )

-------------------------------------------------

3). Enable the template and Save the configuration into the database.

4). On the Spotfire Server, create a keytab file for the MS SQL Server database secured with Kerberos:

ktpass /princ {dbspnuser}@DOMAIN /ptype krb5_nt_principal /crypto rc4-hmac-nt /out spotfire-database.keytab /kvno 0 /pass ***

Replace dbspnuser - User used to register SPNs for the database

DOMAIN - your custom domain

5). Copy spotfire-database.keytab to \jdk\jre\lib\security folder.

6). Create spotfire-database.login file in \jdk\jre\lib\security\ containing the following text:

DatabaseKerberos { com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true useKeyTab=true keyTab="${java.home}/jre/lib/security/spotfire-database.keytab" principal="{dbspnuser}@DOMAIN" }

Replace dbspnuser - User used to register SPNs for the SQL Server database

DOMAIN - your custom domain

7). Add an entry for the spotfire-database.login in the \jdk\jre\lib\security\java.security file:

login.config.url.1=file:${java.home}/jre/lib/security/spotfire-database.login

8). Run the Spotfire Server service with the service account used to register SPNs for the server machine.

9). Restart the TIBCO Spotfire Server service (as a Windows or Linux service), to make these changes take effect.

10). Login to Spotfire Server from the Spotfire desktop client, then select "Tools > Information Designer" from the main menu and create a new Data Source using the newly created template(sqlserver2005_delegated). Keep the username/password field blank.

11). If the data source connection fails, purge the kerberos tickets on the Spotfire client machine using this command:

klist purge

References:

- https://msdn.microsoft.com/en-us/library/ms378428(v=sql.110).aspx

- https://msdn.microsoft.com/en-us/library/gg558122(v=sql.110).aspx

Related articles