× Heads up!

Aqua Data Studio / nhilam

Follow
IDE for Relational Databases

×

Kerberos Configuration (Revision #80)

Configuring Kerberos for Aqua Data Studio requires passing JVM parameters for Kerberos configuration, configuring the jaas.conf file (Java Authentication and Authorization Service), and configuring the krb5 (Kerberos Configuration) file.

Contents

Prerequisites

Ensure that the correct Apache Hive JDBC Drivers  are installed for your distribution before proceeding.  

Kerberos Configuration Steps

Step 1 : Pass JVM parameters for Kerberos configuration

Add the following JVM paramaters to your Aqua Data Studio datastudio.ini file for windows, to your Aqua Data Studio info.plist file in OS X,  or to your Aqua Data Studio datastudio-bundled.sh file in linux.

Java Properties :

-Dsun.security.krb5.debug=[ true | false ]
-Dsun.security.jgss.debug=[ true | false ]
-Djava.security.krb5.realm=[ example : aqua-internal.com ]
-Djava.security.krb5.kdc=[ example : kdc.aqua-internal.com ]
-Djava.security.krb5.conf=[ example: /etc/krb5.conf | c:\windows\krb5.ini ]
-Djava.security.auth.login.config=[ example : /etc/jaas.conf | c:\windows\jaas.conf ]
-Djavax.security.auth.useSubjectCredsOnly=[ true | false ]

Example Windows datastudio.ini. This uses the datastudio.exe to start :

vmarg.5 = -Dsun.security.krb5.debug=true
vmarg.6 = -Dsun.security.jgss.debug=true
vmarg.7 = -Djava.security.krb5.realm=aqua-internal.com
vmarg.8 = -Djava.security.krb5.kdc=kdc.aqua-internal.com
vmarg.9 = -Djava.security.krb5.conf=c:\windows\krb5.ini
vmarg.10 = -Djava.security.auth.login.config=c:\windows\jaas.conf
vmarg.11 = -Djavax.security.auth.useSubjectCredsOnly=false

Example Linux datastudio-bundled.sh :

$ADS_HOME/jre/bin/java 
-Djsse.enableCBCProtection=false 
-Dsun.security.krb5.debug=true
-Dsun.security.jgss.debug=true
-Djava.security.krb5.realm=aqua-internal.com
-Djava.security.krb5.kdc=kdc.aqua-internal.com
-Djava.security.krb5.conf=/etc/krb5.conf
-Djava.security.auth.login.config=/etc/jaas.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Xmx756M -XX:MaxPermSize=192m -cp $CLASSES com.aquafold.datastudio.DataStudio

Example OS X /Aqua Data Studio.app/Contents/Info.plist :

    <array>
        <string>-DappRoot=$APP_ROOT</string>
        <string>-Djsse.enableCBCProtection=false</string>
        <string>-Dapple.laf.useScreenMenuBar=true</string>
        <string>-Dsun.security.krb5.debug=true</string>
        <string>-Dsun.security.jgss.debug=true</string>
        <string>-Djava.security.krb5.realm=aqua-internal.com</string>
        <string>-Djava.security.krb5.kdc=kdc.aqua-internal.com</string>
        <string>-Djava.security.krb5.conf=/etc/krb5.conf</string>
        <string>-Djava.security.auth.login.config=/etc/jaas.conf</string>
        <string>-Djavax.security.auth.useSubjectCredsOnly=false</string>
        <string>-Xmx756m</string>
        <string>-XX:MaxPermSize=192m</string>
    </array>

 

Step 2 : Configure jaas.conf configuration file (Java Authentication and Authorization Service)

Create a file called jaas.conf file with the contents specified below depending on your distribution. This file should be located in the same directory that is specified for the java property  -Djava.security.auth.login.config


EXAMPLE jaas.conf file (except Cloudera)

JaasClient {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache = true;
};

For more on configuring the jaas.conf file see:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html

EXAMPLE jaas.conf file used for Cloudera

Client {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache = true;
};

For more information on configuring the jaas.conf file see section "Setting Up the JAAS Login Configuration File" in below PDF file: 

http://www.cloudera.com/content/cloudera/en/documentation/connectors/latest/PDF/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf

 

Step 3 : Configure krb5.conf (or krb5.ini) file (Kerberos Configuration File)

If you do not have a Kerberos configuration file, you need to create one. Look at the ADS reference example in <ADS_HOME>\krb5.ini.example. The contents must be modified to match your kerberos environment. Place the file in the location you specified for the java property -Djava.security.krb5.conf

For more on configuring the Kerberos Configuration file see: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html

 

Step 4: Install JCE Unlimited Strength for Java

If your server is setup to use AES-256 encryption, you must download and install the JCE Unlimited Strength for Java.
Reference article from Cloudera: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_sg_jce_policy_file_install.html
 
Steps to install JCE:
1. Download and install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" depending on which version of Java you are running.
    - ADS version 15 and version16 come packaged with Java 1.7 : http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
    - ADS version 17 comes packaged with Java 1.8 : http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
 
2. Unzip the file and replace these 2 files: US_export_policy.jar and local_policy.jar in  <ADS_HOME>/java/jre/lib/security with the downloaded files. 
 
If you are seeing the error message "unsupported key type found the default TGT: 18" this could be an indication that you do not have the Unlimited strength policy files installed. Reference link

 

Windows Kerberos Configuration Example Using Hortonworks

Step 1: Ensure that you have Kerberos installed - MIT Kerberos - as an example

Step 2: Modify your hosts file located in C:\Windows\System32\drivers\etc to establish hostname/ip reference.

 host-file-example.png

Step 3: Create krb5.ini file. This file should be located in the same folder specified in the -Djava.security.krb5.conf property.

inifile.png

Step 4: Request your kerberos ticket. It is a good idea to use the run as an administrator command window.
 
kinit-hdp-admin.png
 

Step 5: Create jaas.conf file. This file should be located in the same directory that is specified for the java property -Djava.security.auth.login.config 

JaasFile.png
 
Step 6: Replace jre security files with jce unlimited inside Aqua Data Studio bundled java located in C:\..\datastudio\jre\lib\security.
 
JCEFileCopy.png
 

Step 7: Ensure you have the correct Apache Hive JDBC Drivers for your distribution located in C:\..\datastudio\lib\drivers.

HivedriverCopy.png

Step 8: Add java parameters to datastudio-bundled.bat file located in C:\..\datastudio\ (These parameters must all be on one line) or add the parameters to the datastudio.ini file also located in C:\..\datastudio\ if you are going to start Aqua Data Studio using datastudio.exe.

datastudio-bundled.bat

BatFile.png

datastudio.ini

iniparms.png

Step 9: Run datastudio from a command window. It is a good idea to use the run as an administrator command window.

startadsbat.png

Step 10: Create a connection and test it

Serverproperties.png

Step 11: Kerberos information displayed in the command window as a result of the connection.

kerberosinformation.png

Integrated Windows Authentication for Kerberos

By default, Windows does not allow the session key of a TGT to be accessed while using the Windows Kerberos Client.  To allow accessibility, you will need to add a registry key on the client side, so that the session key for TGT is accessible and Java can use it to acquire additional service tickets.  To learn how to add the registry setting and more on this topic, go to this link :

https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows

Last updated by tomconrad on Oct 6, 2015 3:26 PM

About AquaClusters Privacy Policy Support Version - 19.0.2-4 AquaFold, Inc Copyright © 2007-2017