h1. Kerberos support through GSSAPI
Teiid supports Kerberos authentication using GSSAPI for single sign-on applications. This service-ticket-negotiation based authentication is supported through the remote JDBC and ODBC drivers and through LocalConnections. Client configuration differs for each client type.

For LocalConnections, set the JDBC URL property PassthroughAuthentication to true and use JBoss Negotiation to authenticate your web application with Kerberos. Once the web application has authenticated with the supplied Kerberos token, the same authenticated Subject is used by Teiid. For configuration details, see the JBoss Negotiation documentation.
On the server, edit <jboss-install>/standalone/configuration/standalone-teiid.xml and, in the teiid subsystem, add an authentication element with a krb5-domain attribute to the "transport" definition as follows:

```xml
<transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">
    <authentication security-domain="teiid-security" krb5-domain="krb5-domain"/>
</transport>
```

Now we need to define a security domain for Kerberos with the name referenced above (krb5-domain). Since Kerberos authentication only establishes the principal's identity and does not carry authorization roles, the roles are assigned by a second login context: the teiid-security domain, whose roles login module reads them from a properties file. A sample configuration is given below.

This configuration replaces the default Teiid login configuration, and you should change the principal and keytab locations accordingly.
```xml
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <!-- login module that negotiates the login context for kerberos -->
        <security-domain name="krb5-domain" cache-type="default">
            <authentication>
                <login-module code="Kerberos" flag="required">
                    <module-option name="storeKey" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="principal" value="demo@EXAMPLE.COM"/>
                    <module-option name="keyTab" value="path/to/krb5.keytab"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <module-option name="debug" value="false"/>
                </login-module>
            </authentication>
        </security-domain>
        <!-- teiid's default security domain; replace this with your own if it needs to be any other JAAS domain -->
        <security-domain name="teiid-security" cache-type="default">
            <authentication>
                <login-module code="org.teiid.jboss.SimpleLoginModule" flag="required" module="org.jboss.teiid">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```
"verbose error" With above setup you will see error like PBOX000246: The JSSE security domain other is not valid. All authentication using this login module will fail! This is captured at https://issues.jboss.org/browse/WFLY-777 and is erroneous and can be safely ignored. |
Edit the "standalone.conf" file in the "${jboss-as}/bin" directory and add the following JVM options (change the realm and KDC settings according to your environment):

```bash
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kerberos.example.com -Djavax.security.auth.useSubjectCredsOnly=false"
```

This completes the server-side configuration. Restart the server and confirm that no errors are logged during startup.
In your client JVM, a JAAS configuration for Kerberos authentication needs to be written. A sample configuration file (client.conf) is shown below; the entry name ("Client") is what the JDBC URL refers to via the jaasName property:

```
Client {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        storeKey=true
        useKeyTab=true
        keyTab="/path/to/krb5.keytab"
        doNotPrompt=false
        debug=false
        principal="demo@EXAMPLE.COM";
};
```
Add the following JVM options to your client's startup script (change the realm and KDC settings according to your environment):

```
-Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=kerberos.example.com
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false
-Djava.security.auth.login.config=/path/to/client.conf
```

Alternatively, if you want to take the KDC and realm from a system-wide Kerberos configuration (on Linux typically /etc/krb5.conf), use the following instead:

```
-Djava.security.krb5.conf=/path/to/krb5.conf
-Djava.security.auth.login.config=/path/to/client.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false
```
Add the following connection properties to the Teiid JDBC connection string. jaasName must match the entry name in client.conf, and kerberosServicePrincipleName is the Teiid server's service principal, i.e. the principal configured in the krb5-domain login module above (note the spelling of the property name):

```
authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo@EXAMPLE.COM
```
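The client-side steps above (JVM options, the JAAS entry, and the URL properties) put together in one JDBC client. This is an added example and is not code from the Teiid documentation or the Teiid project; the VDB name "myvdb", the server address teiid.example.com:31000, and the JAAS file location /path/to/client.conf are assumptions, and the JAAS-entry pre-flight check is a hypothetical helper added here because a missing or misnamed entry only surfaces at connect time.

```java
// Added example, not part of the Teiid documentation or the Teiid project.
// Assumptions (not from the page): VDB "myvdb", server teiid.example.com:31000,
// JAAS file /path/to/client.conf containing the "Client" entry shown above.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Pattern;

public class KerberosJdbcClient {

    // Equivalent to the -D options from the client startup script, set here so
    // the example is self-contained. Realm and KDC values are assumptions.
    static void configureKerberosSystemProperties(Path jaasConfig) {
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kerberos.example.com");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "false");
        System.setProperty("java.security.auth.login.config", jaasConfig.toString());
    }

    // Hypothetical pre-flight check: a JAAS file without the entry named in
    // jaasName fails at connect time with "No LoginModules configured for <name>",
    // so verify the entry exists before touching the network.
    static boolean jaasEntryPresent(Path jaasConfig, String entryName) throws IOException {
        String text = new String(Files.readAllBytes(jaasConfig), StandardCharsets.UTF_8);
        return Pattern.compile("\\b" + Pattern.quote(entryName) + "\\s*\\{").matcher(text).find();
    }

    // Teiid JDBC URL: jdbc:teiid:<vdb>@mm://<host>:<port>;<prop>=<value>;...
    static String buildUrl(String vdb, String host, int port, String jaasName, String servicePrincipal) {
        return "jdbc:teiid:" + vdb + "@mm://" + host + ":" + port
                + ";authenticationType=KRB5"
                + ";jaasName=" + jaasName
                + ";kerberosServicePrincipleName=" + servicePrincipal;
    }

    public static void main(String[] args) throws Exception {
        Path jaasConfig = Paths.get("/path/to/client.conf");
        String jaasName = "Client";
        configureKerberosSystemProperties(jaasConfig);
        if (!jaasEntryPresent(jaasConfig, jaasName)) {
            throw new IllegalStateException("JAAS entry '" + jaasName + "' not found in " + jaasConfig);
        }
        String url = buildUrl("myvdb", "teiid.example.com", 31000, jaasName, "demo@EXAMPLE.COM");

        // No user name or password is supplied: the Teiid driver logs in through
        // the Krb5LoginModule named by jaasName, obtains a service ticket for
        // kerberosServicePrincipleName and negotiates it with the server.
        Class.forName("org.teiid.jdbc.TeiidDriver");
        try (Connection conn = DriverManager.getConnection(url, new Properties())) {
            System.out.println("Connected as: " + conn.getMetaData().getUserName());
            System.out.println("Connection valid: " + conn.isValid(5));
        } catch (SQLException e) {
            // Typical causes: clock skew against the KDC, a service principal that
            // does not match the server's keytab, or a principal with no entry in
            // teiid-security-roles.properties on the server.
            System.err.println("Kerberos JDBC login failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with the Teiid JDBC client jar on the classpath; because the system properties are set in code, the -D options from the startup script are not needed for this client, but setting them on the command line as well is harmless.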
There are two layers of security in this setup: Kerberos, and then access to Teiid itself. The above configuration chains them so that you have a single SSO-based solution.

There is no need to provide a separate user name and password when establishing the JDBC connection: the client authenticates with Kerberos using the principal from its JAAS configuration, negotiates a service ticket with the KDC, and the JDBC connection is granted once the server accepts it. To supply role information for the authenticated principal (demo@EXAMPLE.COM in this example), edit the "${jboss.server.config.dir}/teiid-security-roles.properties" file and add the appropriate roles.

You can also choose to replace the "teiid-security" domain configuration with another JAAS-based security domain; in that case, however, a user name and password need to be set on the JDBC connection URL, and they will be used to authenticate against the newly configured JAAS domain.