Teiid supports Kerberos authentication using GSSAPI, for use with single sign-on applications. This service-ticket-negotiation-based authentication is supported through the remote JDBC and ODBC drivers and through LocalConnections. Client configuration differs depending on the kind of connection you are using.
Set the JDBC URL property PassthroughAuthentication to true and use JBoss Negotiation to authenticate your web application with Kerberos. When the web application authenticates with the supplied Kerberos token, the same authenticated Subject is used in Teiid. For configuration details, see the JBoss Negotiation documentation.
On the server, edit <jboss-install>/standalone/configuration/standalone-teiid.xml and, in the teiid subsystem's "transport" definition, add the following:
<transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">
    <authentication security-domain="teiid-security" krb5-domain="krb5-domain"/>
</transport>
Now we need to define a security domain context for Kerberos with the name referenced above (krb5-domain). Since Kerberos authentication cannot define authorization roles, we define them using another login context. Below is a sample configuration that defines roles using a UsersRolesLoginModule.
This configuration replaces the default Teiid login configuration; change the principal and keytab location to match your environment.
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <!-- login module that negotiates the login context for Kerberos -->
        <security-domain name="krb5-domain" cache-type="default">
            <authentication>
                <login-module code="Kerberos" flag="required">
                    <module-option name="storeKey" value="true"/>
                    <module-option name="useKeyTab" value="true"/>
                    <module-option name="principal" value="demo@EXAMPLE.COM"/>
                    <module-option name="keyTab" value="path/to/krb5.keytab"/>
                    <module-option name="doNotPrompt" value="true"/>
                    <module-option name="debug" value="false"/>
                </login-module>
            </authentication>
        </security-domain>
        <!-- Teiid's default security domain; replace it with your own if you need a different JAAS domain -->
        <security-domain name="teiid-security" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="teiid-security-users.properties"/>
                    <module-option name="rolesProperties" value="teiid-security-roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
Edit the standalone.conf file in the ${jboss-as}/bin directory and add the following JVM options (change the realm and KDC settings to match your environment):
JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kerberos.example.com -Djavax.security.auth.useSubjectCredsOnly=false"
This completes the server-side configuration. Restart the server and verify that no errors are reported during startup.
In your client VM, the JAAS configuration for Kerberos authentication must be written. A sample configuration file (client.conf) is shown below:
Client {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        storeKey=true
        useKeyTab=true
        keyTab="/path/to/krb5.keytab"
        doNotPrompt=false
        debug=false
        principal="demo@EXAMPLE.COM";
};
Add the following JVM options to your client's startup script, changing the realm and KDC settings to match your environment:
-Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=kerberos.example.com
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false
-Djava.security.auth.login.config=/path/to/client.conf
or, if you want to control the KDC and realm system-wide, use the following instead (on Linux the system file is typically /etc/krb5.conf):
-Djava.security.krb5.conf=/path/to/krb5.conf
-Djava.security.auth.login.config=/path/to/client.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false
Add the following connection properties to the Teiid JDBC connection string:
authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo@EXAMPLE.COM
There is no need to provide a user name and password. When the application makes a JDBC connection, it authenticates locally and uses the same user credentials to negotiate a service ticket with the server, which grants the connection. See the Client Developer's Guide for information on connection properties and how to configure data sources.
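The client-side steps above (the JAAS "Client" entry, the JVM options and the three URL properties) combined in one program. This is an added example, not code from the Teiid project or its documentation: the VDB name MyVDB, the host teiid.example.com, the port 31000, the class and method names, and the pre-flight checks are assumptions, and it relies on client.conf and the JVM options from this page already being in place.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example (not Teiid project code). Opens a Teiid JDBC connection that
 * is authenticated by a Kerberos service ticket; no user name or password is
 * ever placed in the URL or in the Properties object.
 *
 * Assumptions (not from the page): the Teiid client jar is on the classpath,
 * a VDB named "MyVDB" is deployed, the server is teiid.example.com listening
 * on 31000 (the usual teiid-jdbc port), and the JVM was started with the
 * options the page lists, in particular java.security.auth.login.config.
 */
public class KerberosJdbcClient {

    /** Entry name in client.conf; must match the JAAS block name exactly. */
    static final String JAAS_NAME = "Client";

    /** Service principal the server's krb5-domain login module runs as. */
    static final String SERVICE_PRINCIPAL = "demo@EXAMPLE.COM";

    /** Builds jdbc:teiid:<vdb>@mm://<host>:<port> plus the Kerberos properties. */
    static String buildUrl(String vdb, String host, int port) {
        return "jdbc:teiid:" + vdb + "@mm://" + host + ":" + port
            + ";authenticationType=KRB5"
            + ";jaasName=" + JAAS_NAME
            + ";kerberosServicePrincipleName=" + SERVICE_PRINCIPAL;
    }

    /** Fails fast when the JVM was not started with the settings the page requires. */
    static void checkJvmSettings() {
        if (System.getProperty("java.security.auth.login.config") == null) {
            throw new IllegalStateException(
                "java.security.auth.login.config is not set; the JAAS entry "
                + JAAS_NAME + " cannot be located");
        }
        boolean realmAndKdc = System.getProperty("java.security.krb5.realm") != null
            && System.getProperty("java.security.krb5.kdc") != null;
        boolean krb5Conf = System.getProperty("java.security.krb5.conf") != null;
        if (!realmAndKdc && !krb5Conf) {
            // The JDK then falls back to its default krb5.conf locations.
            System.err.println("warning: neither krb5.realm/krb5.kdc nor krb5.conf set");
        }
        if (!"false".equals(System.getProperty("javax.security.auth.useSubjectCredsOnly"))) {
            System.err.println("warning: javax.security.auth.useSubjectCredsOnly is not false");
        }
    }

    public static void main(String[] args) throws Exception {
        checkJvmSettings();
        Class.forName("org.teiid.jdbc.TeiidDriver"); // explicit registration for older drivers
        String url = buildUrl("MyVDB", "teiid.example.com", 31000);

        // Deliberately empty: with authenticationType=KRB5 the JAAS login named
        // by jaasName supplies the credential, so no user/password is needed.
        Properties props = new Properties();

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT 1")) {
            rs.next();
            System.out.println("connected as " + conn.getMetaData().getUserName()
                + ", probe query returned " + rs.getInt(1));
        } catch (SQLException e) {
            // Typical causes: clock skew with the KDC, a service principal that
            // does not match the server keytab, or a missing JAAS entry; set
            // -Dsun.security.krb5.debug=true to see the negotiation.
            System.err.println("Kerberos JDBC login failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with the same JVM options the page gives for the client, for example `java -Djava.security.krb5.conf=/path/to/krb5.conf -Djava.security.auth.login.config=/path/to/client.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp <teiid-client-jar>:. KerberosJdbcClient` (the jar path is a placeholder). The printed user name is what the teiid-security domain's UsersRoles module will look up for roles, which makes this a quick way to confirm which principal name the server sees.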