5 Replies Latest reply on Sep 8, 2014 6:26 AM by rareddy

    Kerberos support in JBoss Teiid ?

    madhurika_sharma

      Hello,

      I am connecting to a SQL Server 2008 database from Teiid using a JDBC username and password. Now, I want to connect to the db using Kerberos authentication.
      From the Kerberos support through GSSAPI - Teiid 8.9 (draft) - Project Documentation Editor, I am not able to understand whether Teiid supports Kerberos authentication.

      If it does, do we have more material related to it?

        • 1. Re: Kerberos support in JBoss Teiid ?
          shawkins

          Kerberos support through GSSAPI - Teiid 8.9 (draft) - Project Documentation Editor outlines how to connect to the server using GSSAPI/Kerberos.  I gather you are then asking about Kerberos to the source under Teiid.  See Data Source Security - Teiid 8.9 (draft) - Project Documentation Editor for some options.

          • 2. Re: Kerberos support in JBoss Teiid ?
            madhurika_sharma

            Hello Steven,

            Thanks for the reply.
            I see Teiid 8.9 in the URL you have given. I am using Teiid 8.4.0.
            Does Teiid 8.4.0 with JBoss 6.1.0 support Kerberos?

            • 3. Re: Kerberos support in JBoss Teiid ?
              rareddy

              Yes, it is supported in Teiid 8.4: Kerberos support through GSSAPI. However, it got refined in 8.8 for the delegation model. However, we still do not support Kerberos delegation to JDBC sources yet; see [TEIID-3005] Support Kerberos pass-thru to the data source - JBoss Issue Tracker

              • 4. Re: Kerberos support in JBoss Teiid ?
                madhurika_sharma

                I am getting confused here.
                I was connecting to a SQL Server 2008 database with a JDBC username and password before; now I want to connect to the MS SQL Server 2008 database (servers are Kerberos enabled) with Kerberos authentication from JBoss Teiid. So, are you saying I can do it with Kerberos support through GSSAPI - Teiid 8.4 - Project Documentation Editor?

                • 5. Re: Re: Kerberos support in JBoss Teiid ?
                  rareddy

                  OK, here is what is supported and what is not:

                  1) Your Application --> Kerberos Auth --> Teiid (supported)

                  2) Teiid --> Kerberos Auth --> SQL Server 2008 (should be supported)

                  3) Your Application --> Kerberos Auth --> Teiid --> Use same logged in Kerberos token (No reauth) --> SQL Server 2008 (not supported, TEIID-3005)

                  If you are only looking for (2), then consult the JBoss EAP documents for configuration; it will be like configuring a security-domain in JBoss EAP, then configuring a data source with that security domain.

                  For example:

                  Add the following system properties:

                  JAVA_OPTS="$JAVA_OPTS -Djava.security.krb5.conf=/path/to/krb5.conf -Djava.security.krb5.debug=false -Djavax.security.auth.useSubjectCredsOnly=false"

                  Then a security-domain like:

                  <security-domain name="host" cache-type="default">
                     <authentication>
                        <login-module code="Kerberos" flag="required">
                           <module-option name="storeKey" value="true"/>
                           <module-option name="useKeyTab" value="true"/>
                           <module-option name="principal" value="host/testserver@MY_REALM"/>
                           <module-option name="keyTab" value="/path/to/service.keytab"/>
                           <module-option name="doNotPrompt" value="true"/>
                           <module-option name="debug" value="false"/>
                        </login-module>
                     </authentication>
                  </security-domain>
                  

                   

                  Then a data source like:

                  <datasources>
                      <datasource jndi-name="java:/sqlserverDS" pool-name="sqlserverDS">
                          <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
                          <connection-url>jdbc:sqlserver://{host}:1433</connection-url>
                          <driver>sqljdbc4.jar</driver>
                          <pool>
                              <prefill>false</prefill>
                              <use-strict-min>false</use-strict-min>
                              <flush-strategy>FailingConnectionOnly</flush-strategy>
                          </pool>
                          <security>
                              <security-domain>host</security-domain>
                          </security>
                      </datasource>                               
                  </datasources>
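
A check for the security-domain shown in the last reply, as an added example that is not part of the original posts or of the Teiid/JBoss code: it parses the fragment, confirms the keytab-based login options, and flags a keytab file that group or other users can access, since the keytab holds the service principal's long-term key. The function names and the temporary stand-in keytab file are assumptions made for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed input: the post's security-domain, keytab path filled in at run time.
SAMPLE_DOMAIN = """<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="host/testserver@MY_REALM"/>
      <module-option name="keyTab" value="{keytab}"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="false"/>
    </login-module>
  </authentication>
</security-domain>"""

def local(elem):
    """Tag name without the XML namespace that standalone.xml puts on every element."""
    return elem.tag.rsplit("}", 1)[-1]

def audit_kerberos_domain(xml_text):
    """Return findings for every Kerberos login-module (an unattended, keytab-based login)."""
    findings = []
    for module in ET.fromstring(xml_text).iter():
        if local(module) != "login-module" or module.get("code") != "Kerberos":
            continue
        opts = {o.get("name"): o.get("value") for o in module if local(o) == "module-option"}
        for name in ("useKeyTab", "doNotPrompt"):
            if opts.get(name) != "true":
                findings.append(f"{name} should be true for a service login")
        if opts.get("debug") == "true":
            findings.append("debug=true emits verbose Kerberos login output")
        keytab = opts.get("keyTab")
        if not keytab or not os.path.isfile(keytab):
            findings.append(f"keyTab not found: {keytab}")
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            findings.append(f"keyTab {keytab} is accessible to group/other; chmod 600")
    return findings

def demo():
    """Audit the sample with a stand-in keytab file at mode 644, then at 600."""
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:
        xml_text = SAMPLE_DOMAIN.format(keytab=kt.name)
        os.chmod(kt.name, 0o644)
        loose = audit_kerberos_domain(xml_text)
        os.chmod(kt.name, 0o600)
        return loose, audit_kerberos_domain(xml_text)
```

Pass `audit_kerberos_domain` the `security-domain` element copied from standalone.xml; the namespace on that file's elements is ignored.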