Implementing Kerberos Single Sign-on (SSO) for GridServer 6.1 Java Drivers on Microsoft Windows.


Article ID: KB0089362


Products Versions
TIBCO DataSynapse GridServer -
Not Applicable -

Description

Introduction

This knowledge base article describes the requisites as well as how to implement Kerberos SSO for the Java driver in a GridServer 6.1 environment on the Windows platform.

Java Requirements

The following versions of Java are supported when using Kerberos SSO with Java:

  • Java 1.6.0_34 or newer
  • Java 1.7.0_17 or newer

You must ensure that you have installed Java Cryptography Extensions (JCE) Unlimited Strength Jurisdiction Policy Files. These files are dependent on the Java version and can be downloaded from Oracle at:

Windows Requirements

XP

Add/change the following registry value:

 Key:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos

Value Name:  allowtgtsessionkey

Value Type:  REG_DWORD

Value Data:  1

Windows Vista, 7, 2008 and 2012

Add/change the following registry value:

Key:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name:  allowtgtsessionkey

Value Type:  REG_DWORD

Value Data:  1

Note: You may find references in MSDN or elsewhere stating that the required value type is REG_SZ. This is a bug. The value type should be REG_DWORD.
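The following PowerShell script is an added example, not part of the original article or of GridServer. It audits allowtgtsessionkey at the path given above for the running OS and reports a value of the wrong type (such as REG_SZ) as not OK. The setting lets LSA include the TGT session key in tickets it returns to requesting processes, so it is worth confirming exactly where and how it is set. The function name Get-TgtSessionKeyState, the -Fix switch and the OS-version mapping are assumptions of this example.

```powershell
# Added example (not from the article): audit allowtgtsessionkey for the
# location, type and data this article specifies.
param([switch]$Fix)   # hypothetical switch: rewrite the value (needs elevation)

$name = 'allowtgtsessionkey'
$base = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
# Assumption: NT major version 5 = XP, 6 or later = Vista/7/2008/2012.
$path = if ([Environment]::OSVersion.Version.Major -ge 6) { "$base\Parameters" } else { $base }

function Get-TgtSessionKeyState {
    param([string]$Path, [string]$Name)
    # New-Object PSObject keeps this usable on PowerShell 2.0.
    $state = New-Object PSObject -Property @{
        Path = $Path; Present = $false; Kind = $null; Data = $null; Ok = $false
    }
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) { return $state }
    $state.Present = $true
    $state.Kind = $key.GetValueKind($Name)
    $state.Data = $key.GetValue($Name)
    # A REG_SZ "1" is reported as not OK: the article requires REG_DWORD.
    $state.Ok = ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                ($state.Data -eq 1)
    return $state
}

$state = Get-TgtSessionKeyState -Path $path -Name $name
if (-not $state.Ok -and $Fix) {
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $state = Get-TgtSessionKeyState -Path $path -Name $name
}
$state | Format-List Path, Present, Kind, Data, Ok
```

Run without -Fix, the script only reads the registry and can be used to inventory which hosts have the setting enabled.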

Setting up the Java Driver

The DSNegotiateEnabled property in driver.properties specifies whether Negotiate authentication is used. Set it to true, either in the driver.properties file or through the DriverManager API, to enable Negotiate authentication; otherwise the username and password properties are used.

Java includes support for Kerberos authentication natively. The standard method of configuring a Kerberos-enabled application is via the login.conf and krb5.conf files depending on which version of Java you use. 

login.conf is only required with Java 6. If you are using Java 6, you must create a login.conf file as shown below. Java 7 does not require login.conf.

login.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    doNotPrompt=true;
};

Note: If you are using Java 6, you must ensure that the login.conf file is in your class path. The easiest thing to do is to keep it in the same place you keep driver.properties if you are using that file.

We have added the following convenience properties to the driver.properties file so that you do not need a krb5.conf file:

  • DSKerberosRealm : The name of the Kerberos realm in capital letters, for example, REALM.NAME
  • DSKerberosKDC : The hostname of the KDC, for example, dc.domain.com

These properties can also be set via the DriverManager class using the GridServer API.

Note: If your Java application is already set up to use Kerberos, you might not need to do anything.
