Kerberos tickets need refresh when using a keytab account for JDBC
Article ID: KB0081058
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | 7.5 and later |
Description
When connecting to a JDBC data source using Kerberos authentication, you can sometimes face a problem if the Kerberos tickets have a finite lifetime. If this is the case, you need to change the connection property spotfire.kerberos.refresh.tgt from the default false to true in the data source template.
For general information about use cases and considerations when connecting TIBCO Spotfire to a Kerberized data source, see the article Connecting TIBCO Spotfire to a Kerberized Data Source on the TIBCO Community.
Environment
TIBCO Spotfire Server.
JDBC data source with kerberos authentication and a service account, i.e. not delegation of end user credentials
Resolution
Add this connection property to the Data Source template:
Example Debug row showing how you can see if the refreshTGT property is set to true or false (here set to false):
<connection-property> <key>spotfire.kerberos.refresh.tgt</key> <value>true</value> </connection-property>
Example Debug row showing how you can see if the refreshTGT property is set to true or false (here set to false):
DEBUG 2018-01-05T10:46:19,274+0000 [..., #5772, #59816] util.sql.PoolingDataSource: Initializing data source Test Impala (d2be56d0-4411-472d-8fbe-f0d3eedc4af5)[driverClass=com.cloudera.impala.jdbc41.Driver, url='...', username='...', password=[NOT SHOWN], kerberosLoginContextName=impalakerberos2, refreshTGT=false, initialized=false, destroyed=false, active=false, minConnections=1, maxConnections=1, connectionTimeout=600, poolingScheme=WAIT, loginTimeout=0, autoCommit=false, readOnly=false, mBeanEnabled=true, properties={}]
Issue/Introduction
One additional connection property needs to be set when using a kerberos.login.context if the tickets are to be refreshed
Additional Information
https://community.tibco.com/wiki/connecting-tibco-spotfire-kerberized-data-source
Example error message:
Note: There error could very well be something else, depending on what data source is being used.
Note 2: There could also be other causes for this error message.
Example error message:
Note: There error could very well be something else, depending on what data source is being used.
Note 2: There could also be other causes for this error message.
ERROR 2017-12-05T08:49:55,884+0000 [..., #4891, #49779] api.common.InformationModelServiceCommon: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed. com.spotfire.ws.api.common.InformationModelWebServiceException: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed. ... Caused by: com.spotfire.ws.im.IMException: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed. ... Caused by: java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed. ... Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed. ... Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed ... Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
Feedback
Yes
No
Powered by
