Kerberos tickets need refresh when using a keytab account for JDBC


Article ID: KB0081058


Products: Spotfire Server
Versions: 7.5 and later

Description

When connecting to a JDBC data source using Kerberos authentication, you can run into problems if the Kerberos tickets have a finite lifetime. In that case, change the connection property spotfire.kerberos.refresh.tgt from its default, false, to true in the data source template.

For general information about use cases and considerations when connecting TIBCO Spotfire to a Kerberized data source, see the article Connecting TIBCO Spotfire to a Kerberized Data Source on the TIBCO Community.



 

Issue/Introduction

One additional connection property must be set when using a kerberos.login.context if the tickets are to be refreshed.

Environment

TIBCO Spotfire Server. JDBC data source with Kerberos authentication and a service account, i.e. not delegation of end-user credentials.

Resolution

Add this connection property to the Data Source template:
 
<connection-property>
  <key>spotfire.kerberos.refresh.tgt</key>
  <value>true</value>
</connection-property>

Example DEBUG log row showing whether the refreshTGT property is set to true or false (here it is false):

DEBUG 2018-01-05T10:46:19,274+0000 [..., #5772, #59816] util.sql.PoolingDataSource: Initializing data source Test Impala (d2be56d0-4411-472d-8fbe-f0d3eedc4af5)[driverClass=com.cloudera.impala.jdbc41.Driver, url='...', username='...', password=[NOT SHOWN], kerberosLoginContextName=impalakerberos2, refreshTGT=false, initialized=false, destroyed=false, active=false, minConnections=1, maxConnections=1, connectionTimeout=600, poolingScheme=WAIT, loginTimeout=0, autoCommit=false, readOnly=false, mBeanEnabled=true, properties={}]
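
One way to scan a server log for data sources that use a Kerberos login context but still have refreshTGT=false, based on the DEBUG row format above. This is an added example, not TIBCO code; the function names are hypothetical, the sample rows are constructed, and how an unset login context is logged is an assumption.

```python
import re

# Row format as in the DEBUG example above: "<name> (<GUID>)[key=value, ...]".
INIT_RE = re.compile(
    r"util\.sql\.PoolingDataSource: Initializing data source "
    r"(?P<name>.+?) \((?P<id>[0-9a-f-]{36})\)\[(?P<props>.*)\]\s*$")

def parse_init_row(line):
    """Return name, id, login context and refreshTGT for an init row, else None."""
    m = INIT_RE.search(line)
    if not m:
        return None
    def field(key):
        # Require the ", " separator so a key name inside another value is not matched.
        fm = re.search(r"(?:^|, )" + re.escape(key) + r"=([^,\]]*)", m.group("props"))
        return fm.group(1) if fm else None
    return {"name": m.group("name"), "id": m.group("id"),
            "login_context": field("kerberosLoginContextName"),
            "refresh_tgt": field("refreshTGT")}

def keytab_sources_without_refresh(lines):
    """Sources with a Kerberos login context whose latest init row lacks refreshTGT=true."""
    latest = {}
    for line in lines:
        row = parse_init_row(line)
        if row:
            latest[row["id"]] = row  # a later row reflects a corrected template
    # Assumption: an unset login context is logged as "null" or as an empty value.
    return [r for r in latest.values()
            if r["login_context"] not in (None, "", "null") and r["refresh_tgt"] != "true"]

def _row(ts, name, guid, ctx, refresh):
    # Constructed sample row, abbreviated from the DEBUG row on this page.
    return (f"DEBUG {ts} [..., #1, #2] util.sql.PoolingDataSource: Initializing data "
            f"source {name} ({guid})[driverClass=com.cloudera.impala.jdbc41.Driver, "
            f"url='...', username='...', password=[NOT SHOWN], "
            f"kerberosLoginContextName={ctx}, refreshTGT={refresh}, properties={{}}]")

SAMPLE_LOG = [  # constructed; only the first row's name, GUID and context are from the page
    _row("2018-01-05T10:46:19,274+0000", "Test Impala",
         "d2be56d0-4411-472d-8fbe-f0d3eedc4af5", "impalakerberos2", "false"),
    _row("2018-01-05T10:47:00,000+0000", "Fixed Source",
         "00000000-0000-0000-0000-000000000001", "ctxA", "false"),
    _row("2018-01-05T11:00:00,000+0000", "Fixed Source",
         "00000000-0000-0000-0000-000000000001", "ctxA", "true"),
    _row("2018-01-05T11:01:00,000+0000", "No Kerberos",
         "00000000-0000-0000-0000-000000000002", "null", "false"),
    "ERROR 2017-12-05T08:49:55,884+0000 [...] Error retrieving metadata: GSS initiate failed.",
]

if __name__ == "__main__":
    for r in keytab_sources_without_refresh(SAMPLE_LOG):
        print(f"{r['name']} ({r['id']}): context={r['login_context']}, refreshTGT=false")
```

The PoolingDataSource row is written at DEBUG level, so the check only sees data sources initialized while that level was enabled.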

Additional Information

https://community.tibco.com/wiki/connecting-tibco-spotfire-kerberized-data-source

Example error message:

Note: The error could very well be something else, depending on which data source is being used.
Note 2: There could also be other causes for this error message.
 
ERROR 2017-12-05T08:49:55,884+0000 [..., #4891, #49779] api.common.InformationModelServiceCommon: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
com.spotfire.ws.api.common.InformationModelWebServiceException: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
...
Caused by: com.spotfire.ws.im.IMException: Error retrieving metadata: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
...
Caused by: java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
...
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
...
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
...
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed