Configuration of Data Virtuality Server
Before you start configuring the Data Virtuality Server to use Kerberos authentication, please check that all pre-requisites for the Data Virtuality Server Kerberos Authentication are met.
Configuration in the Main Data Virtuality Server Configuration File
The configuration for Kerberos authentication is done in the main configuration file of the Data Virtuality Server: path\to\DVServer\standalone\configuration\dvserver-standalone.xml.
The configuration is done in four areas in that file:
- In the area system-properties, entries are added;
- In the area security-domains, one existing entry is replaced and two new entries are added;
- In the area transport, two entries are added;
- In the area socket-binding, two entries are added;
system-properties
- Find the <system-properties> element.
- In that element, add the following entries to the existing ones (please note that <REALM> is the name of your Kerberos realm):
<system-properties>
<property name="java.security.krb5.realm" value="<REALM>"/>
<property name="java.security.krb5.kdc" value="<kdc machine name - fqdn>"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
Here is an example configuration:
<system-properties>
...
<property name="java.security.krb5.realm" value="KRBTEST.DV"/>
<property name="java.security.krb5.kdc" value="DVDC01.KRBTEST.DV"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
security-domains
- Find the <subsystem xmlns="urn:jboss:domain:security:2.0"> element.
- Inside that element, find the <security-domain name="dv-security" cache-type="default"> element.
- Replace that element with the following three elements:
<security-domain name="dv-security">
<security-domain name="<realm>">
<security-domain name="dv-security-krb">
Please note that the names dv-security and dv-security-krb are used literally, without adaptation to your configuration, whereas <realm> stands for the name of the Kerberos realm in your environment.
Here are the general configurations for the three security domains:
dv-security
<security-domain name="dv-security" cache-type="default">
<authentication>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value=""/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value=""/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="<...>"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="rolesCtxDN" value="<...>"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="<...>"/>
</login-module>
</authentication>
</security-domain>
<realm>
<security-domain name="<realm>">
<authentication>
<login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="dv-security-krb"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value=""/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value=""/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="<...>"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="rolesCtxDN" value="<...>"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="<...>"/>
</login-module>
</authentication>
</security-domain>
dv-security-krb
<security-domain name="dv-security-krb">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="DVServer/<machine>@<realm>, as mapped in the keytab"/>
<module-option name="keyTab" value="<path/to/keytab>"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="tryFirstPass" value="true"/>
</login-module>
</authentication>
</security-domain>
Here is an example configuration for the three security-domain elements:
<security-domain name="dv-security" cache-type="default">
<authentication>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value="administrator@KRBTEST.DV"/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value="administrator@KRBTEST.DV"/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
<module-option name="baseFilter" value="(CN={0})"/>
<module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="dv-admin-role"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="KRBTEST.DV">
<authentication>
<login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="dv-security-krb"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value="administrator@KRBTEST.DV"/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value="administrator@KRBTEST.DV"/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
<module-option name="baseFilter" value="(CN={0})"/>
<module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="dv-admin-role"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="dv-security-krb">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="DVServer/DVDV01@KRBTEST.DV"/>
<module-option name="keyTab" value="C:\datavirtuality\dvsvc01.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="tryFirstPass" value="true"/>
</login-module>
</authentication>
</security-domain>
Transport
- Find the <subsystem xmlns="urn:jboss:domain:teiid:1.1"> element.
- Inside that element, find the section with the <transport> elements.
- Inside that section, add the Kerberos-enabled transport configuration for JDBC and ODBC:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
<authentication security-domain="<realm>" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication security-domain="<realm>" type="GSS"/>
<ssl mode="disabled"/>
</transport>
Here is an example:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
<authentication security-domain="KRBTEST.DV" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication security-domain="KRBTEST.DV" type="GSS"/>
<ssl mode="disabled"/>
</transport>
Socket-binding/ports
- Find the <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> element.
- Inside that element, add the configuration for the Kerberos-enabled ports:
<socket-binding name="dv-jdbc-krb" port="31002"/>
<socket-binding name="dv-odbc-krb" port="35434"/>
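The four areas above only work together when they refer to each other consistently: the realm in system-properties must be the name of the SPNEGO security domain, that domain must point at dv-security-krb, the Krb5LoginModule principal must be in the same realm, and each GSS transport must name a socket-binding that exists. The following checker is an added example, not part of the Data Virtuality documentation or product; it assumes the element layout shown on this page and runs against a constructed sample built from the page's example values. The ldap:// and ssl mode="disabled" notes are facts about what is sent in the clear, not errors in the configuration.

```python
# Consistency checker for the Kerberos-related sections of dvserver-standalone.xml.
# Added example, not part of the Data Virtuality documentation or product. It assumes
# the element layout shown on this page (system-properties, security-domain elements,
# teiid transport elements, socket-binding elements) and returns findings, not prints.
import xml.etree.ElementTree as ET

# Constructed sample: the page's example values, trimmed to the elements the check reads.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.0">
 <system-properties>
  <property name="java.security.krb5.realm" value="KRBTEST.DV"/>
  <property name="java.security.krb5.kdc" value="DVDC01.KRBTEST.DV"/>
 </system-properties>
 <profile>
  <subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains>
   <security-domain name="dv-security" cache-type="default"/>
   <security-domain name="KRBTEST.DV"><authentication>
    <login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
     <module-option name="serverSecurityDomain" value="dv-security-krb"/>
    </login-module>
    <login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
     <module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
    </login-module>
   </authentication></security-domain>
   <security-domain name="dv-security-krb"><authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
     <module-option name="useKeyTab" value="true"/>
     <module-option name="principal" value="DVServer/DVDV01@KRBTEST.DV"/>
     <module-option name="keyTab" value="C:\\datavirtuality\\dvsvc01.keytab"/>
    </login-module>
   </authentication></security-domain>
  </security-domains></subsystem>
  <subsystem xmlns="urn:jboss:domain:teiid:1.1">
   <transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
    <authentication security-domain="KRBTEST.DV" type="GSS"/>
   </transport>
   <transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
    <authentication security-domain="KRBTEST.DV" type="GSS"/>
    <ssl mode="disabled"/>
   </transport>
  </subsystem>
 </profile>
 <socket-binding-group name="standard-sockets" default-interface="public">
  <socket-binding name="dv-jdbc-krb" port="31002"/>
  <socket-binding name="dv-odbc-krb" port="35434"/>
 </socket-binding-group>
</server>"""

def _local(tag):          # strip the {namespace} prefix ElementTree puts on every tag
    return tag.rsplit('}', 1)[-1]

def _all(el, name):       # element itself plus all descendants with this local tag name
    return [e for e in el.iter() if _local(e.tag) == name]

def _opts(login_module):  # module-option name -> value
    return {o.get('name'): o.get('value') for o in _all(login_module, 'module-option')}

def check_kerberos_config(xml_text):
    """Return (errors, notes): errors break the login chain, notes record cleartext paths."""
    root = ET.fromstring(xml_text)
    errors, notes = [], []
    props = {p.get('name'): p.get('value') for sp in _all(root, 'system-properties') for p in _all(sp, 'property')}
    realm = props.get('java.security.krb5.realm')
    for key in ('java.security.krb5.realm', 'java.security.krb5.kdc'):
        if not props.get(key):
            errors.append(f'system-properties: {key} is missing')
    domains = {d.get('name'): d for d in _all(root, 'security-domain')}
    for name in ('dv-security', 'dv-security-krb', realm):
        if name and name not in domains:
            errors.append(f'security-domains: security-domain "{name}" is missing')
    for name, dom in domains.items():
        for lm in _all(dom, 'login-module'):
            o, code = _opts(lm), (lm.get('code') or '')
            if code == 'SPNEGO' and o.get('serverSecurityDomain') != 'dv-security-krb':
                errors.append(f'security-domain "{name}": SPNEGO serverSecurityDomain must be dv-security-krb')
            if code.endswith('Krb5LoginModule'):
                if realm and not o.get('principal', '').endswith('@' + realm):
                    errors.append(f'security-domain "{name}": principal "{o.get("principal")}" is not in realm {realm}')
                if o.get('useKeyTab') != 'true' or not o.get('keyTab'):
                    errors.append(f'security-domain "{name}": useKeyTab/keyTab not set, server key cannot be read non-interactively')
            url = o.get('java.naming.provider.url', '')
            if url.startswith('ldap://'):
                notes.append(f'security-domain "{name}": simple bind over plain ldap:// ({url}); bind credentials are sent unencrypted')
    bindings = {b.get('name') for b in _all(root, 'socket-binding')}
    gss = 0
    for t in _all(root, 'transport'):
        auth = next(iter(_all(t, 'authentication')), None)
        if auth is None or auth.get('type') != 'GSS':
            continue
        gss += 1
        if auth.get('security-domain') != realm:
            errors.append(f'transport "{t.get("name")}": GSS security-domain "{auth.get("security-domain")}" does not match realm "{realm}"')
        if t.get('socket-binding') not in bindings:
            errors.append(f'transport "{t.get("name")}": no socket-binding named "{t.get("socket-binding")}"')
        ssl = next(iter(_all(t, 'ssl')), None)
        if ssl is not None and ssl.get('mode') == 'disabled':
            notes.append(f'transport "{t.get("name")}": ssl mode="disabled", GSS authenticates the session but query traffic is not TLS-protected')
    if gss == 0:
        errors.append('transport: no transport with authentication type="GSS"')
    return errors, notes
```

To run it against a real file, replace SAMPLE_XML with the contents of dvserver-standalone.xml; an empty error list means the realm, security domains, transports and socket bindings agree with each other, while the notes list tells you which LDAP bind and which transport carry data without TLS, so you can decide whether the ldaps:// variant shown in the template is the right choice for your environment.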