Configuration of CData Virtuality Server
Before you start configuring the CData Virtuality Server to use Kerberos authentication, please check that all prerequisites for CData Virtuality Server Kerberos authentication are met.
Version 4.9 and Above
Configuration in the Main CData Virtuality Server Configuration File
For CData Virtuality 4.9 and above, the Server supports Elytron-based configuration for Kerberos. The configuration for Kerberos authentication is done in the main configuration file of the CData Virtuality Server: path\to\DVServer\standalone\configuration\dvserver-standalone.xml.
Note: If you are upgrading from a previous version, migrate your old security logic to the new Elytron subsystem configuration.
system-properties
Find the <system-properties> element. In that element, add the following entries to the existing ones (please note that <realm> is the name of your Kerberos realm):
<system-properties>
<property name="java.security.krb5.conf" value="<path to krb5.conf>"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
Here is an example configuration:
<system-properties>
...
<property name="java.security.krb5.conf" value="C:\datavirtuality\krb5.conf"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
Elytron Subsystem Configuration
Kerberos Security Factory
Locate the <subsystem xmlns="urn:wildfly:elytron:9.0"> section in dvserver-standalone.xml. Add a <kerberos-security-factory> element referencing your principal and keytab under the <credential-security-factories> section:
<credential-security-factories>
<kerberos-security-factory name="dv-kerberos-factory"
principal="DVServer/<principal as mapped in keyfile. machine@realm notation>"
path="<path/to/keytab>">
<option name="credsType" value="both"/>
</kerberos-security-factory>
</credential-security-factories>
Here is an example configuration:
<credential-security-factories>
<kerberos-security-factory name="dv-kerberos-factory"
principal="DVServer/DVDV01@KRBTEST.DV"
path="C:\datavirtuality\dvsvc01.keytab">
<option name="credsType" value="both"/>
</kerberos-security-factory>
</credential-security-factories>
LDAP Realm (more details about LDAP configuration can be found here)
Find the following element:
<custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealm"/>
and replace it with:
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
<identity-mapping rdn-identifier="cn" search-base-dn="DC=,DC=" use-recursive-search="true">
<attribute-mapping>
<attribute filter="(member={1})" filter-base-dn="OU=,DC=,DC=" from="cn" to="Roles"/>
</attribute-mapping>
</identity-mapping>
</ldap-realm>
Here is an example configuration:
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
<identity-mapping rdn-identifier="cn" search-base-dn="DC=KRBTEST,DC=DV" use-recursive-search="true">
<attribute-mapping>
<attribute filter="(member={1})" filter-base-dn="OU=dv-user-accounts,DC=KRBTEST,DC=DV" from="cn" to="Roles"/>
</attribute-mapping>
</identity-mapping>
</ldap-realm>
Find the </expression-resolver> closing tag and paste the following code below it, first replacing the placeholders with your values:
<dir-contexts>
<dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=KRBTEST,DC=DV" url="<ldap (dc) machine name - fqdn>">
<credential-reference clear-text="<password>"/>
</dir-context>
</dir-contexts>
Find the </policy-decider-module> closing tag and insert the following code below it:
<ldap>
<property name="defaultAdminGroup" value="dv-admin-role"/>
<property name="displayUserName" value="cn"/>
<property name="roleRecursion" value="5"/>
</ldap>
Transport
Find the <subsystem xmlns="urn:jboss:domain:teiid:1.1"> element. Inside that element, find the section with the <transport> elements. Inside that section, add the Kerberos-enabled transport configuration for JDBC and ODBC:
<transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
<authentication
security-domain="<security domain name>"
type="GSS"
krb5-security-factory="<kerberos factory name>"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication
security-domain="<security domain name>"
type="GSS"
krb5-security-factory="<kerberos factory name>"/>
<ssl mode="disabled"/>
</transport>
Here is an example:
<transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
<authentication
security-domain="dv-security"
type="GSS"
krb5-security-factory="dv-kerberos-factory"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication
security-domain="dv-security"
type="GSS"
krb5-security-factory="dv-kerberos-factory"/>
<ssl mode="disabled"/>
</transport>
This configuration allows the server to:
Validate incoming Kerberos tickets using your AD keytab (via the Kerberos security factory);
Retrieve group memberships from AD LDAP (via the <ldap-realm> used by the dv-security security domain).
Socket-binding/ports
Find the element
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">.
Inside that element, add the configuration for the Kerberos-enabled ports:
<socket-binding name="dv-jdbc-krb" port="31002"/>
<socket-binding name="dv-odbc-krb" port="35434"/>
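The Elytron configuration above is spread over five places in dvserver-standalone.xml that have to agree with each other by name: the transport's krb5-security-factory, security-domain and socket-binding attributes, and the ldap-realm's dir-context attribute. The following Python script is an added example, not part of the CData Virtuality documentation or product. It parses a file of that shape, lists references that do not resolve, and also reports two things worth knowing about before go-live: a dir-context whose bind password is stored as clear-text, and a transport with <ssl mode="disabled"/> (as the ODBC snippet above configures). The embedded sample document is constructed from the page's example values; the <security-domain name="dv-security"> element that binds the realm to the domain is an assumption about the surrounding Elytron configuration, which the page does not show, and the dir-context URL and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of dvserver-standalone.xml, built from the page's example
# values. The <security-domain> that binds the realm is an assumption (the page does not show
# it); the dir-context url and the clear-text password are placeholders.
SAMPLE_CONFIG = """<server>
  <system-properties>
    <property name="java.security.krb5.conf" value="C:\\datavirtuality\\krb5.conf"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
  </system-properties>
  <subsystem xmlns="urn:wildfly:elytron:9.0">
    <security-domains>
      <security-domain name="dv-security" default-realm="DataVirtualityRealm"><realm name="DataVirtualityRealm"/></security-domain>
    </security-domains>
    <security-realms>
      <ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
        <identity-mapping rdn-identifier="cn" search-base-dn="DC=KRBTEST,DC=DV" use-recursive-search="true"/>
      </ldap-realm>
    </security-realms>
    <credential-security-factories>
      <kerberos-security-factory name="dv-kerberos-factory" principal="DVServer/DVDV01@KRBTEST.DV" path="C:\\datavirtuality\\dvsvc01.keytab">
        <option name="credsType" value="both"/>
      </kerberos-security-factory>
    </credential-security-factories>
    <dir-contexts>
      <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=KRBTEST,DC=DV" url="ldap://dc01.krbtest.dv:389">
        <credential-reference clear-text="PLACEHOLDER-PASSWORD"/>
      </dir-context>
    </dir-contexts>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:teiid:1.1">
    <transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
      <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
    </transport>
    <transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
      <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
      <ssl mode="disabled"/>
    </transport>
  </subsystem>
  <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="dv-jdbc-krb" port="31002"/>
    <socket-binding name="dv-odbc-krb" port="35434"/>
  </socket-binding-group>
</server>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ElementTree writes namespaced tags as "{uri}name"; keep "name"

def _named(root, element_name):
    # name attribute -> element, for every element with that local name anywhere in the tree
    return {e.get("name"): e for e in root.iter() if _local(e.tag) == element_name}

def check_kerberos_config(xml_text):
    """Return {"errors": [...], "info": [...]} for an Elytron-style Kerberos setup."""
    root = ET.fromstring(xml_text)
    errors, info = [], []
    # 1. The three system properties the page requires.
    props = {p.get("name"): p.get("value") for sp in root.iter() if _local(sp.tag) == "system-properties"
             for p in sp if _local(p.tag) == "property"}
    if not props.get("java.security.krb5.conf"):
        errors.append("java.security.krb5.conf is not set")
    for name in ("javax.security.auth.useSubjectCredsOnly", "sun.security.jgss.native"):
        if props.get(name) != "false":
            errors.append(f'{name} must be "false", found {props.get(name)!r}')
    # 2. Kerberos factory: principal in machine@REALM notation plus a keytab path.
    factories = _named(root, "kerberos-security-factory")
    for name, f in factories.items():
        if "@" not in (f.get("principal") or ""):
            errors.append(f"kerberos-security-factory {name}: principal lacks @REALM")
        if not f.get("path"):
            errors.append(f"kerberos-security-factory {name}: no keytab path")
    # 3. ldap-realm must point at a defined dir-context; clear-text bind passwords are reported.
    dir_contexts = _named(root, "dir-context")
    for name, realm in _named(root, "ldap-realm").items():
        if realm.get("dir-context") not in dir_contexts:
            errors.append(f"ldap-realm {name}: unknown dir-context {realm.get('dir-context')!r}")
    for name, dc in dir_contexts.items():
        if any(_local(c.tag) == "credential-reference" and c.get("clear-text") is not None for c in dc):
            info.append(f"dir-context {name}: bind password stored clear-text in the config file")
    # 4. Every GSS transport must reference a factory, a security domain and a socket-binding that exist.
    domains, bindings = _named(root, "security-domain"), _named(root, "socket-binding")
    for name, t in _named(root, "transport").items():
        if t.get("socket-binding") not in bindings:
            errors.append(f"transport {name}: unknown socket-binding {t.get('socket-binding')!r}")
        for child in t:
            if _local(child.tag) == "authentication" and child.get("type") == "GSS":
                if child.get("krb5-security-factory") not in factories:
                    errors.append(f"transport {name}: unknown krb5-security-factory {child.get('krb5-security-factory')!r}")
                if child.get("security-domain") not in domains:
                    errors.append(f"transport {name}: unknown security-domain {child.get('security-domain')!r}")
            elif _local(child.tag) == "ssl" and child.get("mode") == "disabled":
                info.append(f"transport {name}: ssl mode=disabled, this listener is not TLS-protected")
    return {"errors": errors, "info": info}
```

To run it against a real server, call check_kerberos_config(open(path, encoding="utf-8").read()); an empty errors list means every name the page tells you to type in one place was found where it has to be defined in another, and the info list tells you which listeners and bind credentials are unprotected.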
Version 4.8 and Below
Configuration in the Main CData Virtuality Server Configuration File
The configuration for Kerberos authentication is done in the main configuration file of the CData Virtuality Server: path\to\DVServer\standalone\configuration\dvserver-standalone.xml.
The configuration is done in four areas in that file:
In the area system-properties, entries are added;
In the area security-domains, one existing entry is replaced and two new entries are added;
In the area transport, two entries are added;
In the area socket-binding, two entries are added;
system-properties
Find the <system-properties> element. In that element, add the following entries to the existing ones (please note that <realm> is the name of your Kerberos realm):
<system-properties>
<property name="java.security.krb5.realm" value="<REALM>"/>
<property name="java.security.krb5.kdc" value="<kdc machine name - fqdn>"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
Here is an example configuration:
<system-properties>
...
<property name="java.security.krb5.realm" value="KRBTEST.DV"/>
<property name="java.security.krb5.kdc" value="DVDC01.KRBTEST.DV"/>
<property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
<property name="sun.security.jgss.native" value="false"/>
</system-properties>
security-domains
Find the <subsystem xmlns="urn:jboss:domain:security:2.0"> element. Inside that element, find the <security-domain name="dv-security" cache-type="default"> element. Replace it with the following three elements:
<security-domain name="dv-security">
<security-domain name="<realm>">
<security-domain name="dv-security-krb">
Please note that the security domains dv-security and dv-security-krb keep exactly the names given here, without adaptation to your configuration, whereas <realm> stands for the name of the Kerberos realm in your environment.
Here are the general configurations for the three security domains:
dv-security
<security-domain name="dv-security" cache-type="default">
<authentication>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value=""/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value=""/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="<...>"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="rolesCtxDN" value="<...>"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="<...>"/>
</login-module>
</authentication>
</security-domain>
<realm>
<security-domain name="<realm>">
<authentication>
<login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="dv-security-krb"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value=""/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value=""/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="<...>"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="rolesCtxDN" value="<...>"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="<...>"/>
</login-module>
</authentication>
</security-domain>
dv-security-krb
<security-domain name="dv-security-krb">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="DVServer/<principal as mapped in keyfile. machine@realm notation>"/>
<module-option name="keyTab" value="<path/to/keytab>"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="tryFirstPass" value="true"/>
</login-module>
</authentication>
</security-domain>
Here is an example configuration for the three security-domain elements:
<security-domain name="dv-security" cache-type="default">
<authentication>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value="administrator@KRBTEST.DV"/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value="administrator@KRBTEST.DV"/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
<module-option name="baseFilter" value="(CN={0})"/>
<module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="dv-admin-role"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="KRBTEST.DV">
<authentication>
<login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="dv-security-krb"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.security.principal" value="administrator@KRBTEST.DV"/>
<module-option name="java.naming.security.credentials" value="***"/>
<module-option name="bindDN" value="administrator@KRBTEST.DV"/>
<module-option name="bindCredential" value="***"/>
<module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
<module-option name="baseFilter" value="(CN={0})"/>
<module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="defaultAdminGroup" value="dv-admin-role"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="dv-security-krb">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="DVServer/DVDV01@KRBTEST.DV"/>
<module-option name="keyTab" value="C:\datavirtuality\dvsvc01.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="tryFirstPass" value="true"/>
</login-module>
</authentication>
</security-domain>
Transport
Find the <subsystem xmlns="urn:jboss:domain:teiid:1.1"> element. Inside that element, find the section with the <transport> elements. Inside that section, add the Kerberos-enabled transport configuration for JDBC and ODBC:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
<authentication security-domain="<realm>" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication security-domain="<realm>" type="GSS"/>
<ssl mode="disabled"/>
</transport>
Here is an example:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
<authentication security-domain="KRBTEST.DV" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
<authentication security-domain="KRBTEST.DV" type="GSS"/>
<ssl mode="disabled"/>
</transport>
Socket-binding/ports
Find the element
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">.
Inside that element, add the configuration for the Kerberos-enabled ports:
<socket-binding name="dv-jdbc-krb" port="31002"/>
<socket-binding name="dv-odbc-krb" port="35434"/>
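In the pre-4.9 setup the three security domains form a chain: the GSS transport names the <realm> domain, whose SPNEGO login module hands the ticket to the domain named in its serverSecurityDomain option (dv-security-krb), which in turn must carry the Krb5LoginModule with the keytab. The following Python script is an added example, not part of the CData Virtuality documentation or product. It follows that chain through a file of that shape and reports a broken link, a GSS security domain whose name differs from java.security.krb5.realm, a login module without password-stacking, and keytab options that are not set the way the page prescribes. The embedded sample is constructed from the page's example values and trimmed to the Kerberos chain: the dv-security domain, the LDAP login module and its options, and the ODBC transport are left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the pre-4.9 dvserver-standalone.xml, built from the page's
# example values and trimmed to the chain transport -> <realm> domain -> SPNEGO -> dv-security-krb.
LEGACY_SAMPLE_CONFIG = """<server>
  <system-properties>
    <property name="java.security.krb5.realm" value="KRBTEST.DV"/>
    <property name="java.security.krb5.kdc" value="DVDC01.KRBTEST.DV"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
  </system-properties>
  <subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
      <security-domain name="KRBTEST.DV">
        <authentication>
          <login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="dv-security-krb"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
          </login-module>
        </authentication>
      </security-domain>
      <security-domain name="dv-security-krb">
        <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="DVServer/DVDV01@KRBTEST.DV"/>
            <module-option name="keyTab" value="C:\\datavirtuality\\dvsvc01.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
          </login-module>
        </authentication>
      </security-domain>
    </security-domains>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:teiid:1.1">
    <transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
      <authentication security-domain="KRBTEST.DV" type="GSS"/>
    </transport>
  </subsystem>
</server>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ElementTree writes namespaced tags as "{uri}name"; keep "name"

def _login_modules(domain):
    # [(code, {option name: value}), ...] for every login-module inside one security-domain
    return [(lm.get("code") or "", {o.get("name"): o.get("value") for o in lm if _local(o.tag) == "module-option"})
            for lm in domain.iter() if _local(lm.tag) == "login-module"]

def check_legacy_kerberos_config(xml_text):
    """Return the list of problems found in the three-domain (pre-4.9) Kerberos setup."""
    root = ET.fromstring(xml_text)
    errors = []
    props = {p.get("name"): p.get("value") for sp in root.iter() if _local(sp.tag) == "system-properties" for p in sp}
    realm = props.get("java.security.krb5.realm")
    if not realm or not props.get("java.security.krb5.kdc"):
        errors.append("java.security.krb5.realm and java.security.krb5.kdc must both be set")
    domains = {d.get("name"): d for d in root.iter() if _local(d.tag) == "security-domain"}
    gss_domains = {a.get("security-domain") for t in root.iter() if _local(t.tag) == "transport"
                   for a in t if _local(a.tag) == "authentication" and a.get("type") == "GSS"}
    for dname in gss_domains:
        # Link 1: the GSS transport names the <realm> domain, which must carry the SPNEGO module.
        if dname not in domains:
            errors.append(f"GSS transport references unknown security-domain {dname!r}")
            continue
        if dname != realm:
            errors.append(f"GSS security-domain {dname!r} should be the Kerberos realm {realm!r}")
        modules = _login_modules(domains[dname])
        spnego = [opts for code, opts in modules if code == "SPNEGO"]
        if not spnego:
            errors.append(f"security-domain {dname}: no SPNEGO login-module")
            continue
        for code, opts in modules:
            if opts.get("password-stacking") != "useFirstPass":
                errors.append(f"security-domain {dname}: {code} lacks password-stacking=useFirstPass")
        # Link 2: SPNEGO hands the ticket to serverSecurityDomain, which must hold the Krb5LoginModule and keytab.
        server = spnego[0].get("serverSecurityDomain")
        if server not in domains:
            errors.append(f"security-domain {dname}: serverSecurityDomain {server!r} does not exist")
            continue
        krb5 = [opts for code, opts in _login_modules(domains[server]) if code.endswith("Krb5LoginModule")]
        if not krb5:
            errors.append(f"security-domain {server}: no Krb5LoginModule")
            continue
        for flag in ("useKeyTab", "storeKey", "doNotPrompt"):
            if krb5[0].get(flag) != "true":
                errors.append(f"security-domain {server}: {flag} must be true")
        if not krb5[0].get("keyTab"):
            errors.append(f"security-domain {server}: keyTab path missing")
        if not (krb5[0].get("principal") or "").endswith(f"@{realm}"):
            errors.append(f"security-domain {server}: principal is not in realm {realm!r}")
    return errors
```

Call check_legacy_kerberos_config(open(path, encoding="utf-8").read()) on the real file; each message names the security domain where the chain breaks, which is the element to fix before restarting the server.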