Introduction
This blog article offers a comprehensive, step-by-step guide to establishing a Microsoft SQL Server JDBC data server connection within Cognos Analytics, utilizing Kerberos authentication utilizing constrained delegation.
This implementation builds upon our existing knowledge base for JDBC Kerberos in Cognos Analytics. This blog emphasizes a practical, hands-on approach with visual aids, detailing the creation of a Kerberos initialization file, Keytab file creation, Kerberos login module configuration, and data server connection setup. The methodology centers on utilizing the IBM-JRE bundled with the Cognos Analytics installation.
The article will illustrate how to use the same service account for single-sign-on authentication with Kerberos constrained delegation assigned to the query service (DQM). This setup allows the DQM to perform Kerberos authentication using the service principal name (SPN) provided in the keytab file.
Overview
Technologies Involved:
Prerequisites
1. Cognos Single Sign-On:IBM Cognos Analytics configured for single sign-on through Microsoft Active Directory.
2. Database Authentication:Microsoft SQL Server Database employing the Kerberos protocol for authentication.
3. User Configuration:Active Directory users directly configured on the database server for streamlined access.
4. Driver Compatibility: Ensure the use of the correct SQL Server JDBC driver supporting Kerberos authentication with constrained delegation.
5. Service Account Setup:Identify and establish appropriate service accounts for applications like Cognos Analytics and relevant servers.
6. Kerberos Expertise:Acquire proficiency in Kerberos authentication mechanisms, SPNs, and delegation configurations.
7. Administrative Access:Obtain adequate administrative privileges within the Active Directory domain for delegation settings management.
Content Overview
1.Create a Kerberos Initialization File
2.Configure Kerberos Delegation for Service Type Set to MSSQLSvc
3.Creating the Keytab File
4.Configuring the Kerberos Login Module
5.Verify the Kerberos Configuration
6.Configure the DQM Service Principal Name
7.Configure Microsoft SQL Server Data Server Connections with Kerberos
8.Test the Microsoft SQL Server Data Server Connection
9.Retrieving Data From Framework Manager And Conducting Data Validation/Testing
Implementation
Before proceeding with the demonstration, it's crucial to note the following points for clarity:
-
The service account responsible for initiating Cognos Services and executing Kerberos SSO authentication within Cognos Analytics is 'cmuser'.
-
The account designated for the query service, facilitating Kerberos SSO authentication with Microsoft SQL Server, will the same account responsible for starting the Cognos Services 'cmuser'.
Create a Kerberos Initialization File
The krb5.conf file serves as the Kerberos initialization file utilized by the JRE Kerberos protocol implementation. It contains essential configuration details, such as the locations of Kerberos Distribution Centers (KDCs), admin servers for the relevant Kerberos realms, defaults for the current realm, settings for Kerberos applications, and mappings of hostnames to Kerberos realms.
The following is a typical format of how the krb5.conf file might appear, based on the information obtained from the KDC server:
============================
[logging]
default = C:/krblogs/krb5libs.log
kdc = C:/krblogs/krb5kdc.log
admin_server = C:/krblogs/kadmind.log
[libdefaults]
default_realm = <Default Kerberos realm for the client>
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
<Name of a Kerberos realm> = {
kdc = <IP Address of the Kerberos realm aka the kerberos server>
admin_server = <IP Address of the Kerberos admin server>
default_domain = <Name of a Kerberos realm>
}
[domain_realm]
.<<Name of a Kerberos realm> = <Default Kerberos realm for the client>
==============================================================
Example
[logging]
default = C:/krblogs/krb5libs.log
kdc = C:/krblogs/krb5kdc.log
admin_server = C:/krblogs/kadmind.log
[libdefaults]
default_realm = SQUAD5.SUPPORT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
SQUAD5.SUPPORT.COM = {
kdc = 9.1.1.410
admin_server = 9.1.1.410
default_domain = squad5.support.com
}
[domain_realm]
.squad5.support.com = SQUAD5.SUPPORT.COM
Note:The displayed IP addresses for the KDC and admin_server services are fabricated for confidentiality. However, the purpose of their display is to indicate that these services share identical IP addresses.
==============================================================
After creating the krb5.conf file the following are the next steps:
- As this is a single-server setup, position the Krb5.conf file under CA_INSTALLS\ibm-jre\jre\lib\security, given that we are utilizing the IBM JRE bundled with the Cognos installation.
3.Configure the jaas.conf file to include the principal name exactly as provided in the ibmcognosba.keytab file created earlier and the location of the keytab file.
Verify the Kerberos Configuration
Configure the DQM Service Principal Name and Specify the sAMAccountName of the user running Application Tier Components
To set up the login module for Kerberos with single sign-on (Active Directory):
- Open Cognos Configuration and navigate to Security > Authentication.
- Choose the Active Directory namespace.
- Locate the DQM Service Principal Name property and enter the value exactly as specified in the keytab file for the corresponding service principal name as shown below.
5.Locate the the property 'Application Tier Components sAMAccountName' and enter 'cmuser' which is the account designated to account designated for the query service and facilitating Kerberos SSO authentication with Microsoft SQL Server.
Configure Microsoft SQL Server Data Server Connections with Kerberos
Configure the connection string for Microsoft SQL Server with the respect to the available SQl Server host , port and database name along with the Kerberos connection properties 'integratedSecurity=true;ibmcognos.authentication=java_krb5;authenticationScheme=JavaKerberos;' as provided below