
Cognos Analytics: Configuring a Kerberized Hive Data Server Connection with Cognos Analytics

By Dhruva J Mazumdar posted Tue December 10, 2024 11:58 PM

  

Introduction

This blog provides a comprehensive, step-by-step guide for configuring a Kerberized Hive data server connection with IBM Cognos Analytics on the Windows operating system, and aims to clarify the steps that configuration requires.

Overview

Technology/Applications Covered:

  • IBM Cognos Analytics 12.0.4
  • Kerberos
  • Hive DataServer
  • Windows Operating System 2019
  • Hive JDBC driver hive-jdbc-3.1.3000.7.1.7.0-551-standalone.jar

Prerequisites

  • A Cognos Analytics server running versions 12.0.4 or 11.2.4 Fixpack 4
  • Hive Database
  • Keytab file
  • krb5.ini

Content Overview

This guide is organized into the following sections:

A) Placement of the krb5.conf file

B) Placement of the Hive keytab file

C) Configuring the jaaslogin.config file

D) Placing the Hive drivers in Cognos

E) Creating the cached credentials

F) Setting environment variables

G) Test the kerberized Hive connection outside of Cognos

H) Testing the kerberized Hive connection from Cognos 

Detailed Configuration Steps

A) Placement of the krb5.conf file

To set up a Kerberized Hive connection with Cognos, you will need to obtain the krb5.conf and keytab files from your administrator. I have provided a sample krb5.ini file received from the Hive administrator, as shown below.

Once you have these files, follow these steps:

For Windows:

Place the krb5.ini file in the C:\Windows directory and ensure it is named krb5.ini.

For Cognos Installation:

Copy the same krb5.ini file to the Cognos installation directory:

Cognos_Installation\ibm-jre\jre\lib\security.

Rename the file to krb5.conf when placing it in this directory.

Make sure the file names are correctly set for both Windows and Cognos directories to ensure proper configuration.

B) Placement of the Hive keytab file

Place the keytab file received from the Hive administration under the Cognos_Installation\configuration directory as shown below.

C) Configuring the jaaslogin.config sample file.

Depending on the JRE used with Cognos Analytics, you must select the appropriate jaas.config file. If you're using the default IBM JRE bundled with Cognos Analytics, choose the jaas-ibm.config.sample. If you're using an Oracle JRE, select the jaas-oracle.config.sample provided for Oracle. In this setup, we are using the default IBM JRE bundled with Cognos Analytics, so we will use the jaas-ibm.config.sample to point to the Hive keytab file located in the Cognos_Installation\configuration directory.

To begin, rename jaas-ibm.config.sample to jaas-ibm.config. Then, open the file in a text editor and specify the Hive principal name along with the path to the keytab file. 

==============================================================

com.cognos.biserver.security.xqe.jdbc
{
com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=false;
};
 
com.cognos.biserver.security.xqe
{
com.ibm.security.auth.module.Krb5LoginModule required debug=true
principal="hive31_1@HIVE.IBM.COM"
useKeytab="C:\\Program Files\\ibm\\cognos\\analytics1203\\configuration\\hive31_1.keytab"
credsType=acceptor;
};
 
other
{
com.ibm.security.auth.module.Krb5LoginModule required debug=true
principal="hive31_1@HIVE.IBM.COM"
useKeytab="C:\\Program Files\\ibm\\cognos\\analytics1203\\configuration\\hive31_1.keytab"
credsType=acceptor;
};

=========================================================================

If you are not sure which Hive principal to provide in the JAAS config file, you can request the information from the Hive administrator, or you can place the Hive keytab file under the Cognos_Installation\ibm-jre\jre\bin directory and run the klist -k command from CA_Install\ibm-jre\jre\bin on the command line, which will provide the information as shown below:

klist -k hive31_1.keytab
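
The principal lookup described above can also be cross-checked against the JAAS config offline. The following is an added example, not part of the original post or of Cognos: it assumes the keytab uses the common version 0x0502 layout, lists the principals it holds, reports any principal named in the JAAS config that the keytab lacks, and goes one step further than klist -k by flagging deprecated encryption types. The function names and the sample keytab (built with all-zero dummy keys) are constructed for illustration.

```python
import re
import struct

# Kerberos enctype numbers that are deprecated (DES: RFC 6649; 3DES and RC4: RFC 8429).
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def _counted(buf, pos):
    """Read a 16-bit big-endian length, then that many bytes; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_entries(buf):
    """Return (principal, kvno, enctype) per entry of a version 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size > 0:                   # a negative size marks a deleted entry
            (ncomp,) = struct.unpack_from(">H", buf, pos)
            realm, p = _counted(buf, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(buf, p)
                comps.append(comp.decode())
            kvno = buf[p + 8]          # 8-bit kvno after 4-byte name type, 4-byte timestamp
            (etype,) = struct.unpack_from(">H", buf, p + 9)
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos += abs(size)
    return entries

def preflight(keytab_bytes, jaas_text):
    """Cross-check JAAS principals against the keytab and flag deprecated enctypes."""
    entries = keytab_entries(keytab_bytes)
    wanted = set(re.findall(r'principal\s*=\s*"([^"]+)"', jaas_text))
    return {"missing": sorted(wanted - {e[0] for e in entries}),
            "weak": sorted({WEAK[t] for _, _, t in entries if t in WEAK})}

def sample_keytab(principal, etypes):
    """Constructed keytab (single-component name, dummy zero keys) for demonstration."""
    name, realm = principal.encode().split(b"@")
    head = struct.pack(">HH", 1, len(realm)) + realm + struct.pack(">H", len(name)) + name
    bodies = [head + struct.pack(">IIBHH", 1, 0, 2, et, 16) + bytes(16) for et in etypes]
    return b"\x05\x02" + b"".join(struct.pack(">i", len(b)) + b for b in bodies)

if __name__ == "__main__":
    kt = sample_keytab("hive31_1@HIVE.IBM.COM", [18, 23])   # AES256 plus RC4
    print(preflight(kt, 'principal="hive31_1@HIVE.IBM.COM"'))
```

To check a real deployment, pass the bytes of the keytab and the text of jaas-ibm.config to preflight(); because it reads the keytab where it already sits, no extra copy of the file is needed.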

 

D) Placing the Hive drivers in Cognos

We will be using the Hive driver hive-jdbc-3.1.3000.7.1.7.0-551-standalone.jar, which conforms to the Hive JDBC drivers tested in-house with Cognos (DQM JDBC drivers Tested with Cognos), placed under the Cognos_installation\drivers directory as shown below:

E) Creating the cached credentials before testing the Hive connection using the jdbcinfo.jar tool

To create the cached credentials, you will need to run the kinit command as shown in the example below:

kinit -k -t <path>/<keytab>

For example, to generate cached credentials using the keytab file, run:

kinit -k -t "C:\Program Files\ibm\cognos\analytics1203\ibm-jre\jre\bin\hive31_1.keytab" hive31_1@HIVE.IBM.COM

F) Setting environment variables

Once the cached credentials are created, you will need to set up the environment variables to point to the credentials cache and the krb5.conf file.

Set the KRB5CCNAME variable to the path where the cached credentials were created in the previous step:

KRB5CCNAME=<Path to cached credentials>

For example:

KRB5CCNAME=C:\Users\Administrator\krb5cc_Administrator

Set the KRB5_CONFIG variable to the path of the krb5.conf file:

KRB5_CONFIG=<Path to krb5.conf file>

For example:

KRB5_CONFIG=C:\Program Files\ibm\cognos\analytics1203\ibm-jre\jre\lib\security\krb5.conf

G) Test the Kerberized Hive Connection Outside of Cognos

Now that the Kerberos credentials cache and environment variables are properly configured, it's time to validate the Kerberized Hive connection outside of Cognos using the jdbcinfo.jar tool. The jdbcinfo.jar tool is located in the Cognos installation directory, specifically under: CA_installation\webapps\p2pd\WEB-INF\lib

C:\Program Files\ibm\cognos\analytics1203\ibm-jre\jre\bin>
java -cp ..\..\..\webapps\p2pd\WEB-INF\lib\jdbcinfo.jar;"C:\Program Files\ibm\cognos\analytics1203\drivers\hive-jdbc-3.1.3000.7.1.7.0-551-standalone.jar" -Dcom.ibm.security.jgss.debug=all -Djavax.security.auth.useSubjectCredsOnly=false com.ibm.cognos.jdbcinfo.App -d org.apache.hive.jdbc.HiveDriver -U "jdbc:hive2://cteds891.hive.ibm.com:10000/gosalesrt1021;principal=hive/cteds891.hive.ibm.com@HIVE.IBM.COM;hive.execution.engine=tez" -u hive31_1 Schemas

If the connection succeeds, you are expected to see the following output:

H) Testing the kerberized Hive connection from Cognos

Now that we have confirmed the connection to the Kerberized Hive database works outside of Cognos, the final step is to test the Hive data server connection from the Cognos portal.

Conclusion

In this blog, we provide a detailed, step-by-step guide for configuring a Kerberized Hive Dataserver connection in Cognos Analytics.

While this guide focuses on the configuration process for the Windows platform, it’s important to recognize that the setup may differ based on an organization’s infrastructure and security policies. Additionally, since the configuration depends on third-party technologies outside of IBM's control, periodic adjustments might be necessary to accommodate updates from vendors. It's also crucial to consider the impact of the operating system and the underlying Java environment, which can influence testing and overall functionality.
