Configure JDBC data source connections for single sign-on using Kerberos

You can configure single sign-on using the Kerberos protocol for JDBC data source connections that are used for dynamic query mode (DQM).

Except for Microsoft SQL Server, single sign-on data source authentication is supported only for dynamic query mode.

Support for constrained delegation (a Microsoft extension to Kerberos) allows a service to obtain a ticket for another service on behalf of the user by presenting the user's service ticket to itself. The service ticket is either delegated from the user (Service for User to Proxy - S4U2Proxy) or generated by the service itself when the user is authenticated by different means.

To configure a data source for single sign-on authentication using Kerberos, you must:

  • Create a Kerberos initialization file.
  • Configure a service principal name (SPN) for the dynamic query mode data source.
  • Create a keytab file.
  • Configure the Kerberos login module.
  • Configure data source connections.

Before you start, you must ensure that the following conditions are met:

  1. The IBM® Cognos® service is configured for single sign-on using a Microsoft Active Directory namespace.
  2. The database is configured to use the Kerberos protocol.
  3. The Active Directory users are also configured on the database server.
  4. If single sign-on is configured with constrained delegation, check the driver documentation to ensure the driver supports constrained delegation. Not all drivers that support Kerberos authentication also support constrained delegation.

    Dynamic query supports Kerberos constrained delegation with the JDBC drivers for Netezza and Cloudera Impala. This capability requires JDBC drivers of the following versions or higher, which have been enhanced to receive GSS credentials: Netezza 7.2.0.9-P3 and 7.2.1.3-P3 (see http://www-01.ibm.com/support/docview.wss?uid=swg21997658 for more information), and Cloudera Impala 2.5.36.

    IBM Cognos Analytics can be used with either an Oracle or IBM JRE. The versions IBM requires are listed on the supported environments page. To use Cognos Analytics with an IBM JRE and the Cloudera Impala JDBC driver, you need IBM JRE 8.0.3.12 or above. See https://developer.ibm.com/javasdk/downloads/sdk8/.

Using Kerberos authentication without single sign-on

If you don't configure an Active Directory namespace, you can still configure your data source for Kerberos authentication. The dynamic query mode query service interprets the credentials that you provide (user name and password) as the credentials for obtaining a ticket-granting ticket (TGT) from the Kerberos Distribution Center (Active Directory or another Kerberos implementation). These credentials can be provided through a signon or entered by the user when prompted for database credentials. In this case, the configuration steps change as follows:
  • You do not have to register an SPN.
  • You do not have to create a keytab file.
  • You do not have to configure the Kerberos Login Module.
  • You have to supply a Kerberos initialization file.
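
Both setups above need a Kerberos initialization file, with or without single sign-on. The following Python check is an added example, not IBM code: it parses a krb5.ini and reports a missing default realm or KDC, deprecated encryption types, and, when delegation is intended, a ticket setting that is not forwardable. The realm, the host name and the choice of checks are assumptions for illustration, not requirements stated on this page.

```python
import re
# Constructed sample: realm and host name are placeholders, not values from this page.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""
WEAK = re.compile(r"^(des3?|rc4|arcfour)(-|$)", re.I)  # DES, 3DES and RC4 families

def parse_krb5(text):
    """Parse krb5.ini text into {section: {key: [values] or nested dict}}."""
    conf, section, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, nested = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":                    # end of a per-realm block
            nested = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":                 # start of a per-realm block
                nested = section.setdefault(key, {})
            else:
                target = nested if nested is not None else section
                target.setdefault(key, []).append(value)
    return conf

def audit(text, delegation=False):
    """Return a list of findings; delegation=True adds the forwardable check."""
    conf = parse_krb5(text)
    lib, findings = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm", [None])[0]
    block = conf.get("realms", {}).get(realm)
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not isinstance(block, dict) or not block.get("kdc"):
        findings.append(f"no kdc listed for realm {realm}")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in re.split(r"[\s,]+", " ".join(lib.get(key, []))) if WEAK.match(e)]
        findings += [f"weak enctype {e} in {key}" for e in weak]
    if delegation and lib.get("forwardable", ["false"])[0].lower() != "true":
        findings.append("forwardable is not true (assumed needed for delegation)")
    return findings
```

Calling `audit(SAMPLE_KRB5_INI, delegation=True)` on the constructed sample returns two findings: the `rc4-hmac` entry and the `forwardable = false` setting.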