Troubleshooting
Problem
When Cognos Analytics is configured to use SSL and the Oracle JRE, connecting to a Hive JDBC data source that uses Kerberos and cached credentials fails with an error such as:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
Caused by: com.ibm.ws.security.authentication.AuthenticationException
at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.inVokeMethod(Krb5LoginModuleWrapper.java:160)
at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.login(Krb5LoginModuleWrapper.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.inVokeMethod(Krb5LoginModuleWrapper.java:160)
at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.login(Krb5LoginModuleWrapper.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
If the connection is tested outside of Cognos by using a tool like JDBCINFO, the connection succeeds.
Cause
When Cognos is configured to use SSL, it adds a feature in the <cognos_location>/WLP/usr/servers/dataset-service/server.xml file to load <feature>ssl-1.0</feature>. The SSL feature in WLP also implements the appSecurity feature. As a result, WLP uses its own Kerberos login wrapper.
If Cognos is configured to use SSL and the Oracle JRE, the connection fails by using the WLP Kerberos login wrapper.
If Cognos is not configured for SSL or is configured to use the IBM JRE, the connection succeeds.
Resolving The Problem
To resolve the problem, manually specify the jaasLoginModule for WLP in the dataset-service server.xml file. This instructs WLP to use the specified ticketCache for the login.
- Ensure Cognos is stopped
- Make a backup of the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file by copying it to another location
- Edit the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file
- Under </featureManager>, add the following lines:
- Make a backup of the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file by copying it to another location
- Edit the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file
- Under </featureManager>, add the following lines:
<jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="<path_to_krb5cc_file" renewTGT="true" doNotPrompt="true" principal="user@principal"/>
</jaasLoginModule>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="<path_to_krb5cc_file" renewTGT="true" doNotPrompt="true" principal="user@principal"/>
</jaasLoginModule>
NOTE: Be sure to replace <path_to_krb5cc_file> and "user@principal" with your own krb5cc cached credentials file and principal values.
Example:
</featureManager>
<jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="/tmp/krb5cc_0" renewTGT="true" doNotPrompt="true" principal="hive31_1@COGDC.IBM.COM"/>
</jaasLoginModule>
<jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="/tmp/krb5cc_0" renewTGT="true" doNotPrompt="true" principal="hive31_1@COGDC.IBM.COM"/>
</jaasLoginModule>
- Save the file
- Start Cognos again
- Start Cognos again
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl6nAAC","label":"Data Source"}],"ARM Case Number":"TS009567384","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
22 July 2022
UID
ibm16605849