IBM Support

Hive JDBC data source connection using Kerberos, cached credentials, SSL and Oracle JRE fails with "No valid credentials provided" error

Troubleshooting


Problem

When Cognos Analytics is configured to use SSL and the Oracle JRE, connecting to a Hive JDBC data source that uses Kerberos and cached credentials fails with an error such as:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
Caused by: com.ibm.ws.security.authentication.AuthenticationException
        at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.inVokeMethod(Krb5LoginModuleWrapper.java:160)
        at com.ibm.ws.security.authentication.jaas.modules.Krb5LoginModuleWrapper.login(Krb5LoginModuleWrapper.java:114)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
        at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
If the connection is tested outside of Cognos by using a tool like JDBCINFO, the connection succeeds.

Cause

When Cognos is configured to use SSL, it adds a feature in the <cognos_location>/WLP/usr/servers/dataset-service/server.xml file to load <feature>ssl-1.0</feature>. The SSL feature in WLP also implements the appSecurity feature. As a result, WLP uses its own Kerberos login wrapper.
If Cognos is configured to use SSL and the Oracle JRE, the connection fails by using the WLP Kerberos login wrapper.
If Cognos is not configured for SSL or is configured to use the IBM JRE, the connection succeeds. 
 

Resolving The Problem

To resolve the problem, manually specify the jaasLoginModule for WLP in the dataset-service server.xml file. This instructs WLP to use the specified ticketCache for the login.
- Ensure Cognos is stopped
- Make a backup of the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file by copying it to another location
- Edit the <cognos_location>/wlp/usr/servers/dataset-service/server.xml file
- Under </featureManager>, add the following lines:
<jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="<path_to_krb5cc_file" renewTGT="true" doNotPrompt="true" principal="user@principal"/>
</jaasLoginModule>
NOTE: Be sure to replace <path_to_krb5cc_file> and "user@principal" with your own krb5cc cached credentials file and principal values.
Example:
</featureManager>
<jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginContextEntry id="com.sun.security.jgss.krb5.initiate" name="com.sun.security.jgss.krb5.initiate" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule"/>
<jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
<options debug="true" useTicketCache="true" ticketCache="/tmp/krb5cc_0" renewTGT="true" doNotPrompt="true" principal="hive31_1@COGDC.IBM.COM"/>
</jaasLoginModule>
- Save the file
- Start Cognos again

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl6nAAC","label":"Data Source"}],"ARM Case Number":"TS009567384","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
22 July 2022

UID

ibm16605849

Page Feedback