To configure the driver for Kerberos authentication, take the following steps.

  1. Verify that your environment meets the requirements outlined in Product Requirements.
  2. Specify the JAAS login module in your JAAS login configuration file using either of the following methods. (See The JAAS Login Configuration File for more information on the JAAS login configuration file.)
    • Option 1. Modify the JDBC_DRIVER_01 entry in the JDBCDriverLogin.conf file to include the JAAS login module information needed for your environment. The JDBCDriverLogin.conf file is installed in the /lib directory of the driver installation directory.
    • Option 2. Specify a JAAS login configuration file directly in your application with the java.security.auth.login.config system property. The specified login configuration file must contain the JAAS login module information with the entry JDBC_DRIVER_01.
    Whether you are using the JDBCDriverLogin.conf file or another file, the login configuration file must contain the entry JDBC_DRIVER_01 with JAAS login module information. The following examples show the JAAS login module information for each JRE; the module class and its options depend on which JRE you use.

    Oracle JRE

    JDBC_DRIVER_01 {
      com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };

    IBM JRE

    JDBC_DRIVER_01 {
      com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
    };
  3. Set the default realm name and the KDC name for that realm using either of the following methods.
    Note: If using Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.
    • Option 1. Modify the krb5.conf file to include the default realm name and the KDC name for that realm. (See The krb5.conf File for details about using and locating the krb5.conf file.)

      For example, if the default realm name is XYZ.COM and the KDC name is kdc1, your krb5.conf file would include the following entries.

      [libdefaults]
      default_realm = XYZ.COM
      
      [realms]
      XYZ.COM = {
      kdc = kdc1
      }
    • Option 2. Specify the Java system properties, java.security.krb5.realm and java.security.krb5.kdc, in your application. For example, if the default realm name is XYZ.COM and the KDC name is kdc1, your application would include the following settings.
      System.setProperty("java.security.krb5.realm", "XYZ.COM");
      System.setProperty("java.security.krb5.kdc", "kdc1");
      Note: Even if you do not use the krb5.conf file to specify the realm and KDC names, you may need to modify your krb5.conf file to suit your environment. Refer to your database vendor documentation for detailed information.

    If you do not specify a valid Kerberos realm and a valid KDC name, the following exception is thrown.

    Message:[DataDirect][Apache Hive JDBC Driver]Could not establish a connection using
    integrated security: No valid credentials provided
  4. If you want the driver to use user credentials other than the server user’s operating system credentials, include code in your application to obtain and pass a javax.security.auth.Subject used for authentication. (See Specifying User Credentials for Kerberos Authentication (Delegation of Credentials) for details.)
  5. If using Kerberos authentication with a Security Manager on a Java Platform, you must grant security permissions to the application and driver. (See Apache Hive Kerberos Permissions for details.)
  6. Set the driver's AuthenticationMethod connection property to kerberos. (See AuthenticationMethod and Using the AuthenticationMethod Property for details.)
    Note: When Kerberos authentication is enabled through the driver (AuthenticationMethod=kerberos), the driver automatically detects and abides by the server's SASL-QOP configuration at connection time. See Kerberos SASL-QOP for details.
  7. Specify the service principal name with the ServicePrincipalName connection property. (See ServicePrincipalName for details on how to formulate and specify the service principal name.)
  8. To use Kerberos authentication, the application user must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The following scenarios describe whether the user must explicitly obtain the TGT with the kinit command. (See Obtaining a Kerberos Ticket Granting Ticket for details.)
    • Scenario 1. If the application uses Kerberos authentication from a Windows client, the application user does not need to explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
    • Scenario 2. If the application uses Kerberos authentication from a UNIX or Linux client and the kinit method of obtaining the TGT has not been automated, the application user must log onto the Kerberos server using the kinit command. For example, the following command requests a TGT from the server with a lifetime of 10 hours, which is renewable for 5 days.
      kinit -l 10h -r 5d user
    • Scenario 3. If the application uses Kerberos authentication from a UNIX or Linux client and the kinit method of obtaining the TGT has been automated, the application user does not need to explicitly obtain a TGT. Typically, in this scenario, a TGT is obtained programmatically at logon.
    Note: The klist command can be used on Windows or UNIX/Linux systems to verify that the TGT has been obtained.
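    The following Java program is an added example that is not part of this documentation or of the driver's own code. It ties together step 2 (Option 2), step 3 (Option 2), step 6 and step 7 in one application, performs a pre-flight check that the login configuration file actually carries the JDBC_DRIVER_01 entry, and recognizes the "No valid credentials provided" failure quoted in step 3 so the operator is pointed at the realm/KDC settings and the TGT check from step 8. The file path, host name, service principal name and the jdbc:datadirect:hive:// URL prefix are assumptions, not values taken from this page; replace them with those of your environment.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added example (not the driver's own code). Combines steps 2, 3, 6 and 7 of the
 * Kerberos configuration procedure and reacts to the credentials failure from step 3.
 * Every value in the constants below is a placeholder or an assumption.
 */
public class HiveKerberosConnect {

    // Placeholder path to a login configuration file containing the JDBC_DRIVER_01 entry.
    static final String LOGIN_CONF = "/opt/app/conf/JDBCDriverLogin.conf";
    // Realm and KDC names reuse the page's own example values.
    static final String REALM = "XYZ.COM";
    static final String KDC = "kdc1";
    // Assumed URL form and placeholder host; take the real format from the driver documentation.
    static final String JDBC_URL = "jdbc:datadirect:hive://hive-host.xyz.com:10000";
    // Placeholder service principal name; see ServicePrincipalName for how to formulate it.
    static final String SPN = "hive/hive-host.xyz.com@XYZ.COM";

    /** Step 2 pre-flight: the login configuration file must define JDBC_DRIVER_01 with a Krb5LoginModule. */
    static void checkLoginConfig(Path loginConf) throws IOException {
        String text = new String(Files.readAllBytes(loginConf), StandardCharsets.UTF_8);
        if (!text.contains("JDBC_DRIVER_01")) {
            throw new IllegalStateException(loginConf + " has no JDBC_DRIVER_01 entry; the driver cannot log in");
        }
        if (!text.contains("Krb5LoginModule")) {
            throw new IllegalStateException(loginConf + " does not reference a Krb5LoginModule");
        }
    }

    /** Steps 2 and 3 (Option 2 of each): point the JRE at the login configuration, realm and KDC. */
    static void configureKerberosProperties() {
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
    }

    /** Steps 6 and 7: select Kerberos authentication and name the service principal. */
    static Properties kerberosConnectionProperties() {
        Properties props = new Properties();
        props.setProperty("AuthenticationMethod", "kerberos");
        props.setProperty("ServicePrincipalName", SPN);
        return props;
    }

    public static void main(String[] args) throws Exception {
        checkLoginConfig(Paths.get(LOGIN_CONF));
        configureKerberosProperties();

        try (Connection conn = DriverManager.getConnection(JDBC_URL, kerberosConnectionProperties());
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("SELECT 1")) {
            if (rs.next()) {
                System.out.println("Kerberos connection established; SELECT 1 returned " + rs.getInt(1));
            }
        } catch (SQLException e) {
            String msg = String.valueOf(e.getMessage());
            if (msg.contains("No valid credentials provided")) {
                // The exception quoted in step 3: the realm/KDC names are wrong, or no TGT is in the
                // credential cache (step 8). klist shows whether a TGT exists; kinit obtains one.
                System.err.println("Driver found no Kerberos credentials. Verify the realm and KDC settings "
                        + "and confirm a TGT is present (klist); if none, obtain one with kinit first.");
            }
            throw e;
        }
    }
}
```

The driver jar must be on the class path; a JDBC 4 driver registers itself with DriverManager automatically, otherwise load its driver class (the class name is in the driver documentation) with Class.forName before connecting. If the application must authenticate as someone other than the operating system user, replace the plain getConnection call with the Subject-based approach from step 4.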