To configure the driver for Kerberos authentication, take the following steps.

  1. Verify that your environment meets the requirements outlined in "Kerberos Authentication Requirements."
  2. Use one of the following methods to integrate the JAAS configuration file into your Kerberos environment. (See "The JAAS Login Configuration File" for details about this file.)

    Option 1. Specify a login configuration file directly in your application with the java.security.auth.login.config system property. For example:

    System.setProperty("java.security.auth.login.config","install_dir/lib/JDBCDriverLogin.conf");
    Note: The install_dir/lib/JDBCDriverLogin.conf file is the JAAS login configuration file installed with the driver. You can use this file or another file as your JAAS login configuration file.

    Option 2. Set up a default configuration. Modify the Java security properties file to indicate the URL of the login configuration file with the login.config.url.n property, where n is an integer denoting separate, consecutive login configuration files. When more than one login configuration file is specified, the files are read and concatenated into a single configuration.

    1. Open the Java security properties file. The security properties file is the java.security file in the /jre/lib/security directory of your Java installation.
    2. Find the line # Default login configuration file in the security properties file.
    3. Below the # Default login configuration file line, add the URL of the login configuration file as the value for a login.config.url.n property. For example:
      # Default login configuration file
      login.config.url.1=file:${user.home}/.java.login.config
      login.config.url.2=file:install_dir/lib/JDBCDriverLogin.conf
  3. Modify your JAAS login configuration file to include an entry that specifies the authentication technology the driver can use to establish a Kerberos connection. (See "The JAAS Login Configuration File" for details about this file.)

    JAAS login configuration file entries begin with an entry name followed by one or more LoginModule items. Each LoginModule item contains information that is passed to the LoginModule. A login configuration file entry takes the following form.

    entry_name {
      login_module flag_value module_options
    };
    where:
    entry_name
    is the name of the login configuration file entry. The driver's LoginConfigName connection property can be used to specify the name of this entry. JDBC_DRIVER_01 is the default entry name for the JDBCDriverLogin.conf file installed with the driver.
    login_module
    is the fully qualified class name of the authentication technology used with the driver.
    flag_value
    specifies whether the success of the module is required, requisite, sufficient, or optional.
    module_options
    specifies available options for the LoginModule. These options vary depending on the LoginModule being used.

    The following examples show that the LoginModule used for a Kerberos implementation depends on your JRE.

    Oracle JRE

    JDBC_DRIVER_01 {
      com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };

    IBM JRE

    JDBC_DRIVER_01 {
      com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
    };
  4. Set the Kerberos realm name and the KDC name for that realm using either of the following methods.
    Note: If using Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.

    Option 1. Modify the krb5.conf file to include the default realm name and the KDC name for that realm. (See "The krb5.conf File" for details about using and locating the krb5.conf file.)

    For example, if the realm name is XYZ.COM and the KDC name is kdc1, your krb5.conf file would include the following entries.

    [libdefaults]
    default_realm = XYZ.COM

    [realms]
    XYZ.COM = {
      kdc = kdc1
    }

    Option 2. Specify the Java system properties, java.security.krb5.realm and java.security.krb5.kdc, in your application. For example, if the realm name is XYZ.COM and the KDC name is kdc1, your application would include the following settings.

    System.setProperty("java.security.krb5.realm","XYZ.COM");
    System.setProperty("java.security.krb5.kdc","kdc1");

    Note: Even if you do not use the krb5.conf file to specify the realm and KDC names, you may need to modify your krb5.conf file to suit your environment. Refer to your database vendor documentation for information.

    If you do not specify a valid Kerberos realm and a valid KDC name, the following exception is thrown.

    Message:[DataDirect][Cassandra JDBC Driver]Could not establish a connection using integrated security: No valid credentials provided
  5. Set the driver's AuthenticationMethod connection property to kerberos. (See "AuthenticationMethod" for details.)
  6. If any of the following statements applies, specify the service principal name with the ServicePrincipalName connection property. (See "ServicePrincipalName" for details on the composition of the service principal name.)
    Note: The ServicePrincipalName takes the following form.
    Service_Name/Fully_Qualified_Domain_Name@REALM_NAME
    • You are using a service name other than the default service name cassandra.
    • The fully qualified domain name (FQDN) in your connection string is different from the FQDN registered with the KDC.
    • You are using a Kerberos realm other than the default realm specified in the krb5.conf file.
  7. If necessary, set the User connection property. (See "User" for details.)

    In most circumstances, there is no need to set the User connection property. By default, the driver uses the user principal name in the Kerberos Ticket Granting Ticket (TGT) as the value for the User property.

  8. If necessary, set the KeyspaceName connection property. (See "KeyspaceName" for details.)

    If authentication has not been enabled, client applications have access to all keyspaces on the server. If authentication has been enabled, a client application has access only to the keyspace specified by the KeyspaceName property, assuming it has the required permissions on that keyspace.

    Even when authentication has not been enabled, KeyspaceName is strongly recommended because its value functions as the default qualifier for unqualified tables in SQL queries.

  9. If you want the driver to use user credentials other than the server user’s operating system credentials, include code in your application to obtain and pass a javax.security.auth.Subject used for authentication. (See "Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)" for details.)
  10. Establish a procedure for obtaining a Kerberos Ticket Granting Ticket (TGT) for your environment. (See "Obtaining a Kerberos Ticket Granting Ticket" for details.)

    Scenario 1. For Windows Active Directory configurations, Active Directory automatically obtains a TGT.

    Scenario 2. For non-Active Directory configurations, you can enable the application to obtain a TGT in either of the following ways.

    1. Automate obtaining the TGT, for example with a keytab. (See your Kerberos documentation for details.)
    2. Require the application user to obtain the TGT with a kinit command when logging on.

    A TGT can be obtained with a kinit command to the Kerberos server. For example, the following command requests a TGT from the server with a lifetime of 10 hours, which is renewable for 5 days.

    kinit -l 10h -r 5d user@REALM
    Note: The klist command can be used on Windows or UNIX/Linux systems to verify that a TGT has been obtained.
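    The following Java program is an added example that ties the preceding steps together; it is not code from the original documentation or from the driver vendor. It sets the JAAS login configuration file (step 2, Option 1), the realm and KDC system properties (step 4, Option 2), and the AuthenticationMethod, LoginConfigName and KeyspaceName connection properties (steps 3, 5 and 8), then opens a connection in two ways: with the TGT already in the ticket cache (steps 7 and 10), and as an explicitly obtained javax.security.auth.Subject (step 9). The connection URL format jdbc:datadirect:cassandra://host:port, the host name cassandra01.xyz.com, the keyspace name sales, and the assumption that the driver picks up the Subject from a Subject.doAs context are assumptions of this example, not statements taken from the page; install_dir is the page's own placeholder for the driver installation directory.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the documentation page): Kerberos connection through
 * the JDBC driver. URL format, host name and keyspace name are assumptions.
 */
public class KerberosJdbcExample {

    // Step 2, Option 1: the JAAS login configuration file shipped with the driver.
    // install_dir is the page's placeholder for the driver installation directory.
    private static final String LOGIN_CONFIG = "install_dir/lib/JDBCDriverLogin.conf";

    // Step 3: the default entry name in JDBCDriverLogin.conf.
    private static final String JAAS_ENTRY = "JDBC_DRIVER_01";

    // Step 4, Option 2: realm and KDC taken from the page's example values.
    private static final String REALM = "XYZ.COM";
    private static final String KDC = "kdc1";

    // Assumption: URL format and host name are constructed for this example.
    private static final String URL = "jdbc:datadirect:cassandra://cassandra01.xyz.com:9042";

    /** Steps 2 and 4: JVM-wide Kerberos settings, set once before the first connection. */
    static void configureKerberosProperties() {
        System.setProperty("java.security.auth.login.config", LOGIN_CONFIG);
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
    }

    /** Steps 3, 5, 6 and 8: per-connection properties. */
    static Properties connectionProperties() {
        Properties props = new Properties();
        props.setProperty("AuthenticationMethod", "kerberos"); // step 5
        props.setProperty("LoginConfigName", JAAS_ENTRY);      // step 3 entry name
        props.setProperty("KeyspaceName", "sales");            // step 8; keyspace name is constructed
        // Step 6: set only when the service name, FQDN or realm differ from the defaults:
        // props.setProperty("ServicePrincipalName", "cassandra/cassandra01.xyz.com@XYZ.COM");
        // Step 7: User is left unset; the driver takes the principal from the TGT.
        return props;
    }

    /** Steps 7 and 10: connect with the TGT that kinit (or Active Directory) already obtained. */
    static Connection connectWithCurrentTgt() throws SQLException {
        return DriverManager.getConnection(URL, connectionProperties());
    }

    /**
     * Step 9: log in through the JAAS entry to get a Subject and open the connection
     * while running as that Subject. Assumption: the driver reads the Subject from the
     * Subject.doAs context. Krb5LoginModule with useTicketCache=true reads the cache
     * populated by kinit; with no valid TGT, login() fails with a LoginException.
     */
    static Connection connectAsDelegatedSubject(String jaasEntry) throws LoginException, SQLException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        Subject subject = lc.getSubject();
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<Connection>) () ->
                    DriverManager.getConnection(URL, connectionProperties()));
        } catch (PrivilegedActionException e) {
            // The only checked exception the action can throw is SQLException.
            throw (SQLException) e.getException();
        }
    }

    public static void main(String[] args) {
        configureKerberosProperties();
        try (Connection conn = connectWithCurrentTgt()) {
            // Shows which principal the driver took from the TGT (step 7).
            System.out.println("Connected as: " + conn.getMetaData().getUserName());
        } catch (SQLException e) {
            // With no valid realm, KDC or TGT the driver reports
            // "Could not establish a connection using integrated security: No valid credentials provided".
            System.err.println("Kerberos connection failed: " + e.getMessage());
        }
        try (Connection conn = connectAsDelegatedSubject(JAAS_ENTRY)) {
            System.out.println("Connected via Subject as: " + conn.getMetaData().getUserName());
        } catch (LoginException | SQLException e) {
            System.err.println("Delegated Kerberos connection failed: " + e.getMessage());
        }
    }
}
```

    Run kinit (or rely on Active Directory) before starting the program, and confirm the TGT with klist; the first connection path in main depends on that cached ticket, and the second path demonstrates how an application that manages its own Subject would hand it to the driver. Both failure branches print the driver's exception message so that a missing realm, KDC or TGT is visible in the application log rather than swallowed.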