JDBC setup for IBM Cognos SSO environments

If you use your JDBC driver to support connections to an IBM® Cognos® environment that uses Kerberos single sign-on (SSO) support, review this topic for important configuration steps.

When you configure an IBM Cognos Business Intelligence application in Kerberos SSO mode, the Cognos product performs the user authentication steps that the JDBC driver would normally perform. It then passes an authentication ticket to the JDBC driver in the connection request. In this environment, you must configure the JDBC driver to bypass its normal authentication and use the authentication ticket. To configure the JDBC driver to accept the authentication ticket, you set the JDBC krbSSODelegation connection property to true or select the Kerberos SSO delegation check box when configuring the JDBC data source. By default, the value of the connection property is false and the check box is not selected, which configures the driver to use the standard user name and password authentication (non-SSO) support. The value of the krbSSODelegation connection property overrides the setting of the Kerberos SSO delegation check box.

The krbSSODelegation property and Kerberos SSO delegation check box apply in only the following cases:

  • Where you configure the Cognos application to use SSO support as described in the Cognos documentation and you configure the Netezza Performance Server system to use Kerberos authentication as described in the IBM Netezza® System Administrator’s Guide
  • Where the Cognos application contacts the JDBC driver by using the Subject.doAs(subject, connectTask) method call

The REALM_NAME value in the krb5.conf file that you define for the Cognos application environment cannot have an at sign (@) in the name.

If the value of the krbSSODelegation property is true or you select the Kerberos SSO delegation check box but the JDBC driver did not obtain the user credentials from the Cognos application, the JDBC driver returns an error because it cannot validate the user name for the connection.

Additional configuration steps required for Constrained Delegation Mode

This section describes additional steps required in JAVA client code to use this feature.

The constrained delegation extension allows a service to obtain service tickets (under the delegated user's identity) to a restricted list of other services running on specific servers on the network after it has been presented with a service ticket, which may be a service ticket obtained through protocol transition. JDBC Driver supports Kerberos Constrained Delegation using protocol transition. Two users are required for constrained delegation.

  1. Authenticate user1 and get subject from login context using user1 credentials.
  2. Call impersonate method to generate service ticket for user2 on behalf of user1 identity (delegated user).
  3. Set gsscredential property to GSSCredential obtained from impersonation.
  4. Call JDBC Driver connect() method with property object.
The following example shows how user2 connects to NPS using user1 identity. After obtaining user1 authenticated subject, perform following steps:
/* obtain service credentials from access control context */

GSSCredential serviceCredential = manager.createCredential(GSSCredential.INITIATE_ONLY);
GSSName userName = manager.createName("user2@<REALM_NAME>", null);
GSSCredential userCredential = ((ExtendedGSSCredential) serviceCredential).impersonate(userName);

/* set gsscredential property and connect */

Properties properties = new Properties();
properties.put("gsscredential", <GSSCredential object obtained from impersonation>);