Configuring JDBC data servers for single sign-on using Kerberos

You can configure single sign-on (SSO) using the Kerberos protocol for JDBC data server connections that are used for dynamic query mode (DQM).

Except for Microsoft SQL Server, SSO data server authentication is supported only for the dynamic query mode.

Support for constrained delegation (a Microsoft extension to Kerberos) allows a service to obtain a ticket for another service on behalf of the user by presenting the user's service ticket to itself. The service ticket is either delegated from the user (Service for User to Proxy, S4U2Proxy) or generated by the service itself when the user has been authenticated by other means.

To configure a data server for SSO using Kerberos, perform the following steps:

  • Create a Kerberos initialization file.
  • Configure a service principal name (SPN) for the dynamic query mode data server.
  • Create a keytab file.
  • Configure the Kerberos login module.
  • Configure data server connections.

Before you start, ensure that the following conditions are met:

  1. The IBM® Cognos® service is configured for single sign-on using a Microsoft Active Directory namespace.
  2. The database is configured to use the Kerberos protocol.
  3. The Active Directory users are also configured on the database server.
  4. If SSO is configured with constrained delegation, check the driver documentation to ensure the driver supports constrained delegation. Not all drivers that support Kerberos authentication also support constrained delegation.

    Dynamic query supports Kerberos constrained delegation with the JDBC drivers for Netezza and Cloudera Impala. This capability requires the following driver versions or later, which have been enhanced to receive GSS credentials: Netezza 7.2.0.9-P3 and 7.2.1.3-P3 (see http://www-01.ibm.com/support/docview.wss?uid=swg21997658 for more information), and Cloudera Impala 2.5.36.

    IBM Cognos Analytics can be used with either an Oracle or an IBM JRE. The JRE versions that IBM requires are listed on the supported environments page. If you use Cognos Analytics with an IBM JRE, the Cloudera Impala JDBC driver needs IBM JRE 8.0.3.12 or later. For more information, see https://developer.ibm.com/javasdk/downloads/sdk8/.

Using Kerberos authentication without single sign-on

If you don't configure an Active Directory namespace, you can still configure your data source for Kerberos authentication. The dynamic query mode query service interprets the credentials that you provide (user name and password) as the credentials for obtaining a ticket granting ticket (TGT) from the Key Distribution Center (Active Directory or another Kerberos implementation). These credentials can be provided through a signon or entered by the user when prompted for database credentials. In this case, the configuration steps change as follows:
  • You do not have to register an SPN.
  • You do not have to create a keytab file.
  • You do not have to configure the Kerberos Login Module.
  • You have to supply a Kerberos initialization file.
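The following added example (not IBM's code, and not taken from this page) shows how a Java query service can turn the supplied user name and password into a TGT with the JDK's Krb5LoginModule and then open a JDBC connection as that Kerberos identity, which is the mode described above: no keytab, no SPN registration, only a Kerberos initialization file. The JAAS entry name, the file path, the JDBC URL and the user principal are constructed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KerberosJdbcLogin {

    // Hypothetical JAAS entry name; the login-module settings are supplied in code,
    // so no separate login-module configuration file is needed for this mode.
    static final String ENTRY = "PasswordKerberos";

    // On an IBM JRE the module is com.ibm.security.auth.module.Krb5LoginModule.
    static final Configuration PASSWORD_LOGIN = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "false");      // no keytab: the TGT is obtained with the password
            opts.put("useTicketCache", "false"); // do not reuse a cached TGT from another user
            opts.put("doNotPrompt", "false");    // let the callback handler supply name and password
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    };

    /** Obtains a TGT for user/password from the KDC and opens the JDBC connection as that Subject. */
    static Connection connect(String jdbcUrl, String user, char[] password) throws Exception {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext(ENTRY, null, handler, PASSWORD_LOGIN);
        lc.login(); // contacts the KDC named in the Kerberos initialization file (krb5.conf)
        Subject subject = lc.getSubject();
        // A driver that authenticates with GSS-API takes its credentials from the current Subject
        // and requests the database service ticket with the TGT obtained above (driver-dependent).
        return Subject.doAs(subject, (PrivilegedExceptionAction<Connection>) () ->
            DriverManager.getConnection(jdbcUrl));
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf"); // placeholder path
        try (Connection c = connect("jdbc:placeholder://db.example.com/sales",
                                    "alice@EXAMPLE.COM", args[0].toCharArray())) {
            System.out.println("Connected as " + c.getMetaData().getUserName());
        }
    }
}
```

The password is passed on the command line only to keep the example short; in the product the query service receives it from the signon or the user prompt described above.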