Configuring the Kerberos login module

You must configure the Kerberos login module to allow the IBM® Cognos® query service to log in to the Active Directory domain. To allow the login, the Java™ Authentication and Authorization Service (JAAS) package requires a configuration file.

There are two possible procedures for configuring the login modules.

To configure the login module for Kerberos with single sign-on (Active Directory):
  1. In Cognos Configuration, select the Active Directory namespace in Security > Authentication.
  2. In the DQM Service Principal Name property, enter the value exactly as it is listed in the keytab.

    Use the command klist -k <keytab file> to find the principal name.

  3. Rename the keytab file to ibmcognosba.keytab, and place it in the install_location/configuration folder.
Cognos Analytics will dynamically create the necessary login configuration.

A configuration file must be referenced in the java.security file in the JRE_HOME/lib/security directory. You must include a line such as the following in the java.security file.

login.config.url.1=file:///${java.home}/lib/security/jaas.conf

JAAS configuration examples are provided in the IBM Cognos installation. The example files are named jaas-ibm.config and jaas-oracle.config, and the files are in the install_location\configuration directory.

In the example files, you must replace the following values:

  • <principal name> is the SPN that you created.
  • <keytab file specification> is the path and file name of the keytab file that you created.

If you are not using a database connection that is configured for Kerberos authentication for modeling, then instead of modifying the java.security file, you can specify the JAAS login configuration file as an additional startup parameter for query service in IBM Cognos Administration. In IBM Cognos Administration, under System, expand your server, select Query Service > Set Properties > Settings, and enter the value in Additional JVM arguments for the query service in the form -Djava.security.auth.login.config=<configuration file>
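The following pre-flight check is an added example, not part of the IBM documentation or the Cognos installation. It covers the keytab step (the DQM Service Principal Name must match a `klist -k` entry exactly) and the `login.config.url` line in java.security. It assumes a Unix-like host with a POSIX shell; the function names are hypothetical and the sample SPN, klist output and java.security lines are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks for the keytab and java.security steps.
# Function names are hypothetical; SAMPLE_* values are constructed, not from a real host.

SAMPLE_SPN='cognosdqm/bi01.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:ibmcognosba.keytab
KVNO Principal
---- ----------------------------------------
   3 cognosdqm/bi01.example.com@EXAMPLE.COM'
SAMPLE_JAVA_SECURITY='#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:///${java.home}/lib/security/jaas.conf'

# Read `klist -k` output on stdin; print each distinct name@REALM token.
keytab_principals() {
    tr -s ' \t' '\n\n' | grep -E '^[^@]+@[^@]+$' | sort -u
}

# $1 = value intended for "DQM Service Principal Name"; klist output on stdin.
# Succeeds only on an exact, case-sensitive, whole-string match.
spn_in_keytab() {
    keytab_principals | grep -qxF -- "$1"
}

# Read java.security on stdin; print the target of every active
# (uncommented) login.config.url.N entry.
jaas_config_urls() {
    sed -n 's/^[[:space:]]*login\.config\.url\.[0-9][0-9]*[[:space:]]*=[[:space:]]*//p'
}

# $1 = keytab path. The keytab holds the service principal's long-term keys,
# so succeed only if group and other have no permission bits on it.
keytab_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on the constructed samples. On a real host, pipe in
# `klist -k <keytab file>` and the contents of java.security instead.
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
if printf '%s\n' "$SAMPLE_KLIST" | spn_in_keytab "$SAMPLE_SPN"; then
    echo "OK: SPN matches a keytab entry exactly"
else
    echo "FAIL: SPN not found in keytab as typed"
fi
printf '%s\n' "$SAMPLE_JAVA_SECURITY" | jaas_config_urls
```

A value that differs from the keytab entry only in letter case, or that omits the realm, fails `spn_in_keytab`.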