Use Kerberos for JDBC Authentication

Use the following steps to configure the Fusion SQL service to use Kerberos for authentication.

  1. Create a service principal and keytab; your Active Directory or Kerberos administrator will know how to do this. At a minimum, enable AES 128-bit encryption. You can use 256-bit, but you’ll have to install the JCE extensions.

    This is an example command to create a keytab file for the service account:

    ktpass /out c:\fusion.service.keytab /princ fusion/sawsserver@FUSIONSQL.LOCAL /rndpass /ptype KRB5_NT_PRINCIPAL /mapUser fusion@FUSIONSQL.LOCAL -mapOp set -crypto AES128-SHA1

  2. Copy the keytab file to the Fusion conf directory.

  3. Update the file conf/hive-site.xml (on Unix) or conf\hive-site.xml (on Windows) to use Kerberos authentication with the correct principal and the keytab file installed in step 2.

    On Unix:

    <property>
      <name>hive.server2.authentication</name>
      <value>KERBEROS</value>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.principal</name>
      <value>fusion/sawsserver@FUSIONSQL.LOCAL</value>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>./conf/fusion.service.keytab</value>
    </property>

    On Windows:

    <property>
      <name>hive.server2.authentication</name>
      <value>KERBEROS</value>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.principal</name>
      <value>fusion/sawsserver@FUSIONSQL.LOCAL</value>
    </property>
    <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>conf\fusion.service.keytab</value>
    </property>

  4. Install the file that contains information about your Kerberos realm on the Fusion server.

    On Unix:

    Place the file krb5.conf in the /etc directory.

    On Windows:

    Place the file krb5.ini in the C:\Windows directory.

  5. Update the file conf/fusion.cors (fusion.properties in Fusion 4.x) on Unix, or conf\fusion.cors (fusion.properties in Fusion 4.x) on Windows, to point to the file krb5.conf (on Unix) or krb5.ini (on Windows) installed in step 4.

    On Unix:

    sql.jvmOptions = -Xmx1g -Djava.security.krb5.conf=/etc/krb5.conf

    On Windows:

    sql.jvmOptions = -Xmx1g -Djava.security.krb5.conf=C:\Windows\krb5.ini
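
A pre-start check for steps 2 and 3, added here as an example and not part of the original Fusion documentation: it parses hive-site.xml, confirms the three Kerberos properties, and on Unix flags a keytab that group or other users can access. The function names, the `fusion_home` parameter, the `<configuration>` root element and the owner-only permission rule are assumptions of this example; the sample files are constructed.

```python
import os, re, stat, tempfile
import xml.etree.ElementTree as ET

AUTH = "hive.server2.authentication"
PRINCIPAL, KEYTAB = AUTH + ".kerberos.principal", AUTH + ".kerberos.keytab"
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # service/host@REALM

def check_kerberos_config(hive_site_path, fusion_home):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.parse(hive_site_path).getroot()  # assumes a single root element
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    problems = []
    if props.get(AUTH, "").upper() != "KERBEROS":
        problems.append(f"{AUTH} is {props.get(AUTH)!r}, expected KERBEROS")
    if not PRINCIPAL_RE.match(props.get(PRINCIPAL, "")):
        problems.append(f"{PRINCIPAL} is missing or not service/host@REALM")
    keytab = props.get(KEYTAB, "")
    if not keytab:
        return problems + [f"{KEYTAB} is not set"]
    path = os.path.normpath(os.path.join(fusion_home, keytab.replace("\\", os.sep)))
    if not os.path.isfile(path):
        problems.append(f"keytab not found: {path}")
    elif os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        # The keytab holds the service's long-term key: owner-only access.
        problems.append(f"keytab accessible by group/other: {path}")
    return problems

def demo():
    """Constructed sample: check a loose keytab, then the same one tightened."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "conf"))
    keytab = os.path.join(home, "conf", "fusion.service.keytab")
    open(keytab, "wb").close()  # empty stand-in, not a real keytab
    site = os.path.join(home, "conf", "hive-site.xml")
    values = [(AUTH, "KERBEROS"), (PRINCIPAL, "fusion/sawsserver@FUSIONSQL.LOCAL"),
              (KEYTAB, "./conf/fusion.service.keytab")]
    with open(site, "w") as f:
        f.write("<configuration>" + "".join(
            f"<property><name>{n}</name><value>{v}</value></property>"
            for n, v in values) + "</configuration>")
    os.chmod(keytab, 0o644)
    loose = check_kerberos_config(site, home)
    os.chmod(keytab, 0o600)
    return loose, check_kerberos_config(site, home)

if __name__ == "__main__":
    print(demo())
```

Run `check_kerberos_config` against the real conf/hive-site.xml with the Fusion home directory as the second argument; the permission check is skipped on Windows, where file ACLs apply instead of mode bits.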