Looking for the old docs site? You can still view it for a limited time here.

Use Kerberos for JDBC Authentication

Use the following steps to configure the Fusion SQL service to use Kerberos for authentication.

  1. Create a service principal and keytab; your Active Directory or Kerberos administrator will know how to do this. At a minimum, enable the AES 128-bit encryption. You can use 256, but you’ll have to install the JCE extensions.

    This is an example command to create a keytab file for the service account:

    ktpass /out c:\fusion.service.keytab /princ fusion/sawsserver@FUSIONSQL.LOCAL /rndpass /ptype KRB5_NT_PRINCIPAL /mapUser fusion@FUSIONSQL.LOCAL -mapOp set -crypto AES128-SHA1
  2. Copy the keytab file to the Fusion conf directory.

  3. Update the file conf/hive-site.xml (on Unix) or conf\hive-site.xml (on Windows) to use Kerberos authentication and the correct principal and keytab file installed in step 2.

    On Unix:

    <property>
      <name>hive.server2.authentication</name>
      <value>Kerberos</value>
    </property>
    <property>
      <name>hive.server2.authentication.Kerberos.principal</name>
      <value>fusion/sawsserver@FUSIONSQL.LOCAL</value>
    </property>
    <property>
      <name>hive.server2.authentication.Kerberos.keytab</name>
      <value>./conf/fusion.service.keytab</value>
    </property>

    On Windows:

    <property>
      <name>hive.server2.authentication</name>
      <value>Kerberos</value>
    </property>
    <property>
      <name>hive.server2.authentication.Kerberos.principal</name>
      <value>fusion/sawsserver@FUSIONSQL.LOCAL</value>
    </property>
    <property>
      <name>hive.server2.authentication.Kerberos.keytab</name>
      <value>conf\fusion.service.keytab</value>
    </property>
  4. Install the file that contains information about your Kerberos realm on the Fusion server.

    On Unix:

    Place the file krb5.conf in the etc directory.

    On Windows:

    Place the file krb5.ini in the C:\Windows directory.

  5. Update the file conf/fusion.properties (on Unix) or conf\fusion.properties (on Windows) to point to the file krb5.conf (on Windows) or krb5.ini (on Windows) installed in step 4.

    On Unix:

    sql.jvmOptions = -Xmx1g -Djava.security.krb5.conf=/etc/krb5.conf

    On Windows:

    sql.jvmOptions = -Xmx1g -Djava.security.krb5.conf=C:\Windows\krb5.ini