Using Kerberos Authentication in Virtual DataPort Without Joining a Kerberos Realm

Virtual DataPort and the Information Self-Service Tool can use the authentication method provided by a Kerberos realm (e.g. a Windows Active Directory domain), even if the server where Virtual DataPort runs does not join this realm. To be able to do this, you have to add some properties to the Denodo configuration scripts.

Follow these steps:

  1. Open the Denodo Control Center
  2. Click Configure
  3. Click JVM Options
  4. In the Virtual DataPort server / ITPilot wrapper server box, add the following (do not remove the existing content of this field):
-Djava.security.krb5.realm=<domain realm>
-Djava.security.krb5.kdc=<Key distribution center 1>[:<key distribution center>]+

For example,

-Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com

If there is more than one key distribution center (KDC) in your domain, list them all in the java.security.krb5.kdc property, separated by colons. For example:

-Djava.security.krb5.realm=CONTOSO.COM
-Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com
  5. Add the same properties you added in the previous step to the Virtual DataPort Administration Tool box.

    Important

    Perform this last step on every host that runs an Administration Tool that needs to use Kerberos authentication, not just on the host where the Virtual DataPort server runs.

  6. Restart the Virtual DataPort server and its Administration Tools.


If the Virtual DataPort Server and/or the Information Self-Service Tool are running on a “headless” host (i.e. a host without graphical support), you cannot launch the Control Center. Instead, to set the Kerberos system properties do the following:

  1. Edit the <DENODO_HOME>/conf/vdp/VDBConfiguration.properties file.

  2. Add the properties java.security.krb5.realm and java.security.krb5.kdc, with the values explained above, to the java.env.DENODO_OPTS_START property.

  3. Execute <DENODO_HOME>/bin/regenerateFiles.sh

  4. Restart the Virtual DataPort server.

    Even if the Server runs in a headless environment, you still have to set these properties in the hosts where the Administration Tools run.
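
One way to script step 2 of the headless procedure so that it can be repeated safely and rejects values that would inject extra JVM options (an added example, not part of the Denodo documentation or tooling). It assumes java.env.DENODO_OPTS_START is a single-line, unquoted key=value entry; the function names krb5_flags and set_krb5_opts are hypothetical.

```shell
#!/bin/sh
# Added example, not Denodo tooling. Assumption: java.env.DENODO_OPTS_START
# is a single-line, unquoted key=value entry holding space-separated JVM flags.

# Print the two -D flags, or fail if a value could smuggle in extra JVM options
# (whitespace, quotes, slashes and similar characters are all rejected).
krb5_flags() {   # usage: krb5_flags REALM KDC[:KDC...]
    # Realm: DNS-style name only.
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    # KDCs: host names only, colon-separated, no empty entries.
    case $2 in ''|*[!A-Za-z0-9.:-]*|:*|*:|*::*) return 1 ;; esac
    printf '%s %s' "-Djava.security.krb5.realm=$1" "-Djava.security.krb5.kdc=$2"
}

# Rewrite FILE so the property carries exactly one realm/kdc pair.
set_krb5_opts() {   # usage: set_krb5_opts FILE REALM KDC[:KDC...]
    file=$1
    key='java.env.DENODO_OPTS_START'
    flags=$(krb5_flags "$2" "$3") || { echo "rejected realm or KDC list" >&2; return 1; }
    grep -q "^$key=" "$file" || { echo "$key not found in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"          # keep the previous configuration
    # Remove any earlier realm/kdc flags, then append the validated pair.
    # All other flags on the line are left untouched.
    sed -E "/^$key=/ {
        s/ *-Djava\.security\.krb5\.(realm|kdc)=[^ ]*//g
        s/[[:space:]]*\$/ $flags/
    }" "$file.bak" > "$file"
}

# Stand-alone use: sh set-krb5.sh <file> <realm> <kdc list>
if [ "$#" -eq 3 ]; then
    set_krb5_opts "$1" "$2" "$3"
fi
```

After it runs, continue with steps 3 and 4 above. The previous file is kept next to the original with a .bak suffix.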


Note that you have to run these steps in:

  • The Virtual DataPort server installations.
  • The Information Self-Service Tool installations.
  • The installation of all the Administration Tools that will use Kerberos authentication.
  • The Java applications that will connect to Virtual DataPort using Kerberos authentication: you have to define these system properties in them.

After performing these steps, configure the Virtual DataPort server and its clients to use Kerberos authentication. The section Kerberos Authentication of the Virtual DataPort Administration Guide explains how to do so.