Enabling Kerberos Authentication Without Joining a Kerberos Realm

You can enable Kerberos authentication in almost all the components of the Denodo Platform and the Solution Manager. Usually, when you want to enable Kerberos authentication, the computers in which you installed the Denodo Platform and the Solution Manager belong to the Windows Active Directory domain of your organization.

This page explains what you have to do when this computer does not belong to a Windows domain but you want to enable Kerberos authentication anyway.

Note

You have to follow the steps of this page before enabling Kerberos authentication on any of the components of the Denodo Platform.

Stage #1: Obtain the Configuration Details

Obtain this information from the administrators of the Active Directory of your organization:

  1. The name of the “realm” of your organization. For example, “CONTOSO.COM”.

  2. The host name of the Key Distribution Center (KDC). There may be more than one.

Once you get this information, copy these values to an editor and construct the Java properties for Kerberos configuration. The syntax of these properties is this:

-Djava.security.krb5.realm=<Windows domain> -Djava.security.krb5.kdc=<Key distribution center 1>[:<key distribution center>]+

Note that if your organization has more than one Key Distribution Center (KDC), you have to separate the host name of each KDC by a colon (:).

For example:

-Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com

Note

We will use this string (i.e. the Java properties for Kerberos configuration) in the following sections of this page.

Stage #2: Configure Virtual DataPort

Log in to Virtual DataPort using an administrator account and do this:

  1. Execute this command:

    SELECT property_value
    FROM GET_PARAMETER()
    WHERE input_property_name = 'java.env.DENODO_OPTS_START';
    
  2. Copy the value of the result to an external editor. For example, -Xmx4096m -XX:+DisableExplicitGC -XX:+UseG1GC -XX:ReservedCodeCacheSize=256m.

  3. Execute this:

    SET 'java.env.DENODO_OPTS_START' = '<"property value" returned by the previous command> <Java properties for Kerberos configuration>';
    

    For example:

    SET 'java.env.DENODO_OPTS_START' = '-Xmx4096m -XX:+DisableExplicitGC -XX:+UseG1GC -XX:ReservedCodeCacheSize=256m -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com';
    

Stage #3: Stop all the Components

Stop all the components of the Denodo Platform. Then, execute <DENODO_HOME>/bin/webcontainer_shutdown to make sure the web container is stopped.

Stage #4: Configure Scheduler and its Administration Tool, Data Catalog and Design Studio

If the Denodo Platform runs on a computer with graphical support, do this:

  1. Open the Denodo Control Center.

  2. Click Configure and then JVM Options.

  3. In the boxes Web Container and Scheduler Server, add the Java properties for Kerberos configuration (do not remove the existing content of this field). You have to end up with something like this:

    Example of Scheduler server JVM configuration
    -Xmx1024m -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com
    
    Example of web container JVM configuration
    -Djava.security.egd=file:/dev/urandom -Xmx1024m -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true -Djava.locale.providers=COMPAT,SPI -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com
    

If the Denodo Platform runs on a computer without graphical support, do this:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/tomcat.properties and, in the value of the property java.env.DENODO_OPTS_START, add the Kerberos configuration parameters (what we defined in stage #1 of this page). Make sure to leave a space between the existing value and the Kerberos configuration parameters.

  2. For the Scheduler server, edit the file <DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties, look for the property java.env.DENODO_OPTS_START and add the Kerberos configuration parameters.

  3. Execute <DENODO_HOME>/bin/regenerateFiles.sh

Stage #5: Start Components

Start the components of the Denodo Platform.

Stage #6: Apply These Changes for the Solution Manager

Stop all the components of the Solution Manager. Then, execute <SOLUTION_MANAGER_HOME>/bin/webcontainer_shutdown to make sure the web container is stopped.

If the Solution Manager is installed on a computer with graphical support, do this:

  1. Open the Denodo Control Center of the Solution Manager.

  2. Click Configure and then JVM Options.

  3. In the following boxes, add the Java properties for Kerberos configuration (do not remove the existing content of these boxes):

    • Solution Manager Server

    • License Manager

    • Web container


If the Denodo Platform runs on a computer without graphical support, do this:

  1. Edit the file <SOLUTION_MANAGER_HOME>/resources/apache-tomcat/tomcat.properties and, in the value of the property java.env.DENODO_OPTS_START, add the Kerberos configuration parameters (what we defined in stage #1 of this page). Make sure to leave a space between the existing value and the Kerberos configuration parameters.

  2. For the Solution Manager, do the same in the file <SOLUTION_MANAGER_HOME>/conf/solution-manager/SMConfigurationParameters.properties. That is, modify the value of the property java.env.DENODO_OPTS_START.

  3. For the License Manager, do the same in the file <SOLUTION_MANAGER_HOME>/conf/license-manager/LMConfigurationParameters.properties. That is, modify the value of the property java.env.DENODO_OPTS_START.

  4. Execute <SOLUTION_MANAGER_HOME>/bin/regenerateFiles.sh
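
The manual file edits in stage #4 and stage #6 (computers without graphical support) can be scripted so that the Kerberos properties are appended exactly once and the existing JVM options are preserved. The following is an added example, not part of the Denodo documentation or code; the function names are hypothetical, and it assumes the property is stored as key=value on a single line.

```shell
#!/bin/sh
# Added example (not Denodo code). Assumes the property is written as
# key=value on a single line; names other than the property key are hypothetical.

# add_krb5_opts FILE REALM KDCS   (KDCS = colon-separated list from stage #1)
add_krb5_opts() {
    file=$1; realm=$2; kdcs=$3
    key='java.env.DENODO_OPTS_START'
    # These values end up on the JVM command line: reject spaces, quotes, etc.
    case $realm in ''|*[!A-Za-z0-9.-]*)
        echo "invalid realm" >&2; return 1 ;; esac
    case $kdcs in ''|:*|*:|*::*|*[!A-Za-z0-9.:-]*)
        echo "invalid KDC list" >&2; return 1 ;; esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Is the property present, and does it already carry krb5 settings?
    state=$(awk -v k="$key=" '
        index($0, k) == 1 { found = 1
                            if (index($0, "-Djava.security.krb5.")) has = 1 }
        END { print (found ? (has ? "configured" : "missing") : "absent") }
    ' "$file")
    case $state in
        absent)     echo "$key not found in $file" >&2; return 1 ;;
        configured) return 0 ;;  # idempotent: never append a second copy
    esac

    cp -p "$file" "$file.bak" || return 1   # keep the original for rollback
    add="-Djava.security.krb5.realm=$realm -Djava.security.krb5.kdc=$kdcs"
    # Append after exactly one space, keeping the existing JVM options.
    awk -v k="$key=" -v add="$add" '
        index($0, k) == 1 { sub(/[ \t]+$/, ""); $0 = $0 " " add }
        { print }
    ' "$file.bak" > "$file"
}

# Demo on a constructed sample file; prints the rewritten property line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'java.env.DENODO_OPTS_START=-Xmx1024m' > "$d/tomcat.properties"
    add_krb5_opts "$d/tomcat.properties" CONTOSO.COM \
        dc-01.contoso.com:dc-02.contoso.com && cat "$d/tomcat.properties"
    rm -rf "$d"
}

if [ "$#" -eq 3 ]; then add_krb5_opts "$@"; else demo; fi
```

Call the function once for each properties file named in the steps above, then run regenerateFiles.sh as the last step of the list says. The .bak copy written next to each file lets you compare or restore the previous JVM options.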

Stage #7: Enable Kerberos Authentication

You can now enable Kerberos authentication in the components of the Denodo Platform and the Solution Manager:

Stage #8: Enable Kerberos on the Administration Tools of Virtual DataPort

Users who have the Administration Tool installed on a computer that does not belong to a Windows domain have to do this:

  1. Open the Denodo Control Center on their computer.

  2. Click Configure and then JVM Options.

  3. In the box Virtual DataPort Administration Tool, add the Java properties for Kerberos configuration (do not remove the existing content of this field).