Before you start configuring CData Virtuality Server for Kerberos authentication, make sure that all prerequisites for CData Virtuality Server Kerberos authentication are met.
Version 4.9 and Above
Configuration in the Main CData Virtuality Server Configuration File
In CData Virtuality 4.9 and above, the server supports an Elytron-based configuration for Kerberos. Kerberos authentication is configured in the main CData Virtuality Server configuration file: path\to\DVServer\standalone\configuration\dvserver-standalone.xml.
Note: If you are upgrading from a previous version, migrate your old security logic to the new Elytron subsystem configuration.
system-properties
Find the <system-properties> element and add the following entries to the existing ones. java.security.krb5.conf points the JVM at a krb5.conf file that defines your Kerberos realm and its KDC (in version 4.8 and below these were set directly through the java.security.krb5.realm and java.security.krb5.kdc properties; with a krb5.conf they are no longer needed as system properties):
<system-properties>
    <property name="java.security.krb5.conf" value="<path to krb5.conf>"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
</system-properties>
A configuration example:
<system-properties>
    ...
    <property name="java.security.krb5.conf" value="C:\datavirtuality\krb5.conf"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
</system-properties>
Elytron Subsystem Configuration
Kerberos Security Factory
Find the <subsystem xmlns="urn:wildfly:elytron:9.0"> section of dvserver-standalone.xml. Under the <credential-security-factories> section, add a <kerberos-security-factory> that references the service principal and the keytab:
<credential-security-factories>
    <kerberos-security-factory name="dv-kerberos-factory"
                               principal="DVServer/<principal as mapped in keyfile. machine@realm notation>"
                               path="<path/to/keytab>">
        <option name="credsType" value="both"/>
    </kerberos-security-factory>
</credential-security-factories>
The keytab holds the long-term key of the service account: whoever can read it can impersonate the server to clients, so restrict its file permissions to the account the server runs as.
A configuration example (the principal attribute is required as shown in the template above; this excerpt shows only the keytab path):
<credential-security-factories>
    <kerberos-security-factory name="dv-kerberos-factory" path="C:\datavirtuality\dvsvc01.keytab">
        <option name="credsType" value="both"/>
    </kerberos-security-factory>
</credential-security-factories>
LDAP Realm (see the LDAP configuration documentation for more details)
Find
<custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealm"/>
and replace it with the following, filling in the empty DC= components with your directory's base DN and the OU= component with the container that holds the role groups:
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
    <identity-mapping rdn-identifier="cn" search-base-dn="DC=,DC=" use-recursive-search="true">
        <attribute-mapping>
            <attribute filter="(member={1})" filter-base-dn="OU=,DC=,DC=" from="cn" to="Roles"/>
        </attribute-mapping>
    </identity-mapping>
</ldap-realm>
A configuration example:
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
    <identity-mapping rdn-identifier="cn" search-base-dn="DC=KRBTEST,DC=DV" use-recursive-search="true">
        <attribute-mapping>
            <attribute filter="(member={1})" filter-base-dn="OU=dv-user-accounts,DC=KRBTEST,DC=DV" from="cn" to="Roles"/>
        </attribute-mapping>
    </identity-mapping>
</ldap-realm>
Find the </expression-resolver> tag and paste the following after it, replacing the placeholders with your own values first. Use a dedicated, least-privileged bind account rather than a domain administrator: the connection only needs to read user and group objects. Note also that clear-text stores the bind password verbatim in the configuration file (WildFly Elytron can instead reference an alias in a credential store), and that with the default simple bind the password crosses the network in the clear unless you connect over ldaps://:
<dir-contexts>
    <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=KRBTEST,DC=DV" url="ldap(s)://<ldap (dc) machine name - fqdn>:389|636">
        <credential-reference clear-text="<password>"/>
    </dir-context>
</dir-contexts>
Find the </policy-decider-module> tag and insert the following after it:
<ldap>
    <property name="defaultAdminGroup" value="dv-admin-role"/>
    <property name="displayUserName" value="cn"/>
    <property name="roleRecursion" value="5"/>
</ldap>
Transport
Find the <subsystem xmlns="urn:jboss:domain:teiid:1.1"> element. Inside it, locate the section containing the <transport> elements and add Kerberos-enabled transport configurations for JDBC and ODBC:
<transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
    <authentication security-domain="<security domain name>" type="GSS" krb5-security-factory="<kerberos factory name>"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
    <authentication security-domain="<security domain name>" type="GSS" krb5-security-factory="<kerberos factory name>"/>
    <ssl mode="disabled"/>
</transport>
Note that <ssl mode="disabled"/> switches TLS off for the pg listener: Kerberos authenticates the client, but query text and result sets then travel unencrypted, so expose such a listener only on a trusted network or enable SSL on the transport.
An example:
<transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
    <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
    <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
    <ssl mode="disabled"/>
</transport>
This configuration makes it possible to:
validate incoming Kerberos tickets against the AD keytab (via the Kerberos factory);
obtain group membership from AD LDAP (via the <ldap-realm> used by the dv-security security domain).
Socket-binding/ports
Find the <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> element. Inside it, add the Kerberos-enabled port configuration:
<socket-binding name="dv-jdbc-krb" port="31002"/>
<socket-binding name="dv-odbc-krb" port="35434"/>
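The pieces above (system properties, Kerberos security factory, LDAP dir-context, GSS transports and socket bindings) only work when they reference each other consistently, and the file itself is where a misconfiguration or a clear-text secret is easiest to spot. The following script is an added example, not part of the CData Virtuality documentation or product: it parses a dvserver-standalone.xml laid out as the 4.9+ section describes and reports dangling references and the weak settings discussed above. The embedded XML is a constructed, minimal stand-in for the real file; its service principal, host names, bind account and password are placeholders chosen for this example.

```python
# Added example, not CData Virtuality's or WildFly's own code: consistency and
# hardening check for the Kerberos wiring in dvserver-standalone.xml (4.9+ layout).
# Elements are matched by local tag name so the exact schema versions do not matter.
import xml.etree.ElementTree as ET

# Constructed stand-in for dvserver-standalone.xml. The SPN, hosts, bind account
# and password are placeholders for this example; dv-odbc-krb is deliberately
# left out of the socket-binding-group to show a dangling reference.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:10.0">
  <system-properties>
    <property name="java.security.krb5.conf" value="C:\\datavirtuality\\krb5.conf"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
  </system-properties>
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:9.0">
      <credential-security-factories>
        <kerberos-security-factory name="dv-kerberos-factory"
                                   principal="DVServer/dvsvc01.krbtest.dv@KRBTEST.DV"
                                   path="C:\\datavirtuality\\dvsvc01.keytab">
          <option name="credsType" value="both"/>
        </kerberos-security-factory>
      </credential-security-factories>
      <dir-contexts>
        <dir-context name="ldap-connection" url="ldap://dc01.krbtest.dv:389"
                     principal="CN=svc-dv-ldap,OU=dv-user-accounts,DC=KRBTEST,DC=DV">
          <credential-reference clear-text="s3cret"/>
        </dir-context>
      </dir-contexts>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:teiid:1.1">
      <transport name="jdbc-krb" protocol="teiid" socket-binding="dv-jdbc-krb">
        <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
      </transport>
      <transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
        <authentication security-domain="dv-security" type="GSS" krb5-security-factory="dv-kerberos-factory"/>
        <ssl mode="disabled"/>
      </transport>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="dv-jdbc-krb" port="31002"/>
  </socket-binding-group>
</server>
"""


def _local(tag):
    """Strip the {namespace} prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def check_kerberos_wiring(xml_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    props = {}
    for sp in _all(root, "system-properties"):
        for p in sp:
            if _local(p.tag) == "property":
                props[p.get("name")] = p.get("value")
    if not props.get("java.security.krb5.conf"):
        findings.append("system-properties: java.security.krb5.conf is not set")
    if props.get("javax.security.auth.useSubjectCredsOnly") != "false":
        findings.append("system-properties: javax.security.auth.useSubjectCredsOnly must be false")

    factories = {f.get("name"): f for f in _all(root, "kerberos-security-factory")}
    for name, f in factories.items():
        for attr in ("principal", "path"):
            if not f.get(attr):
                findings.append(f"kerberos-security-factory {name}: {attr} is missing")

    bindings = {b.get("name") for b in _all(root, "socket-binding")}
    for t in _all(root, "transport"):
        auth = _child(t, "authentication")
        if auth is None or auth.get("type") != "GSS":
            continue                                   # not a Kerberos transport
        tname, factory, binding = t.get("name"), auth.get("krb5-security-factory"), t.get("socket-binding")
        if factory not in factories:
            findings.append(f"transport {tname}: krb5-security-factory '{factory}' is not defined")
        if binding not in bindings:
            findings.append(f"transport {tname}: socket-binding '{binding}' is not defined")
        ssl = _child(t, "ssl")
        if ssl is not None and ssl.get("mode") == "disabled":
            findings.append(f"transport {tname}: ssl mode=disabled, Kerberos authenticates the login "
                            "but query traffic on this port is unencrypted")

    for dc in _all(root, "dir-context"):
        url = dc.get("url", "")
        if url.startswith("ldap://"):
            findings.append(f"dir-context {dc.get('name')}: {url} is plain LDAP; the simple bind "
                            "password crosses the network in the clear, use ldaps://")
        cred = _child(dc, "credential-reference")
        if cred is not None and cred.get("clear-text") is not None:
            findings.append(f"dir-context {dc.get('name')}: bind password stored as clear-text "
                            "in the configuration file; prefer a credential store alias")
    return findings


if __name__ == "__main__":
    for line in check_kerberos_wiring(SAMPLE_XML):
        print("-", line)
```

Run against the real file by passing its contents to check_kerberos_wiring; on the constructed sample it reports the missing dv-odbc-krb binding, the disabled SSL on the pg transport, the plain ldap:// URL and the clear-text bind password, and returns nothing once those four are corrected.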
Version 4.8 and Below
Configuration in the Main CData Virtuality Server Configuration File
Kerberos authentication is configured in the main CData Virtuality Server configuration file: path\to\DVServer\standalone\configuration\dvserver-standalone.xml.
The configuration touches four areas of the file:
system-properties: entries are added;
security-domains: one existing entry is replaced and two new entries are added;
transport: two entries are added;
socket-binding: two entries are added.
system-properties
Find the <system-properties> element and add the following entries to the existing ones (note that <REALM> is the name of your Kerberos realm, which is case-sensitive and for Active Directory is the upper-case domain name, and that the KDC is the FQDN of a domain controller):
<system-properties>
    <property name="java.security.krb5.realm" value="<REALM>"/>
    <property name="java.security.krb5.kdc" value="<kdc machine name - fqdn>"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
</system-properties>
A configuration example:
<system-properties>
    ...
    <property name="java.security.krb5.realm" value="KRBTEST.DV"/>
    <property name="java.security.krb5.kdc" value="DVDC01.KRBTEST.DV"/>
    <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    <property name="sun.security.jgss.native" value="false"/>
</system-properties>
security-domains
Find the <subsystem xmlns="urn:jboss:domain:security:2.0"> element. Inside it, locate the <security-domain name="dv-security" cache-type="default"> element and replace it with the following three elements:
<security-domain name="dv-security">
<security-domain name="<realm>">
<security-domain name="dv-security-krb">
Note that the names dv-security and dv-security-krb must be kept exactly as shown here rather than adapted to your setup, while <realm> is the name of the Kerberos realm in your environment.
Below is the general configuration of the three security domains:
dv-security
<security-domain name="dv-security" cache-type="default">
    <authentication>
        <login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.security.principal" value=""/>
            <module-option name="java.naming.security.credentials" value="***"/>
            <module-option name="bindDN" value=""/>
            <module-option name="bindCredential" value="***"/>
            <module-option name="baseCtxDN" value="<...>"/>
            <module-option name="baseFilter" value="(cn={0})"/>
            <module-option name="rolesCtxDN" value="<...>"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="defaultAdminGroup" value="<...>"/>
        </login-module>
    </authentication>
</security-domain>
<realm>
This domain chains two modules: the SPNEGO module validates the client's ticket using the server credentials from dv-security-krb and, because of removeRealmFromPrincipal, passes the bare user name down the stack (password-stacking=useFirstPass), and the LDAP module then resolves that user's roles from the directory without a second authentication.
<security-domain name="<realm>">
    <authentication>
        <login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="dv-security-krb"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
        </login-module>
        <login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap(s)://<ldap (dc) machine name - fqdn>:389|636"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.security.principal" value=""/>
            <module-option name="java.naming.security.credentials" value="***"/>
            <module-option name="bindDN" value=""/>
            <module-option name="bindCredential" value="***"/>
            <module-option name="baseCtxDN" value="<...>"/>
            <module-option name="baseFilter" value="(cn={0})"/>
            <module-option name="rolesCtxDN" value="<...>"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="defaultAdminGroup" value="<...>"/>
        </login-module>
    </authentication>
</security-domain>
dv-security-krb
<security-domain name="dv-security-krb">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="DVServer/<principal as mapped in keyfile. machine@realm notation>"/>
            <module-option name="keyTab" value="<path/to/keytab>"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="tryFirstPass" value="true"/>
        </login-module>
    </authentication>
</security-domain>
A configuration example of the three security-domain elements (the realm is KRBTEST.DV):
<security-domain name="dv-security" cache-type="default">
    <authentication>
        <login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.security.credentials" value="***"/>
            <module-option name="bindCredential" value="***"/>
            <module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
            <module-option name="baseFilter" value="(CN={0})"/>
            <module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="defaultAdminGroup" value="dv-admin-role"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="KRBTEST.DV">
    <authentication>
        <login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="dv-security-krb"/>
            <module-option name="removeRealmFromPrincipal" value="true"/>
        </login-module>
        <login-module code="com.datavirtuality.dv.core.teiid.users.ldap.ext.DVLdapExtLoginModule" flag="requisite" module="com.datavirtuality.dv">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://dc01.krbtest.dv:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="java.naming.security.credentials" value="***"/>
            <module-option name="bindCredential" value="***"/>
            <module-option name="baseCtxDN" value="ou=dv-user-accounts,dc=KRBTEST,dc=DV"/>
            <module-option name="baseFilter" value="(CN={0})"/>
            <module-option name="rolesCtxDN" value="ou=dv-roles,DC=KRBTEST,DC=DV"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="defaultAdminGroup" value="dv-admin-role"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="dv-security-krb">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="C:\datavirtuality\dvsvc01.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="tryFirstPass" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Transport
Find the <subsystem xmlns="urn:jboss:domain:teiid:1.1"> element. Inside it, locate the section containing the <transport> elements and add Kerberos-enabled transport configurations for JDBC and ODBC, each referencing the <realm> security domain defined above:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
    <authentication security-domain="<realm>" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
    <authentication security-domain="<realm>" type="GSS"/>
    <ssl mode="disabled"/>
</transport>
Note that <ssl mode="disabled"/> switches TLS off for the pg listener: Kerberos authenticates the client, but query text and result sets then travel unencrypted, so expose such a listener only on a trusted network or enable SSL on the transport.
An example:
<transport name="jdbc-krb" socket-binding="dv-jdbc-krb" protocol="teiid">
    <authentication security-domain="KRBTEST.DV" type="GSS"/>
</transport>
<transport name="odbc-krb" socket-binding="dv-odbc-krb" protocol="pg">
    <authentication security-domain="KRBTEST.DV" type="GSS"/>
    <ssl mode="disabled"/>
</transport>
Socket-binding/ports
Find the <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> element. Inside it, add the Kerberos-enabled port configuration:
<socket-binding name="dv-jdbc-krb" port="31002"/>
<socket-binding name="dv-odbc-krb" port="35434"/>