Known issue with the web clients Spotfire® Business Author and Consumer
In the TIBCO Spotfire® Connector for Oracle, version 7.5 and later, it?s not possible to connect to Oracle with Kerberos authentication. This pertains only to the web clients Spotfire Business Author and Consumer. The problem pertains to the Oracle ADO .Net driver and connections created using the Spotfire Connector for Oracle.
Connections to Oracle are created and configured in the installed client Spotfire Analyst. Oracle connections that use Kerberos authentication cannot be opened in the web clients, neither as connections saved in the library nor if they are embedded in analysis files.
Since Spotfire 7.5, the Oracle connector uses a larger portion of the Oracle feature set. Using the extended feature set has revealed issues when the credentials of a user on TIBCO Spotfire Server are delegated further to an Oracle database using Kerberos.
Alternative solutions
To connect to Oracle in Spotfire web clients, you can use the following methods.
- Configure your connection with Oracle authentication instead, allowing users to manually enter credentials for the data source.
- Use Information Services (JDBC) in Spotfire to connect to Oracle data sources with Kerberos authentication.
Possible configurations
While investigating this issue, TIBCO has explored multiple configurations for solving the issue. The following instructions describe configurations that have worked but only in some limited test cases.
There is no guarantee that the following instructions will work for your environment. Officially, using the Spotfire Oracle Connector with Kerberos authentication does not work on the Spotfire Web clients TIBCO Spotfire Business Author and Consumer.
Pre-requisites:
- A Spotfire environment configured for Kerberos delegation.
- An Oracle support account, so you can download the required patches from Oracle support.
Installing and configuring Oracle Database
- Install Oracle Database 12c and set up a database. Add externally identified users to the database.
- Open the file sqlnet.ora and make sure that SQLNET.AUTHENTICATION_SERVICES includes KERBEROS5 and it does not include KERBEROS5PRE.
Installing and configuring the Oracle Client
-
On the node manager server that will run the Spotfire web client, install the Oracle Client.
Caution: Make sure you install Oracle Client and not the Instant Client. The Instant Client cannot be upgraded with patches using Oracle?s ?Opatch? tool on Windows.
- During the installation, select Custom and choose to install SQLPlus, Oracle Advanced security, Oracle Data Provider for OleDB and Oracle Data Provider for .NET.
- Apply both the latest Opatch and Oracle Windows Bundle patch. Make sure that you follow the instructions on how to apply patches in the file readme.html, and also make sure to follow the instructions in the section 'Oracle .NET Assembly Optional Setup Instructions'.
Kerberos configurations
-
On the node manager server, open the file sqlnet.ora and configure it to include the following:
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5) SQLNET.KERBEROS5_CC_NAME = MSLSA:// SQLNET.KERBEROS5_CONF = PATH TO KRB5.CONF FILE SQLNET.KERBEROS5_CONF_MIT = TRUE
-
On both the client and the server, the krb5.conf file should look like this:
[libdefaults] default_realm = DOMAIN.COM default_tkt_enctypes = rc4-hmac (or aes-256 if that's what's being used) default_tgs_enctypes = rc4-hmac (or aes-256 if that's what's being used) [realms] DOMAIN.COM = { kdc = FQDN admin_server = FQDN default_domain = domain.com } [domain_realm] .domain.com = DOMAIN.COM domain.com = DOMAIN.COM -
On the node manager server, install the MIT Kerberos Client. You can download the program here.
-
Restart the node manager server. To verify that you can now use Kerberos authentication with Oracle in the Spotfire web client, log in to Oracle using sqlplus with the command sqlplus /@SID. If this is successful, open an analysis file that uses the Oracle connector or OleDB and Kerberos authentication.
Recommended Comments
There are no comments to display.