TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Authentication and User Directory<br />
HTTP/spotserver:8080<br />
HTTP/spotserver.research.example.com:8080<br />
Create Keytab Files<br />
The next step is to create keytab files, which the <strong>Spotfire</strong> <strong>Server</strong>(s) will use to<br />
authenticate using Kerberos. This is also done with a tool that comes with Microsoft<br />
Support Tools, called ktpass.exe. You can run this command on one of your Domain<br />
Controllers and then copy the created files to the <strong>Spotfire</strong> <strong>Server</strong>(s).<br />
Note: In a clustered environment, create one keytab file, and use the long principal<br />
name of the load balancer, not one of the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
Always name the file spotfire.keytab, as shown below. Run the command, including<br />
all the text on one line, like this:<br />
> ktpass /princ HTTP/myHost.mydomain[:port]@MYDOMAIN<br />
/mapuser myServiceAccount /ptype krb5_nt_principal /crypto rc4-hmac-nt<br />
/out spotfire.keytab /pass Password<br />
Replace the myServiceAccount, myHost<br />
appropriate values.<br />
mydomain, and Password variables with<br />
Example:<br />
Generate a keytab file for the <strong>Spotfire</strong> server spotserver.research.example.com running<br />
on port 8080 in the Windows domain RESEARCH.EXAMPLE.COM (note the upper<br />
case) with the password Pa55w0rd:<br />
> ktpass /princ HTTP/spotserver.research.example.com:8080@RESEARCH.EXAMPLE.COM<br />
/mapuser spotsvc /ptype krb5_nt_principal /crypto rc4-hmac-nt<br />
/out spotfire.keytab /pass Pa55w0rd<br />
Install Keytab Files<br />
Once the keytab files are created with the above examples you need to install them on<br />
the <strong>Spotfire</strong> <strong>Server</strong>s. For each <strong>Spotfire</strong> <strong>Server</strong>, the keytab file should be placed in the<br />
directory<br />
/jdk/jre/lib/security/<br />
Note: This file contains important security information that should not be shared. It is<br />
recommended that you use caution when copying the files to the destination servers. If<br />
possible, a memory stick or similar should be used to avoid insecure network file copy.<br />
You should also limit access to the file once in place. Only the Service and the<br />
Administrator accounts on the <strong>Spotfire</strong> <strong>Server</strong> need to be able to read and write to it.<br />
Also note that if, at any point, you change the password for <strong>Spotfire</strong> service account,<br />
Kerberos will stop working and you will have to re-create the keytab files with the<br />
new password.<br />
8.3.1.2 Configure the <strong>Spotfire</strong> <strong>Server</strong>(s) to Use Kerberos<br />
To enable Kerberos on the <strong>Spotfire</strong> <strong>Server</strong>(s) there is one configuration file that needs<br />
to be modified. This chapter will outline what changes need to be made to this file. For<br />
complete reference of the file, see the section “krb5.conf” on page 137.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 71 (144)