Liberty support for kerberos authentication using Datasources

[atosak]

devWorks RFE 97557 When JDBC/JCA code was ported to Liberty, the code for supporting kerberos authentication on a DataSource was not completed. Traditional WAS supports this for both sqlserver and db2 JDBC drivers using two very different mechanisms (the former involves credentials being placed on the thread, the latter using typical driver properties). This feature will require work from the security squad to get the GSSCredentials into the Subject for the sqlserver driver and to potentially extend their existing kerb FAT to support this, so we'll need to consider that during prioritization. Based on requirements and feedback we've gotten, we need to support SQLServer, Db2 and Oracle on Liberty. For Liberty we'll address continuous testing with containerized envs for the 3 databases.

UFO link: https://ibm.box.com/s/tdmbjmkrtdtvt44s63bgo9r7lpvftjbm

[atosak]

---

List of Steps to complete or get approvals / sign-offs for Onboarding to the Liberty release (GM date)

Instructions:

• Do the actions below and mark them complete in the checklist when they are done.
• Make sure all feature readiness approvers put the appropriate tag on the epic to indicate their approval.

---

TARGET COMPLETION DATE Before Development Starts or 8 weeks before Onboarding

• [x] POC Design / WAD Review Scheduled (David Chang) or N/A.

• [x] POC Design / WAD Reviewed (Feature Owner) or N/A.

• [x] Complete any follow-ons from the POC Review.

• [x] Design / WAD Approval (Alasdair Nottingham) or N/A.

• [x] No Design / No WAD Approval (Arthur De Magalhaes - cloud / Alasdair Nottingham - server) or N/A.

• [x] SVT Requirements identified. (Epic owner / Feature owner with SVT focal point)

• [x] ID Requirements identified. (Epic owner / Feature owner with ID focal point)

• [x] Create a child task of the epic entitled "FAT Approval Test Summary". Add and fill in the template as described here: https://github.ibm.com/was-liberty/WS-CD-Open/wiki/Feature-Review-(Feature-Test-Summary-Process)

• ---

  TARGET COMPLETION DATE 3 weeks before Onboarding

• [x] Identify all open source libraries that are changing or are new. Work with Legal Release Services (Cass Tucker or Release PM) to get open source cleared and approved. Or N/A. (Epic Owner). New or changed open source impacts license and Certificate of Originality.

• ---

  TARGET COMPLETION DATE 3 weeks before Onboarding

• [x] All new or changed PII messages are checked into the integration branch, before the last translation shipment out. (Epic Owner)

• ---

  TARGET COMPLETION DATE 2 weeks before Onboarding

• [x] Implementation complete. (Epic owner / Feature owner)

• [x] All function tests complete. Ready for FAT Approval. (Epic owner / Feature owner)

• [x] Review all known issues for Stop Ship. (Epic owner / Feature owner / PM)

• ---

  APPROVALS with TARGET COMPLETION DATE 2 to 1 week before Onboarding

  Prereq: You must have the Design Approved or No Design Approved label on the GitHub Epic.

• [x] Accessibility - (Steven Zvonek). Accessibility testing is complete or N/A. Approver adds label focalApproved:accessibility to the Epic in Github.

• [x] FAT Liberty SOE - (Kevin Smith). SOE FATS are running successfully or N/A . Approver adds label focalApproved:fat to the Epic in Github.

• [x] Globalization (Sam Wong - Liberty / Simy Cheeran - tWAS). Translation is complete or N/A. TVT - complete or N/A. Approver adds label focalApproved:globalization to the Epic in Github.

• [ ] ID - (Kareen Deen). Documentation work is complete or N/A . Approver adds label focalApproved:id to the Epic in Github.

• [x] Performance - (Jared Anderson). Performance testing is complete with no high severity defects or N/A . Approver adds label focalApproved:performance to the Epic in Github.

• [x] Serviceability - (Don Bourne). Serviceability has been addressed.

• [x] STE - (Swati Kasundra). STE chart deck is complete or N/A . Approver adds label focalApproved:ste to the Epic in Github.

• [x] SVT - (Greg Ecock - Cloud, Brian Hanczaryk- APS). SVT is complete or N/A . Approver adds label focalApproved:svt to the Epic in Github.

• [ ] Demo - (Liberty only - Tom Evans or Chuck Bridgham). Demo is scheduled for an upcoming EOI. Approver adds label focalApproved:demo to the Epic in Github.

• ---

  TARGET COMPLETION DATE 1 week before Onboarding

• [ ] No Stop Ship issues for the feature. (Epic owner / Feature owner / Release PM)

• [ ] Ship Readiness Review and Release Notes completed (Epic owner / Feature owner / Release PM)

• [ ] Github Epic and Epic's issues are closed / complete. All PRs are committed to the master branch. (Epic owner / Feature owner / Backlog Subtribe PM)

• ---

  NOT REQUIRED FOR A FEATURE

• [x] OL Guides - (Yee-Kang Chang). Assessment for OL Guides is complete or N/A.

• [x] WDT - (Leonard Theivendra). WDT work complete or N/A.

• ---

  Related Deliverables TARGET COMPLETION DATE General Availability

• [ ] Blog article writeup (Epic owner / Feature owner / Laura Cowen)

[cthigh]

Notes from the UFO review meeting on June 16th. Mark Swatosh

Page 10 - Question - Why 5 in the name? Answer: Kerberos convention. Consistent with other Kerbersose naming. Krb5 around for a long time - no version 6.

• [ ] Page 18 - need offline discussion for outbound SPNEGO related configuration. Previous discussion was to not reply on the SPNEGO config.

• [ ] Page 20 - How does this work in binding file for mapping container auth data to data source resource references? Is it mapped by authentication Alias? Can we provide some example? Need discussion since an auth alias isn’t required.

• [ ] P20, 21 - update example to discourage use of krb5CCache=“/tmp/krb5cc”

• [ ] P21 - Why are you using krb5Principal instead of “username”? It was used to indicate using Kerberos. Could add a new flag instead. Follow up with Alasdair with his concern. User name and password are required. Might have top level configuration rather than nested.

• [ ] Page 22 - Example - bullet 4 -missing leading slash. /

• [ ] Page 22 - Speaker notes have OS examples - might want to include them - multiple questions.

• [ ] DD bindings will have an effect on Kerberos config processing order? Where would binding files be read for resolution. Also consider application element binding overrides are processed with is different than just server.xml config.

• [ ] Page 23 - Make bullet 2 with bullet 4 match for the example.

• [ ] Page 33 - Would it be helpful to contact Microsoft to see if they can do SQL Server changes more quickly? (Alasdair, Graham)

• [ ] Page 34 - SVT - can we give svt a container for testing? - No SQL Server doesn’t work in containers. Customers ask for db2 and oracle and better for testing. AndyG - light mode for DB2 available for testing.

• [ ] Page 40 - Can tWAS config be translated to Liberty for automated config? Would it move to config or reports? Follow up with the migration team.

• [ ] Alasdair asked about Oracle’s JDBC driver requiring use of Oracle’s Java? Mark - if you want it to do authentication automatically, it has to be on the Oracle Jaxa. The code is looking for the sun login module. Pretty sure this will work on openJ9 - get the credentials then pass them on. If this isn’t this case, then check back with Alasdair before shipping. I.e., Alasdair wants to know if IBM Java doesn’t work with the Oracle JDBBC driver.

[cthigh]

Recording file UFO-OL9008-Kerberos_using_datasources-20200616.mp4 added to this box folder: https://ibm.box.com/s/bhel8ue58hncxxk9qqlu1zsf32dw973y

[frowe]

@samwatibm May I get approvals for both accessibility and globalization? There is no user interface for this feature and the messages files are back from translation.

[samwatibm]

@frowe It's @steven1046 that does accessibility approvals. For globalization, can you confirm the translations were done in the prior iteration? 20.0.0.11 translations are NOT back yet.

[frowe]

@samwatibm Yes, message files were updated some time ago.

[frowe]

@hanczaryk Can I get SVT approval for this feature? Originally, we said in the UFO that we'd need SVT to execute a test on MS SQLServer since kerberos auth is performed via AD on Windows, and AD isn't available in a container that was suitable for test container env of FAT. We went ahead and set this up ourselves and executed the FATs, so we no longer need SVT to do so, and I've updated the UFO to indicate this change.

[donbourne]

Serviceability Approval Comment - Please answer the following questions for serviceability approval:

1. WAD -- does the WAD identify the most likely problems customers will see and identify how the feature will enable them to diagnose and solve those problems without resorting to raising a PMR? Have these issues been addressed in the implementation?

2. Test and Demo -- As part of the serviceability process we're asking feature teams to test and analyze common problem paths for serviceability and demo those problem paths to someone not involved in the development of the feature (eg. L2, test team, or another development team).
   a) What problem paths were tested and demonstrated? b) Who did you demo to? c) Do the people you demo'd to agree that the serviceability of the demonstrated problem scenarios is sufficient to avoid PMRs for any problems customers are likely to encounter, or that L2 should be able to quickly address those problems without need to engage L3?

3. SVT -- SVT team is often the first team to try new features and often encounters problems setting up and using them. Note that we're not expecting SVT to do full serviceability testing -- just to sign-off on the serviceability of the problem paths they encountered. a) Who conducted SVT tests for this feature? b) Do they agree that the serviceability of the problems they encountered is sufficient to avoid PMRs, or that L2 should be able to quickly address those problems without need to engage L3?

4. Which L2 / L3 queues will handle PMRs for this feature? Ensure they are present in the contact reference file and in the queue contact summary, and that the respective L2/L3 teams know they are supporting it. Ask Don Bourne if you need links or more info.

5. Does this feature add any new metrics or emit any new JSON events? If yes, have you updated the JMX metrics reference list / Metrics reference list / JSON log events reference list in the Open Liberty docs?

[aguibert]

1. Yes

2. Test And demo 2.A. What scenarios were demo'd?

   • Sceanrio 1: User configures <kerberos keytab="/does/not/exist"/> Outcome: Liberty emits the following error message: CWWKS4345E: The [keytab] attribute from the element is configured to a file that does not exist at: /does/not/exist
   • Scenario 2: User configures <kerberos configFile="/does/not/exist"/> Outcome: Liberty emits the following error message: CWWKS4345E: The [configFile] attribute from the element is configured to a file that does not exist at: /does/not/exist NOTE: For scenario 1/2, we will output an INFO level messag saying for the discovered keytab and configFile such as: CWWKS4346I: The Kerberos component is configured to use a keytab file located at /path/to/krb5.keytab CWWKS4346I: The Kerberos component is configured to use a conf file located at /path/to/krb5.conf
   • Scenario 3: User configures conflicting values for the Kerberos keytab in the element and the element

     <kerberos configFile="/first/path.conf"/>
     <spnego   krb5Config="/second/path.conf"/>

     Outcome: Liberty emits the following error message: CWWKS4323E: The [keytab] attribute from the element conflicts with the [krb5Keytab] attribute from the element. Specify a value only on either the or the element, not on both elements. It is suggested to specify the value only on the element.

   • Scenario 4: User configures conflicting values for the Kerberos conf file in the element and the element Outcome: Liberty emits the following error message: CWWKS4323E: The [configFile] attribute from the element conflicts with the [krb5Config] attribute from the element. Specify a value only on either the or the element, not on both elements. It is suggested to specify the value only on the element.
   • Scenario 5: User has misconfigured their Kerberos conf file, keytab, or backend database. Outcome: Liberty does not directly read the Kerberos conf file, keytab, or backend database configuration. Any invalid configurations in these categories will be raised by the code that is repsonsible for parsing and acting upon the configuration.
   • In the case of conf/keytab this is the Kerberos JDK APIs.
   • In the case of the backend database this would be the JDBC driver surfacing some form of SQLException, usually with a nested LoginException.
   • Scenario 6: User configures <authData> with 'user' instead of 'krb5Principal'

     <authData user="me" password="foo"/>
     <authData krb5Principal="me@EXAMPLE.COM" password="foo"/>

     Outcome A: If user has also configured 'password', then the authData would be used as a normal authData with basic user/password. Outcome B: If no 'password' is configured, then Liberty emits the following error message: CWWKS1301E: A configuration error has occurred. The attribute password must be defined.

   • Scenario 7: User configures an XA-capable datasource to use SPNEGO authentication. Since SPNEGO requires manual input from the user, XA recovery would not be able to authenticate a new connection if one was needed for an XA recovery. Outcome: Liberty emits the following warning upon obtaining a connection using SPNEGO auth on an XA-capable datasource: J2CA0695W: A connection request for XA resource jdbc/mySpnegoDS was made using SPNEGO authentication, but no recovery auth data alias was configured. The XA resource is not able to participate in automated XA recovery unless a recovery auth data alias is configured.
   • Scenario 8: User attempts to use Kerberos authentication for a DB type that is not supported (i.e. anything other than Oracle, DB2, SQLServer and PostgreSQL) Outcome: Liberty emits the following warning: DSRA9543W: The Application Server does not support Kerberos against the backend database that is being used. No user name and password will be used to get a connection.

2.B. Demo attendees: Fred Rowe, Jim Stephens, Kyle Aure, Mark Swatosh, Nathan Rauh 2.C. yes

3. No SVT for this feature

4. Problems with connection pooling will go to WAS L3: JCA, Connection Management. Problems related to Kerberos configuration or obtaining Kerberos tickets will go to WAS L3: Core Security.

5. No new metrics.

[KyleAure]

Skills transfer (STE) document uploaded to IBM internal box folder here: https://ibm.box.com/s/t5hwxy559ibaddyxtfj8d467d8tbdac5

[frowe]

@jhanders34 Can we get perf approval for this feature?

[aguibert]

For reference here is the content we will be adding for documentation: https://github.com/OpenLiberty/docs/issues/2460

[chirp1]

@frowe @aguibert Hi! The documentation update might occur after the code is released. Therefore, ensure that the blog post for the feature has enough information so that a customer can use the feature.

[frowe]

RFE closed.