Kerberos configuration
- Last Updated: Jan 04, 2023
- PI SQL Client JDBC 2021
PI SQL Client JDBC supports RFC 5896 and uses the Java Authentication and Authorization Service (JAAS) Krb5LoginModule to provide Kerberos authentication, which eliminates the need for Kerberos delegation configuration on the back-end machine or the domain controller for PI SQL Data Access Server (RTQP Engine). For more information, see the JAAS article Class Krb5LoginModule.
The configuration required to obtain the Kerberos ticket depends on the operating system. The ticket is obtained from a file-based ticket cache, the Local Security Authority (LSA), or a keytab (tried in that order).
OSIsoft recommends that you create a Kerberos configuration file or update it if it already exists, to specify your Key Distribution Center (KDC) as shown here. On Windows operating systems, the file is C:\WINDOWS\krb5.ini. On Linux, macOS, and Oracle Solaris the file is /etc/krb5.conf. Regardless of the method used to obtain the ticket, the KDC has to be known to JAAS. If the KDC is not specified, JAAS searches for it, and the driver performance may be affected.
    [libdefaults]
        forwardable = true
        default_realm = MYREALM.INT
    [realms]
        MYREALM.INT = {
            kdc = MY_KDC.MYREALM.INT
        }
Caution: The tickets in the file-based cache have an expiration date. There is no fallback to the other ticket sources when the file cache contains expired tickets. Use the Java klist tool to ensure you have valid tickets in your cache, or delete the file cache. Additionally, the file-based cache and the keytab must be updated after a password change.
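
The following added example (not OSIsoft code) checks that the default realm in a krb5.ini or krb5.conf file names a KDC, so that JAAS does not have to search for one. The function names `parse_krb5` and `check_kdc` are hypothetical, the second sample is constructed, and the parser assumes realm blocks are written across several lines as in the sample above.

```python
import re

# Configuration from this page, plus a constructed file whose default realm has no kdc entry.
PAGE_SAMPLE = """
[libdefaults]
    forwardable = true
    default_realm = MYREALM.INT
[realms]
    MYREALM.INT = {
        kdc = MY_KDC.MYREALM.INT
    }
"""
MISSING_KDC = """
[libdefaults]
    default_realm = MYREALM.INT
[realms]
    OTHER.INT = {
        kdc = kdc1.other.int
    }
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] or {subkey: [values]}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # new [section]
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":                        # end of a realm block
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                     # start of a realm block
                block = section.setdefault(key, {})
            else:                                # keys such as kdc may repeat
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def check_kdc(text):
    """Return (default_realm, kdc_list, status) for the given configuration text."""
    conf = parse_krb5(text)
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return (None, [], "no default_realm in [libdefaults]")
    realm_block = conf.get("realms", {}).get(realm)
    kdcs = realm_block.get("kdc", []) if isinstance(realm_block, dict) else []
    return (realm, kdcs, "ok" if kdcs else "no kdc for default realm")
```

To check a real file, pass its contents, for example `check_kdc(open("/etc/krb5.conf").read())`.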