Enabling Kerberos authentication in TrueSight Capacity Optimization


This document describes how to manually enable Kerberos authentication in TrueSight Capacity Optimization.

Prerequisites

Ensure that the following requirements are met:

  1. You have administrator privileges for accessing TrueSight Capacity Optimization.
  2. The TrueSight Capacity Optimization 20.02 patch 1 (20.02.01) is applied on all the components. For information about downloading and applying the patch, see 20-02-01-Patch-1-for-TrueSight-Capacity-Optimization-20-02.
  3. Verify that the services for all installed components are RUNNING.

Enabling Kerberos authentication using the database SID

Configuration steps

  1. Stop all the TrueSight Capacity Optimization services. For details on stopping the services, see System-level-administration-overview.
  2. Perform the following configuration updates on each host computer that is running the Data Hub, Web component, and Scheduler (except Remote ETL Engine) component. 
    1. Take a backup of the $BCO_HOME/env.sh shell script.
    2. Edit the $BCO_HOME/env.sh shell script.
      1. Add the following sections below the BCO_ORACLE_USE_LDAP property:
        1. Kerberos authentication properties:

          #Kerberos Authentication Properties
          DB_ORA_AUTH_SVC="( KERBEROS5 )"
          DB_ORA_MUTUAL_AUTH=true
          KERBEROS_CONF_FILE=<Location of the Kerberos configuration file>
          # For example: KERBEROS_CONF_FILE=/etc/krb5.conf
        2. By default, Capacity Optimization looks for the Kerberos credential cache file in the /tmp folder. If this location is not customized, the KERBEROS5_CC_NAME property need not be configured. If this location is customized (in sqlnet.ora), configure the KERBEROS5_CC_NAME parameter in the env.sh script.

          KERBEROS5_CC_NAME=<location of Kerberos credential cache file>
          export KERBEROS5_CC_NAME
        3. Add the DB_CONN_PROPS property:

          DB_CONN_PROPS="oracle.net.authentication_services=( KERBEROS5 );oracle.net.kerberos5_mutual_authentication=true;"
        4. Append the KERBEROS5_CC_NAME property to DB_CONN_PROPS:
          1. If a custom Kerberos credential cache file is configured:

            DB_CONN_PROPS="oracle.net.authentication_services=( KERBEROS5 );oracle.net.kerberos5_mutual_authentication=true;oracle.net.kerberos5_cc_name=<location of Kerberos CC File>"
          2. If a custom Kerberos credential cache file is not used, no modifications are required.

            DB_CONN_PROPS="oracle.net.authentication_services=( KERBEROS5 );oracle.net.kerberos5_mutual_authentication=true;"
      2. Set the DBUSR variable to blank:

        DBUSR=
      3. Add the following section after the export BCO_ORACLE_USE_LDAP line in the env.sh script:

        export DB_ORA_AUTH_SVC
        export DB_ORA_MUTUAL_AUTH
        export KERBEROS_CONF_FILE
        export DB_CONN_PROPS
        # Pass the Kerberos configuration file to the JVM only when one is configured
        if [ -n "$KERBEROS_CONF_FILE" ]; then
            KERBEROS_JAVA_OPTS="-Djava.security.krb5.conf=$KERBEROS_CONF_FILE"
        else
            KERBEROS_JAVA_OPTS=""
        fi
      4. Search for the following variables in the env.sh script and add $KERBEROS_JAVA_OPTS to the initialization value of each variable, as shown in the example for each:

        1. DATAHUB_JAVA_OPTS

          DATAHUB_JAVA_OPTS="-Dcpit.component=datahub -Xms$DATAHUB_HEAP_SIZE -Xmx$DATAHUB_HEAP_SIZE -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$DATAHUB_HEAPDUMP_PATH $TRUSTSTORE_JAVA_OPTS $AUTH_TLS_OPTS $INTERNAL_TLS_OPTS  $KERBEROS_JAVA_OPTS  -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Djava.io.tmpdir=$TMPDIR -Dfile.encoding=UTF-8 -server $CLIENT_JVMFLAGS"
        2. SERVICECONTAINER_JAVA_OPTS

          SERVICECONTAINER_JAVA_OPTS="-Dcpit.component=servicecontainer -Xms$SERVICECONTAINER_HEAP_SIZE -Xmx$SERVICECONTAINER_HEAP_SIZE -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$SERVICECONTAINER_HEAPDUMP_PATH $TRUSTSTORE_JAVA_OPTS $AUTH_TLS_OPTS $INTERNAL_TLS_OPTS  $KERBEROS_JAVA_OPTS  -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Djava.io.tmpdir=$TMPDIR -Dfile.encoding=UTF-8 -server $CLIENT_JVMFLAGS"
        3. SCHEDULER_JAVA_OPTS

          SCHEDULER_JAVA_OPTS="-Dcpit.component=scheduler -Xms$SCHEDULER_HEAP_SIZE -Xmx$SCHEDULER_HEAP_SIZE -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$SCHEDULER_HEAPDUMP_PATH    $TRUSTSTORE_JAVA_OPTS $AUTH_TLS_OPTS $INTERNAL_TLS_OPTS   $KERBEROS_JAVA_OPTS  -Djava.awt.headless=true -Djava.io.tmpdir=$TMPDIR -Dfile.encoding=UTF-8 -server $CLIENT_JVMFLAGS"
        4. WEB_JAVA_OPTS

          WEB_JAVA_OPTS="-Dcpit.component=web -Xms$WEB_HEAP_SIZE -Xmx$WEB_HEAP_SIZE -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$WEB_HEAPDUMP_PATH  $TRUSTSTORE_JAVA_OPTS $AUTH_TLS_OPTS $INTERNAL_TLS_OPTS   $KERBEROS_JAVA_OPTS  -Djava.awt.headless=true -Dweb.base=$WEBBASE -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false -Dfile.encoding=UTF-8 -server -Djava.io.tmpdir=$TMPDIR $CLIENT_JVMFLAGS"
        5. ETL_JAVA_OPTS

          ETL_JAVA_OPTS="-Dcpit.component=etl -Xmx$ETL_HEAP_SIZE -Djava.awt.headless=true   $TRUSTSTORE_JAVA_OPTS   $KERBEROS_JAVA_OPTS  -Djava.io.tmpdir=$TMPDIR -Dfile.encoding=UTF-8"
        6. DYN_OPTIMIZER_JAVA_OPTS

          DYN_OPTIMIZER_JAVA_OPTS=" -Xmx$DYN_OPTIMIZER_HEAP_SIZE -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=$DYN_OPTIMIZER_HEAPDUMP_PATH $KERBEROS_JAVA_OPTS "
      5. Comment out the following line that loads the secure passwords:

        . $CPITBASE/.secdbpwd
    3. Data Source properties configuration: Add or update the following in all the property files listed below:

      Name of the file

      1. $BCO_HOME/web/conf/ds.properties
      2. $BCO_HOME/scheduler/conf/ds.properties
      3. $BCO_HOME/datahub/conf/ds.properties
      4. $BCO_HOME/datahub/conf/ds_wh.properties
      5. $BCO_HOME/servicecontainer/conf/ds.properties

      Required updates

      1. Take a backup of all the files before updating them.
      2. Append the : character in the username and securePassword properties:
        • username=${DBUSR:}
        • securePassword=${SECDBPWD:}
      3. Add the connectionProperties property:
        • connectionProperties=${DB_CONN_PROPS:}
  3. Execute the following queries as the admin user (sys) to set BCO_OWN as an external user.

    ALTER USER BCO_OWN IDENTIFIED EXTERNALLY AS 'BCO_OWN@BMC.COM' DEFAULT TABLESPACE BCO TEMPORARY TABLESPACE TEMP QUOTA UNLIMITED ON BCO;
    GRANT BCO_OWN_ROLE TO BCO_OWN;
    GRANT BCO_REP_ROLE TO BCO_OWN;
    ALTER USER BCO_OWN DEFAULT ROLE ALL;
    ALTER USER BCO_OWN QUOTA UNLIMITED ON BCO;
    ALTER USER BCO_OWN QUOTA UNLIMITED ON BCO_IDX;
    ALTER USER BCO_OWN QUOTA UNLIMITED ON BCO_DATA;
    ALTER USER BCO_OWN QUOTA UNLIMITED ON BCO_DATA_IDX;
    ALTER USER BCO_REP IDENTIFIED EXTERNALLY AS 'BCO_REP@BMC.COM' TEMPORARY TABLESPACE TEMP;
    GRANT BCO_REP_ROLE TO BCO_REP;
    ALTER USER BCO_REP DEFAULT ROLE ALL;
  4. Ensure that the BCO_OWN user is an external user in the Capacity Optimization database and that this user is able to log in to the TrueSight Capacity Optimization host using Kerberos authentication.
  5. Ensure that an active Kerberos session, accessible to the Capacity Optimization service user, is available on all the TrueSight Capacity Optimization hosts.
    For example, if TrueSight Capacity Optimization is running with cpit user privileges, the Kerberos session should be initiated by the cpit user.
  6. Restart all the TrueSight Capacity Optimization services on all the host computers. For details on stopping the services, see System-level-administration-overview.
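
The env.sh edits in the configuration steps above are easy to leave half done: a DBUSR value still set, the .secdbpwd line still sourced, or one *_JAVA_OPTS variable missed. The following shell lint checks for exactly those edits; it is an added example, not BMC code, and the function names check_env_sh and make_sample and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BMC code): lint env.sh for the Kerberos edits on this page.
# Function names and the sample file are constructed for illustration.

# check_env_sh FILE: prints one line per problem; exit status = number of problems.
check_env_sh() {
    _f=$1; _n=0
    _fail() { echo "FAIL: $1"; _n=$((_n + 1)); }
    # DBUSR must be set to blank.
    grep -Eq '^[[:space:]]*DBUSR=[[:space:]]*$' "$_f" || _fail "DBUSR is not blank"
    # The line that loads the secure passwords must be commented out.
    if grep -Eq '^[[:space:]]*\.[[:space:]]+\$CPITBASE/\.secdbpwd' "$_f"; then
        _fail ".secdbpwd is still sourced"
    fi
    # The last DB_CONN_PROPS assignment wins; it needs both Oracle Net properties.
    _p=$(grep -E '^[[:space:]]*DB_CONN_PROPS=' "$_f" | tail -n 1)
    for _want in 'oracle.net.authentication_services=( KERBEROS5 );' \
                 'oracle.net.kerberos5_mutual_authentication=true;'; do
        case $_p in
            *"$_want"*) ;;
            *) _fail "DB_CONN_PROPS lacks $_want" ;;
        esac
    done
    # Every component's JVM options must include $KERBEROS_JAVA_OPTS.
    for _v in DATAHUB SERVICECONTAINER SCHEDULER WEB ETL DYN_OPTIMIZER; do
        grep -E "^[[:space:]]*${_v}_JAVA_OPTS=" "$_f" |
            grep -Fq '$KERBEROS_JAVA_OPTS' || _fail "${_v}_JAVA_OPTS lacks \$KERBEROS_JAVA_OPTS"
    done
    return "$_n"
}

# make_sample FILE: writes a constructed, correctly edited env.sh fragment.
make_sample() {
    {
        echo 'DBUSR='
        echo 'DB_CONN_PROPS="oracle.net.authentication_services=( KERBEROS5 );oracle.net.kerberos5_mutual_authentication=true;"'
        echo '#. $CPITBASE/.secdbpwd'
        for _v in DATAHUB SERVICECONTAINER SCHEDULER WEB ETL DYN_OPTIMIZER; do
            echo "${_v}_JAVA_OPTS=\"-Xmx1g \$KERBEROS_JAVA_OPTS\""
        done
    } > "$1"
}

# Lint the file given as an argument, or a constructed sample when none is given.
if [ $# -gt 0 ]; then target=$1; else target=$(mktemp); make_sample "$target"; fi
check_env_sh "$target" && echo "env.sh: Kerberos settings look complete"
```

Run it against $BCO_HOME/env.sh before restarting the services; the exit status is the number of problems found.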


Enabling Kerberos authentication using the database service name

Prerequisites

On the machine where you have installed the database, ensure that the following requirements are met:

  1. Check the service name used in the database.

    show parameter service_names;
  2. If the service name is not set to your domain name, modify the service name property. 

    alter system set service_names='ORA121DB.bmc.com' scope=spfile;
  3. (Optional) If you do not need domain name in the service, use the following steps to remove the domain name.
    1. Check the service domain used in the database.

      show parameters db_domain;
    2. Modify the service domain and set it to an empty string.

      alter system set db_domain='' scope=spfile;

Configuration steps

  1. Stop all the TrueSight Capacity Optimization services. For details on stopping the services, see System-level-administration-overview.
  2. Perform the following configuration updates on the client (Application Server) and the database machine. 
    1. Add the service name property in the $ORACLE_HOME/network/admin/tnsnames.ora file.

      ORA121DB.bmc.com =
      (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <HOST NAME>)(PORT = 1521))
          (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = <service_name>)
          )
      )

    2. (Optional. Required only if you are using an external database connection) Change the service_name with SID in the $BCO_HOME/dbconn/tnsnames.ora file.

      ORA121DB.bmc.com=
        (DESCRIPTION=
          (ADDRESS=
            (PROTOCOL=TCP)
            (HOST=abc.xyz.BMC.COM)
            (PORT=1521)
          )
          (CONNECT_DATA=
            (SERVER=default)
            (SID=<DB_SID>)
            (SERVICE_NAME=<service_name>)
          )
        )

    3. Edit the $BCO_HOME/env.sh shell script.
      1. If you are using the database SID, verify and update the values of the JDBCURL, ORACLE_SID, ORACLE_SERVICENAME, and DBSID in the env.sh file as shown below:

        JDBCURL="jdbc:oracle:thin:@//pqr.zzz.bmc.com:1521:SID"
        ORACLE_SID=<SID>
        ORACLE_SERVICENAME=service_name
        DBSID=$ORACLE_SID
      2. If you are using the database service name, verify and update the values of the JDBCURL, ORACLE_SID, ORACLE_SERVICENAME, and DBSID in the env.sh file as shown below:

        JDBCURL="jdbc:oracle:thin:@<DB_SERVER>:<PORT>/service_name"
        # Example: JDBCURL="jdbc:oracle:thin:@abc.xyz.BMC.COM:1521/ORA121DB.bmc.com"
        ORACLE_SID=<SID>
        ORACLE_SERVICENAME=service_name
        DBSID=$ORACLE_SERVICENAME

    4. Restart all the TrueSight Capacity Optimization services on all the host computers. For details on stopping the services, see System-level-administration-overview.


 


BMC TrueSight Capacity Optimization 20.02