NOTE
This document is confidential and proprietary of Denodo Technologies.
No part of this document may be reproduced in any form by any means without
prior written authorization of Denodo Technologies.
Contents
User Authentication
Creating a new user
User Authorization
Creating roles
Assigning roles in Solution Manager
LDAP Authentication
Create a data source from Active Directory
Import roles from MS Active Directory
Configure database with LDAP authentication
Enabling LDAP Authentication in Solution Manager
Advanced Privileges
Assign advanced privileges to LDAP users
Single Sign On
Configuring Single Sign On using Keycloak
Security in Transit
Enabling TLS using the TLS Configurator Script
Connecting to a secure data server using TLS
Further work
User Authentication
Reference: DEN80EDU21S01
The aim of this lab is to understand the different types of users and authentication available
in the Denodo Platform. You will have to:
1. Open the Virtual DataPort Administration Tool and log in with these credentials:
● Username: admin
● Password: admin
2. Navigate to Administration in the menu bar and choose User Management.
● Login: local_user
● Authentication: Normal
● Password: local
● Password : local
7. What is the output? Why is there an error, and what does the error signify?
8. We will look at how to get past this error in the upcoming lab.
User Authorization
Reference: DEN80EDU21S02
Creating roles
Reference: DEN80EDU22ADS04LAB01
The aim of this lab is to explore user privileges and roles. A role is a collection of
privileges that can be assigned to users. We will continue from the previous lab, where we created a
user called local_user, to whom we will grant privileges to connect to the Virtual DataPort. Let's get
started. We will:
3. Click the New option and provide the values below to create the new role.
a. Name: vdp_developer
5. Select the role vdp_developer and click Assign Privileges to access the privilege menu.
a. Connect
b. Metadata
c. Execute
d. Write
8. Assign the role to the user we created in the previous lab to allow the user to inherit this
privilege. You have to:
a. Login: local_user
b. Password: local
The aim of this lab is to help us understand the authorization settings available in Solution
Manager for users. In this lab we are going to set up a user and a role to access various
environments in Solution Manager. The steps are:
a. Login: admin
b. Password: admin
a. Name: developer_solution_manager
b. Description: Developer.
5. Let's create a user for the Solution Manager to inherit the role.
● Name: solution_manager_user
● Password: denodo
6. Now that we have the user and a role assigned, let's continue to configure the
permissions for the role
b. Click the Key symbol in the Training environment and provide all privileges.
7. We have all the required users, roles and permissions. Let's test them.
● User: solution_manager_user
● Password: denodo
c. Choose the environment from the My Applications area to see the tools for
specific environments.
LDAP Authentication
Reference: DEN80EDU21S03
The aim of this lab is to explore the setup required by the Virtual DataPort to successfully integrate
with an LDAP server in the organization. To achieve this we are going to create an LDAP data source that
will allow us to communicate with LDAP. The steps are:
a. Login: admin
b. Password: admin
2. Click File > New > Datasource > LDAP and enter the below details.
a. Name: ds_active_directory
c. Login: uid=admin,ou=system
d. Password: admin
The aim of this lab is to further explore the integration of the Denodo Platform with LDAP. In the previous
lab we created the connection to LDAP from the Virtual DataPort. Let's import the
entitlements, that is, the roles from the LDAP server, which simplifies role management. We will:
Note: Please check that these roles do not have any other roles or privileges assigned other
than the ones mentioned above.
a. Login: admin
b. Password: admin
a. Database: denodo_training
b. Datasource: ds_active_directory
4. Select all the roles of the LDAP and click Create roles.
The aim of this lab is to configure the Virtual Database to allow login using LDAP. This continues
the previous labs on integrating with LDAP for authorization. So far we have created a
data source to connect to LDAP and imported the existing groups as roles. To finish the setup we
will configure the Virtual Database to delegate authentication to LDAP. We will:
a. Database: denodo_training
b. Datasource: ds_active_directory
6. We have set up LDAP authentication successfully. Let's validate the settings.
b. Login with the user with IT role, use the below credentials.
● cward3 / Denodo00
● rmurray2 / Denodo00
● hrice23 / Denodo00
The aim of this lab is to outline the steps for configuring LDAP authentication with Solution
Manager. As with Virtual DataPort, you can perform the LDAP integration with Solution Manager
as well, including importing roles and providing the relevant permissions. The steps are:
1. Open Solution Manager Administration tool and login with default admin credentials.
a. Login: admin
b. Password: admin
c. Login: uid=admin,ou=system
d. Password: admin
3. Import the roles from LDAP by following the steps below:
b. Click on Import Roles from LDAP and provide the details below for the fields.
4. Inherit a role we configured in the previous lab to set up permissions. Do the following:
a. Login: mcrawford9
b. Password: Denodo00
Advanced Privileges
Reference: DEN80EDU21S04
The aim of this lab is to configure advanced column and row restrictions for the views to ensure the
data privacy requirements are met. We will:
1. Login to Virtual DataPort Administration Tool with the default admin credentials.
6. Choose the fields ‘employee id’, ‘first name’, ‘last name’, ‘email’, ‘salary’, ‘manager id’
and ‘department id’ and click OK.
8. Add conditions by clicking the “Plus” icon and add the condition below:
a. concat(getsession('user'),'@mail.com
10. Choose Salary as a sensitive field by clicking the plus icon next to the field.
● rmurray2 / Denodo00
● What views can you see? Can you execute all the views?
● dcox19 / Denodo00
● Let's execute the same view but with selected fields. Execute the statement below in the
VQL Shell.
● Next, let's try to access the sensitive field and see what the results are.
Single Sign On
Reference: DEN80EDU21S06
The aim of this lab is to walk through the steps required to set up Single Sign On with Keycloak in
Virtual DataPort. Starting with Denodo 8.0, Single Sign On is possible with an external IdP using various
schemas, like OAuth, OpenID and SAML, along with the existing Kerberos SSO. The steps are:
c. Credentials:
d. Click the Clients on the explorer on the left side of Administration Console
g. Select the user cward3 and click evaluate to generate a sample token.
2. Configure the Solution Manager to use Keycloak for SSO.
Note: Get the client ID by clicking on Client on the left side, choosing Denodo 80 and copying the
client ID. Paste it in SM.
Note: Get the client secret by clicking on Client on the left side, choosing Denodo 80, navigating to
Credentials and copying the client secret. Paste it in SM.
● Issuer: http://data-server:8585/auth/realms/denodo
● JWKS URL: http://data-server:8585/auth/realms/denodo/protocol/openid-connect/certs
Note: Go to the Realm Settings (available on the left side of the admin console). Click on
OpenID Endpoint configuration. Then enter the values for User authorization URL, Access
token URL, Issuer and JWKS URL from this configuration (mostly based on the format above).
● Scopes: openid,profile,email,roles
3. Validate the roles with permissions to enable users with the role to login.
b. Ensure that the LDAP roles are present with the appropriate privileges, as per the
previous lab.
d. Ensure that the appropriate permissions are given to the role “IT” which is going
to be used
4. Log out of the Solution Manager Administration Tool and log back in using the Single Sign On
option. Instead of admin, use the credentials below on the Keycloak login page.
5. Launch Design Studio from My Applications and access
the tool without logging in again.
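The note above says to copy the User authorization URL, Access token URL, Issuer and JWKS URL from the realm's OpenID Endpoint configuration. The following check is an added example, not part of the original lab or of Denodo's tooling: it maps a discovery document onto those four fields and flags values that are missing, not served over HTTPS, not under the issuer, or scopes the IdP does not advertise. The function name `sso_settings` and the sample document are constructed; only the issuer and JWKS URL come from the lab, and the other two endpoint paths are assumed.

```python
from urllib.parse import urlsplit

# Constructed sample of a realm's OpenID Endpoint Configuration document.
# issuer and jwks_uri are the lab's values; the other endpoints are assumed.
SAMPLE_DISCOVERY = {
    "issuer": "http://data-server:8585/auth/realms/denodo",
    "authorization_endpoint": "http://data-server:8585/auth/realms/denodo/protocol/openid-connect/auth",
    "token_endpoint": "http://data-server:8585/auth/realms/denodo/protocol/openid-connect/token",
    "jwks_uri": "http://data-server:8585/auth/realms/denodo/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
}

# Form field name (as used in the note) -> key in the discovery document.
FIELD_TO_KEY = {
    "User authorization URL": "authorization_endpoint",
    "Access token URL": "token_endpoint",
    "Issuer": "issuer",
    "JWKS URL": "jwks_uri",
}

def sso_settings(discovery, scopes="openid,profile,email,roles"):
    """Return (form_values, warnings) for the SSO form from a discovery document."""
    values, warnings = {}, []
    issuer = discovery.get("issuer", "")
    for field, key in FIELD_TO_KEY.items():
        url = discovery.get(key)
        if not url:
            warnings.append(f"{field}: '{key}' missing from discovery document")
            continue
        values[field] = url
        parts = urlsplit(url)
        if parts.scheme != "https":
            warnings.append(f"{field}: {parts.scheme or 'no scheme'} is not HTTPS")
        # Every endpoint should live under the issuer; another host or realm
        # usually means a value was copied from the wrong configuration.
        if key != "issuer" and not url.startswith(issuer.rstrip("/") + "/"):
            warnings.append(f"{field}: not under issuer {issuer}")
    supported = set(discovery.get("scopes_supported", []))
    for scope in scopes.split(","):
        if scope.strip() not in supported:
            warnings.append(f"Scopes: '{scope.strip()}' not advertised by the IdP")
    return values, warnings

if __name__ == "__main__":
    values, warnings = sso_settings(SAMPLE_DISCOVERY)
    for label, text in list(values.items()) + [("WARNING", w) for w in warnings]:
        print(f"{label}: {text}")
```

With the lab's plain-HTTP values, the only warnings are the four "not HTTPS" entries.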
Security in Transit
Reference: DEN80EDU21S08
The aim of this lab is to configure TLS using the TLS Configurator Script, which is a new utility
introduced in Denodo 8 to simplify the secure connection setup in the Denodo Platform. The steps
are:
1. Stop all the servers that are running on the Denodo Platform.
2. Change to the Denodo Home Folder and launch the command prompt by typing cmd on
the address bar.
3. Generate a key pair (public and private key) using the keytool utility of the JRE. Use the
command below.
● What is your first and last name?: Denodo Virtual DataPort Server
● Press enter to confirm to use the same password as Keystore for the
private key.
Note: The above values are suggestions, enter the values that suit your case.
Ignore the warning about the JKS and PKCS12 keystores, as PKCS12 is not compatible with
the Web Tools.
4. Export the public certificate out of the keystore. Use the command below.
b. Enter the password, denodo, to initiate the export. If you have used a different
password while generating the keypair, please use it.
6. Encrypt the keystore password and truststore password using the encrypt script located
under the <DENODO_HOME>/bin folder. Execute the commands below:
a. encrypt_password.bat denodo
b. encrypt_password.bat changeit
a. keystore.password=<encrypted_value>
b. truststore.password=<encrypted_value>
9. Open a CMD from the <DENODO_HOME>/bin folder and execute the following command to
enable TLS (modify DENODO_HOME accordingly):
a. denodo_tls_configurator.bat --keystore
<DENODO_HOME>\denodo_server_key_store.jks --cert-cer-file
<DENODO_HOME>\denodo_server_public_key.cer --truststore
<DENODO_HOME>\jre\lib\security\cacerts --credentials-file
<DENODO_HOME>\tls.properties --denodo-home <DENODO_HOME>
10. Restart the servers and open the Denodo Platform Control Center.
The aim of this lab is to configure a web-based data source to check TLS certificates while
establishing the connection. The steps are:
a. WSDL: https://data-server:8443/product-ws/services/products-ws?wsdl
2. As this is a SOAP Web service data source, you have to source_refresh the
bv_product_by_category base view in order to get the new URL configuration.
3. Execute a query over the view bv_product_by_category and check that there is an error (as
the wrapper was not correctly initialized).
a. cd <DENODO_HOME>/jre/bin
c. Password: changeit
7. Source refresh the bv_product_by_category base view again and execute a query to get
the results.
Further work
Check the full training offering at https://www.denodo.com/en/services/education/courses
If you want to start using the Denodo Platform for creating your own scenarios, you can do that
in different ways:
● http://www.denodo.com/en/denodo-platform/denodo-express
● https://www.denodo.com/en/denodo-platform/test-drives
● Denodo Test Drives enables anyone to quickly and easily explore the benefits of
using data virtualization with Denodo Platform on the cloud. It is completely free of
charge for demonstration, education and evaluation purposes.
● https://www.denodo.com/en/denodo-platform/denodo-platform-for-aws
● https://www.denodo.com/en/denodo-platform/denodo-platform-for-azure
● https://www.denodo.com/en/denodo-platform/denodo-platform-google-cloud-platform