Kerberos authentication for JDBC clients
If your environment uses Kerberos to authenticate user access to the IBM® Netezza® databases, configure the JDBC client to manage authorization tickets.
The JDBC driver is responsible for obtaining the Kerberos tickets to authenticate user access to the Netezza database. This is different from the behavior in ODBC and OLE DB environments, where the client application is responsible for obtaining the tickets.
In a JDBC environment, your JDBC client must meet certain minimum requirements. Perform the following steps:
- Ensure that your client system has Java™ 1.6 or later installed.
- Change the login module class name in the login.conf file, based on the Java provider that you use:
  - For IBM Java: com.ibm.security.auth.module.Krb5LoginModule
  - For Oracle Java: com.sun.security.auth.module.Krb5LoginModule
- Set the java.security.auth.login.config system property to the login.conf file path through the application, or edit the <JAVA_HOME>/jre/lib/security/java.security file to add the following line:
    login.config.url.1=file:<LOGIN_CONF_FILE_PATH>
- Specify the value of the krbLoginModule name in the data source connection parameter as the name of the loginModule from the login.conf file. You must provide this value because the login method of loginContext reads this loginModule information from the login.conf file and uses the class that is mentioned in it to authenticate further.
  A sample login.conf file follows. In this example, the krbLoginModule name is loginModuleName.
    loginModuleName {
        com.sun.security.auth.module.Krb5LoginModule required
        debug = true
        storeKey = false;
    };
  The default login module name is EntryModuleName.
- Set the java.security.krb5.conf system property to the Kerberos configuration file name, or copy the configuration file to the default location on the client system. On UNIX and Linux® systems, the configuration file name is krb5.conf, and on Windows systems, the file name is krb5.ini. The following table shows the default locations for the Kerberos configuration file on various platforms:
Table 1. Default locations of Kerberos configuration files

| Platform | Default location |
| --- | --- |
| IBM AIX® | /etc/krb |
| HP Itanium | /etc |
| Linux not on System z® or PowerPC® | /etc |
| Linux on IBM System z | /etc |
| Linux on PowerPC | /etc |
| Oracle Solaris | /etc/krb |
| Windows | C:\winnt or C:\windows |

For more information, see The Kerberos configuration file (http://www.ibm.com/support/knowledgecenter/SS7JFU_7.0.0/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_config_krb5.html?cp=SS7JFU_7.0.0%2F1-15-2-314).
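The login.conf steps above can be checked before the JDBC driver is involved. The following is an added example, not IBM's code: it uses the standard JAAS Configuration API to confirm that the name you plan to pass as krbLoginModule exists in the login configuration and that its login module class is available in the running JVM, which catches an IBM versus Oracle class name mismatch. The class name KrbLoginConfCheck, the entry name missingEntry and the embedded sample file are constructed for illustration.

```java
import java.io.File;
import java.io.FileWriter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class KrbLoginConfCheck {
    // Constructed sample with the same content as the login.conf on this page.
    static final String SAMPLE =
        "loginModuleName {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "  debug = true storeKey = false;\n"
      + "};\n";

    // Returns null when the entry is usable, otherwise a description of the problem.
    static String check(String entryName) {
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        } catch (SecurityException se) {
            return "cannot load login configuration: " + se.getMessage();
        }
        if (entries == null || entries.length == 0) {
            return "no entry with this name in the login configuration";
        }
        for (AppConfigurationEntry entry : entries) {
            try {
                // Fails on a JVM that does not ship the class named in login.conf.
                Class.forName(entry.getLoginModuleName());
            } catch (ClassNotFoundException cnf) {
                return "class not available in this JVM: " + entry.getLoginModuleName();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Use the caller's login.conf when the system property is set; otherwise write the sample.
        if (System.getProperty("java.security.auth.login.config") == null) {
            File conf = File.createTempFile("login", ".conf");
            FileWriter w = new FileWriter(conf);
            w.write(SAMPLE);
            w.close();
            System.setProperty("java.security.auth.login.config", conf.getAbsolutePath());
        }
        // "missingEntry" is a hypothetical name used to show the failure case.
        for (String name : new String[] {"loginModuleName", "missingEntry"}) {
            String problem = check(name);
            System.out.println(name + ": " + (problem == null ? "OK" : problem));
        }
    }
}
```

Run it with -Djava.security.auth.login.config=<LOGIN_CONF_FILE_PATH> to check your own file instead of the embedded sample.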
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential
If this occurs, update your client Kerberos configuration file to include a [domain_realm] definition that identifies all the domains that you need to access and the Kerberos realm that controls the authentication requests. For example, if you have Netezza systems that are configured within the domains east.company.com and west.company.com and the Kerberos realm is MYKRB5.COMPANY.COM, add the following [domain_realm] definition to the Kerberos configuration file:
    [domain_realm]
    .company.com = MYKRB5.COMPANY.COM
    company.com = MYKRB5.COMPANY.COM
You can specify an entry for both east.company.com and west.company.com, but because there is a common part of the domain name (company.com), you can specify the common domain. If the domain names are unique, such as east.com and west.com, specify each unique domain for the locations where your Netezza systems are present.
For more information about configuring the Netezza appliance to use Kerberos authentication, see the security section in the IBM Netezza System Administrator’s Guide.