Kerberos authentication for JDBC clients

If your environment uses Kerberos to authenticate user access to the IBM® Netezza® databases, configure the JDBC client so that it can obtain Kerberos tickets on behalf of the connecting user.

The JDBC driver is responsible for obtaining the Kerberos tickets to authenticate user access to the Netezza database. This is different from the behavior in ODBC and OLE DB environments, where the client application is responsible for obtaining the tickets.

In a JDBC environment, your JDBC client must meet certain minimum requirements. Perform the following steps:

  • Ensure that your client system has Java™ 1.6 or later installed.
  • Change the login module class name in the login.conf file, based on the Java provider that you use:
    • For IBM Java: com.ibm.security.auth.module.Krb5LoginModule
    • For Oracle Java: com.sun.security.auth.module.Krb5LoginModule
  • Set the java.security.auth.login.config system property to the login.conf file path through the application, or edit the <JAVA_HOME>/jre/lib/security/java.security file to add the following line:
    login.config.url.1=file:<LOGIN_CONF_FILE_PATH>
  • Set the krbLoginModule connection parameter of the data source to the name of the login module entry in the login.conf file. This value is required because the driver calls the login method of a LoginContext, which looks up the entry by that name in login.conf and uses the login module class that the entry specifies to perform the Kerberos authentication.

    A sample login.conf file follows. In this example, the krbLoginModule name is loginModuleName.

    loginModuleName {
         com.sun.security.auth.module.Krb5LoginModule required
         debug = true storeKey = false;
    };
    
    The default login module name is EntryModuleName. The debug = true option makes the login module print diagnostic output to the console; set it to false after you verify that authentication works.
  • Set the java.security.krb5.conf system property to the Kerberos configuration file name, or copy the configuration file to the default location on the client system.
    On UNIX and Linux® systems, the configuration file name is krb5.conf, and on Windows systems, the file name is krb5.ini. The following table shows the default locations for the Kerberos configuration file on various platforms:
    Table 1. Default locations of Kerberos configuration files
    Platform                                 Default location
    IBM AIX®                                 /etc/krb
    HP Itanium                               /etc
    Linux not on System z® or PowerPC®       /etc
    Linux on IBM System z                    /etc
    Linux on PowerPC                         /etc
    Oracle Solaris                           /etc/krb
    Windows                                  C:\winnt or C:\windows

    For more information, see The Kerberos configuration file (http://www.ibm.com/support/knowledgecenter/SS7JFU_7.0.0/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_config_krb5.html?cp=SS7JFU_7.0.0%2F1-15-2-314).
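The following client program ties the steps above together. It is an added example, not code from the Netezza documentation or from the JDBC driver: it sets the two Java system properties in code (equivalent to passing them as -D options on the java command line), checks that the login.conf entry name resolves before the driver needs it, and passes that name to the driver through the krbLoginModule connection parameter. The file paths, host name, database name, principal and the org.netezza.Driver URL form are assumptions for illustration; the page documents only the krbLoginModule parameter, so any other driver property needed to select Kerberos login is outside this example. It uses try-with-resources and so needs Java 7 or later.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the Netezza documentation or driver): a JDBC client
 * that prepares the Kerberos/JAAS configuration before opening the connection.
 */
public class KerberosJdbcClient {

    // Hypothetical values, chosen only to illustrate the setup.
    static final String LOGIN_CONF  = "/etc/nz/login.conf";   // JAAS file, as in the sample above
    static final String KRB5_CONF   = "/etc/krb5.conf";       // C:\windows\krb5.ini on Windows
    static final String LOGIN_ENTRY = "loginModuleName";      // entry name inside login.conf
    static final String JDBC_URL    = "jdbc:netezza://nz1.east.company.com:5480/SALES";

    public static void main(String[] args) throws Exception {
        // 1. Point the JVM at the JAAS configuration and the Kerberos configuration.
        //    Equivalent to -Djava.security.auth.login.config=... -Djava.security.krb5.conf=...
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);
        System.setProperty("java.security.krb5.conf", KRB5_CONF);

        // 2. Preflight: constructing a LoginContext fails with LoginException when
        //    login.conf has no entry of this name. The driver performs the same
        //    lookup, so failing here gives a clearer message than a failure inside
        //    the driver. login() is deliberately not called; the driver does that.
        try {
            new LoginContext(LOGIN_ENTRY);
        } catch (LoginException e) {
            throw new IllegalStateException("No JAAS entry '" + LOGIN_ENTRY
                    + "' found via " + LOGIN_CONF + ": " + e.getMessage(), e);
        }

        // 3. Hand the entry name to the driver; the driver obtains the Kerberos ticket.
        Properties props = new Properties();
        props.setProperty("user", "alice@MYKRB5.COMPANY.COM"); // assumed principal
        props.setProperty("krbLoginModule", LOGIN_ENTRY);       // parameter named on this page

        try (Connection conn = DriverManager.getConnection(JDBC_URL, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT CURRENT_USER")) {
            while (rs.next()) {
                System.out.println("Connected as " + rs.getString(1));
            }
        } catch (SQLException e) {
            // A GSSAPI "No credential" failure at this point usually means the
            // host's domain is not mapped to a realm in [domain_realm] (see the
            // note about multiple domains on this page).
            System.err.println("Connection failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with the Netezza JDBC driver on the class path; if the JAAS entry name is wrong the program stops at step 2 with a message naming the entry and file, before any network traffic to the appliance.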

In addition, if you use the IBM Java runtime environment and you have several Netezza appliances that are in different domains, your JDBC client connection to some of the systems might fail with the following error:
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential
If this occurs, update your client Kerberos configuration file to include a [domain_realm] definition that identifies all the domains that you need to access and the Kerberos realm that controls the authentication requests. For example, if you have Netezza systems that are configured within the domains east.company.com and west.company.com and the Kerberos realm is MYKRB5.COMPANY.COM, add the following [domain_realm] definition to the Kerberos configuration file:
[domain_realm]
.company.com = MYKRB5.COMPANY.COM
company.com = MYKRB5.COMPANY.COM
You could list east.company.com and west.company.com as separate entries, but because they share the suffix company.com, a single entry for the common domain covers both. The entry with the leading dot (.company.com) matches any host in a subdomain of company.com; the entry without the dot matches only a host named exactly company.com. If the domain names share no common suffix, such as east.com and west.com, add an entry for each domain in which a Netezza system is present.
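To make the matching rule concrete, here is an added example (not part of the Netezza documentation) that parses a constructed [domain_realm] section and resolves host names the way the Kerberos library does: the exact host name is tried first, then each parent domain with a leading dot (.east.company.com, .company.com, .com). The sample configuration text and host names are constructed for the example; the [libdefaults] section is included only to show that the parser skips other sections.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added example: how a [domain_realm] section maps a host name to a realm. */
public class DomainRealmLookup {

    /** Parse the [domain_realm] section of krb5.conf-style text into host/domain -> REALM. */
    static Map<String, String> parseDomainRealm(String krb5Conf) {
        Map<String, String> map = new LinkedHashMap<String, String>();
        boolean inSection = false;
        for (String raw : krb5Conf.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[")) {            // section header
                inSection = line.equals("[domain_realm]");
                continue;
            }
            if (!inSection) continue;
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            map.put(line.substring(0, eq).trim().toLowerCase(Locale.ROOT),
                    line.substring(eq + 1).trim());
        }
        return map;
    }

    /**
     * Exact host first, then parent domains with a leading dot.
     * Returns null when nothing matches, i.e. the host needs its own entry.
     */
    static String realmFor(String host, Map<String, String> domainRealm) {
        String h = host.toLowerCase(Locale.ROOT);
        String realm = domainRealm.get(h);
        if (realm != null) return realm;
        int dot = h.indexOf('.');
        while (dot >= 0) {
            realm = domainRealm.get(h.substring(dot)); // substring keeps the leading dot
            if (realm != null) return realm;
            dot = h.indexOf('.', dot + 1);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the [domain_realm] example on this page.
        String conf = "[libdefaults]\n"
                    + "  default_realm = MYKRB5.COMPANY.COM\n"
                    + "\n"
                    + "[domain_realm]\n"
                    + "  .company.com = MYKRB5.COMPANY.COM\n"
                    + "  company.com = MYKRB5.COMPANY.COM\n";
        Map<String, String> m = parseDomainRealm(conf);

        System.out.println(realmFor("nz1.east.company.com", m)); // MYKRB5.COMPANY.COM via .company.com
        System.out.println(realmFor("nz2.west.company.com", m)); // MYKRB5.COMPANY.COM via .company.com
        System.out.println(realmFor("company.com", m));          // MYKRB5.COMPANY.COM via exact entry
        System.out.println(realmFor("nz3.east.com", m));         // null: east.com needs its own entry
    }
}
```

The last lookup is the case that produces the "No credential" error above: a Netezza host in a domain with no matching [domain_realm] entry cannot be mapped to a realm, so the client has no service ticket to present.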

For more information about configuring the Netezza appliance to use Kerberos authentication, see the security section in the IBM Netezza System Administrator’s Guide.