Establishing Kerberos authentication through RACF

Kerberos is a network authentication technology that was developed at the Massachusetts Institute of Technology. Kerberos does not require passwords to flow across the network in readable text; instead, it uses encrypted tickets that carry authentication information for the users.

About this task

Db2 can use Kerberos security services to authenticate remote users. With Kerberos security services, a remote user supplies a Kerberos name and password to access Db2 and can use that same name and password for access throughout the network, so a separate password for Db2 is unnecessary.

A remote user who is authenticated to Db2 by means of Kerberos authentication must be registered in RACF® profiles. An organization that runs a Kerberos server establishes its own realm. The name of the realm in which a client is registered is part of the client's name, and the application server can use that realm name to accept or reject a request.

Procedure

To authenticate and register a remote user in RACF profiles:

  1. Define the local Kerberos realm to RACF by issuing the following command:
    RDEFINE REALM KERBDFLT KERB(KERBNAME(localrealm) PASSWORD(mykerpw))

    You must specify the name of the local realm in the definition. You must also specify a Kerberos password, from which RACF generates the key it uses to grant Kerberos tickets. Note that the KERB segment is closed by its own parenthesis; a missing closing parenthesis is a common typing error in this command.

  2. Define local principals to RACF by issuing the following commands (AU and ALU are the abbreviated forms of ADDUSER and ALTUSER):
    AU RONTOMS KERB(KERBNAME(rontoms))
    ALU RONTOMS PASSWORD(new1pw) NOEXPIRE

    RACF generates a local principal's Kerberos key from its RACF password when the password is changed after the KERB segment exists, so make sure to change RACF passwords before the principals become active Kerberos users.

  3. Map foreign Kerberos principals to RACF user IDs by defining KERBLINK profiles with a command similar to the following:
    RDEFINE KERBLINK /.../KERB390.ENDICOTT.IBM.COM/RWH APPLDATA('RONTOMS')

    The profile name has the form /.../foreign-realm/principal, and APPLDATA names the RACF user ID that the foreign principal maps to. In this example, the principal RWH in realm KERB390.ENDICOTT.IBM.COM is mapped to the RACF user ID RONTOMS.

    The ssnmDIST started task address space (the Db2 distributed data facility) must have the RACF authority to use the SAF ticket parsing service, so you must also define a principal name for the user ID that ssnmDIST runs under. In this example that user ID is SYSDSP:
    ALU SYSDSP PASSWORD(pw) NOEXPIRE KERB(KERBNAME(SYSDSP))
  4. Define foreign Kerberos authentication servers to the local Kerberos authentication server by issuing the following command (the trailing + continues the command on the next line):
    RDEFINE REALM /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM +
    KERB(PASSWORD(realm0pw))

    You must supply a password, from which the key for this trust relationship is generated. REALM profiles define the trust relationship between the local realm and the foreign Kerberos authentication servers; the foreign authentication server must hold the same key (in practice, the same password on both sides), or cross-realm tickets cannot be validated. PASSWORD is a required keyword, so all REALM profiles have a KERB segment.
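The following is an added example, not code from the IBM documentation or from Db2 or RACF themselves: a small Python lint that reads a sequence of RACF commands like the four steps above, joins TSO "+" continuation lines, and checks the consistency rules the procedure implies: exactly one local realm (REALM KERBDFLT) with both KERBNAME and PASSWORD, every REALM trust profile with a PASSWORD, every KERBLINK profile naming a realm that some REALM trust profile covers and a user ID that has been defined, every principal that gets a KERBNAME also getting a password change, and balanced parentheses in each command. The sample commands are constructed for the example; the local realm name KER2000.ENDICOTT.IBM.COM is an assumed value (the page does not say which realm in its step 4 example is local), and the UNTRUSTED.EXAMPLE.COM KERBLINK is a deliberate mistake for the lint to catch.

```python
"""Consistency lint for RACF commands that set up Kerberos for Db2.

Added example only: it models the rules stated in the procedure, it is not
RACF, and it does not talk to a z/OS system.
"""
import re

# Constructed sample input: the procedure's commands with the placeholder
# local realm filled in (KER2000.ENDICOTT.IBM.COM is an assumed value) plus one
# deliberate mistake, a KERBLINK for a realm that has no REALM trust profile.
SAMPLE_COMMANDS = """\
RDEFINE REALM KERBDFLT KERB(KERBNAME(KER2000.ENDICOTT.IBM.COM) PASSWORD(mykerpw))
AU RONTOMS KERB(KERBNAME(rontoms))
ALU RONTOMS PASSWORD(new1pw) NOEXPIRE
RDEFINE KERBLINK /.../KERB390.ENDICOTT.IBM.COM/RWH APPLDATA('RONTOMS')
RDEFINE KERBLINK /.../UNTRUSTED.EXAMPLE.COM/EVE APPLDATA('RONTOMS')
ALU SYSDSP PASSWORD(pw) NOEXPIRE KERB(KERBNAME(SYSDSP))
RDEFINE REALM /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM +
KERB(PASSWORD(realm0pw))
"""

# TSO continues a command on the next line when the line ends with " +".
CONTINUATION = re.compile(r"\s\+\s*$")


def join_continuations(text):
    """Join TSO continuation lines so that each command is one logical line."""
    commands, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CONTINUATION.search(line):
            current += CONTINUATION.sub(" ", line)
        else:
            commands.append(current + line)
            current = ""
    if current:
        commands.append(current.rstrip())   # dangling "+": keep what was read
    return commands


def _operand(name, command):
    """Value of NAME(value) or NAME('value') in a command, or None if absent."""
    m = re.search(r"\b" + name + r"\('?([^')]*)'?\)", command, re.IGNORECASE)
    return m.group(1) if m else None


def parse_command(command):
    """Describe one RACF command: verb, target, and the Kerberos-relevant operands."""
    tokens = command.split()
    verb = tokens[0].upper()
    entry = {"text": command, "verb": verb, "class": None, "profile": None,
             "user": None,
             "kerbname": _operand("KERBNAME", command),
             "password": _operand("PASSWORD", command),
             "appldata": _operand("APPLDATA", command),
             "balanced": command.count("(") == command.count(")")}
    if verb in ("RDEFINE", "RDEF") and len(tokens) >= 3:
        entry["class"], entry["profile"] = tokens[1].upper(), tokens[2]
    elif verb in ("AU", "ADDUSER", "ALU", "ALTUSER") and len(tokens) >= 2:
        entry["user"] = tokens[1].upper()
    return entry


def lint(text):
    """Return a list of findings; an empty list means the commands are consistent."""
    findings = []
    entries = [parse_command(c) for c in join_continuations(text)]

    for e in entries:
        if not e["balanced"]:
            findings.append(f"unbalanced parentheses in: {e['text']}")

    local = [e for e in entries
             if e["class"] == "REALM" and e["profile"].upper() == "KERBDFLT"]
    if len(local) != 1:
        findings.append(f"expected one local realm (REALM KERBDFLT), found {len(local)}")
    for e in local:
        if not (e["kerbname"] and e["password"]):
            findings.append("local realm needs both KERBNAME and PASSWORD")

    # Trust profiles are named /.../realmA/KRBTGT/realmB; collect both realms.
    trusted = set()
    for e in entries:
        if e["class"] == "REALM" and e["profile"].upper() != "KERBDFLT":
            parts = e["profile"].split("/")      # ["", "...", A, "KRBTGT", B]
            if len(parts) == 5 and parts[3].upper() == "KRBTGT":
                trusted.update(p.upper() for p in (parts[2], parts[4]))
            else:
                findings.append(f"malformed REALM trust profile name: {e['profile']}")
            if not e["password"]:
                findings.append(f"REALM profile {e['profile']} lacks required PASSWORD")

    # KERBLINK profiles are named /.../realm/principal; the realm must be trusted
    # and APPLDATA must name a user ID that was defined.
    users = {e["user"] for e in entries if e["user"]}
    for e in entries:
        if e["class"] == "KERBLINK":
            parts = e["profile"].split("/")
            realm = parts[2].upper() if len(parts) == 4 else None
            if realm is None:
                findings.append(f"malformed KERBLINK profile name: {e['profile']}")
            elif realm not in trusted:
                findings.append(f"KERBLINK {e['profile']} names realm {realm}, "
                                "but no REALM trust profile covers that realm")
            if e["appldata"] and e["appldata"].upper() not in users:
                findings.append(f"KERBLINK {e['profile']} maps to undefined user "
                                f"{e['appldata']}")

    # A local principal's key comes from its RACF password, so each user given a
    # KERBNAME must get a PASSWORD in that command or a later one.
    keyed = set()
    for e in entries:
        if e["user"] and e["kerbname"]:
            keyed.discard(e["user"])     # KERB segment (re)defined, key not yet made
        if e["user"] and e["password"]:
            keyed.add(e["user"])
    for e in entries:
        if e["user"] and e["kerbname"] and e["user"] not in keyed:
            findings.append(f"user {e['user']} has a KERBNAME but no password change after it")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_COMMANDS):
        print(finding)
```

Run stand-alone, the script reports only the KERBLINK for UNTRUSTED.EXAMPLE.COM; feed it the realm definition from step 1 with its closing parenthesis dropped and it reports the unbalanced command instead. The realm check is the security-relevant one: a KERBLINK for a realm with no trust profile is harmless on its own, but it is the kind of leftover that quietly becomes a valid mapping the day someone adds a trust profile for that realm.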

What to do next

Data sharing environments: In a data sharing sysplex that uses Kerberos security, a Kerberos Security Server instance must run on each system in the sysplex. The instances must either be in the same realm and share the same RACF database, or be in different realms with different RACF databases.