To customize the Kerberos authentication behavior of the DB2® security system, you can develop
your own Kerberos authentication plug-ins or purchase one from a third
party.
Before you begin
If you want to deploy a new version of an existing plug-in,
you must stop the DB2 server
and any applications using the plug-in. Undefined behaviors, including
traps, occur if a process is using a plug-in when you deploy a new
version of that plug-in (with the same name).
About this task
The Kerberos authentication plug-in can be deployed on a
database server or a database client.
Procedure
- To deploy a Kerberos authentication plug-in on the database server, perform the following steps on the server:
  - Copy the Kerberos authentication plug-in library into the server plug-in directory.
  - Update the setting of the srvcon_gssplugin_list database manager configuration parameter, which is an ordered, comma-delimited list, to include the Kerberos server plug-in name. Only one plug-in in this list can be a Kerberos plug-in: if the list contains no Kerberos plug-in, or more than one, an error is returned. If the configuration parameter value is blank and the authentication configuration parameter is set to KERBEROS or KRB_SERVER_ENCRYPT, the default DB2 Kerberos plug-in, IBMkrb5, is used.
  - If necessary, set the value of the srvcon_auth database manager configuration parameter. If you want to deploy a Kerberos plug-in, the acceptable values for the srvcon_auth database manager configuration parameter are as follows:
    - KERBEROS
    - KRB_SERVER_ENCRYPT
    - GSSPLUGIN
    - GSS_SERVER_ENCRYPT
    - Blank, but only if the authentication configuration parameter is set to one of the previous values in this list.
- To deploy a Kerberos authentication plug-in on a database client, perform the following steps on the client:
  - Copy the Kerberos authentication plug-in library into the client plug-in directory.
  - Set the clnt_krb_plugin database manager configuration parameter to the name of the Kerberos plug-in. If the value of the clnt_krb_plugin configuration parameter is blank, the client cannot use Kerberos authentication. On Windows, the default value is IBMkrb5; it only needs to be altered for a customized Kerberos plug-in. On UNIX, the value must be set because the default value is blank.
- For local authorization on a client, server, or gateway using a Kerberos authentication plug-in, perform the following steps:
  - Copy the Kerberos authentication plug-in library into the client plug-in directory on the client, server, or gateway.
  - Set the clnt_krb_plugin database manager configuration parameter to the name of the plug-in.
  - Set the authentication database manager configuration parameter to KERBEROS or KRB_SERVER_ENCRYPT.
- Optional: Catalog the databases that the client will access, indicating that the client will use only a Kerberos authentication plug-in. The following example catalogs the testdb database:
  CATALOG DB testdb AT NODE testnode AUTHENTICATION KERBEROS TARGET PRINCIPAL service/host@REALM
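As an added pre-flight check (example code written for this page, not part of the DB2 documentation or product), the following Python reads the parameter values from a constructed excerpt in the layout of db2 get dbm cfg output and applies the rules of the procedure above: the srvcon_auth fallback to authentication, the "exactly one Kerberos plug-in" rule for srvcon_gssplugin_list, the IBMkrb5 default, and the Windows-only default for clnt_krb_plugin. It assumes the (PARAMETER) = value layout of that output and treats NOT_SPECIFIED as a blank srvcon_auth; because the page names only IBMkrb5, the set of plug-in names that count as Kerberos plug-ins is passed in by the caller.

```python
import re

# Values the procedure accepts for srvcon_auth when a Kerberos plug-in is deployed.
KERBEROS_SRVCON_AUTH = {"KERBEROS", "KRB_SERVER_ENCRYPT", "GSSPLUGIN", "GSS_SERVER_ENCRYPT"}
# authentication values under which a blank srvcon_gssplugin_list falls back to IBMkrb5.
KERBEROS_AUTH = {"KERBEROS", "KRB_SERVER_ENCRYPT"}
DEFAULT_KRB_PLUGIN = "IBMkrb5"

# Constructed excerpt in the layout of 'db2 get dbm cfg' output (not captured from a real system).
SAMPLE_SERVER_CFG = """\
 Database manager authentication               (AUTHENTICATION) = KERBEROS
 Server Connection Authentication                  (SRVCON_AUTH) = NOT_SPECIFIED
 Server List of GSS Plugin Libraries      (SRVCON_GSSPLUGIN_LIST) =
 Client Kerberos Plugin                       (CLNT_KRB_PLUGIN) =
"""

def parse_dbm_cfg(text):
    """Collect (PARAMETER) = value pairs; a missing value parses as the empty string."""
    return {m.group(1): m.group(2).strip() for m in re.finditer(r"\((\w+)\)\s*=[ \t]*(.*)", text)}

def check_server(cfg, kerberos_plugins=frozenset({DEFAULT_KRB_PLUGIN})):
    """Apply the server-side rules; return (effective Kerberos plug-in or None, list of problems)."""
    problems = []
    auth = cfg.get("AUTHENTICATION", "").upper()
    srvcon_auth = cfg.get("SRVCON_AUTH", "").upper()
    if srvcon_auth in ("", "NOT_SPECIFIED"):  # assumption: NOT_SPECIFIED is the blank default
        srvcon_auth = auth  # blank srvcon_auth is only acceptable if authentication qualifies
    if srvcon_auth not in KERBEROS_SRVCON_AUTH:
        problems.append(f"srvcon_auth resolves to {srvcon_auth or 'blank'}, which is not a Kerberos/GSS value")
    plugins = [p.strip() for p in cfg.get("SRVCON_GSSPLUGIN_LIST", "").split(",") if p.strip()]
    if not plugins:
        if auth in KERBEROS_AUTH:
            return DEFAULT_KRB_PLUGIN, problems  # blank list: the default IBMkrb5 plug-in is used
        problems.append("srvcon_gssplugin_list is blank and authentication is not KERBEROS/KRB_SERVER_ENCRYPT")
        return None, problems
    krb = [p for p in plugins if p in kerberos_plugins]
    if len(krb) != 1:  # zero or more than one Kerberos plug-in in the list is an error
        problems.append(f"srvcon_gssplugin_list must name exactly one Kerberos plug-in, found {len(krb)}")
        return None, problems
    return krb[0], problems

def check_client(cfg, windows=False):
    """Apply the client-side rule: blank clnt_krb_plugin defaults to IBMkrb5 only on Windows."""
    name = cfg.get("CLNT_KRB_PLUGIN", "")
    if name:
        return name, []
    if windows:
        return DEFAULT_KRB_PLUGIN, []
    return None, ["clnt_krb_plugin is blank, so this client cannot use Kerberos authentication"]
```

Run check_server on the parsed output before restarting the server after a plug-in change; a non-empty problems list points at the parameter the procedure says must be corrected.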