DB2 10.5 for Linux, UNIX, and Windows

Kerberos authentication

Kerberos is a third-party network authentication protocol that employs a system of shared secret keys to securely authenticate a user in an unsecured network environment. The DB2® database system provides support for the Kerberos authentication protocol on AIX®, HP-UX, Solaris, Linux IA32 and AMD64, and Windows operating systems.


Kerberos authentication is managed by a three-tiered system in which encrypted service tickets, rather than a plain-text user ID and password pair, are exchanged between the application server and client. These encrypted service tickets, called credentials, are provided by a separate server called the Kerberos Key Distribution Center (KDC). Credentials have a finite lifetime and are understood only by the client and the server. These features reduce the risk of a security exposure, even if the ticket is intercepted from the network. Each user, or principal in Kerberos terms, possesses a private encryption key that is shared with the KDC. Collectively, the principals and computers that are registered with a KDC are known as a realm.

One key feature of Kerberos is that it provides a single sign-on environment: a user must verify identity only once to access the resources within the Kerberos realm. This single sign-on environment means that a user can connect or attach to a DB2 database server without providing a user ID or password. Another advantage is that the administration of user identification is simplified because Kerberos uses a central repository for principals. Finally, Kerberos supports mutual authentication, which enables the client to validate the identity of the server.


Before you can use Kerberos with a DB2 database system, you must install and configure the Kerberos layer on all computers. For a typical configuration, you must meet the following requirements:
  • Create the appropriate principals.
  • Ensure that the client and server computers and principals belong to the same realm or to trusted realms. Trusted realms are known as trusted domains in Windows terminology.
  • Where appropriate, create server keytab files.
  • Synchronize the time clocks on all computers. Kerberos typically permits a 5-minute time skew; if there is more than a 5-minute time skew, a preauthentication error occurs during an attempt to obtain credentials.