Setting up Kerberos for a Db2 server
Before you can use Kerberos authentication with a Db2® database system, you must install and configure the Kerberos layer on every computer involved (the server and each client). The steps on this page cover a typical configuration.
Before you begin
If you are using a Linux® or Sun Solaris operating system, ensure that no Kerberos libraries other than the krb5 library are installed on your system. Otherwise, Kerberos authentication fails, and a message is logged in the db2diag log files.
If you are using a Linux or Sun Solaris operating system, uninstall any instances of the IBM® Network Authentication Service (NAS) Toolkit, and remove any reference to the NAS installation path locations from the system PATH variable.
About this task
For additional details on installing and configuring Kerberos products on your systems, see the documentation provided with your Kerberos product.
The Kerberos plug-in shipped with the Db2 product is installed in the following directories under the instance directory:
- On UNIX and Linux 32-bit operating systems: the sqllib/security32/plugin/IBM/client and sqllib/security32/plugin/IBM/server directories
- On UNIX and Linux 64-bit operating systems: the sqllib/security64/plugin/IBM/client and sqllib/security64/plugin/IBM/server directories
- On Windows operating systems: the sqllib\security\plugin\IBM\client and sqllib\security\plugin\IBM\server directories
Kerberos and groups
Kerberos has no concept of groups. As a result, the Db2 database instance relies on the local operating system to obtain the group list for a Kerberos principal. On UNIX and Linux operating systems, this means that every principal needs an equivalent operating system account: for the principal name@REALM, Db2 queries the local operating system for all groups to which the operating system user name belongs. If no such operating system user exists, the AUTHID belongs only to the PUBLIC group, so the principal can authenticate but holds none of the privileges granted through other groups.
On Windows operating systems, a domain account is automatically associated with a Kerberos principal. The additional step of creating a separate operating system account is not required.
Kerberos keytab files
To accept security context requests, every Kerberos service on a UNIX or Linux operating system must place its credentials in a keytab file. This requirement applies to the principals that the Db2 database instance uses as server principals. Only the default keytab file is searched for the server key (for MIT Kerberos this is /etc/krb5.keytab unless overridden by the KRB5_KTNAME environment variable or the default_keytab_name setting in krb5.conf), and the file must be readable by the Db2 instance owner. For instructions on adding a key to the keytab file, see the documentation provided with the Kerberos product.
Windows operating systems have no keytab file; the system automatically stores and acquires the credentials for a principal. The keytab step therefore applies only to Linux and UNIX servers.
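The two Linux/UNIX checks described above (that each principal maps to an existing operating system account, and that the server principal has a key in the keytab) are the ones most often missed, so here is a pre-flight script that performs them, plus the PATH check from "Before you begin". This is an added example, not code from the IBM documentation: the function names, the sample principal db2srv/db2host.example.com@EXAMPLE.COM, the constructed keytab listing and the assumed NAS Toolkit install prefix /usr/krb5 are all illustrative.

```shell
#!/bin/sh
# Added example (not from the Db2 documentation): pre-flight checks for a
# Db2 server's Kerberos setup on Linux/UNIX. Principal names, paths and the
# sample keytab listing below are assumptions for illustration.

# Db2 maps the principal name@REALM to the OS user "name" and takes the
# group list from the OS. Print that user's groups, or return 1 when the
# account is missing (the AUTHID would then belong to PUBLIC only).
principal_groups() {
    _user=${1%%@*}                       # strip the @REALM part
    if ! id "$_user" >/dev/null 2>&1; then
        echo "no OS account '$_user' for principal $1: AUTHID gets PUBLIC only" >&2
        return 1
    fi
    id -Gn "$_user"
}

# Read a keytab listing in the format printed by 'klist -kt' on stdin and
# return 0 if the given principal is present, 1 otherwise.
# Real use:  klist -kt | keytab_has_principal db2srv/host@REALM
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Return 0 if any element of the PATH string $1 starts with prefix $2.
# Used to detect leftover NAS Toolkit directories (assumed prefix /usr/krb5).
path_has_prefix() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q "^$2"
}

# Constructed sample of 'klist -kt' output (not captured from a real system).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 db2srv/db2host.example.com@EXAMPLE.COM
   2 01/01/2024 00:00:00 host/db2host.example.com@EXAMPLE.COM'

# Demo run against the sample data and the current OS user.
demo() {
    if principal_groups "$(id -un)@EXAMPLE.COM" >/dev/null; then
        echo "group mapping OK for $(id -un)"
    fi
    if printf '%s\n' "$SAMPLE_KEYTAB_LISTING" |
        keytab_has_principal 'db2srv/db2host.example.com@EXAMPLE.COM'; then
        echo "server key present in keytab listing"
    else
        echo "server key missing: add it with the Kerberos product's keytab tool" >&2
    fi
    if path_has_prefix "$PATH" /usr/krb5; then
        echo "warning: PATH still references the NAS Toolkit prefix /usr/krb5" >&2
    else
        echo "PATH clean"
    fi
}
```

On a real server replace the constructed listing with the output of klist -kt run as the Db2 instance owner, so that the check also proves the keytab is readable by the account that actually runs the instance.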
To set up Kerberos for a Db2 server:
- Install Kerberos by performing one of the following steps:
  - For AIX® operating systems, install the NAS (Network Authentication Services) Toolkit for Db2 on AIX, Version 1.4 or later. You can download the NAS package from https://www.ibm.com/services/forms/preLogin.do?source=dm-nas.
  - For Linux operating systems, install the Kerberos package, krb5, that is included on your operating system installation media.
  - For Sun Solaris operating systems, the Kerberos service is included in the Solaris 10 release. No additional installation is required.
  - For Windows operating systems, enable Active Directory on your domain controller.
- Configure the Db2 product to use the Kerberos plug-in. See Deploying a Kerberos plug-in.
- Restart the Db2 server so that the instance loads the plug-in.