Enabling Kerberos authentication in Federation server for an ODBC wrapper
Kerberos is a secure network authentication protocol that employs a system of shared secret keys to authenticate a user in an unsecured network environment. Kerberos is designed for academic and enterprise organizations where there is a single source of truth regarding identity, authentication and authorization.
Before you begin
About this task
Kerberos authentication is managed by a three-tiered system in which encrypted service tickets, rather than a plain-text user ID and password pair, are exchanged between the application server and client. These encrypted service tickets, called credentials, are provided by a separate server called the Kerberos Key Distribution Center (KDC). Each user, or principal in Kerberos terms, possesses a private encryption key that is shared with the KDC.
One key feature of Kerberos is that it provides a single sign-on environment that enables a user to connect to a federation server without providing a user ID or password.
Kerberos authentication is supported for the following ODBC drivers:
- Driver for Apache Hive
- DB2® Wire Protocol
- Greenplum Wire Protocol
- Impala Wire Protocol
- Oracle Wire Protocol
- PostgreSQL Wire Protocol
- SQL Server Wire Protocol
- Sybase Wire Protocol
- Driver for the Teradata Database
The following procedure describes the steps required to enable Kerberos authentication in a federation server for an ODBC wrapper. This method supports both Windows Active Directory Kerberos and MIT Kerberos environments.
- Configure Kerberos server.
  - Install and configure the Kerberos Key Distribution Center (KDC). Add principals to the KDC server by using the following commands:
    kadmin: addprinc username/full.hostname@realmname
    kadmin: ktadd -k username.keytab username/full.hostname@realmname
    kadmin is the administrative user and username is the principal.
- Configure Kerberos client.
  - Install the Kerberos client. The Kerberos client must be installed on the same server as the Federation server.
  - Get a ticket-granting ticket (TGT). Note: In Federation, two options are accepted for initializing the Kerberos credential cache. One is the client principal name and the other is the keytab file that stores the password of the client principal.
- Configure data source to use Kerberos authentication.
  - Run the following commands on the federation server:
    create wrapper odbc library 'libdb2rcodbc.so' options(DB2_FENCED 'Y', module 'sqllib/federation/odbc/lib/libodbc.so');
    create server servername type type version ver authorization "uid" password "password" options(host 'hostname', port 'port', dbname 'database', SERVER_PRINCIPAL_NAME 'servicename/hostname@REALMNAME', password 'Y', pushdown 'Y');
    create user mapping for user server servername options(remote_authid 'username/hostname@REALMNAME', CLIENT_PRINCIPAL_NAME 'username/hostname@REALMNAME', KERBEROS_KEYTAB '/path/to/user.keytab');
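The three steps above chained together in one script, as an added example that is not part of the original documentation and not IBM code: it derives the kadmin commands, the kinit commands (MIT `kinit -k -t` syntax) and the federation DDL from a single set of parameters, so the principal string cannot drift between the KDC, the credential cache and the user mapping, and it checks principal syntax, realm case and keytab file permissions before anything is run. The user name `fedadmin`, hosts `fed1.example.com` and `pg1.example.com`, realm `EXAMPLE.COM`, server name `pgsrv`, service name `postgres`, database `inventory` and keytab path `/home/db2inst1/fedadmin.keytab` are constructed placeholders; the type, version, authorization id and password fall back to the page's own placeholders.

```python
import os
import re
import stat

# Principal syntax used throughout the procedure: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^/@\s]+))?@(?P<realm>[^@\s]+)$")


def parse_principal(principal):
    """Split a principal into primary/instance/realm; ValueError if malformed or realm not upper case."""
    match = PRINCIPAL_RE.match(principal)
    if not match:
        raise ValueError("malformed principal: %r" % principal)
    parts = match.groupdict()
    if parts["realm"] != parts["realm"].upper():  # realms are case-sensitive
        raise ValueError("realm is not upper case: %r" % parts["realm"])
    return parts


def kdc_commands(username, hostname, realm, keytab):
    """kadmin commands for the 'Configure Kerberos server' step."""
    principal = "%s/%s@%s" % (username, hostname, realm)
    parse_principal(principal)  # fail early on a bad principal
    return ["addprinc %s" % principal,
            "ktadd -k %s %s" % (os.path.basename(keytab), principal)]


def client_commands(principal, keytab):
    """kinit commands for the 'Get a TGT' step: password prompt, or keytab."""
    parse_principal(principal)
    return ["kinit %s" % principal, "kinit -k -t %s %s" % (keytab, principal)]


def federation_ddl(server, realm, service, dshost, username, fedhost, keytab,
                   host, port, dbname, dstype="type", version="ver",
                   authid="uid", authpw="password"):
    """The three statements of the 'Configure data source' step, in order."""
    server_principal = "%s/%s@%s" % (service, dshost, realm)
    client_principal = "%s/%s@%s" % (username, fedhost, realm)
    parse_principal(server_principal)
    parse_principal(client_principal)
    return [
        "create wrapper odbc library 'libdb2rcodbc.so' options(DB2_FENCED 'Y', "
        "module 'sqllib/federation/odbc/lib/libodbc.so');",
        "create server %s type %s version %s authorization \"%s\" password \"%s\" "
        "options(host '%s', port '%s', dbname '%s', SERVER_PRINCIPAL_NAME '%s', "
        "password 'Y', pushdown 'Y');"
        % (server, dstype, version, authid, authpw, host, port, dbname,
           server_principal),
        "create user mapping for user server %s options(remote_authid '%s', "
        "CLIENT_PRINCIPAL_NAME '%s', KERBEROS_KEYTAB '%s');"
        % (server, client_principal, client_principal, keytab),
    ]


def check_keytab(path):
    """Findings about the keytab on disk (it holds the client's long-term key); [] means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab not found: %s" % path]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab %s is accessible to group/other (mode %04o); "
                        "expected 0600" % (path, mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("keytab %s is owned by uid %d, not by the current user"
                        % (path, st.st_uid))
    return findings


def check_mapping(remote_authid, client_principal, server_principal):
    """Consistency checks across the CREATE SERVER / CREATE USER MAPPING options."""
    findings = []
    client = parse_principal(client_principal)
    server = parse_principal(server_principal)
    if remote_authid != client_principal:
        findings.append("remote_authid and CLIENT_PRINCIPAL_NAME differ; the "
                        "procedure sets both to the client principal")
    if client["realm"] != server["realm"]:
        findings.append("client realm %s differs from server realm %s; this "
                        "example assumes one realm" % (client["realm"], server["realm"]))
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; none of them name a real deployment.
    username, fedhost, realm = "fedadmin", "fed1.example.com", "EXAMPLE.COM"
    keytab = "/home/db2inst1/fedadmin.keytab"
    for cmd in kdc_commands(username, fedhost, realm, keytab):
        print("kadmin:", cmd)
    for stmt in federation_ddl("pgsrv", realm, "postgres", "pg1.example.com",
                               username, fedhost, keytab, "pg1.example.com",
                               "5432", "inventory"):
        print(stmt)
```

Run `check_keytab` on the federation server as the OS account that reads the keytab: a keytab that group or other can read lets any local account on that host obtain tickets as the client principal, which is the same exposure as a readable password file.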