Enabling Kerberos authentication in a federation server for an ODBC wrapper

Kerberos is a secure network authentication protocol that employs a system of shared secret keys to authenticate a user in an unsecured network environment. Kerberos is designed for academic and enterprise organizations where there is a single source of truth regarding identity, authentication and authorization.

Before you begin

The Kerberos authentication method in Federation requires knowledge of how to configure your Kerberos environment.

About this task

Kerberos authentication is managed by a three-tiered system in which encrypted service tickets, rather than a plain-text user ID and password pair, are exchanged between the application server and client. These encrypted service tickets, called credentials, are provided by a separate server called the Kerberos Key Distribution Center (KDC). Each user, or principal in Kerberos terms, possesses a private encryption key that is shared with the KDC.

One key feature of Kerberos is that it provides a single sign-on environment that enables a user to connect to a federation server without providing a user ID or password.

The following data sources support Kerberos authentication in federation:
  • Driver for Apache Hive
  • DB2® Wire Protocol
  • Greenplum Wire Protocol
  • Impala Wire Protocol
  • Oracle Wire Protocol
  • PostgreSQL Wire Protocol
  • SQL Server Wire Protocol
  • Sybase Wire Protocol
  • Driver for the Teradata Database


The following procedure describes the steps required to enable Kerberos authentication in a federation server for an ODBC wrapper. This method supports both Windows Active Directory Kerberos and MIT Kerberos environments.


  1. Configure the Kerberos server.
    1. Install and configure the Kerberos Key Distribution Center (KDC). Add principals to the KDC server by using the following commands:
      kadmin: addprinc username/full.hostname@realmname
      kadmin: ktadd -k username.keytab username/full.hostname@realmname
      where kadmin is the administrative user and username is the principal.
  2. Configure the Kerberos client.
    1. Install the Kerberos client.

      The Kerberos client must be installed on the same server as the federation server.

    2. Get a ticket-granting-ticket (TGT).
      Note: In Federation, two options are accepted for initializing the Kerberos credential cache. One is the client principal name and the other is the keytab file that stores the password of the client principal.
  3. Configure the data source to use Kerberos authentication.
  4. Run the following commands on the federation server.
    create wrapper odbc library 'libdb2rcodbc.so' options(DB2_FENCED 'Y', module 'sqllib/federation/odbc/lib/libodbc.so');
    create server servername type type version ver authorization "uid" password "password" options(host 'hostname', port 'port', dbname 'database', SERVER_PRINCIPAL_NAME 'servicename/hostname@REALMNAME', password 'Y', pushdown 'Y');
    create user mapping for user server servername options(remote_authid 'username/hostname@REALMNAME', CLIENT_PRINCIPAL_NAME 'username/hostname@REALMNAME', KERBEROS_KEYTAB '/path/to/user.keytab');
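
The following pre-flight check for the keytab and principal used in step 2 and in the user mapping is an added example, not part of the original procedure or the product. It assumes the MIT Kerberos client tools (kinit, klist); the function names are hypothetical, and the caller supplies the principal and keytab path.

```shell
#!/bin/sh
# Added example: validate the values that go into CLIENT_PRINCIPAL_NAME and
# KERBEROS_KEYTAB before running CREATE USER MAPPING. Names are hypothetical.

# Return 0 if $1 has the primary/instance@REALM form used on this page.
valid_principal() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._-]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$'
}

# Return 0 only if the keytab is a regular, non-empty file (not a symlink)
# with no group/other permission bits. A keytab holds the principal's
# long-term key, so any account that can read it can obtain tickets as
# that principal.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] && [ -s "$kt" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$kt" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run both checks, then request a TGT from the keytab and list the cache.
# Exit codes: 2 = malformed principal, 3 = keytab missing or too permissive.
preflight() {
    principal=$1
    keytab=$2
    valid_principal "$principal" || {
        echo "malformed principal: $principal" >&2
        return 2
    }
    keytab_is_private "$keytab" || {
        echo "keytab missing or readable by group/other: $keytab" >&2
        return 3
    }
    if command -v kinit >/dev/null 2>&1; then
        kinit -k -t "$keytab" "$principal" && klist
    else
        echo "kinit not found; file checks passed" >&2
    fi
}
```

Run `preflight 'username/hostname@REALMNAME' /path/to/user.keytab` as the account that owns the federation server instance, so the permission check reflects what that account can read.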