Setting up Kerberos authentication for Db2 systems

Kerberos is a third-party network authentication protocol that employs a system of shared secret keys to securely authenticate a user in an unsecured network environment. Before you can use Kerberos authentication with a Db2® database system, you must install and configure the Kerberos layer on all affected servers and clients.

Whether a Db2 connection is authenticated with Kerberos depends on whether a security context can be successfully established from the credentials presented by the connecting application. Wherever the Kerberos implementation supports it, mutual authentication is used, so the client and the server must each prove their identity to the other. Other Kerberos features, such as the signing or encryption of messages, are not used: Kerberos protects only the authentication exchange, not the data that flows over the connection afterwards.

For additional details on installing and configuring Kerberos products on your systems, refer to the documentation provided with your Kerberos product.

Kerberos support for a Db2 database system is provided through the IBMkrb5 GSS-API security plug-in. This plug-in is used for both server and client authentication. The plug-in library is installed during Db2 installation in the following locations:
  • On UNIX and Linux® 32-bit operating systems: the sqllib/security32/plugin/IBM/client and sqllib/security32/plugin/IBM/server directories
  • On UNIX and Linux 64-bit operating systems: the sqllib/security64/plugin/IBM/client and sqllib/security64/plugin/IBM/server directories
  • On Windows operating systems: the sqllib\security\plugin\IBM\client and sqllib\security\plugin\IBM\server directories
The source code for the UNIX and Linux plug-in, IBMkrb5.C, is available in the sqllib/samples/security/plugins directory. For 64-bit Windows operating systems, the plug-in library is called IBMkrb564.dll.
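As an added example (not part of the IBM documentation and not Db2's own tooling), the following POSIX shell script turns the directory layout above into a pre-flight check: it computes where the IBMkrb5 plug-in library should sit for a given instance's sqllib directory, bit width and role, checks that a library is actually there, and prints the db2 CLP commands that switch the plug-in on. It assumes the UNIX and Linux layout (the Windows layout in the third bullet has no bit-width directory), matches the library file extension with a wildcard because the extension differs by platform, and names the database manager configuration parameters AUTHENTICATION, SRVCON_GSSPLUGIN_LIST and CLNT_KRB_PLUGIN, which are Db2 parameters that this page itself does not mention.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Pre-flight check for the
# IBMkrb5 GSS-API plug-in on UNIX/Linux. Only the paths listed in the text
# above are encoded here; the dbm cfg parameter names are Db2 parameters that
# this page does not name (assumption: AUTHENTICATION, SRVCON_GSSPLUGIN_LIST,
# CLNT_KRB_PLUGIN).

# plugin_dir SQLLIB BITS ROLE
#   Prints the directory that should hold the IBMkrb5 plug-in for the given
#   instance sqllib path, bit width (32|64) and role (client|server).
plugin_dir() {
  sqllib=$1; bits=$2; role=$3
  case "$bits" in
    32|64) ;;
    *) echo "plugin_dir: bits must be 32 or 64, got '$bits'" >&2; return 2 ;;
  esac
  case "$role" in
    client|server) ;;
    *) echo "plugin_dir: role must be client or server, got '$role'" >&2; return 2 ;;
  esac
  printf '%s/security%s/plugin/IBM/%s\n' "$sqllib" "$bits" "$role"
}

# plugin_present SQLLIB BITS ROLE
#   Succeeds (exit 0) when an IBMkrb5 shared library is installed in the
#   expected directory. The extension is not fixed here because it varies by
#   platform, so any IBMkrb5.* file counts.
plugin_present() {
  dir=$(plugin_dir "$1" "$2" "$3") || return 2
  set -- "$dir"/IBMkrb5.*
  [ -e "$1" ]
}

# enable_cmds ROLE
#   Prints the db2 CLP commands that enable the plug-in for that role. These
#   are printed rather than executed so the script is safe to run anywhere.
enable_cmds() {
  case "$1" in
    server)
      printf '%s\n' \
        "db2 update dbm cfg using AUTHENTICATION KERBEROS" \
        "db2 update dbm cfg using SRVCON_GSSPLUGIN_LIST IBMkrb5" ;;
    client)
      printf '%s\n' "db2 update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5" ;;
    *) echo "enable_cmds: role must be client or server" >&2; return 2 ;;
  esac
}

# kerberos_layer_ready
#   Succeeds when a Kerberos client is installed and a credentials cache with
#   tickets exists for the current user (klist exits non-zero otherwise).
kerberos_layer_ready() {
  command -v klist >/dev/null 2>&1 || return 1
  klist >/dev/null 2>&1
}

# Usage: sh check_krb_plugin.sh /home/db2inst1/sqllib 64
if [ $# -ge 2 ]; then
  for role in client server; do
    if plugin_present "$1" "$2" "$role"; then
      echo "ok: $role plug-in found in $(plugin_dir "$1" "$2" "$role")"
      echo "to enable it, run:"; enable_cmds "$role"
    else
      echo "missing: no IBMkrb5 library in $(plugin_dir "$1" "$2" "$role")"
    fi
  done
  kerberos_layer_ready && echo "ok: Kerberos tickets present" \
    || echo "warning: no Kerberos client or no ticket cache for this user"
fi
```

Run it as the instance owner with the sqllib path and the bit width of the instance; a "missing" line for the role you need means the Db2 installation is incomplete for that architecture, and the commands it prints are the minimum needed to switch the server or client over to the plug-in.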