To use Kerberos authentication for your Db2
instance, you first need to install and configure the Kerberos layer on all
affected clients.
Before you begin
Ensure that the following prerequisites are met before attempting to set up Kerberos
authentication on a Db2® client:
- The remote data source or the Db2 server must be
properly configured for Kerberos authentication.
- A valid Kerberos principal and ticket (TGT) must be available to the Db2 instance owner.
About this task
This procedure explains how to configure Db2 as a client to use
Kerberos authentication when connecting to a remote Kerberized Db2 server. This
procedure is different from that used to configure Db2 as a Kerberos server
and requires careful handling of Kerberos credentials and permissions.
Procedure
- Set the Kerberos credential cache environment variable, KRB5CCNAME.
export KRB5CCNAME=/tmp/krb5cc_db2client
The KRB5CCNAME
environment variable specifies the location of the Kerberos credential cache file. The
Db2 client needs access
to this file to run Kerberos authentication.
- Initialize Kerberos credentials. As the Db2 instance owner,
obtain a Kerberos ticket (TGT):
kinit db2inst1@EXAMPLE.COM
- Verify the ticket:
klist
Important: The credential cache file, /tmp/krb5cc_db2client in this example,
must be readable by the Db2 instance owner. If the ticket is obtained by another
user, such as the root user or a system account, the cache file is owned by that
user and the Db2 client might not be able to read it. In that case you see
permission errors such as "No Kerberos credentials available: Credentials cache
permissions incorrect". Run kinit as the instance owner, not as root, and make
sure KRB5CCNAME in the instance owner's environment points at that same file.
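The three steps above as one script, added here as an example and not part of the Db2 documentation. It sets KRB5CCNAME, obtains and lists the ticket as the instance owner, and then checks the cache file the way a practitioner would before opening a support case: the file must exist, be owned by the instance owner, and not be group- or world-accessible. The instance owner name db2inst1, the principal db2inst1@EXAMPLE.COM and the path /tmp/krb5cc_db2client are taken from the page; the function names, the environment variable overrides and the requirement that the cache be mode 0600 (stricter than the page's "readable by the instance owner") are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Db2 documentation): prepare and verify the
# Kerberos credential cache for a Db2 client. Assumes the krb5 client tools
# (kinit, klist) are installed and that this is run as the instance owner.

DB2_INSTANCE_OWNER="${DB2_INSTANCE_OWNER:-db2inst1}"           # assumed
DB2_PRINCIPAL="${DB2_PRINCIPAL:-db2inst1@EXAMPLE.COM}"         # from the page
DB2_CCACHE="${DB2_CCACHE:-/tmp/krb5cc_db2client}"              # from the page

# Print the owner of a file (third field of `ls -ld`); fail if it is missing.
ccache_owner() {
    [ -e "$1" ] || return 1
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# Return 0 when the cache file exists, is owned by the expected user and has
# no group/other permission bits (kinit creates it 0600); otherwise print the
# reason to stderr and return 1.
check_ccache() {
    path="$1"
    owner="$2"
    if [ ! -e "$path" ]; then
        echo "no credential cache at $path (run kinit as $owner first)" >&2
        return 1
    fi
    actual=$(ccache_owner "$path")
    if [ "$actual" != "$owner" ]; then
        echo "$path is owned by $actual, not $owner: Db2 will report" \
             "'Credentials cache permissions incorrect'" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$path" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$path is group/world accessible ($mode): other local users" \
             "could read or replace the TGT; chmod 600 it" >&2
        return 1
    fi
    return 0
}

# The client-side procedure from the page, end to end. Not called at load
# time; invoke db2_krb_client_setup as the instance owner.
db2_krb_client_setup() {
    if [ "$(id -un)" != "$DB2_INSTANCE_OWNER" ]; then
        echo "run this as $DB2_INSTANCE_OWNER, not $(id -un):" \
             "a cache created by another user is unusable by Db2" >&2
        return 1
    fi
    export KRB5CCNAME="$DB2_CCACHE"        # step 1: where Db2 looks for tickets
    kinit "$DB2_PRINCIPAL" || return 1     # step 2: obtain the TGT
    klist || return 1                      # step 3: show what was obtained
    check_ccache "$DB2_CCACHE" "$DB2_INSTANCE_OWNER"
}
```

Because KRB5CCNAME is exported only into the shell that runs this script, source it (`. ./db2_krb_client.sh && db2_krb_client_setup`) from the instance owner's login shell, or put the export in that user's profile, so the Db2 client process inherits the same value.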