Setting up Kerberos for a Db2 server

Before you can use Kerberos authentication with a Db2® database system, you must install and configure the Kerberos layer on every computer involved, clients as well as servers. For a typical configuration, follow the instructions on this page.

Before you begin

If you are using a Linux® operating system, ensure that no Kerberos libraries other than the krb5 library are installed on your system. Otherwise, Kerberos authentication fails, and a message is logged in the db2diag log files.

If you are using a Linux operating system, uninstall any instances of the IBM® Network Authentication Service (NAS) Toolkit, and remove any reference to the NAS installation path locations from the system PATH variable.

About this task

Whether a Db2 database accepts a Kerberos connection depends on whether a security context was successfully established from the credentials that the connecting application presents. Where the Kerberos implementation supports it, mutual authentication is used, so the client and the server must both prove their identities. Other Kerberos features, such as the signing or encryption of messages, are not used: the plug-in authenticates the connection but does not protect the data that subsequently flows over it.

For additional details on installing and configuring Kerberos products on your systems, refer to the documentation provided with your Kerberos product.

Kerberos support for a Db2 database system is provided through the IBMkrb5 GSS-API security plug-in. This plug-in is used for both server and client authentication. The plug-in library is installed during Db2 installation in the following locations:
  • On UNIX and Linux 32-bit operating systems: the sqllib/security32/plugin/IBM/client and sqllib/security32/plugin/IBM/server directories
  • On UNIX and Linux 64-bit operating systems: the sqllib/security64/plugin/IBM/client and sqllib/security64/plugin/IBM/server directories
  • On Windows operating systems: the sqllib\security\plugin\IBM\client and sqllib\security\plugin\IBM\server directories
The source code for the UNIX and Linux plug-in, IBMkrb5.C, is available in the sqllib/samples/security/plugins directory. For 64-bit Windows operating systems, the plug-in library is called IBMkrb564.dll.

Kerberos and groups

Kerberos has no concept of groups. As a result, the Db2 database instance relies on the local operating system to obtain the group list for a Kerberos principal. On UNIX and Linux operating systems, this requires an equivalent system account for each principal. For example, for the principal name@REALM, the Db2 database product collects group information by asking the local operating system for all groups to which the operating system user name belongs. If no such operating system user exists, the AUTHID belongs only to the PUBLIC group.

On Windows operating systems, a domain account is automatically associated with a Kerberos principal. The additional step of creating a separate operating system account is not required.

Kerberos keytab files

To accept security context requests, every Kerberos service on a UNIX or Linux operating system must place its credentials in a keytab file. This requirement applies to the principals that the Db2 database instance uses as server principals. Only the default keytab file is searched for the server key. Because the keytab holds the server principal's long-term key, anyone who can read it can impersonate the Db2 service; restrict read access to the instance owner. For instructions on adding a key to the keytab file, see the documentation provided with the Kerberos product.

There is no concept of a keytab file on Windows operating systems; the system automatically handles storing and acquiring the credentials for a principal.

You can specify the default keytab file name by using the KRB5_KTNAME environment variable. However, because the server plug-in runs inside a Db2 database engine process, an environment variable set in the instance owner's shell is not necessarily visible there. To make it visible, add KRB5_KTNAME to the DB2ENVLIST registry variable with the db2set command, then restart the instance so that the engine picks it up. Note that db2set assigns the whole value, so if DB2ENVLIST already lists other variables, include them in the new value:
db2set DB2ENVLIST=KRB5_KTNAME
Because Kerberos for Windows does not use keytab files, this option applies only to Linux and UNIX servers.
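The checks a practitioner wants after reading the group and keytab sections above, written as an added example; this is not IBM Db2 code and it does not call db2set, so that it runs without a Db2 instance. It checks that the operating system account matching a principal exists (the precondition for group resolution), that KRB5_KTNAME is present as a whole word in the DB2ENVLIST value you pass in, and that the keytab exists, is readable by the caller and is not readable by group or others. The function names, the sample db2set output, the FILE: prefix on KRB5_KTNAME (an MIT krb5 convention) and the temporary keytab used in the demo are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not IBM Db2 code): pre-flight checks for the Kerberos pieces a
# Db2 server needs on Linux/UNIX. Assumed names: the shell functions below,
# the constructed temp keytab used in the demo, and the sample db2set output.

# Strip the realm from a principal such as name@REALM and check that the
# local operating system has an account of that name, which Db2 needs in
# order to resolve the principal's group list.
principal_has_os_account() {
  user=${1%@*}
  id -u "$user" >/dev/null 2>&1
}

# Check that KRB5_KTNAME appears as a whole word in the DB2ENVLIST value.
# $1 is the text printed by `db2set DB2ENVLIST` (or the DB2ENVLIST=... line
# from plain `db2set`); passing it in keeps this runnable without Db2.
envlist_has_ktname() {
  val=${1#DB2ENVLIST=}
  case " $(printf '%s' "$val" | tr ',' ' ') " in
    *" KRB5_KTNAME "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check the keytab the engine will read: it must exist, be readable by the
# caller (run this as the instance owner), and must not be readable by group
# or others, because whoever can read it holds the server's long-term key.
# Returns 0 if OK, 1 if missing or unreadable, 2 if permissions are too open.
keytab_check() {
  f=$1
  [ -f "$f" ] || { echo "keytab $f: missing" >&2; return 1; }
  [ -r "$f" ] || { echo "keytab $f: not readable by $(id -un)" >&2; return 1; }
  # Columns 2-10 of `ls -ld` are owner/group/other bits; require group and
  # other to be all '-'. Works on GNU and BSD ls, ignores ACL/SELinux marks.
  perm=$(ls -ld "$f" | cut -c1-10)
  case "$perm" in
    ????------) return 0 ;;
    *) echo "keytab $f: mode $perm grants access to group/other" >&2; return 2 ;;
  esac
}

# Demo on constructed input: a temporary empty file stands in for the real
# keytab (the default keytab location comes from your krb5 configuration).
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/krb5.keytab"
  chmod 600 "$tmp/krb5.keytab"
  KRB5_KTNAME="FILE:$tmp/krb5.keytab"      # assumed value for the example
  ktpath=${KRB5_KTNAME#FILE:}

  principal_has_os_account "$(id -un)@EXAMPLE.COM" && echo "OS account for principal: OK"
  envlist_has_ktname "KRB5_KTNAME" && echo "DB2ENVLIST carries KRB5_KTNAME: OK"
  keytab_check "$ktpath" && echo "keytab $ktpath: OK"

  chmod 644 "$tmp/krb5.keytab"             # simulate a world-readable keytab
  keytab_check "$ktpath" || echo "keytab check correctly failed (rc=$?)"
  rm -rf "$tmp"
}

demo
```

Run it as the instance owner on the server; a non-zero return from keytab_check before db2start saves a failed Kerberos context that would otherwise surface only in db2diag.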

Procedure

To set up Kerberos for a Db2 server:

  1. Install Kerberos by performing one of the following steps:
    • For AIX® operating systems, install the NAS (Network Authentication Services) Toolkit for Db2 on AIX, Version 1.4 or later. You can download the NAS package from https://www.ibm.com/services/forms/preLogin.do?source=dm-nas.
    • For Linux operating systems, install the Kerberos package, krb5, that is included on your operating system installation media.
    • For Windows operating systems, ensure that Active Directory is enabled on your domain controller; Active Directory provides the Kerberos key distribution center, so no separate Kerberos package is needed.
  2. Configure the Db2 product to use the Kerberos plug-in. See Deploying a Kerberos plug-in.
  3. Restart the Db2 server.