Setting up Kerberos for a Db2 server
Before you can use Kerberos authentication with a Db2® database system, you must install and configure the Kerberos layer on all computers. For a typical configuration, you must follow the instructions on this page.
Before you begin
If you are using a Linux® operating system, ensure that no Kerberos libraries other than the krb5 library are installed on your system. Otherwise, Kerberos authentication fails, and a message is logged in the db2diag log files.
If you are using a Linux operating system, uninstall any instances of the IBM® Network Authentication Service (NAS) Toolkit, and remove any reference to the NAS installation path locations from the system PATH variable.
About this task
For additional details on installing and configuring Kerberos products on your systems, refer to the documentation provided with your Kerberos product.
- On UNIX and Linux 32-bit operating systems: the sqllib/security32/plugin/IBM/client and sqllib/security32/plugin/IBM/server directories
- On UNIX and Linux 64-bit operating systems: the sqllib/security64/plugin/IBM/client and sqllib/security64/plugin/IBM/server directories
- On Windows operating systems: the sqllib\security\plugin\IBM\client and sqllib\security\plugin\IBM\server directories
Kerberos and groups
Kerberos does not possess the concept of groups. As a result, the Db2 database instance relies upon the local operating system to obtain a group list for a Kerberos principal. For UNIX and Linux operating systems, this reliance requires an equivalent system account for each principal. For example, for the principal name@REALM, the Db2 database product collects group information by querying the local operating system for all group names to which the operating system user name belongs. If an operating system user name does not exist, the AUTHID belongs only to the PUBLIC group.
On Windows operating systems, a domain account is automatically associated with a Kerberos principal. The additional step of creating a separate operating system account is not required.
Kerberos keytab files
To accept security context requests, every Kerberos service on a UNIX or Linux operating system must place its credentials in a keytab file. This requirement applies to those principals that the Db2 database instance uses as server principals. Only the default keytab file is searched for the server key. For instructions on adding a key to the keytab file, see the documentation provided with the Kerberos product.
There is no concept of a keytab file on Windows operating systems; the system automatically handles storing and acquiring the credentials for a principal.
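The group-lookup and keytab requirements above can be checked before the instance is started. The script below is an added example, not IBM's own code: the principal names and keytab path are placeholders, and the KRB5_KTNAME variable is the standard krb5 keytab override that the page exports to the instance through DB2ENVLIST.

```shell
#!/bin/sh
# Pre-flight checks for a Db2 server using Kerberos on Linux/UNIX.
# Constructed example; principals and paths below are placeholders.

# Db2 has no Kerberos group concept: it asks the local OS for the groups of
# the user part of the principal. A principal with no matching OS account
# ends up only in PUBLIC, so every server-side principal needs an account.
principal_has_os_account() {
    user=${1%%@*}              # strip the @REALM suffix
    id "$user" >/dev/null 2>&1
}

# Print the group list Db2 would derive for a principal (PUBLIC if none).
principal_groups() {
    user=${1%%@*}
    if id "$user" >/dev/null 2>&1; then
        id -Gn "$user"
    else
        echo PUBLIC
    fi
}

# The server key lives in a keytab; it should be a regular file readable by
# the instance owner only (no group/other permission bits). Parses ls -l so
# it works on any POSIX system, not only GNU coreutils.
keytab_is_protected() {
    [ -f "$1" ] || return 1
    others=$(ls -ld "$1" | cut -c5-10)   # group and other mode bits
    [ "$others" = "------" ]
}

# A non-default keytab named via the standard krb5 variable KRB5_KTNAME is
# only visible to the instance when the variable is listed in DB2ENVLIST
# (db2set DB2ENVLIST=KRB5_KTNAME). Pass the output of "db2set DB2ENVLIST",
# a space-separated list of variable names.
envlist_exports_ktname() {
    for var in $1; do
        [ "$var" = "KRB5_KTNAME" ] && return 0
    done
    return 1
}

# Example run against placeholder values (replace with your own):
#   principal_has_os_account db2inst1@EXAMPLE.COM && echo "OS account ok"
#   principal_groups db2inst1@EXAMPLE.COM
#   keytab_is_protected "${KRB5_KTNAME:-/etc/krb5.keytab}" && echo "keytab ok"
#   envlist_exports_ktname "$(db2set DB2ENVLIST)" && echo "DB2ENVLIST ok"
```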
db2set DB2ENVLIST=KRB5_KTNAME
As keytab files are not used by Kerberos for Windows, this option is only available for a Linux or UNIX server.
Procedure
To set up Kerberos for a Db2 server: