Requirements for Kerberos security under the IBM Data Server Driver for JDBC and SQLJ

To set up the Kerberos security environment for the IBM® Data Server Driver for JDBC and SQLJ, you need to set JDBC driver properties and Kerberos Java Authentication and Authorization Service (JAAS) properties.

Basic requirements

Specify the location of the Java Authentication and Authorization Service (JAAS) login configuration file and Kerberos configuration file in your JVM properties settings. For example, specify settings like these in the JVM properties file:
    java.security.auth.login.config=path1/jaas.conf
    java.security.krb5.conf=path2/krb5.conf
Set IBM Data Server Driver for JDBC and SQLJ properties:
  • Set the securityMechanism property to com.ibm.db2.jcc.DB2BaseDataSource.KERBEROS_SECURITY or 11.
  • Set the user and password properties if you are using Kerberos security with user and password authentication.

The JAAS login module name that is used by the IBM Data Server Driver for JDBC and SQLJ depends on whether you specify the user property name. If you do not specify the user property name, the login module name is specified by the configuration named com.ibm.security.jgss.krb5.initiate for an IBM JVM, or com.sun.security.jgss.krb5.initiate for an Oracle JVM. If you specify the user property name, the JAAS login module name is specified through a JaasClient in the JAAS configuration file. The preferred method is to specify the user property name, and to specify the JAAS login module name through a JaasClient.
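The following is an added example, not code from the IBM documentation, showing how the two pieces described above fit together from application code: the JVM properties that point at the JAAS and Kerberos configuration files, and the driver properties securityMechanism (set to DB2BaseDataSource.KERBEROS_SECURITY, value 11) and user, so that the driver logs in through the JaasClient entry of the JAAS configuration file. The file paths, host name, port, database name and user are placeholders.

```java
import com.ibm.db2.jcc.DB2BaseDataSource;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class KerberosJdbcExample {

    // Driver properties for Kerberos security. Setting "user" makes the driver
    // use the JaasClient login configuration; "password" is only needed for
    // Kerberos with user and password authentication, so it is left out here.
    static Properties kerberosProperties(String kerberosUser) {
        Properties props = new Properties();
        props.setProperty("securityMechanism",
                String.valueOf(DB2BaseDataSource.KERBEROS_SECURITY)); // same as "11"
        props.setProperty("user", kerberosUser);
        return props;
    }

    public static void main(String[] args) throws Exception {
        // Equivalent to -Djava.security.auth.login.config=... and
        // -Djava.security.krb5.conf=... on the JVM command line. Placeholder paths.
        System.setProperty("java.security.auth.login.config", "/etc/db2/jaas.conf");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

        // Placeholder server, port, database name and Kerberos user.
        String url = "jdbc:db2://db2host.example.com:50000/SAMPLE";
        Properties props = kerberosProperties("dbuser");

        Class.forName("com.ibm.db2.jcc.DB2Driver");
        try (Connection conn = DriverManager.getConnection(url, props)) {
            System.out.println("Connected with Kerberos as "
                    + conn.getMetaData().getUserName());
        } catch (SQLException e) {
            // A failed JAAS login (wrong module, missing ticket or keytab)
            // surfaces here as an SQLException from the driver.
            System.err.println("Connection failed: " + e.getMessage());
        }
    }
}
```

Because the system properties are read when the JAAS login runs, set them (or pass them with -D) before the first getConnection call; with the user property set, the driver looks up the JaasClient entry in the file named by java.security.auth.login.config.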

JAAS configuration keywords

The following examples show some common JAAS configuration keywords that you need to set. You can find complete explanations of keywords here:
Include this entry to indicate that the JAAS login module is required:
  • For an IBM JVM:
    JaasClient {
     com.ibm.security.auth.module.Krb5LoginModule required;
    }
  • For an Oracle JVM:
    JaasClient {
     com.sun.security.auth.module.Krb5LoginModule required;
    }

The IBM Data Server Driver for JDBC and SQLJ does not put a ticket in the ticket cache. To specify in the JAAS login module that the default ticket cache will be used, include one of the following entries:

  • For an IBM JVM:
    JaasClient {
     com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
    }
  • For an Oracle JVM:
    JaasClient {
     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true
     doNotPrompt=true;
    }

To specify in the JAAS login module that a specific ticket cache will be used, include one of the following entries:

  • For an IBM JVM:
    JaasClient {
     com.ibm.security.auth.module.Krb5LoginModule required useCcache="url1";
    }
  • For an Oracle JVM:
    JaasClient {
     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true
     ticketCache="url1" doNotPrompt=true;
    }

To specify in the JAAS login module that a Kerberos key table file will be used, include one of the following entries:

  • For an IBM JVM:
    JaasClient {
     com.ibm.security.auth.module.Krb5LoginModule required credsType=both
     useKeytab="url2" principal="kerberos-principal-domain";
    }
  • For an Oracle JVM:
    JaasClient {
     com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
     keyTab="url2" principal="kerberos-principal-domain" doNotPrompt=true;
    }

In the previous examples, url1 and url2 have the following formats:

  • The url1 format, for the ticket cache file location, is:
    • For a Linux or UNIX environment: FILE:full path to file

      For example: useCcache="FILE:/folder1/folder2/mycachefile"

    • For a Windows environment: FILE:drive letter:full path to file

      For example: useCcache="FILE:c:/folder1/folder2/mycachefile"

  • The url2 format, for the key table file location, is:
    • For a Linux or UNIX environment: full path to file

      For example: useKeytab="/folder3/folder4/mykeytabfile"

    • For a Windows environment: drive letter:full path to file

      For example: useKeytab="c:/folder3/folder4/mykeytabfile"
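As an added example (not part of the IBM documentation), the following pre-flight check validates the url1 and url2 values before they are written into the JaasClient entry: url1 must carry the FILE: prefix followed by an absolute path, url2 must be a plain absolute path, and, because a key table file holds the principal's long-term keys, the keytab is rejected on POSIX systems if it is readable by group or others. The sample paths are constructed placeholders; the Windows drive-letter form is accepted through a simple pattern match because Path.isAbsolute() only recognises it when running on Windows.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;
import static java.nio.file.attribute.PosixFilePermission.*;

public class JaasPathCheck {

    // True for "/abs/path" on any platform and for "c:/abs/path" (Windows form).
    static boolean isAbsoluteForm(String path) {
        return Paths.get(path).isAbsolute() || path.matches("^[A-Za-z]:[/\\\\].*");
    }

    // url1 (useCcache / ticketCache): FILE: prefix, then the full path to the cache.
    static Path ticketCachePath(String url1) {
        if (!url1.startsWith("FILE:")) {
            throw new IllegalArgumentException("ticket cache must use the FILE: prefix: " + url1);
        }
        String path = url1.substring("FILE:".length());
        if (!isAbsoluteForm(path)) {
            throw new IllegalArgumentException("ticket cache path must be absolute: " + path);
        }
        return Paths.get(path);
    }

    // url2 (useKeytab / keyTab): full path to the key table file, no prefix.
    static Path keytabPath(String url2) {
        if (url2.startsWith("FILE:") || !isAbsoluteForm(url2)) {
            throw new IllegalArgumentException("keytab must be a plain absolute path: " + url2);
        }
        return Paths.get(url2);
    }

    // Refuse a keytab that other users on the host could read or modify.
    static void requirePrivateKeytab(Path keytab) throws IOException {
        if (!Files.isRegularFile(keytab)) {
            throw new IOException("keytab not found: " + keytab);
        }
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
            Set<PosixFilePermission> exposed = EnumSet.of(
                    GROUP_READ, GROUP_WRITE, GROUP_EXECUTE,
                    OTHERS_READ, OTHERS_WRITE, OTHERS_EXECUTE);
            exposed.retainAll(perms);
            if (!exposed.isEmpty()) {
                throw new IOException("keytab " + keytab
                        + " is accessible to group/others: " + exposed);
            }
        } catch (UnsupportedOperationException e) {
            // No POSIX permission bits (Windows); inspect the file's ACL instead.
            System.err.println("POSIX permissions unavailable for " + keytab
                    + "; verify its ACL manually");
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values in the formats the documentation describes.
        Path cache = ticketCachePath("FILE:/folder1/folder2/mycachefile");
        Path keytab = keytabPath("/folder3/folder4/mykeytabfile");
        System.out.println("ticket cache: " + cache + ", keytab: " + keytab);
        requirePrivateKeytab(keytab);  // throws unless the file exists and is private
    }
}
```

Run this from the same account that will start the JVM, since the keytab must be readable by that account alone; a failure here is cheaper to diagnose than a JAAS login error reported through the driver at connection time.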