Configuring Kerberos on IBM Security Guardium Key Lifecycle Manager in a Multi-Master setup
You can configure Kerberos on a server before or after setting up the Multi-Master cluster.
Before you begin
Note: Support for configuring Kerberos will be deprecated in later versions of IBM® Security Guardium® Key Lifecycle Manager.
- Based on your requirements, you can configure Kerberos before or after you set up a Multi-Master cluster.
- Ensure that the Kerberos client is installed on all master servers.
- For a cluster, install only one instance of the Kerberos server.
- Register a client principal with the same details on all master servers.
- Register a unique service principal for every master server.
- Only for Linux and AIX: Create a separate keytab file for every master server and add only that master server's service principal to it.
- After you run the db2ConfigureKerberos.sh script, you must manually copy the krb5.conf file in the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory to the WAS_HOME/java/8.0/jre/lib/security directory to ensure that the Agent service gets the Kerberos configuration details.
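A check for the keytab and krb5.conf prerequisites above, as an added example that is not part of the IBM documentation. It assumes the MIT Kerberos `klist -k` output layout; the `svc/...@EXAMPLE.COM` principals, the realm and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes MIT Kerberos `klist -k` output layout.
# Principals, realm and function names are constructed placeholders.

# check_keytab EXPECTED_PRINCIPAL
# Reads `klist -k <keytab>` output on stdin. Succeeds only when the keytab
# holds EXPECTED_PRINCIPAL and no other principal; reports each violation.
check_keytab() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {          # entry lines start with a KVNO
            if ($2 == want) found = 1
            else if (!seen[$2]++) { print "unexpected: " $2; bad = 1 }
        }
        END {
            if (!found) { print "missing: " want; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# krb5_conf_in_sync SRC_DIR DST_DIR
# Succeeds when DST_DIR/krb5.conf exists and is byte-identical to the copy in
# SRC_DIR, i.e. the manual copy step was done after the last script run.
krb5_conf_in_sync() {
    cmp -s "$1/krb5.conf" "$2/krb5.conf" 2>/dev/null
}

# Constructed sample: master1's keytab that also carries master2's key.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/tmp/master1.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 svc/master1.example.com@EXAMPLE.COM
   2 svc/master1.example.com@EXAMPLE.COM
   2 svc/master2.example.com@EXAMPLE.COM
EOF
}

# Demo on the sample. On a real server, pipe `klist -k /path/to/keytab` in.
sample_klist_output | check_keytab "svc/master1.example.com@EXAMPLE.COM" \
    || echo "keytab must contain only this server's service principal"
```

For the krb5.conf check, pass /opt/IBM/WebSphere/Liberty/products/sklm/kerberos as the source directory and the java/8.0/jre/lib/security directory under the actual WAS_HOME path as the destination.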