Configuring Kerberos on IBM Security Guardium Key Lifecycle Manager in a Multi-Master setup

You can configure Kerberos on a server before or after setting up the Multi-Master cluster.

Before you begin

Review the following considerations and requirements before you proceed with the Kerberos configuration:
Note: Support for configuring Kerberos will be deprecated in later versions of IBM® Security Guardium® Key Lifecycle Manager.
  • Based on your requirements, you can configure Kerberos before or after you set up a Multi-Master cluster.
  • Ensure that the Kerberos client is installed on all master servers.
  • For a cluster, install only one instance of the Kerberos server.
  • Register a client principal with the same details on all master servers.
  • Register a unique service principal for every master server.
  • Only for Linux and AIX: Create a separate keytab file for every master server and add only that master server's service principal to it.
  • After you run the db2ConfigureKerberos.sh script, you must manually copy the krb5.conf file from the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory to the WAS_HOME/java/8.0/jre/lib/security directory so that the Agent service picks up the Kerberos configuration.

Procedure

  • Configure Kerberos before a Multi-Master cluster is set up
    1. On every IBM Security Guardium Key Lifecycle Manager server that you plan to add to the cluster, configure Kerberos.
    2. Copy the krb5.conf file from the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory to the WAS_HOME/java/8.0/jre/lib/security directory so that the Agent service picks up the Kerberos configuration.
    3. Configure the Multi-Master cluster.
      For more information, see Setting up a Multi-Master cluster.
  • Configure Kerberos on an existing Multi-Master cluster setup
    Complete the following steps on every master server of the cluster:
    1. Navigate to the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory and run the db2ConfigureKerberos.bat (Windows) or db2ConfigureKerberos.sh (Linux and AIX) script as the process owner, that is, the Db2 Administrator user account.
      The script updates the Kerberos configuration file (krb5.conf) that the server needs to connect to the KDC. Run the script as follows:
      On Windows:
      
      "path\db2cmd.exe" db2ConfigureKerberos.bat path_of_krb5.conf kdc_server REALMNAME 
      
      On Linux and AIX:
      
      ./db2ConfigureKerberos.sh path_of_krb5.conf path_krb5.keytab kdc_server_hostname REALMNAME db2servicename path_sqllib
    2. Copy the krb5.conf file from the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory to the WAS_HOME/java/8.0/jre/lib/security directory so that the Agent service picks up the Kerberos configuration.
    3. On the primary master server, run the Configure Kerberos Authentication REST Service. To run the REST service, you can use the Swagger UI.
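
The following shell script is an added example; it is not part of the IBM documentation or of the product. It shows the checks a practitioner would run on one master server around the steps above: that krb5.conf names the expected realm and lists the expected KDC in that realm's stanza, that the per-server keytab (judged from saved klist -k output) holds only that master server's own service principal, as the Linux and AIX requirement demands, and that the krb5.conf copied into the JRE security directory matches the source byte for byte. The realm EXAMPLE.COM, the KDC kdc1.example.com, the host names, the db2/<host>@REALM principal form and the sample krb5.conf and klist output are all constructed assumptions; on a real server, point the functions at the server's own files, at /opt/IBM/WebSphere/Liberty/products/sklm/kerberos and at WAS_HOME/java/8.0/jre/lib/security.

```shell
#!/bin/sh
# Added example, not IBM's code. Pre-flight checks for one master server
# before db2ConfigureKerberos.sh and after the krb5.conf copy. Realm, KDC,
# host names, the db2/<host>@REALM principal form and the sample files are
# constructed assumptions for illustration.

# krb5_conf_ok FILE REALM KDC
# Returns 0 when FILE sets default_realm = REALM and the REALM stanza in
# [realms] lists KDC (with or without a :port suffix); otherwise returns 1.
krb5_conf_ok() {
  file=$1; realm=$2; kdc=$3
  grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$file" || return 1
  awk -v realm="$realm" -v kdc="$kdc" '
    index($0, realm) && /=[ \t]*[{]/ { inside = 1; next }   # start of "REALM = {"
    inside && /^[ \t]*[}]/           { inside = 0 }         # end of the stanza
    inside && /^[ \t]*kdc[ \t]*=/ {
      v = $0
      sub(/^[^=]*=[ \t]*/, "", v)   # drop "kdc ="
      sub(/[ \t]*$/, "", v)         # drop trailing blanks
      sub(/:[0-9]+$/, "", v)        # drop a ":88" port suffix
      if (v == kdc) found = 1
    }
    END { exit(found ? 0 : 1) }' "$file"
}

# keytab_principals_ok LISTING EXPECTED_PRINCIPAL
# LISTING is the output of "klist -k <keytab>" saved to a file. Returns 0 only
# when every entry (any KVNO) is EXPECTED_PRINCIPAL: the keytab holds this
# master server's service principal and nothing else.
keytab_principals_ok() {
  listing=$1; expected=$2
  principals=$(awk '$1 ~ /^[0-9]+$/ { print $NF }' "$listing" | sort -u)
  [ -n "$principals" ] && [ "$principals" = "$expected" ]
}

# install_krb5_conf SRC_DIR DEST_DIR
# Copies SRC_DIR/krb5.conf to DEST_DIR/krb5.conf (the copy the procedure
# requires after db2ConfigureKerberos) and verifies the copy byte for byte.
install_krb5_conf() {
  src="$1/krb5.conf"; dest="$2/krb5.conf"
  [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
  mkdir -p "$2" && cp "$src" "$dest" && cmp -s "$src" "$dest"
}

# preflight KRB5_CONF KLIST_FILE REALM KDC SERVICE_PRINCIPAL
# Runs both checks for one master server; returns 0 only if both pass.
preflight() {
  krb5_conf_ok "$1" "$3" "$4"    || { echo "krb5.conf: realm/KDC mismatch" >&2; return 1; }
  keytab_principals_ok "$2" "$5" || { echo "keytab must hold exactly $5" >&2; return 1; }
  echo "preflight OK for $5"
}

# Constructed sample inputs standing in for the real krb5.conf and klist output.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        admin_server = kdc1.example.com
    }
EOF
# Correctly scoped keytab: one service principal, two key versions.
cat > "$SAMPLE_DIR/klist-master1.txt" <<'EOF'
Keytab name: FILE:/opt/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 db2/sklm-master1.example.com@EXAMPLE.COM
   3 db2/sklm-master1.example.com@EXAMPLE.COM
EOF
# Wrongly shared keytab: it also carries another master's principal.
cat > "$SAMPLE_DIR/klist-shared.txt" <<'EOF'
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 db2/sklm-master1.example.com@EXAMPLE.COM
   2 db2/sklm-master2.example.com@EXAMPLE.COM
EOF

# On a real master, replace the sample paths with the server's own krb5.conf,
# its "klist -k" output, /opt/IBM/WebSphere/Liberty/products/sklm/kerberos and
# WAS_HOME/java/8.0/jre/lib/security.
preflight "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/klist-master1.txt" \
  EXAMPLE.COM kdc1.example.com db2/sklm-master1.example.com@EXAMPLE.COM
preflight "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/klist-shared.txt" \
  EXAMPLE.COM kdc1.example.com db2/sklm-master1.example.com@EXAMPLE.COM || :
install_krb5_conf "$SAMPLE_DIR" "$SAMPLE_DIR/jre-security" && echo "krb5.conf installed"
```

The second preflight call is expected to fail: a keytab that carries two masters' principals violates the one-principal-per-keytab requirement above, so the script reports it before you run db2ConfigureKerberos.sh against it. Run the checks on every master in turn, each with its own krb5.conf, keytab listing and service principal, since the procedure repeats the Kerberos configuration on every master server of the cluster.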