Configuring Kerberos on a stand-alone Linux server

You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database.

Before you begin

  • Ensure that the computers that host the Kerberos server and the Kerberos client (IBM Security Guardium Key Lifecycle Manager server) have the same operating system.
  • Ensure that the computer on which you install the Kerberos server is secure and does not run any service other than KDC.
  • Install the Kerberos (Key Distribution Center - KDC) server. If you want to use an existing Kerberos server, you can skip this step.
    1. Install the required packages for the KDC server:
      yum install krb5-server krb5-libs krb5-workstation
    2. Specify the realm name and the domain-to-realm mappings by editing the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files. For example:
      [libdefaults]
      default_realm = EXAMPLE.COM
      [realms]
      EXAMPLE.COM = {
      kdc = kerberos.example.com
      admin_server = kerberos.example.com
      }
      [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
      Where EXAMPLE.COM is the realm name, example.com is the DNS domain that the [domain_realm] section maps to that realm, and kerberos.example.com is the host name of the Kerberos server.
      Note: Enter all realm names in uppercase characters and all DNS host names and domain names in lowercase.
    3. Create the database by using the kdb5_util utility.
      kdb5_util create -s

      The database stores keys for a Kerberos realm.

    4. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. For example:
      */admin@EXAMPLE.COM *
    5. Create the first principal with the kadmin.local command.
    6. Start Kerberos using the following commands:
      systemctl start krb5kdc.service
      systemctl start kadmin.service

Procedure

  1. On the IBM Security Guardium Key Lifecycle Manager server, install the Kerberos client.
    To do so, run the command:
    yum install krb5-libs krb5-workstation
  2. On the Kerberos server, register service and client principals.
    1. Create the service principal.
      kadmin -p root/admin -q "addprinc db2instance1/FQDN_GKLMserver@REALMNAME"
      For example:
      kadmin -p root/admin -q "addprinc sklmdb41/gklmserver@EXAMPLE.COM"
    2. Specify a password for the service principal.
    3. Create the client principal.
      kadmin -p root/admin -q "addprinc db2instance1@REALMNAME"
      For example:
      kadmin -p root/admin -q "addprinc sklmdb41@EXAMPLE.COM"
    4. Specify a password for the client principal.
    5. Add the service principal to the keytab file.
      kadmin -p root/admin -q "ktadd -k /etc/filename.keytab db2instance1/FQDN_GKLMserver@REALMNAME"
      For example:
      kadmin -p root/admin -q "ktadd -k /etc/onprem.keytab sklmdb41/gklmserver@EXAMPLE.COM"
    6. To verify that the principals are correctly added, run the following command:
      kadmin.local -q "list_principals"
    7. Upload the keytab file on the IBM Security Guardium Key Lifecycle Manager server. You can use the Upload File to Server REST Service.
      To run the REST service, you can use the Swagger UI.
      Note: If you are copying the file manually to the IBM Security Guardium Key Lifecycle Manager server, ensure that the file owner is the process owner (for example, klmdb42sklmdb41).
  3. To register a client principal, create another user. For example, sklmdb41.
  4. On the IBM Security Guardium Key Lifecycle Manager server, configure Guardium Key Lifecycle Manager to use Kerberos authentication with Db2.
    1. Navigate to the SKLM_INSTALL_HOME/kerberos directory and run the db2ConfigureKerberos.sh script file as the process owner (Db2 Administrator user account).
      When you run this script file, it updates the Kerberos configuration (krb5.conf) file, which is needed to connect to the KDC server. Command to run the script file:
      ./db2ConfigureKerberos.sh path_of_krb5.conf path_krb5.keytab kdc_server_hostname REALMNAME db2servicename path_sqllib
      For example:
      ./db2ConfigureKerberos.sh /opt/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf /opt/IBM/WebSphere/Liberty_1/products/sklm/data/krb5.keytab kdc.example.com EXAMPLE.COM sklmdb41/test.example.com@EXAMPLE.COM /home/sklmdb2/sqllib
    2. Run the Configure Kerberos Authentication REST Service. To run the REST service, you can use the Swagger UI.

    IBM Security Guardium Key Lifecycle Manager is now configured to use Kerberos as the authentication mechanism with the Db2 database. You can use the Get Kerberos Configuration REST Service to obtain the configuration details.
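    Before running db2ConfigureKerberos.sh, it is worth confirming that the uploaded keytab is owned by the process owner and not readable by other users, and that the principal names follow the uppercase-realm, lowercase-host rule from the note above. The following POSIX shell script is an added example, not part of the product or of this page; it assumes it runs on the Guardium Key Lifecycle Manager server as the Db2 instance owner, with the MIT client tools (klist, kinit) optionally installed.

```shell
# Added pre-flight checks for the keytab and principal names before running
# db2ConfigureKerberos.sh. Assumptions (not from the page): this runs on the
# GKLM server as the Db2 instance owner, after the keytab has been uploaded.

# A principal must be primary[/instance]@REALM, with the realm in uppercase
# and the host instance in lowercase (the naming rule the page's note states).
check_principal() {
    p="$1"
    case "$p" in
        *@*) ;;
        *) echo "missing @REALM: $p"; return 1 ;;
    esac
    realm="${p##*@}"
    case "$realm" in
        *[a-z]*) echo "realm must be uppercase: $realm"; return 1 ;;
    esac
    local_part="${p%@*}"
    case "$local_part" in
        */*) instance="${local_part#*/}"
             case "$instance" in
                 *[A-Z]*) echo "host name must be lowercase: $instance"; return 1 ;;
             esac ;;
    esac
    return 0
}

# The keytab must exist, be owned by the user running this check (the process
# owner), and grant no permissions to other users, since it holds the service key.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab not found: $kt"; return 1; }
    owner=$(stat -c %u "$kt" 2>/dev/null || stat -f %u "$kt")
    [ "$owner" = "$(id -u)" ] || { echo "owner uid $owner is not $(id -u)"; return 1; }
    mode=$(stat -c %a "$kt" 2>/dev/null || stat -f %Lp "$kt")
    case "$mode" in
        *[1-7]) echo "keytab is accessible to others (mode $mode)"; return 1 ;;
    esac
    return 0
}

# If the MIT client tools are installed, confirm the service principal is in
# the keytab and that the KDC issues a ticket for it without a password prompt.
verify_with_kinit() {
    kt="$1"; princ="$2"
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed; skipping"; return 0; }
    klist -kt "$kt" | grep -q "$princ" || { echo "$princ not in $kt"; return 1; }
    kinit -kt "$kt" "$princ" && kdestroy
}
```

Run the checks with, for example, `check_principal sklmdb41/gklmserver@EXAMPLE.COM && check_keytab /etc/onprem.keytab && verify_with_kinit /etc/onprem.keytab sklmdb41/gklmserver@EXAMPLE.COM` as the process owner; any non-zero exit prints the reason.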