Kerberos authentication for JDBC clients

If your environment uses Kerberos to authenticate user access to the databases, configure the JDBC client so that it can obtain and use Kerberos tickets.

The JDBC driver is responsible for obtaining the Kerberos tickets to authenticate user access to the Netezza® database. This is different from the behavior in ODBC and OLE DB environments, where the client application is responsible for obtaining the tickets.

In a JDBC environment, your JDBC client must meet certain minimum requirements. Perform the following steps:

  • Ensure that your client system has the following Java™ version installed:
    • For 11.2.2.0 to 11.2.2.5, Java 1.7 or later.
    • For 11.2.2.5 and above, Java/OpenJDK 11.
    • For 11.2.1.1 and lower, Java 1.6.
    • For 11.2.1.9 and above, Java/OpenJDK 11.
  • Change the login module class name in the login.conf file, based on the Java provider that you use:
    • For IBM® Java: com.ibm.security.auth.module.Krb5LoginModule
    • For Oracle Java: com.sun.security.auth.module.Krb5LoginModule
  • Set the java.security.auth.login.config system property to the login.conf file path through the application, or edit the <JAVA_HOME>/jre/lib/security/java.security file to add the following line:
    login.config.url.1=file:<LOGIN_CONF_FILE_PATH>
    Note: On Windows, the java.security file is located at <JAVA_HOME>\conf\security\java.security.
  • Set the krbLoginModule data source connection parameter to the name of the login module entry in the login.conf file. This value is required because the login method of the LoginContext looks up that entry in login.conf and uses the login module class named in it to perform the authentication.

    The following sample login.conf shows the expected format; ensure that such a file exists on your system. In this example, the krbLoginModule value is loginModuleName.

    loginModuleName {
         com.sun.security.auth.module.Krb5LoginModule required
         debug = true storeKey = false;
    };
    
    The default login module name is EntryModuleName.
    Note: On Windows, to read the ticket from the specified ticket cache, set the option useTicketCache=true in the login.conf entry.
  • Set the java.security.krb5.conf system property to the Kerberos configuration file name, or copy the configuration file to the default location on the client system.
    On UNIX and Linux® systems, the configuration file name is krb5.conf, and on Windows systems, the file name is krb5.ini. The following table shows the default locations for the Kerberos configuration file on various platforms:
    Table 1. Default locations of Kerberos configuration files

    Platform                              Default location
    IBM AIX®                              /etc/krb
    HP Itanium                            /etc
    Linux not on System z® or PowerPC®    /etc
    Linux on IBM System z                 /etc
    Linux on PowerPC                      /etc
    Oracle Solaris                        /etc/krb
    Windows                               C:\winnt or C:\windows
    Note: If MIT Kerberos is used, krb5.ini is located by default at C:\ProgramData\MIT\Kerberos5.

    For more information, see The Kerberos configuration file (http://www.ibm.com/support/knowledgecenter/SS7JFU_7.0.0/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_config_krb5.html?cp=SS7JFU_7.0.0%2F1-15-2-314).
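The following Java program is an added example, not code from the IBM documentation or the Netezza driver. It sets the two system properties described above from the application, verifies that the login.conf entry named in krbLoginModule can obtain a Kerberos credential before the driver is involved, and then opens the JDBC connection. It assumes that the login.conf entry finds credentials non-interactively (for example with useTicketCache=true or a keytab); the file paths, host, database and user are placeholders, and the only connection parameter taken from this page is krbLoginModule.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KerberosJdbcCheck {
    // Placeholder paths: replace with the real files on the client system.
    static final String LOGIN_CONF = "/etc/nz/login.conf";
    static final String KRB5_CONF  = "/etc/krb5.conf";
    // Entry name inside login.conf; the sample on this page uses "loginModuleName".
    static final String JAAS_ENTRY = "loginModuleName";

    /**
     * Pre-flight check: fail fast if login.conf or krb5.conf cannot be found,
     * if the entry name does not exist, or if no Kerberos credential is
     * available. Uses the same entry name that is later passed to the driver,
     * so a mismatch between krbLoginModule and login.conf shows up here.
     */
    static Subject verifyJaasEntry() throws LoginException {
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();          // with useTicketCache=true this reads the existing TGT
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = verifyJaasEntry();
        System.out.println("Kerberos principals: " + subject.getPrincipals());

        // Older driver jars are not service-loaded; registering explicitly is harmless.
        Class.forName("org.netezza.Driver");

        Properties props = new Properties();
        props.setProperty("user", "dbuser@MYKRB5.COMPANY.COM"); // placeholder principal
        props.setProperty("krbLoginModule", JAAS_ENTRY);        // parameter from this page
        // Placeholder host and database; 5480 is the default Netezza port.
        String url = "jdbc:netezza://nps-east.east.company.com:5480/SALESDB";
        try (Connection c = DriverManager.getConnection(url, props)) {
            System.out.println("Connected as " + c.getMetaData().getUserName());
        }
    }
}
```

If the pre-flight step fails with "No credential" or a missing-entry LoginException, the problem is in login.conf, krb5.conf or the ticket cache rather than in the JDBC driver, which narrows the diagnosis before the connection is attempted.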

In addition, if you use the IBM Java runtime environment and you have several Netezza Performance Server systems that are in different domains, your JDBC client connection to some of the systems might fail with the following error:
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential
If this occurs, update your client Kerberos configuration file to include a [domain_realm] definition that identifies all the domains that you need to access and the Kerberos realm that controls the authentication requests. For example, if you have Netezza Performance Server systems that are configured within the domains east.company.com and west.company.com and the Kerberos realm is MYKRB5.COMPANY.COM, add the following [domain_realm] definition to the Kerberos configuration file:
[domain_realm]
.company.com = MYKRB5.COMPANY.COM
company.com = MYKRB5.COMPANY.COM
You could add a separate entry for each of east.company.com and west.company.com, but because they share the common domain company.com, a single entry for the common domain is sufficient. If the domain names have no common part, such as east.com and west.com, add an entry for each domain in which a Netezza Performance Server system is located.

For more information about configuring the Netezza Performance Server system to use Kerberos authentication, see the security section in the IBM Netezza System Administrator’s Guide.