Kerberos authentication for JDBC clients
If your environment uses Kerberos to authenticate user access to the databases, configure the JDBC client to manage authorization tickets.
The JDBC driver is responsible for obtaining the Kerberos tickets to authenticate user access to the Netezza® database. This is different from the behavior in ODBC and OLE DB environments, where the client application is responsible for obtaining the tickets.
In a JDBC environment, your JDBC client must meet certain minimum requirements. Perform the following steps:
- Ensure that your client system has the following Java™ version installed:
  - For 11.2.2.0 to 11.2.2.5: Java 1.7 or later.
  - For 11.2.2.5 and above: Java/OpenJDK 11.
  - For 11.2.1.1 and lower: Java 1.6.
  - For 11.2.1.9 and above: Java/OpenJDK 11.
- Change the login module class name in the login.conf file, based on the Java provider that you use:
  - For IBM® Java: com.ibm.security.auth.module.Krb5LoginModule
  - For Oracle Java: com.sun.security.auth.module.Krb5LoginModule
- Set the java.security.auth.login.config system property to the login.conf file path through the application, or edit the <JAVA_HOME>/jre/lib/security/java.security file to add the following line:

  ```
  login.config.url.1=file:<LOGIN_CONF_FILE_PATH>
  ```

  Note: In Windows, you can find java.security in the path <JAVA_HOME>\conf\security\java.security.
- Specify the value of the krbLoginModule name in the data source connection parameter as the name of the loginModule from the login.conf file. You must provide this value because the login method of loginContext reads this loginModule information from the login.conf file and uses the class that is mentioned in it to authenticate further.
  Refer to the following sample login.conf and ensure that it is created on your system. In this example, the krbLoginModule name is loginModuleName.

  ```
  loginModuleName {
      com.sun.security.auth.module.Krb5LoginModule required debug = true storeKey = false;
  };
  ```

  The default login module name is EntryModuleName.

  Note: In the case of Windows, in order to fetch the ticket from the specified cache, you need to use the option useTicketCache=true in the login.conf.
- Set the java.security.krb5.conf system property to the Kerberos configuration file name, or copy the configuration file to the default location on the client system. On UNIX and Linux® systems, the configuration file name is krb5.conf, and on Windows systems, the file name is krb5.ini. The following table shows the default locations for the Kerberos configuration file on various platforms:
  Table 1. Default locations of Kerberos configuration files

  | Platform | Default location |
  | --- | --- |
  | IBM AIX® | /etc/krb |
  | HP Itanium | /etc |
  | Linux not on System z® or PowerPC® | /etc |
  | Linux on IBM System z | /etc |
  | Linux on PowerPC | /etc |
  | Oracle Solaris | /etc/krb |
  | Windows | C:\winnt or C:\windows |

  Note: If MIT provided Kerberos is being used, then the krb5.ini is present by default at the location C:\ProgramData\MIT\Kerberos5. For more information, see The Kerberos configuration file (http://www.ibm.com/support/knowledgecenter/SS7JFU_7.0.0/com.ibm.websphere.express.doc/info/exp/ae/rsec_SPNEGO_config_krb5.html?cp=SS7JFU_7.0.0%2F1-15-2-314).
```
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential
```

If this occurs, update your client Kerberos configuration file to include a [domain_realm] definition that identifies all the domains that you need to access and the Kerberos realm that controls the authentication requests. For example, if you have Netezza Performance Server systems that are configured within the domains east.company.com and west.company.com and the Kerberos realm is MYKRB5.COMPANY.COM, add the following [domain_realm] definition to the Kerberos configuration file:

```
[domain_realm]
.company.com = MYKRB5.COMPANY.COM
company.com = MYKRB5.COMPANY.COM
```
You can specify an entry for both east.company.com and west.company.com, but because there is a common part of the domain name (company.com), you can specify the common domain. If the domain names are unique, such as east.com and west.com, specify each unique domain for the locations where your Netezza Performance Server systems are present.

For more information about configuring the Netezza Performance Server system to use Kerberos authentication, see the security section in the IBM Netezza System Administrator's Guide.
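To check a client krb5.conf for the missing [domain_realm] mapping described above before a JDBC connection fails with the "No credential" error, here is an added Python example (not part of the IBM documentation) that parses the [domain_realm] section and resolves a host the way the entries shown above are matched: an exact host entry, otherwise the longest parent domain written with a leading dot. The sample configuration and host names are constructed from the example values on this page, and the helper names are my own.

```python
import re

# Constructed sample krb5.conf using the page's example realm and domains.
SAMPLE_KRB5_CONF = """\
[domain_realm]
    .company.com = MYKRB5.COMPANY.COM
    company.com = MYKRB5.COMPANY.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; nested { } blocks
    (per-realm KDC lists) are skipped, as the domain check does not need them."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def realm_for_host(conf, hostname):
    """Resolve a host via [domain_realm]: an exact host entry wins, otherwise the
    longest parent domain written with a leading dot; None if nothing covers it."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".east.company.com", ".company.com", ".com"
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None

def unmapped_hosts(conf, hostnames):
    """Hosts that still need a [domain_realm] entry (the 'No credential' case)."""
    return [h for h in hostnames if realm_for_host(conf, h) is None]
```

Run unmapped_hosts over the list of Netezza Performance Server host names your client connects to; any host it returns is one the krb5.conf cannot map to a realm.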