Preserving Kerberos setup files

Deployment options: Netezza Performance Server for Cloud Pak for Data System

The Kerberos setup files are not preserved during the container upgrade. As a result, you are not able to connect to the database with the Kerberos user after the upgrade.

Learn how to preserve the Kerberos setup files by creating the user's credential cache file in persistent storage.

Note: If you do not use Kerberos authentication, you can skip these steps.

Procedure

  1. Generate a credential cache file by running the kinit command from the host.
    When you generate the cache file, specify the directory for the file. The directory must be located in persistent storage.
    [nz@ipshost1 /]$ kinit -c DIR:/nzscratch/KrbCache/ MYUSER
    Password for MYUSER@NZSQA.IBM.COM:
  2. In /export/home/nz/.bashrc, export the cache directory path in the KRB5CCNAME variable.
    [nz@ipshost1 /]$ export KRB5CCNAME=DIR:/nzscratch/KrbCache/
  3. Run klist to see the valid ticket.
    [nz@ipshost1 /]$ klist
    Ticket cache: DIR::/nzscratch/KrbCache/tkt
    Default principal: MYUSER@NZSQA.IBM.COM
    Valid starting       Expires              Service principal
    02/25/2020 07:01:25  02/26/2020 07:01:25  krbtgt/NZSQA.IBM.COM@NZSQA.IBM.COM
            renew until 02/25/2020 07:01:25
  4. Connect to the database with a Kerberos user.
    [nz@ipshost1 /]$ nzsql -db system -u MYUSER -w -c "show authentication all;"
     AUTH_OPTION             | AUTH_VALUE
    -------------------------+--------------------------------------
     AUTHENTICATION METHOD   | KERBEROS
     AUTHMTHD KERBEROS KDC   | sqa-rh65-kdc-server.swg.usma.ibm.com
     AUTHMTHD KERBEROS REALM | NZSQA.IBM.COM
    (3 rows)
  5. Upgrade the container.
    Note: Make sure that you added the /export/home/nz/.bashrc file entry to files_to_backup.conf to preserve the exported variable values.
  6. After you upgrade the container, run the following commands.
    1. [nz@ipshost1 /]$ echo $KRB5CCNAME
      DIR:/nzscratch/KrbCache/
      [nz@ipshost1 /]$
      
      [nz@ipshost1 /]$ klist
      Ticket cache: DIR::/nzscratch/KrbCache/tkt
      Default principal: MYUSER@NZSQA.IBM.COM
      
      Valid starting       Expires              Service principal
      02/25/2020 07:01:25  02/26/2020 07:01:25  krbtgt/NZSQA.IBM.COM@NZSQA.IBM.COM
              renew until 02/25/2020 07:01:25
      
    2. [nz@ipshost1 /]$ klist -l
      Principal name        Cache name
      --------------        ----------
      MYUSER@NZSQA.IBM.COM  DIR::/nzscratch/KrbCache/tkt
      [nz@ipshost1 /]$ nzsql -db system -u MYUSER -w -c "show authentication all;"
       AUTH_OPTION             | AUTH_VALUE
      -------------------------+--------------------------------------
       AUTHENTICATION METHOD   | KERBEROS
       AUTHMTHD KERBEROS KDC   | sqa-rh65-kdc-server.swg.usma.ibm.com
       AUTHMTHD KERBEROS REALM | NZSQA.IBM.COM
      (3 rows)
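
The checks in step 6 can be scripted together with a permission check on the cache directory, because a credential cache kept in persistent storage outlives the container and any account that can read it can use the tickets. The following is an added example, not IBM-supplied code; the function names, the PERSIST_ROOT default, and the assumption that files_to_backup.conf lists the .bashrc path as plain text are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: post-upgrade checks for the preserved Kerberos cache.
# Assumptions (not from the product): the function names, PERSIST_ROOT, and
# that files_to_backup.conf lists the .bashrc path as plain text.
PERSIST_ROOT="${PERSIST_ROOT:-/nzscratch}"

# check_ccname VALUE: 0 if VALUE is a DIR: cache that exists, resolves to a
# path under PERSIST_ROOT, and grants nothing to group/other (cached tickets
# are usable by anyone who can read them).
check_ccname() {
    local value="$1" dir real perms
    case "$value" in
        DIR:*) dir="${value#DIR:}" ;;
        *) echo "not a DIR: cache: '$value'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 3; }
    real=$(cd "$dir" && pwd -P) || return 3
    case "$real/" in
        "$PERSIST_ROOT"/*) ;;
        *) echo "$real is outside $PERSIST_ROOT" >&2; return 2 ;;
    esac
    perms=$(ls -ld "$real" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$real is open to group/other" >&2; return 4; }
}

# bashrc_persisted BASHRC BACKUP_CONF: 0 if BASHRC exports a DIR: cache in
# KRB5CCNAME and BACKUP_CONF mentions BASHRC, so the export survives upgrade.
bashrc_persisted() {
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5CCNAME=DIR:' "$1" || return 1
    grep -qF -- "$1" "$2" || return 2
}

# ticket_valid: 0 if the current cache holds an unexpired ticket (klist -s).
ticket_valid() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found" >&2; return 127; }
    klist -s
}

# verify_all BACKUP_CONF: run every check for the current user.
verify_all() {
    check_ccname "${KRB5CCNAME:-}" &&
        bashrc_persisted "$HOME/.bashrc" "$1" &&
        ticket_valid &&
        echo "Kerberos cache preserved and ticket valid"
}
```

Source the file as the nz user and run verify_all with the path to files_to_backup.conf; a non-zero status identifies the first check that failed.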