Configuring Kerberos on a stand-alone Linux server with Windows Active Directory

You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database.

Before you begin

  • Ensure that the computers that host the Kerberos server and the Kerberos client (IBM Security Guardium Key Lifecycle Manager server) have the same operating system.
  • Ensure that the computer on which you install the Kerberos server is secure and does not run any service other than KDC.
  • Install the Kerberos (Key Distribution Center - KDC) server.

    You need to set up Active Directory before you install the Kerberos server. If Active Directory is already set up, you can skip this step.

    To set up the Active Directory, complete the following steps:

    1. Open Server Manager.
    2. On the Server Manager Dashboard, click Add roles and features.
    3. Select Role-based or feature-based installation and click Next.
    4. Select the server and click Next.
    5. From the list of server roles, select Active Directory Domain Services, and click Next.
    6. Click Add Features.
    7. Retain the default selections, and click Next.
    8. On the Active Directory Domain Services page, click Next.
    9. Review the selections, and click Install.
    10. After the installation completes, click Promote this server to a domain controller.
    11. Select Add a new forest, and in the Root domain name field, type in a domain name that you want to use (for example, DOMAIN.TMP), then click Next.
    12. Enter the DSRM password, and click Next.
    13. On the DNS Options, Additional Options, Paths, and Review Options pages, retain the default values, and click Next to move through the pages.
    14. On the Prerequisite Checks page, click Install. The installation starts.
    15. After the installation completes, to verify Active Directory is set up, open Server Manager.
    16. Click Tools, and select Active Directory Users and Computers.
    17. Expand the domain root and then click Domain Controllers.

    The new Active Directory server is displayed.

Procedure

  1. On the IBM Security Guardium Key Lifecycle Manager server, install the Kerberos client.
    To do so, run the command:
    yum install krb5-libs krb5-workstation
  2. On the Kerberos server, register service and client principals.
    1. To register a service principal, create an Active Directory user. For example, db2serv.
      1. Open Server Manager.
      2. From the Tools menu, select Active Directory Administrative Center.
      3. In the left pane, expand ad (local) and select Users.
      4. In the right pane, under Users, click New, and select User from the menu.
      5. In the Create User dialog box, specify the required values, such as user name and password.
      Note: Ensure that the following conditions are met:
      • The valid characters are: 'A' through 'Z'; 'a' through 'z'; '0' through '9'; '#'; '@'; '$'; '_'; '!'; '('; ')'; '{'; '}'; '-'; '.'; and '^'. The following characters must be delimited with quotation marks when entered through the command line processor: '!'; '('; ')'; '{'; '}'; '-'; '.'; and '^'. A delimited authorization ID must not contain lowercase letters.
      • The name must not begin with the characters 'SYS', 'IBM', or 'SQL'. The name must not be: 'ADMINS', 'GUESTS', 'LOCAL', 'PUBLIC', or 'USERS'.
    2. To register a client principal, create another Active Directory user. For example, klmdb411.
    3. Configure the service principal name to use the Db2 service by using the SetSPN utility. To do so, open the command-line interface and run the following command:
      setspn -U -S db2instance1/FQDN_GKLMserver@REALMNAME user_name
      For example:
      setspn -U -S klmdb411/gklmserver@EXAMPLE.COM db2serv
    4. Generate the keytab file on the Active Directory server. To do so, open the command-line interface and run the following command:
      ktpass -out filename.keytab -mapuser service_principal -princ db2instance1/FQDN_GKLMserver@REALMNAME -pass password -ptype KRB5_NT_PRINCIPAL -target REALMNAME -kvno 0
      For example:
      ktpass -out linux.keytab -mapuser db2serv -princ klmdb411/gklmserver@EXAMPLE.COM -pass PASSWORD -ptype KRB5_NT_PRINCIPAL -target EXAMPLE.COM -kvno 0
    5. Upload the keytab file on the IBM Security Guardium Key Lifecycle Manager server.
      You can use the Upload File to Server REST Service. To run the REST service, you can use the Swagger UI (see Using Swagger UI).
      Note: If you are copying the file manually on the IBM Security Guardium Key Lifecycle Manager server, ensure that the file owner is the process owner. For example, klmdb411.
  3. Configure IBM Security Guardium Key Lifecycle Manager.

    Complete this step on the IBM Security Guardium Key Lifecycle Manager server on which you installed the Kerberos client.

    1. Navigate to the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory and run the db2ConfigureKerberos.sh script file as the process owner (Db2 Administrator user account; for example, klmdb411).

      This script updates the Kerberos configuration (krb5.conf) file, which is needed to connect to the KDC server.

      Command to run the script file:

      ./db2ConfigureKerberos.sh path_krb5.conf path_krb5.keytab kserver_hostname REALMNAME db2servicename path_sqllib

      For example:

      ./db2ConfigureKerberos.sh /opt/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf /opt/IBM/WebSphere/Liberty/products/sklm/data/krb5.keytab kdc.example.com EXAMPLE.COM klmdb411/test.example.com@EXAMPLE.COM /home/klmdb411/sqllib
    2. Run the command:
      echo 'export DB2_KRB5_PRINCIPAL=' >> ~/.bash_profile
      . ~/.bash_profile
    3. Run the Configure Kerberos Authentication REST Service. To run the REST service, you can use the Swagger UI (see Using Swagger UI).

      IBM Security Guardium Key Lifecycle Manager is now configured to use Kerberos as the authentication mechanism with the Db2 database. You can use the Get Kerberos Configuration REST Service to obtain the configuration details. To run the REST service, you can use the Swagger UI (see Using Swagger UI).
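The procedure above leaves three things that are easy to get subtly wrong and that the REST services do not check for you: the service principal must have exactly the service/host@REALM shape that setspn, ktpass and db2ConfigureKerberos.sh all expect; the uploaded keytab must be owned by the Db2 process owner and, because it is equivalent to the service account's password, must not be readable by anyone else; and krb5.conf must name the realm and KDC you passed to the script. The following script is an added example, not part of IBM Security Guardium Key Lifecycle Manager or its documentation. It assumes that the keytab path, process owner (klmdb411), realm (EXAMPLE.COM) and KDC host (kdc.example.com) are the ones used in the procedure, and that db2ConfigureKerberos.sh writes the standard MIT krb5.conf keys default_realm and kdc, which is an assumption about the script's output. The optional kinit check uses the krb5-workstation tools installed in step 1.

```shell
#!/bin/sh
# Example pre-flight checks for the Kerberos setup described above.
# Not part of IBM Security Guardium Key Lifecycle Manager; the file paths,
# principal and realm are assumptions taken from the procedure's examples.

# check_principal_format PRINCIPAL REALM
# Returns 0 only when PRINCIPAL has exactly the form service/host@REALM
# (one '/', one '@', '/' before '@') and the realm part equals REALM.
check_principal_format() {
  princ=$1; realm=$2
  case "$princ" in
    */*/*|*@*@*|*@*/*) return 1 ;;   # extra '/', extra '@', or '@' before '/'
    */*@*) ;;                         # required shape
    *) return 1 ;;
  esac
  svc=${princ%%/*}                    # text before '/'
  host=${princ#*/}; host=${host%@*}   # text between '/' and '@'
  [ -n "$svc" ] && [ -n "$host" ] || return 1
  [ "${princ##*@}" = "$realm" ]
}

# check_keytab_file FILE OWNER
# Returns 0 when FILE exists, is owned by OWNER (the Db2 process owner) and
# has no group or other permission bits set, i.e. is at most mode 0600.
check_keytab_file() {
  file=$1; owner=$2
  [ -f "$file" ] || return 1
  set -- $(ls -ld "$file")            # $1 = mode string, $3 = owner
  case "$1" in
    -???------*) ;;                   # group/other bits all clear
    *) return 1 ;;
  esac
  [ "$3" = "$owner" ]
}

# check_krb5_conf FILE REALM KDC
# Returns 0 when FILE sets default_realm = REALM and lists KDC as a kdc.
# Assumes the standard MIT krb5.conf keys; '.' in REALM/KDC is escaped so the
# grep matches literally rather than as a regex wildcard.
check_krb5_conf() {
  conf=$1
  realm_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  kdc_re=$(printf '%s' "$3" | sed 's/\./\\./g')
  [ -f "$conf" ] || return 1
  grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm_re[[:space:]]*$" "$conf" || return 1
  grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$kdc_re([[:space:]]|:|$)" "$conf"
}

# verify_keytab_login KEYTAB PRINCIPAL
# Live check: obtains a ticket from the keytab with kinit (krb5-workstation).
# Returns 2 when the client tools from step 1 are not installed.
verify_keytab_login() {
  command -v kinit >/dev/null 2>&1 || { echo "kinit not found; run: yum install krb5-libs krb5-workstation"; return 2; }
  kinit -kt "$1" "$2" && klist
}

# Usage (run as the process owner, e.g. klmdb411):
#   sh kerberos_preflight.sh KEYTAB OWNER PRINCIPAL REALM KRB5CONF KDC
# e.g. sh kerberos_preflight.sh /opt/IBM/WebSphere/Liberty/products/sklm/data/krb5.keytab \
#        klmdb411 klmdb411/test.example.com@EXAMPLE.COM EXAMPLE.COM \
#        /opt/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf kdc.example.com
if [ $# -eq 6 ]; then
  rc=0
  if check_principal_format "$3" "$4"; then echo "principal format OK"; else echo "principal format WRONG: $3"; rc=1; fi
  if check_keytab_file "$1" "$2"; then echo "keytab owner/mode OK"; else echo "keytab must be owned by $2 with mode 0600"; rc=1; fi
  if check_krb5_conf "$5" "$4" "$6"; then echo "krb5.conf realm/kdc OK"; else echo "krb5.conf does not name realm $4 / kdc $6"; rc=1; fi
  [ $rc -eq 0 ] && verify_keytab_login "$1" "$3"
  exit $rc
fi
```

Run it as the Db2 process owner after step 2.5 (keytab uploaded) and again after step 3.1 (krb5.conf updated); a failed keytab permission check is the one to fix before anything else, since a group- or world-readable keytab lets any local account impersonate the Db2 service principal.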