You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database.
- Ensure that the computers that host the Kerberos server and the Kerberos client (IBM Security Guardium Key Lifecycle Manager server) have the same operating system.
- Ensure that the computer on which you install the Kerberos server is secure and does not run any service other than KDC.
- Install the Kerberos (Key Distribution Center - KDC) server.
You need to set up an Active Directory to install the Kerberos server. If an Active Directory is already set up, you can skip this step.
To set up the Active Directory, complete the following steps:
- Open Server Manager.
- On the Server Manager Dashboard, click Add roles and features.
- Select Role-based or feature-based installation and click Next.
- Select the server and click Next.
- From the list of server roles, select Active Directory Domain Services, and click Next.
- Click Add Features.
- Retain the default selections, and click Next.
- On the Active Directory Domain Services page, click Next.
- Review the selections, and click Install.
- After the installation completes, click Promote this server to a domain controller.
- Select Add a new forest, and in the Root domain name field, type in a domain name that you want to use (for example, DOMAIN.TMP), then click Next.
- Enter the DSRM password, and click Next.
- On the DNS Options, Additional Options, Paths, and Review Options pages, retain the default values, and click Next to move through the pages.
- On the Prerequisite Checks page, click Install. The installation starts.
- After the installation completes, to verify that Active Directory is set up, open Server Manager.
- Click Tools, and select Active Directory Users and Computers.
- Expand the domain root and then click Domain Controllers. The new Active Directory server is displayed.
- On the IBM Security Guardium Key Lifecycle Manager server, install the Kerberos client. To do so, run the command:
yum install krb5-libs krb5-workstation
- On the Kerberos server, register service and client principals.
- To register a service principal, create an Active Directory user. For example, db2serv.
- Open Server Manager.
- From the Tools menu, select Active Directory Administrative Center.
- In the left pane, expand ad (local) and select Users.
- In the right pane, under Users, click New, and select User from the menu.
- In the Create User dialog box, specify the required values, such as user name and password.
Note: Ensure that the following conditions are met:
- The valid characters are: 'A' through 'Z'; 'a' through 'z'; '0' through '9'; '#'; '@'; '$'; '_'; '!'; '('; ')'; '{'; '}'; '-'; '.'; and '^'. The following characters must be delimited with quotation marks when entered through the command line processor: '!'; '('; ')'; '{'; '}'; '-'; '.'; and '^'. A delimited authorization ID must not contain lowercase letters.
- The name must not begin with the characters 'SYS', 'IBM', or 'SQL'. The name must not be: 'ADMINS', 'GUESTS', 'LOCAL', 'PUBLIC', or 'USERS'.
- To register a client principal, create another Active Directory user. For example, klmdb411.
- Configure the service principal name to use the Db2 service by using the SetSPN utility. To do so, open the command-line interface and run the following command:
setspn -U -S db2instance1/FQDN_GKLMserver@REALMNAME user_name
For example:
setspn -U -S klmdb411/gklmserver@EXAMPLE.COM db2serv
- Generate the keytab file on the Active Directory server. To do so, open the command-line interface and run the following command:
ktpass -out filename.keytab -mapuser service_principal -princ db2instance1/FQDN_GKLMserver@REALMNAME -pass password -ptype KRB5_NT_PRINCIPAL -target REALMNAME -kvno 0
For example:
ktpass -out linux.keytab -mapuser db2serv -princ klmdb411/gklmserver@EXAMPLE.COM -pass PASSWORD -ptype KRB5_NT_PRINCIPAL /Target SKLM.COM /kvno 0
- Upload the keytab file to the IBM Security Guardium Key Lifecycle Manager server. You can use the Upload File to Server REST Service. To run the REST service, you can use Swagger UI.
Note: If you are copying the file manually to the IBM Security Guardium Key Lifecycle Manager server, ensure that the file owner is the process owner. For example, klmdb411.
- Configure IBM Security Guardium Key Lifecycle Manager.
Complete this step on the IBM Security Guardium Key Lifecycle Manager server on which you installed the Kerberos client.
- Navigate to the /opt/IBM/WebSphere/Liberty/products/sklm/kerberos directory and run the db2ConfigureKerberos.sh script file as the process owner (Db2 Administrator user account; for example, klmdb411).
This script updates the Kerberos configuration (krb5.conf) file, which is needed to connect to the KDC server.
Command to run the script file:
./db2ConfigureKerberos.sh path_krb5.conf path_krb5.keytab kserver_hostname REALMNAME db2servicename path_sqllib
For example:
./db2ConfigureKerberos.sh /opt/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf /opt/IBM/WebSphere/Liberty/products/sklm/data/krb5.keytab kdc.example.com EXAMPLE.COM klmdb411/test.example.com@EXAMPLE.COM /home/klmdb411/sqllib
- Run the command:
echo 'export DB2_KRB5_PRINCIPAL=' >> ~/.bash_profile
. ~/.bash_profile
- Run the Configure Kerberos Authentication REST Service. To run the REST service, you can use Swagger UI.
IBM Security Guardium Key Lifecycle Manager is now configured to use Kerberos as the authentication mechanism with the Db2 database. You can use the Get Kerberos Configuration REST Service to obtain the configuration details. To run the REST service, you can use Swagger UI.
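The following Python script is an added example, not part of this IBM documentation or the product, that pre-checks the values used in the steps above before you run them: it applies the Db2 authorization ID rules from the note to a proposed Active Directory user name, validates the service principal shape (db2instance/FQDN_GKLMserver@REALMNAME) against the REALMNAME passed to db2ConfigureKerberos.sh, and confirms that a manually copied keytab is owned by the Db2 process owner. The function names and the temporary stand-in keytab file are assumptions made for the example.

```python
import os
import re
import tempfile

# Rules quoted in the note above for the Active Directory user that becomes a Db2 authorization ID.
RESERVED_NAMES = {"ADMINS", "GUESTS", "LOCAL", "PUBLIC", "USERS"}
RESERVED_PREFIXES = ("SYS", "IBM", "SQL")
VALID_CHARS = re.compile(r"^[A-Za-z0-9#@$_!(){}\-.^]+$")
NEEDS_DELIMITING = set("!(){}-.^")  # must be quoted in the Db2 command line processor
# Shape used by the setspn and ktpass steps: db2instance/FQDN_GKLMserver@REALMNAME
PRINCIPAL = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$")

def check_db2_auth_id(name):
    """Return the list of rule violations for a proposed user name (empty list means OK)."""
    problems = []
    if not VALID_CHARS.match(name):
        problems.append("contains characters outside the permitted set")
    upper = name.upper()
    if upper.startswith(RESERVED_PREFIXES):
        problems.append("must not begin with SYS, IBM or SQL")
    if upper in RESERVED_NAMES:
        problems.append("is a reserved name")
    # A name containing characters that need quoting is a delimited ID, which must be uppercase.
    if any(c in NEEDS_DELIMITING for c in name) and name != upper:
        problems.append("delimited ID must not contain lowercase letters")
    return problems

def check_service_principal(principal, expected_realm):
    """Validate the Db2 service principal against the REALMNAME given to db2ConfigureKerberos.sh."""
    m = PRINCIPAL.match(principal)
    if not m:
        return ["principal must have the form instance/host@REALM"]
    problems = []
    if m["realm"] != m["realm"].upper():
        problems.append("realm must be uppercase")
    if m["realm"] != expected_realm:
        problems.append(f"realm {m['realm']} does not match {expected_realm}")
    if "." not in m["host"]:
        problems.append("host should be the fully qualified name of the GKLM server")
    return problems

def keytab_owner_ok(path, owner_uid):
    """True when the keytab is owned by owner_uid (the Db2 process owner, e.g. the uid of klmdb411)."""
    return os.stat(path).st_uid == owner_uid

def demo_keytab_check():
    # Constructed stand-in for the uploaded krb5.keytab: a temporary file owned by this process.
    with tempfile.NamedTemporaryFile(suffix=".keytab") as fake_keytab:
        return keytab_owner_ok(fake_keytab.name, os.getuid())
```

On the real server, resolve the process owner's uid with pwd.getpwnam("klmdb411").pw_uid and pass the uploaded keytab path to keytab_owner_ok.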