Managing password-less authentication with the database by using Kerberos

You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database. Kerberos authentication removes the requirement of changing the database password when the operating system password changes.

About this task

Kerberos is a third-party authentication mechanism in which users and services rely on the Kerberos server for authentication. Kerberos uses a Key Distribution Center (KDC), which is a central repository of IDs that uniquely identify users or services. An ID is a string and is known as a principal. A service is a resource that is provided to a user, for example, a file server, an application server, or a database.
Note: Support for configuring Kerberos will be deprecated in later versions of IBM Security Guardium Key Lifecycle Manager.
The format of a principal is as follows:
serviceuser/FQDN_GKLMserver@REALMNAME
For example: klmdb42/gklmserver@EXAMPLE.COM

Where,

  • serviceuser is the name of the service to be authenticated, such as the database service. For example: klmdb42
  • FQDN_GKLMserver is the fully qualified DNS name of the host system on which the IBM Security Guardium Key Lifecycle Manager server is installed.
  • REALMNAME is the Kerberos realm name. A Kerberos realm is a domain or a group of systems; Kerberos has the authority to authenticate a user to a service that is hosted on a computer in this domain. The REALMNAME value must be specified in uppercase characters only.
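As an added example that is not part of the IBM documentation, the following Python validator checks a principal string against the serviceuser/FQDN_GKLMserver@REALMNAME format described above (including the uppercase realm rule) so that a mistyped value is caught before the Kerberos configuration script is run against Db2. The function names and the DNS-label rule applied to the host part are assumptions of this example, not part of the product.

```python
import re
from dataclasses import dataclass

# Hypothetical validator (not IBM's code) for the documented principal format:
#   serviceuser/FQDN_GKLMserver@REALMNAME, with REALMNAME in uppercase only.
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$"
)
# Assumed DNS-label rule: letters, digits or hyphens, not starting or
# ending with a hyphen. Labels are joined by dots to form the host name.
_HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse serviceuser/FQDN@REALM and enforce the documented constraints.

    Raises ValueError with a specific message so that a misconfiguration
    is reported before the Kerberos setup script is executed.
    """
    m = _PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError("principal must look like serviceuser/FQDN@REALMNAME")
    service, host, realm = m.group("service", "host", "realm")
    # Every dot-separated label of the host part must be a valid DNS label.
    if not all(_HOST_LABEL_RE.match(label) for label in host.split(".")):
        raise ValueError(f"host part {host!r} is not a valid DNS name")
    # The page requires the realm to be given in uppercase characters only.
    if realm != realm.upper():
        raise ValueError(f"realm {realm!r} must be uppercase")
    return Principal(service, host, realm)


def is_valid_principal(text: str) -> bool:
    """Boolean wrapper for pre-flight checks in a setup script."""
    try:
        parse_principal(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the page's own example principal.
    print(parse_principal("klmdb42/gklmserver@EXAMPLE.COM"))
```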
The following script files are available in the WAS_HOME\products\sklm\kerberos directory:
Table 1. Kerberos configuration script files
Windows:
  • db2ConfigureKerberos.bat
  • db2RemoveKerberos.bat
Linux and AIX:
  • db2ConfigureKerberos.sh
  • db2RemoveKerberos.sh