Managing password-less authentication with the database by using Kerberos
You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database. Kerberos authentication removes the requirement of changing the database password when the operating system password changes.
About this task
Kerberos is a third-party authentication mechanism in which users and services rely on the
Kerberos server for authentication. Kerberos uses a Key Distribution Center (KDC), which is a central
repository of IDs that uniquely identify users or services. An ID is a string and is known as a
principal. A service is a resource that is provided to a user, for example a file server, an application
server, or a database.
Note: Support for configuring Kerberos will be deprecated in later
versions of IBM Security Guardium Key Lifecycle Manager.
The format of a principal is as follows:
serviceuser/FQDN_GKLMserver@REALMNAME
For example: klmdb42/gklmserver@EXAMPLE.COM
Where,
serviceuser
is the name of the service to be authenticated, such as the database service. For example: klmdb42
FQDN_GKLMserver
is the fully qualified DNS name of the host system on which the IBM Security Guardium Key Lifecycle Manager server is installed.
REALMNAME
is the Kerberos realm name. A Kerberos realm is a domain or a group of systems; Kerberos has authority to authenticate a user to a service that is hosted on a computer in this domain. The REALMNAME value must be specified in uppercase characters only, because realm names are case-sensitive and a realm written in lowercase will not match the realm that the KDC serves.
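The principal format above, as an added Python example (not code from the IBM product or its documentation): a checker that splits a principal string into its three parts and reports anything that violates the rules just stated, plus a builder that normalizes the host to lowercase and the realm to uppercase before assembling the string. The host-name label rule and the optional require_fqdn check are assumptions added here; the page's own example uses a short host name, so that check is off by default.

```python
from __future__ import annotations

import re

# Assumed label rule for each dot-separated part of the host name
# (RFC 1123 style: letters, digits, hyphens; no leading or trailing
# hyphen; at most 63 characters per label).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_principal(text: str, require_fqdn: bool = False) -> list[str]:
    """Return a list of problems with a service principal string.

    An empty list means the string has the shape
    serviceuser/FQDN_GKLMserver@REALMNAME with an uppercase realm.
    """
    problems: list[str] = []

    # The realm is everything after the last '@'.
    name, at, realm = text.rpartition("@")
    if not at or not realm:
        return [f"{text!r}: missing '@REALMNAME'"]
    if "@" in name:
        problems.append("more than one '@' in the principal")

    # The part before '@' must be exactly serviceuser/host.
    service, slash, host = name.partition("/")
    if not slash or not service or not host:
        problems.append("expected 'serviceuser/FQDN_GKLMserver' before '@'")
    elif "/" in host:
        problems.append("more than one '/' in the principal name")
    else:
        for label in host.split("."):
            if not _LABEL.match(label):
                problems.append(f"invalid host name label {label!r}")
                break
        # Optional stricter check: the host should be a full DNS name.
        if require_fqdn and "." not in host:
            problems.append(f"host {host!r} is not fully qualified (no domain part)")

    # Realm names are case-sensitive; the page requires uppercase.
    if realm != realm.upper():
        problems.append(f"realm {realm!r} must be uppercase")

    return problems


def build_principal(service: str, host: str, realm: str) -> str:
    """Assemble serviceuser/FQDN_GKLMserver@REALMNAME from its parts.

    The host is lowercased and the realm uppercased, then the result is
    validated with check_principal so a malformed principal is never returned.
    """
    text = f"{service}/{host.lower()}@{realm.upper()}"
    problems = check_principal(text)
    if problems:
        raise ValueError("; ".join(problems))
    return text


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    for candidate in (
        "klmdb42/gklmserver@EXAMPLE.COM",
        "klmdb42/gklmserver.example.com@EXAMPLE.COM",
        "klmdb42/gklmserver@example.com",
        "klmdb42@EXAMPLE.COM",
    ):
        found = check_principal(candidate)
        print(candidate, "->", "OK" if not found else "; ".join(found))
    print(build_principal("klmdb42", "GKLMSERVER.Example.com", "example.com"))
```

Run check_principal against the value you intend to put in the Kerberos configuration before running the scripts: a lowercase realm or a stray second '@' is accepted silently by many tools and only surfaces later as an authentication failure against the KDC.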
The following script files are available in the WAS_HOME\products\sklm\kerberos
directory:

Operating system | Script files
---|---
Windows |
Linux and AIX |