Configuring the loader controller on a Linux® host with IBM® Spectrum Symphony Advanced Edition for a Kerberos-enabled IBM DB2® database server involves generating the keytab file for the database user's principal, creating a JAAS configuration file to be used by the services, and updating the configuration of those services.
Before you begin
- The IBM DB2 database server must be installed and configured on a Linux management host.
- IBM Spectrum Symphony Advanced Edition and Kerberos must be installed and configured on a Linux management host, with the following Kerberos environment configuration:
  - Kerberos authentication must be enabled for the DB2 database server.
  - The krb5.conf and kdc.conf files must have the correct configuration.
  - The generated keytab must not be empty and must have the correct configuration.
  - The Kerberos principal in the keytab file must match the database authentication user. The database authentication user is the user name on the database server that the reporting framework uses to update the database.
Procedure
- Generate the keytab file for the database user's principal, which is defined in Kerberos as db_user/db_host@REALM. Ensure that db_user/db_host matches the user name on the database server:
  - Log in to the Key Distribution Center (KDC) as administrator (kadmin).
  - Generate the keytab file:
    % kadmin
    kadmin> ktadd -k db.keytab dbuserabc/dbhost1@EXAMPLE.COM
    Note: If you use the default JRE that is provided with IBM Spectrum Symphony, or a later version of JRE 1.6, ensure that you include the -e des-cbc-crc:normal setting. Specifically, to generate the keytab, run:
    ktadd -e des-cbc-crc:normal -k db.keytab dbuserabc/dbhost1@EXAMPLE.COM
  - Confirm that the generated keytab is correct. For example:
    % kinit -k -t /tmp/db.keytab dbuserabc/dbhost1@EXAMPLE.COM
    % klist
    The keytab is generated in the specified location.
- Create a JAAS configuration file to be used by the loader controller, purger, and WEBGUI services:
  - Prepare the configuration file (datasource_jaas.conf) and specify the following authentication parameters:
    - debug: Enables or disables debugging.
    - useKeyTab: Whether the Kerberos keytab file is used to acquire authentication credentials.
    - keyTab: Location of the keytab file. Ensure that the file is accessible on all management hosts that run the dbconfig tool and the loader controller, purger, and WEBGUI services. The file must also be readable by the execution user of these services.
    - principal: The database user's principal.
    - doNotPrompt: Whether to suppress prompting the user for input during authentication.
    For example:
    JaasClient
    {
        com.ibm.security.auth.module.Krb5LoginModule required
        debug=false
        credsType=both
        forwardable=true
        proxiable=true
        moduleBanner=false
        useKeytab="file:///tmp/db.keytab"
        principal="dbuserabc/dbhost1@EXAMPLE.COM";
    };
  - Copy the datasource_jaas.conf file to ${PERF_CONFDIR}.
- Update the configuration for the loader controller, purger, and WEBGUI services:
  - Stop the EGO services for the loader controller, purger, and WEBGUI:
    % egosh service stop plc purger WEBGUI
  - Update ${PERF_CONFDIR}/profile.perf (used by the loader controller, purger, and database configuration) to add the JAAS configuration file to the PERF_ENV environment variable. For example:
    JAVA_HOME=""
    PERF_ENV="-DPERF_TOP=${PERF_TOP} -DPERF_CONFDIR=${PERF_CONFDIR} \
    -DPERF_WORKDIR=${PERF_WORKDIR} -DPERF_LOGDIR=${PERF_LOGDIR} \
    -DPERF_DATADIR=${PERF_DATADIR}"
    JAAS_CONF="${PERF_CONFDIR}/datasource_jaas.conf"
    # Pass the JAAS login configuration to the JVM only if the file exists
    if [ -f "${JAAS_CONF}" ]; then
        PERF_ENV="${PERF_ENV} -Djava.security.auth.login.config=${JAAS_CONF}"
    fi
  - To configure Java™ environment options, update the JVM_ARGS parameter in $EGO_CONFDIR/wsm.conf (used by the WEBGUI service) to include the JAAS configuration file:
    - In wsm.conf, locate the line that starts with JVM_ARGS=.
    - At the end of this line, append the option that points to your JAAS configuration file:
      JVM_ARGS="-Djava.security.auth.login.config=file_path/datasource_jaas.conf"
      where file_path is the directory that contains your datasource_jaas.conf file.
  - Update /etc/krb5.conf to add the default_tkt_enctypes and default_tgs_enctypes options. For example:
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd
    default_tgs_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd
    dns_lookup_realm = false
    Note: The des-cbc-* types are single DES. MIT Kerberos 1.8 and later refuse them unless allow_weak_crypto = true is also set in [libdefaults], and MIT Kerberos 1.18 and later no longer support them at all, so check the Kerberos version on the management hosts before relying on these settings.
  - Use the dbconfig tool to configure and verify the database connection parameters.
  - Start the EGO services for the loader controller, purger, and WEBGUI:
    % egosh service start plc purger WEBGUI
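As an added example that is not part of the IBM documentation, the following Python script cross-checks the three pieces the procedure above produces before the services are started again: the keytab (read from the text output of klist -k -e), datasource_jaas.conf and /etc/krb5.conf. It assumes current MIT Kerberos klist output (enctype short names in parentheses), the IBM Krb5LoginModule option names shown in the JAAS example, and that the database authentication user is given in db_user/db_host form; the sample inputs at the bottom are constructed.

```python
# Added example, not IBM's code. Assumes MIT `klist -k -e` output with enctype
# short names in parentheses, and the IBM Krb5LoginModule option names used above.
import re
from urllib.parse import urlparse
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def parse_jaas(text):
    """option=value pairs of the login module entry, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+?)(?=\s|;)', text)}

def parse_klist(text):
    """(principal, enctype) pairs from `klist -k -e` output."""
    return re.findall(r'^\s*\d+\s+(\S+)\s+\((\S+)\)', text, re.M)

def libdefault(text, key):
    """Value of `key` in the [libdefaults] section of krb5.conf, or ''."""
    sec = re.search(r'\[libdefaults\](.*?)(?=^\[|\Z)', text, re.S | re.M)
    m = sec and re.search(rf'^\s*{key}\s*=\s*(.+)$', sec.group(1), re.M)
    return m.group(1).strip() if m else ""

def preflight(jaas_text, klist_text, krb5_text, db_auth_user):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems, jaas, entries = [], parse_jaas(jaas_text), parse_klist(klist_text)
    principal = jaas.get("principal", "")
    url = urlparse(jaas.get("useKeytab", ""))
    if url.scheme != "file" or not url.path.startswith("/"):
        problems.append("useKeytab must be an absolute file:/// URL")
    if principal.split("@")[0] != db_auth_user:  # db_user/db_host must equal the DB user
        problems.append("principal does not match the database authentication user")
    my_types = {e for p, e in entries if p == principal}
    if not my_types:
        problems.append("keytab is empty" if not entries else "principal has no key in the keytab")
    allowed = set(libdefault(krb5_text, "default_tkt_enctypes").split())
    if allowed and my_types and not my_types & allowed:
        problems.append("no keytab enctype is listed in default_tkt_enctypes")
    if my_types & SINGLE_DES and libdefault(krb5_text, "allow_weak_crypto") != "true":
        problems.append("single-DES key: MIT krb5 1.8+ also needs allow_weak_crypto = true")
    return problems

# Constructed sample inputs mirroring the values used on this page.
JAAS_CONF = ('JaasClient {\n com.ibm.security.auth.module.Krb5LoginModule required\n'
             ' debug=false\n useKeytab="file:///tmp/db.keytab"\n'
             ' principal="dbuserabc/dbhost1@EXAMPLE.COM"; };')
KLIST_OUT = ("Keytab name: FILE:/tmp/db.keytab\nKVNO Principal\n---- ----\n"
             "   2 dbuserabc/dbhost1@EXAMPLE.COM (des-cbc-crc) \n")
KRB5_CONF = ("[libdefaults]\n default_realm = EXAMPLE.COM\n"
             " default_tkt_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd\n"
             " allow_weak_crypto = true\n[realms]\n EXAMPLE.COM = {}\n")
```

In practice, feed preflight() the real files and the captured output of klist -k -e /tmp/db.keytab; an empty result means the principal, keytab key and enctype settings line up before egosh service start is run.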