Configuring the loader controller on Linux for Kerberos-enabled DB2

Configuring the loader controller on a Linux® host with IBM® Spectrum Symphony Advanced Edition for a Kerberos-enabled IBM DB2® database server involves generating the keytab file for the database user's principal, creating a JAAS configuration file to be used by services, and updating the configuration for these services.

Before you begin

  • The IBM DB2 database server must be installed and configured on a Linux management host.
  • IBM Spectrum Symphony Advanced Edition and Kerberos must be installed and configured on a Linux management host, with the following Kerberos environment configuration:
    • Kerberos authentication must be enabled for the DB2 database server.
    • The krb5.conf and kdc.conf files must be correctly configured.
    • The generated keytab must not be empty and must contain a key for the correct principal.
    • The Kerberos principal in the keytab file must match the database authentication user. The database authentication user is the user name on the database server that the reporting framework uses to update the database.

Procedure

  1. Generate the keytab file for the database user's principal, which is defined in Kerberos as db_user/db_host@REALM. Ensure that this principal maps to the database authentication user on the database server:
    1. Log in to the Key Distribution Center (KDC) as administrator (kadmin).
    2. Generate the keytab file. Note that ktadd assigns the principal a new random key and increments its key version number, so any keytab that was generated earlier for this principal stops working:
      % kadmin
      kadmin> ktadd -k /tmp/db.keytab dbuserabc/dbhost1@EXAMPLE.COM
      Note: If you use the default JRE that is provided with IBM Spectrum Symphony, or a later JRE 1.6 release, the keytab must contain a single-DES (des-cbc-crc) key, so include the -e des-cbc-crc:normal setting. Specifically, to generate the keytab, run:
      ktadd -e des-cbc-crc:normal -k /tmp/db.keytab dbuserabc/dbhost1@EXAMPLE.COM
      Single DES is retired by RFC 6649, and MIT Kerberos 1.8 and later refuses to create or use DES keys unless allow_weak_crypto = true is set in the [libdefaults] section of krb5.conf (on the KDC host as well as on the clients, because kadmin and the KDC read the same setting). Use this option only for that legacy JRE.
    3. Confirm that the keytab works by using it to obtain a ticket, then list the ticket cache. For example:
      % kinit -k -t /tmp/db.keytab dbuserabc/dbhost1@EXAMPLE.COM
      % klist

      If kinit succeeds, klist shows a ticket-granting ticket for dbuserabc/dbhost1@EXAMPLE.COM. Run this check on a management host as the execution user of the loader controller, so that it also confirms that this user can read the keytab.

  2. Create a JAAS configuration file that will be used by the loader controller, purger, and WEBGUI services:
    1. Prepare the configuration file (datasource_jaas.conf) to specify the following authentication parameters of the IBM Krb5LoginModule:
      • debug: Enables or disables debugging output from the login module.
      • useKeytab: Location of the keytab file, given as a file: URL. Use an absolute URL (file:///path/to/db.keytab): a relative URL such as file:tmp/db.keytab is resolved against the working directory of each service, which differs between the loader controller, purger, and WEBGUI. Ensure that the file is accessible on all management hosts that run the dbconfig tool, the loader controller, purger, and WEBGUI services. The file must be readable by the execution user of these services and by nobody else (mode 0400): a keytab holds the principal's long-term key, so anyone who can read it can authenticate as the database user. On a production host, do not leave it in a world-writable directory such as /tmp.
      • principal: Database user's principal. It must match an entry in the keytab.
      • credsType: Type of credentials to acquire; both means the credentials can be used as initiator and as acceptor.
      If you use the Oracle or OpenJDK login module (com.sun.security.auth.module.Krb5LoginModule) instead, the equivalent options are useKeyTab=true, keyTab=<path>, and doNotPrompt=true (fail instead of prompting for a password when the keytab does not yield credentials).
        For example:
        JaasClient
        {
                com.ibm.security.auth.module.Krb5LoginModule required
                debug=false
                credsType=both
                forwardable=true
                proxiable=true
                moduleBanner=false
                useKeytab="file:///tmp/db.keytab"
                principal="dbuserabc/dbhost1@EXAMPLE.COM"; };
        
    2. Copy the datasource_jaas.conf file to ${PERF_CONFDIR}, the directory that profile.perf references in the next step.
  3. Update the configuration for the loader controller, purger, and WEBGUI services:
    1. Stop EGO services for the loader controller, purger, and WEBGUI:
      % egosh service stop plc purger WEBGUI
    2. Update ${PERF_CONFDIR}/profile.perf (used by the loader controller, purger, and database configuration) to add the JAAS configuration file to the PERF_ENV environment variable through the java.security.auth.login.config system property. For example:
      JAVA_HOME=""
      PERF_ENV="-DPERF_TOP=${PERF_TOP} -DPERF_CONFDIR=${PERF_CONFDIR} \
      -DPERF_WORKDIR=${PERF_WORKDIR} -DPERF_LOGDIR=${PERF_LOGDIR} \
      -DPERF_DATADIR=${PERF_DATADIR}"

      # Point the JVM at the JAAS configuration only when the file exists.
      JAAS_CONF="${PERF_CONFDIR}/datasource_jaas.conf"
      if [ -f "${JAAS_CONF}" ]; then
       PERF_ENV="${PERF_ENV} -Djava.security.auth.login.config=${JAAS_CONF}"
      fi
    3. To configure Java™ environment options for the WEBGUI service, update the JVM_ARGS parameter in $EGO_CONFDIR/wsm.conf to include the JAAS configuration file.
      1. In wsm.conf, locate the line starting with JVM_ARGS=.
      2. Append the java.security.auth.login.config property to the value of that line, inside the quotation marks and after any options that are already set:
        JVM_ARGS="<existing options> -Djava.security.auth.login.config=file_path/datasource_jaas.conf"

        where <existing options> stands for the options already present on the line and file_path specifies the location of your datasource_jaas.conf file (the directory to which you copied it in step 2).

    4. Update /etc/krb5.conf so that the enctypes the client requests match the keys in the keytab, by adding the default_tkt_enctypes and default_tgs_enctypes options to the [libdefaults] section. For a keytab that was generated with -e des-cbc-crc:normal in step 1, for example:
      [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd
        default_tgs_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd
        dns_lookup_realm = false

      Note: MIT Kerberos 1.8 and later filters the single-DES enctypes out of these lists unless allow_weak_crypto = true is also set in [libdefaults], and the KDC issues DES tickets only under the same setting. Keep this configuration only as long as the legacy JRE requires it.
    5. Use the dbconfig tool to configure and verify the database connection parameters:
      • User ID: Not used for Kerberos authentication, but must not be empty. Set to none.
      • Password: Not used for Kerberos authentication, but must not be empty. Set to none.
      • Cipher: Leave at the default (DES56).
      • JDBC driver: Set to com.ibm.db2.jcc.DB2Driver.
      • JDBC URL: Set to jdbc:db2://host[:port]/databaseName:securityMechanism=11; (securityMechanism 11 selects Kerberos security in the IBM Data Server Driver for JDBC, so the driver authenticates with the ticket obtained through the JAAS configuration rather than with the user ID and password).

        In case of connection issues, set debug=true in the JAAS configuration file and restart the services to view additional debugging information from the login module. Set it back to false afterward, because the debug output includes details of the principal, keytab, and tickets.

    6. Start EGO services for the loader controller, purger, and WEBGUI:
      % egosh service start plc purger WEBGUI
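The checks a practitioner would run before restarting the services, as an added example (a shell script written for this page, not code from the IBM Spectrum Symphony product or its documentation): it confirms that the useKeytab URL in datasource_jaas.conf is absolute, that the keytab is readable only by its owner, that the principal named in the JAAS file has an entry in the keytab (when klist is installed), and it warns when krb5.conf still enables single-DES enctypes. It assumes the IBM Krb5LoginModule option names shown above (useKeytab, principal) and GNU stat on Linux; the JAAS file, placeholder keytab, and krb5.conf it writes to a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not IBM product code): pre-flight checks for the
# keytab, datasource_jaas.conf and krb5.conf used by the loader controller,
# purger and WEBGUI services. Assumes the IBM Krb5LoginModule option names
# shown on this page (useKeytab="file:///...", principal="...") and GNU stat.

# Print the value of one option from the JAAS file, quotes and ';' removed.
jaas_option() {   # $1 = JAAS file, $2 = option name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\";]*\).*/\1/p" "$1" | head -n 1
}

# Turn the useKeytab URL into a local path. A relative URL (file:tmp/db.keytab)
# stays relative so the caller can reject it: it would resolve against the
# working directory of each service, which differs between services.
keytab_path() {   # $1 = useKeytab value
    printf '%s\n' "$1" | sed -e 's#^file:##' -e 's#^//##'
}

# 0 when the keytab is a regular file readable by its owner only (0400/0600).
# The keytab holds the principal's long-term key, so group/other read access
# lets any local user authenticate as the database user.
check_keytab_mode() {   # $1 = keytab path
    [ -f "$1" ] || return 1
    case "$(stat -c %a "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 when krb5.conf requests a single-DES enctype (des-cbc-*; 3DES does not
# match). RFC 6649 retires single DES and MIT Kerberos 1.8+ honours it only
# with allow_weak_crypto = true, so this is worth a warning.
has_weak_enctypes() {   # $1 = krb5.conf path
    grep -Eq '^[[:space:]]*default_(tkt|tgs)_enctypes[[:space:]]*=.*[[:space:]=]des-cbc-' "$1"
}

# 0 when the principal has an entry in the keytab (uses klist -k from the
# Kerberos client tools; the driver skips this check when klist is absent).
principal_in_keytab() {   # $1 = keytab path, $2 = principal
    klist -k "$1" 2>/dev/null | grep -q "[[:space:]]$2\$"
}

# Run all checks; the return value is the number of failed checks, so the
# function can gate a deployment script ("preflight ... || exit").
preflight() {   # $1 = JAAS file, $2 = krb5.conf path
    failures=0
    principal=$(jaas_option "$1" principal)
    keytab=$(keytab_path "$(jaas_option "$1" useKeytab)")
    case "$keytab" in
        /*) ;;
        *)  echo "FAIL: useKeytab must be an absolute file:/// URL, got '$keytab'"
            failures=$((failures + 1)) ;;
    esac
    if check_keytab_mode "$keytab"; then
        echo "ok:   $keytab is readable by its owner only"
    else
        echo "FAIL: $keytab is missing or readable by group/other (chmod 0400 it)"
        failures=$((failures + 1))
    fi
    if has_weak_enctypes "$2"; then
        echo "WARN: $2 enables single-DES enctypes; keep them only while the legacy JRE 1.6 needs them"
    fi
    if command -v klist >/dev/null 2>&1 && [ -f "$keytab" ]; then
        if principal_in_keytab "$keytab" "$principal"; then
            echo "ok:   $principal has an entry in $keytab"
        else
            echo "FAIL: $principal has no entry in $keytab"
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}

# Constructed sample inputs (no real credentials): the page's JAAS settings,
# a placeholder keytab left world-readable, and the page's krb5.conf enctypes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/datasource_jaas.conf" <<EOF
JaasClient
{
        com.ibm.security.auth.module.Krb5LoginModule required
        debug=false
        credsType=both
        useKeytab="file://$demo_dir/db.keytab"
        principal="dbuserabc/dbhost1@EXAMPLE.COM"; };
EOF
printf 'placeholder, not a real keytab\n' > "$demo_dir/db.keytab"
chmod 644 "$demo_dir/db.keytab"
printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n' > "$demo_dir/krb5.conf"
printf '  default_tkt_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd\n' >> "$demo_dir/krb5.conf"
printf '  default_tgs_enctypes = des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1-kd\n' >> "$demo_dir/krb5.conf"

preflight "$demo_dir/datasource_jaas.conf" "$demo_dir/krb5.conf" || echo "failures: $?"
chmod 400 "$demo_dir/db.keytab"    # the fix for the mode finding
preflight "$demo_dir/datasource_jaas.conf" "$demo_dir/krb5.conf" || echo "failures after chmod 0400: $?"
```

For a real installation, run preflight as the execution user of the services against ${PERF_CONFDIR}/datasource_jaas.conf and /etc/krb5.conf on every management host that runs the loader controller, purger, or WEBGUI. The placeholder keytab in the demo is not a real keytab, so on a host with klist installed the principal check reports a failure; with the keytab from step 1 it passes, and klist -k -t -e /tmp/db.keytab shows the key version numbers and enctypes it holds, which must include one the JRE supports.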