Enabling Kerberos for the IBM® Db2 Warehouse image container

In Db2® Warehouse, Kerberos can be used with Microsoft Active Directory. By enabling Kerberos for the image container, you enable Kerberos for the web console.

Before you begin

  1. Set up an Active Directory server. In the following procedure, you specify this Active Directory server as the Kerberos server.
  2. Ensure that all the node hosts are defined in their own and each other's /etc/hosts files as described in IBM Db2 Warehouse prerequisites.
  3. Synchronize the system clocks of the node hosts and the Active Directory server.

Procedure

  1. On the Active Directory server, create a user account for each node host to represent that node. Fill in only the Full name and User logon name (SamAccountName) fields.
  2. For each Db2 Warehouse node host, generate a krb5.keytab file by issuing the following command on the system that is to host the Active Directory server:
    ktpass /princ db2inst1/host_name@uppercase_realm /pass password /mapuser node_AD_account@realm /ptype KRB5_NT_PRINCIPAL /out krb5.keytab
    where:
    • host_name represents the name of the node host that is specified in the file /mnt/blumeta0/nodes.json.
    • node_AD_account represents one of the accounts created in the previous step.
    For example:
    ktpass /princ db2inst1/user1.test.ibm.com@TEST.IBM.COM /pass 1qaz!QAZ2wsx@WSX /mapuser user1principal@TEST.IBM.COM /ptype KRB5_NT_PRINCIPAL /out krb5.keytab
  3. On each Db2 Warehouse node host, copy the krb5.keytab file to the /etc folder inside the container by issuing the following command:
    docker cp krb5.keytab container_name:/etc
    For example:
    docker cp krb5.keytab Db2wh:/etc
  4. On the Active Directory server, create two accounts with the names db2inst1 and dsadm, and add them to the bluadmin group. For more information, see Setting up a Microsoft Active Directory server.
  5. On the Active Directory server, issue the following commands to generate db2inst1.keytab and dsadm.keytab files for the db2inst1 and dsadm principals:
    ktpass /princ db2inst1@realm /pass password /ptype KRB5_NT_PRINCIPAL /out db2inst1.keytab
    ktpass /princ dsadm@realm /pass password /ptype KRB5_NT_PRINCIPAL /out dsadm.keytab
    For example:
    ktpass /princ db2inst1@TEST.IBM.COM /pass temp4now123 /ptype KRB5_NT_PRINCIPAL /out db2inst1.keytab
    ktpass /princ dsadm@TEST.IBM.COM /pass temp4now123 /ptype KRB5_NT_PRINCIPAL /out dsadm.keytab
  6. On each node host, issue the following commands to copy the db2inst1.keytab and dsadm.keytab files to the /etc folder inside the container:
    docker cp db2inst1.keytab container_name:/etc
    docker cp dsadm.keytab container_name:/etc
    For example:
    docker cp db2inst1.keytab Db2wh:/etc
    docker cp dsadm.keytab Db2wh:/etc
  7. Configure Kerberos in one of the following ways:
    • As root, issue the following command on the head node host:
      docker exec -it Db2wh configure_kerberos -d domain -n Kerberos_server_name
      For example:
      docker exec -it Db2wh configure_kerberos -d TEST.IBM.COM -n Db2wh-test-2018-04
      To confirm that you enabled Kerberos, check the /var/log/enable_kerberos.log file.
    • Use the web console:
      1. Click SETTINGS > External User Management. The Kerberos button should be enabled.
      2. Enter the host name, host domain, and password, and click Save.
      3. To monitor the progress, check the /var/log/enable_kerberos.log file from inside the container.
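As an added check before step 3 (this is example code written for this page, not part of the IBM procedure or the Db2 Warehouse image): a small Python reader for the standard 0x0502 keytab layout that reports any entry in krb5.keytab that does not follow the db2inst1/host_name@UPPERCASE_REALM form produced by the ktpass command in step 2. It assumes you pass the host names from /mnt/blumeta0/nodes.json as a set (no format for that file is assumed), and build_keytab only constructs offline test input with placeholder key bytes.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1       # the /ptype used in the ktpass commands above

def _cstr(b: bytes) -> bytes:  # counted_octet_string: uint16 big-endian length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(principals, realm):
    """Constructed test keytab; the 32 zero bytes stand in for real AD key material."""
    out = bytearray(KEYTAB_MAGIC)
    for comps in principals:
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, 1)  # name type, timestamp, vno8
        body += struct.pack(">H", 18) + _cstr(b"\x00" * 32)  # keyblock: aes256 enctype id
        out += struct.pack(">i", len(body)) + body           # entry length prefix
    return bytes(out)

def read_principals(data: bytes):
    """Return (realm, components, name_type) for every live entry in a keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative length marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            p, strings = pos + 2, []
            for _ in range(ncomp + 1):  # realm first, then the ncomp name components
                (n,) = struct.unpack_from(">H", data, p)
                strings.append(data[p + 2:p + 2 + n].decode())
                p += 2 + n
            entries.append((strings[0], strings[1:], struct.unpack_from(">I", data, p)[0]))
        pos += abs(size)
    return entries

def check_node_keytab(data: bytes, expected_hosts):
    """Flag entries that break the db2inst1/host_name@UPPERCASE_REALM convention."""
    problems = []
    for realm, comps, name_type in read_principals(data):
        name = "/".join(comps) + "@" + realm
        if realm != realm.upper():
            problems.append(f"{name}: realm must be uppercase")
        if len(comps) != 2 or comps[0] != "db2inst1" or comps[1] not in expected_hosts:
            problems.append(f"{name}: expected db2inst1/<host name from nodes.json>")
        if name_type != KRB5_NT_PRINCIPAL:
            problems.append(f"{name}: name type is not KRB5_NT_PRINCIPAL")
    return problems
```

Run check_node_keytab over the bytes of the real krb5.keytab on each node host; an empty list means the principal matches what Kerberos will look for when the container authenticates.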