Configuring the application server and Db2 to authenticate with Kerberos

The Kerberos authentication mechanism can be used when both WebSphere® Application Server and the DB2 Server are configured for Kerberos authentication. Kerberos authentication provides an end-to-end, interoperable single sign-on (SSO) solution and preserves the identity of the original requester.

Before you begin

You can configure a Db2 data source and the application server to interoperate by using delegated end-to-end Kerberos credentials for database access by an application. Two different options are available to set up this configuration.

  • Option 1: Enable Db2 Kerberos authentication with credentials that are delegated from the application server.
  • Option 2: Enable Db2 Kerberos authentication with credentials that are specified in a J2C authentication alias, which the Db2 JDBC driver uses to obtain its own Kerberos credentials.

To enable option 1, you must configure both Db2 and the application server to use Kerberos as the authentication mechanism. To learn how to set up Kerberos as the authentication mechanism in this version of the application server, see the following topic: Kerberos (KRB5) authentication mechanism support for security.

[9.0.5.11 or later] Tip: You can use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the krb5RecoveryPrincipal custom property in your data source configuration. For more information, see Table 1.

The test connection service of the application server cannot supply delegated Kerberos credentials to the data source. Situations might also exist where the application server security component is unable to supply delegated Kerberos credentials for a connection request, including during recovery of failed XA transactions. To account for these cases, you can configure a Db2 connection by using option 2. For this option, a user ID and password must be supplied to the JDBC driver, and the driver uses them to obtain its own Kerberos credentials. To use this option, you must configure a J2C authentication data alias on the application server. This alias defines the user ID and password that the Db2 JDBC driver uses to request a Kerberos Ticket Granting Ticket (TGT). The TGT is then used for Kerberos authentication to the DB2 Server. To the application server, this configuration looks like typical user ID and password authentication.

You must use a Db2 JDBC driver that supports Kerberos authentication and is operating in type 4 mode. The supported JDBC driver is the IBM Data Server Driver for JDBC and SQLJ, which is identified in the application server as Db2 using IBM JCC Driver.

About this task

Use the following steps to configure the application server and Db2 to authenticate with Kerberos:

Procedure

  1. Configure the DB2 Server for Kerberos authentication.
    Refer to Db2 Kerberos security documentation in the Db2 documentation, for example, the Kerberos authentication details topic. Verify that Db2 Kerberos authentication is working.
  2. Configure the application server to use Kerberos security.
    For more information, see the following topic: Configuring Kerberos as the authentication mechanism using the administrative console. Verify that application server Kerberos authentication is working.
  3. Configure the Db2 data source in the application server to use Kerberos authentication.
    1. Add or edit the datasource properties listed in Table 1 to allow the datasource to use Kerberos authentication and to pass Kerberos credentials to the JDBC driver.
      For more information, see the Configuring a data source using the administrative console topic.
    2. For option 2, set the Mapping-configuration alias option to DefaultPrincipalMapping, or another login configuration that does not generate credentials. Set the Container-managed authentication alias option to reference an alias to use for Kerberos login by the JDBC driver.
      If no component-managed authentication alias is configured, the test connection service also uses this alias.
    3. For option 1, delegated Kerberos credentials, set the Mapping-configuration alias option to KerberosMapping.
      This configuration indicates that the resource adapter in the application server must provide delegated credentials to the Db2 JDBC driver. The test connection service is not able to supply delegated Kerberos credentials, but it can revert to option 2 authentication. If you do not need this fallback, you can select none for each of the authentication aliases. If test connection is used and a valid authentication alias is configured, an informational message, DSRA8221I, is logged. This message indicates that test connection is not able to offer Kerberos credentials. If no alias is configured, the test connection service fails and a Kerberos invalid credentials error is reported by the JDBC driver.
      Important: If Kerberos mapping is configured, but the security component cannot provide credentials for a connection request, you can configure the resource adapter to revert to connection authentication by using DefaultPrincipalMapping. To configure this fallback, select an alias from the container-managed authentication alias list. To disable this fallback, select none from the container-managed authentication alias list.
  4. To enable Kerberos mapping (option 1), you also must specify container-managed authentication. To specify container-managed authentication, the application must use a resource reference to look up the data source.
    The resource reference must specify KerberosMapping as the login configuration. For application access through that resource reference, the specified login configuration takes precedence over the mapping-configuration alias that is specified on the data source. A container-managed authentication alias can also be specified on the resource reference.
    Table 1. Custom properties and values for Kerberos authentication of a Db2 data source. The following table lists the custom security properties for Kerberos authentication with a Db2 data source that you can configure from the administrative console or by wsadmin scripting. Properties marked [9.0.5.11 or later] are available only in that version of the application server or later.

    Name: kerberosServerPrincipal
      Type: java.lang.String
      Value: "" (for example, user@REALM or service_name/hostname@REALM)
      Description: This property specifies the principal name that the database server registers with a Kerberos Key Distribution Center (KDC).

    Name: SecurityMechanism
      Type: java.lang.String
      Value: "11"
      Description: This property specifies Kerberos authentication. A value of 11 for this property indicates that the JDBC driver must use Kerberos authentication when it connects to the DB2 Server.

    Name: krb5RecoveryPrincipal [9.0.5.11 or later]
      Type: java.lang.String
      Value: ""
      Description: This property specifies the Kerberos principal that is used for XA recovery. If neither the krb5RecoveryKeytab nor the krb5RecoveryCCache property is specified, the operating system default credential cache (ccache) is checked for credentials.

    Name: krb5RecoveryKeytab [9.0.5.11 or later]
      Type: java.lang.String
      Value: ""
      Description: This property specifies the location of the Kerberos keytab file with credentials for the recovery principal. If the krb5RecoveryCCache property is also specified, this property is ignored.

    Name: krb5RecoveryCCache [9.0.5.11 or later]
      Type: java.lang.String
      Value: ""
      Description: This property specifies the location of the Kerberos credential cache file with credentials for the recovery principal.
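As an added example (not IBM's code and not part of this topic), the following Python script checks a set of Table 1 property values against the rules the table states (SecurityMechanism must be 11, the server principal must have one of the two documented forms, a credential cache takes precedence over a keytab, and the operating system default ccache is used when neither is given) and then emits the wsadmin Jython commands that would create those values as custom properties on a data source. The data source configuration path, the principal names and the file paths are constructed sample values, and the AdminConfig.getid / showAttribute / create call pattern for J2EEResourceProperty objects is assumed, not taken from this page.

```python
# Added example; this is not IBM's code. It checks the Table 1 custom
# properties of a Db2 data source against the rules stated on this page and
# builds the J2EEResourceProperty attribute lists that a wsadmin Jython script
# passes to AdminConfig.create(). The data source path and property values in
# SAMPLE_PROPERTIES are constructed for illustration.
import re

# Principal forms given in Table 1: user@REALM or service_name/hostname@REALM
_PRINCIPAL_RE = re.compile(r'^[^@/\s]+(?:/[^@/\s]+)?@[A-Za-z0-9.\-]+$')

# Property names from Table 1, in table order. The krb5Recovery* properties
# require application server 9.0.5.11 or later.
RECOVERY_PROPERTIES = ('krb5RecoveryPrincipal', 'krb5RecoveryKeytab',
                       'krb5RecoveryCCache')
KERBEROS_PROPERTIES = ('kerberosServerPrincipal',
                       'SecurityMechanism') + RECOVERY_PROPERTIES

# Constructed sample: an option 1 data source with XA recovery from a keytab.
SAMPLE_DATASOURCE_PATH = ('/Cell:cell01/Node:node01/JDBCProvider:'
                          'Db2 using IBM JCC Driver (XA)/DataSource:PayrollDS/')
SAMPLE_PROPERTIES = {
    'kerberosServerPrincipal': 'db2inst1/db2host.example.com@EXAMPLE.COM',
    'SecurityMechanism': '11',
    'krb5RecoveryPrincipal': 'wasrecovery@EXAMPLE.COM',
    'krb5RecoveryKeytab': '/opt/IBM/WebSphere/keytabs/wasrecovery.keytab',
}


def validate_kerberos_properties(props):
    """Return findings as 'error: ...' or 'warning: ...' strings; [] means OK."""
    findings = []
    principal = props.get('kerberosServerPrincipal', '')
    if not principal:
        findings.append('error: kerberosServerPrincipal is required')
    elif not _PRINCIPAL_RE.match(principal):
        findings.append('error: kerberosServerPrincipal %r is not of the form '
                        'user@REALM or service_name/hostname@REALM' % principal)
    # Table 1: a value of 11 selects Kerberos authentication in the JDBC driver.
    if props.get('SecurityMechanism') != '11':
        findings.append('error: SecurityMechanism must be "11" for Kerberos '
                        'authentication (got %r)' % props.get('SecurityMechanism'))
    # Table 1: when krb5RecoveryCCache is set, krb5RecoveryKeytab is ignored.
    if props.get('krb5RecoveryKeytab') and props.get('krb5RecoveryCCache'):
        findings.append('warning: krb5RecoveryKeytab is ignored because '
                        'krb5RecoveryCCache is also specified')
    return findings


def recovery_credential_source(props):
    """Where the driver looks for the XA recovery principal's credentials,
    following the precedence in Table 1. None when no recovery principal is set."""
    if not props.get('krb5RecoveryPrincipal'):
        return None
    if props.get('krb5RecoveryCCache'):
        return 'ccache:' + props['krb5RecoveryCCache']   # keytab is ignored
    if props.get('krb5RecoveryKeytab'):
        return 'keytab:' + props['krb5RecoveryKeytab']
    return 'default-ccache'   # operating system default credential cache


def to_wsadmin_attributes(props):
    """One AdminConfig attribute list per set property, in Table 1 order."""
    return [[['name', name], ['type', 'java.lang.String'], ['value', props[name]]]
            for name in KERBEROS_PROPERTIES if props.get(name)]


def wsadmin_script(datasource_path, props):
    """Jython text for wsadmin that adds the properties to the data source's
    property set. Assumption: the usual AdminConfig.getid / showAttribute /
    create pattern for J2EEResourceProperty objects; a property that already
    exists should be changed with AdminConfig.modify rather than created again."""
    findings = validate_kerberos_properties(props)
    if any(f.startswith('error:') for f in findings):
        raise ValueError('; '.join(findings))
    lines = ['ds = AdminConfig.getid(%r)' % datasource_path,
             "propSet = AdminConfig.showAttribute(ds, 'propertySet')"]
    for attrs in to_wsadmin_attributes(props):
        lines.append("AdminConfig.create('J2EEResourceProperty', propSet, %r)"
                     % (attrs,))
    lines.append('AdminConfig.save()')
    return '\n'.join(lines)


if __name__ == '__main__':
    for finding in validate_kerberos_properties(SAMPLE_PROPERTIES):
        print(finding)
    print('recovery credentials:', recovery_credential_source(SAMPLE_PROPERTIES))
    print(wsadmin_script(SAMPLE_DATASOURCE_PATH, SAMPLE_PROPERTIES))
```

Run it with a normal Python interpreter to review the generated commands before pasting them into a wsadmin session; the script refuses to emit commands when a Table 1 rule is violated, and it reports the keytab-versus-ccache precedence as a warning because the configuration still works, just not the way the keytab setting suggests.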