Deploying a Kerberos plug-in

To customize the Kerberos authentication behavior of the Db2® security system, you can develop your own Kerberos authentication plug-ins or purchase one from a third party.

Before you begin

If you want to deploy a new version of an existing plug-in, you must stop the Db2 server and any applications using the plug-in. Undefined behaviors, including traps, occur if a process is using a plug-in when you deploy a new version of that plug-in (with the same name).

About this task

The Kerberos authentication plug-in can be deployed on a database server or a database client.

Procedure

  • To deploy a Kerberos authentication plug-in on the database server, perform the following steps on the server:
    1. Copy the Kerberos authentication plug-in library into the server plug-in directory.
    2. Update the setting of the srvcon_gssplugin_list database manager configuration parameter, which is an ordered, comma-delimited list, to include the Kerberos server plug-in name. Exactly one plug-in in this list can be a Kerberos plug-in: if the list contains no Kerberos plug-in, or more than one, an error is returned. If the configuration parameter value is blank and the authentication configuration parameter is set to KERBEROS or KRB_SERVER_ENCRYPT, the default Db2 Kerberos plug-in, IBMkrb5, is used.
    3. If necessary, set the value of the srvcon_auth database manager configuration parameter.
      If you want to deploy a Kerberos plug-in, the acceptable values for the srvcon_auth database manager configuration parameter are as follows:
      • KERBEROS
      • KRB_SERVER_ENCRYPT
      • GSSPLUGIN
      • GSS_SERVER_ENCRYPT
      • Blank, but only if the authentication configuration parameter is set to one of the previous values in this list.
  • To deploy a Kerberos authentication plug-in on a database client, perform the following steps on the client:
    1. Copy the Kerberos authentication plug-in library into the client plug-in directory.
    2. Set the clnt_krb_plugin database manager configuration parameter to the name of the Kerberos plug-in. If the value of the clnt_krb_plugin configuration parameter is blank, the client cannot use Kerberos authentication. On Windows, the default value is IBMkrb5 and only needs to be changed for a customized Kerberos plug-in. On UNIX, the default value is blank, so the value must be set.
    3. Optional: Catalog the databases that the client will access, indicating that the client will use only a Kerberos authentication plug-in. The following example catalogs the testdb database:
      CATALOG DB testdb AT NODE testnode AUTHENTICATION KERBEROS
              TARGET PRINCIPAL service/host@REALM
  • For local authorization on a client, server, or gateway using a Kerberos authentication plug-in, perform the following steps:
    1. Copy the Kerberos authentication plug-in library into the client plug-in directory on the client, server, or gateway.
    2. Set the clnt_krb_plugin database manager configuration parameter to the name of the plug-in.
    3. Set the authentication database manager configuration parameter to KERBEROS or KRB_SERVER_ENCRYPT.
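The following added example (not IBM's code) checks the server and client settings from the procedure above before the plug-in is deployed: it parses the text that `db2 get dbm cfg` prints, then applies the page's rules about srvcon_auth, srvcon_gssplugin_list and clnt_krb_plugin. It assumes the parenthesised parameter names in that output, that a blank srvcon_auth is displayed as NOT_SPECIFIED, and that the caller tells it which library names are Kerberos plug-ins (Db2 itself decides this by loading the library); the sample output is constructed.

```python
import re

# Values the procedure allows for srvcon_auth (or for authentication when srvcon_auth is blank).
SERVER_AUTH_OK = {"KERBEROS", "KRB_SERVER_ENCRYPT", "GSSPLUGIN", "GSS_SERVER_ENCRYPT"}
KERBEROS_AUTH = {"KERBEROS", "KRB_SERVER_ENCRYPT"}
DEFAULT_KRB_PLUGIN = "IBMkrb5"


def parse_dbm_cfg(text):
    """Map the parenthesised parameter names in GET DBM CFG output to their values."""
    cfg = {}
    for line in text.splitlines():
        m = re.search(r"\((\w+)\)\s*=\s*(.*)$", line)
        if m:
            cfg[m.group(1).upper()] = m.group(2).strip()
    return cfg


def check_server(cfg, kerberos_plugins=(DEFAULT_KRB_PLUGIN,)):
    """Return the problems found in the server settings; an empty list means they are consistent.

    kerberos_plugins lists the libraries known to be Kerberos plug-ins (assumption: a custom
    plug-in such as 'mykrb5' must be named here, since only Db2 can tell by loading it).
    """
    problems = []
    srvcon = cfg.get("SRVCON_AUTH", "").upper()
    # srvcon_auth may be blank (shown as NOT_SPECIFIED) only if authentication carries the value.
    auth = cfg.get("AUTHENTICATION", "").upper() if srvcon in ("", "NOT_SPECIFIED") else srvcon
    if auth not in SERVER_AUTH_OK:
        problems.append(f"srvcon_auth/authentication is '{auth or 'blank'}', not one of {sorted(SERVER_AUTH_OK)}")
    listed = [p.strip() for p in cfg.get("SRVCON_GSSPLUGIN_LIST", "").split(",") if p.strip()]
    if not listed and cfg.get("AUTHENTICATION", "").upper() in KERBEROS_AUTH:
        listed = [DEFAULT_KRB_PLUGIN]  # blank list: Db2 falls back to IBMkrb5
    krb = [p for p in listed if p in kerberos_plugins]
    if len(krb) != 1:  # no Kerberos plug-in, or more than one, is an error
        problems.append(f"srvcon_gssplugin_list must name exactly one Kerberos plug-in, found {krb or 'none'}")
    return problems


def check_client(cfg):
    """A blank clnt_krb_plugin (the UNIX default) means the client cannot use Kerberos."""
    return [] if cfg.get("CLNT_KRB_PLUGIN") else ["clnt_krb_plugin is blank; client cannot use Kerberos"]


# Constructed sample of GET DBM CFG output (not captured from a real instance):
# a custom plug-in 'mykrb5' was added next to IBMkrb5, and the client plug-in is unset.
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = KERBEROS
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) = IBMkrb5,mykrb5
 Client Kerberos Plugin                (CLNT_KRB_PLUGIN) =
"""
```

Declaring 'mykrb5' as a Kerberos plug-in makes the check flag the two-plug-in list; with only IBMkrb5 declared, the second entry is treated as an ordinary GSS-API plug-in and passes.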