To customize the DB2® security
system's Kerberos authentication behavior, you can develop your own
Kerberos authentication plug-ins or buy one from a third party. Note
that the Kerberos security plug-in will not support IPv6.
Before you begin
Note: You must stop the DB2 server
or any applications using the plug-ins before you deploy a new version
of an existing plug-in. Undefined behavior, including traps,
will occur if a process is still using a plug-in when a new version
(with the same name) is copied over it. This restriction does not
apply when you deploy a plug-in for the first time or when the plug-in
is not in use.
After you acquire Kerberos authentication plug-ins
that are suitable for your database management system, you can deploy
them.
Procedure
- To deploy a Kerberos authentication plug-in on the database
server, perform the following steps on the server:
  - Copy the Kerberos authentication plug-in library into
the server plug-in directory.
  - Update the database manager configuration parameter srvcon_gssplugin_list,
which is an ordered, comma-delimited list, to include
the Kerberos server plug-in name. Only one plug-in in this list can
be a Kerberos plug-in. If this list is blank and authentication is
set to KERBEROS or KRB_SERVER_ENCRYPT, the default DB2 Kerberos plug-in, IBMkrb5, is used.
  - If necessary, set the srvcon_auth database
manager configuration parameter to override the current authentication
type. If the srvcon_auth database
manager configuration parameter is not set, the DB2 database manager uses the value of the authentication configuration
parameter. If the authentication configuration
parameter is currently set to any of the following authentication
types, you can deploy and use a Kerberos plug-in:
    - KERBEROS
    - KRB_SERVER_ENCRYPT
    - GSSPLUGIN
    - GSS_SERVER_ENCRYPT
    If you need to override the current
authentication type, set the srvcon_auth configuration
parameter to one of the following authentication types:
    - KERBEROS
    - KRB_SERVER_ENCRYPT
    - GSSPLUGIN
    - GSS_SERVER_ENCRYPT
- To deploy a Kerberos authentication plug-in on database
clients, perform the following steps on each client:
  - Copy the Kerberos authentication plug-in library into
the client plug-in directory.
  - Update the database manager configuration parameter clnt_krb_plugin with
the name of the Kerberos plug-in. If clnt_krb_plugin is
blank, DB2 assumes that the
client cannot use Kerberos authentication. This setting is only appropriate
when the server cannot support plug-ins. If both the server and the
client support security plug-ins, the default server plug-in, IBMkrb5, is
used in preference to the client value of clnt_krb_plugin.
- For local authorization on a client, server, or gateway using a Kerberos
authentication plug-in, perform the following steps:
  - Copy the Kerberos authentication plug-in library into the client
plug-in directory on the client, server, or gateway.
  - Update the database manager configuration parameter clnt_krb_plugin with
the name of the plug-in.
  - Set the authentication database manager configuration
parameter to KERBEROS or KRB_SERVER_ENCRYPT.
  - Optional: Catalog the databases that the client will
access, indicating that the client will only use a Kerberos authentication
plug-in. For example:
      CATALOG DB testdb AT NODE testnode AUTHENTICATION KERBEROS
      TARGET PRINCIPAL service/host@REALM
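The server-side and client-side steps above, collected into one bash helper. This is an added example, not IBM's code or part of the DB2 product: the plug-in directory paths under sqllib/security64 are assumed defaults, the function names (deploy_server_plugin, deploy_client_plugin, add_to_plugin_list, effective_auth, kerberos_plugin_allowed) are this script's own, and with DRY_RUN=1 (the default) every db2 command is printed instead of executed so the plan can be reviewed first. The script enforces the restriction from the note above: if the destination library already exists, the instance is stopped before the file is overwritten and started again afterwards.

```bash
#!/usr/bin/env bash
# Added example (not IBM's code): helper for deploying a DB2 Kerberos
# authentication plug-in. Assumes a DB2 instance whose plug-in directories
# are the defaults below (assumed paths; adjust to your instance) and that
# db2, db2stop and db2start are on PATH when DRY_RUN is not 1.
set -u

: "${DB2_SERVER_PLUGIN_DIR:=$HOME/sqllib/security64/plugin/IBM/server}"   # assumed
: "${DB2_CLIENT_PLUGIN_DIR:=$HOME/sqllib/security64/plugin/IBM/client}"   # assumed
: "${DRY_RUN:=1}"

# Run a command, or echo it with a "+" prefix in dry-run mode.
db2cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# The server's effective authentication type: srvcon_auth overrides
# authentication when it is set; otherwise authentication applies.
effective_auth() {
  local authentication="$1" srvcon_auth="${2:-}"
  if [ -n "$srvcon_auth" ]; then echo "$srvcon_auth"; else echo "$authentication"; fi
}

# A Kerberos plug-in can only be deployed under these four types.
kerberos_plugin_allowed() {
  case "$1" in
    KERBEROS|KRB_SERVER_ENCRYPT|GSSPLUGIN|GSS_SERVER_ENCRYPT) return 0 ;;
    *) return 1 ;;
  esac
}

# Append a plug-in name to the comma-delimited srvcon_gssplugin_list
# without duplicating an entry that is already present.
add_to_plugin_list() {
  local current="$1" name="$2"
  case ",$current," in
    *",$name,"*) echo "$current" ;;        # already listed
    ",,")        echo "$name" ;;           # list was blank
    *)           echo "$current,$name" ;;
  esac
}

# Server steps: copy the library, extend srvcon_gssplugin_list, set srvcon_auth.
# Arguments: library-path plug-in-name authentication-type [current-list]
deploy_server_plugin() {
  local library="$1" name="$2" auth="$3" current_list="${4:-}"
  local dest="$DB2_SERVER_PLUGIN_DIR/$(basename "$library")"
  local restart=0 new_list

  if ! kerberos_plugin_allowed "$auth"; then
    echo "authentication type $auth does not permit a Kerberos plug-in" >&2
    return 1
  fi
  if [ -e "$dest" ]; then
    # Overwriting a plug-in a running process may have loaded is undefined
    # behaviour, so stop the instance before replacing the file.
    restart=1
    db2cmd db2stop force
  fi
  db2cmd cp "$library" "$dest"
  new_list=$(add_to_plugin_list "$current_list" "$name")
  db2cmd db2 update dbm cfg using srvcon_gssplugin_list "$new_list"
  db2cmd db2 update dbm cfg using srvcon_auth "$auth"
  [ "$restart" -eq 1 ] && db2cmd db2start
  return 0
}

# Client steps: copy the library, set clnt_krb_plugin and, optionally,
# catalog a database so the client uses only Kerberos for it.
# Arguments: library-path plug-in-name [dbname node target-principal]
deploy_client_plugin() {
  local library="$1" name="$2" dbname="${3:-}" node="${4:-}" principal="${5:-}"
  db2cmd cp "$library" "$DB2_CLIENT_PLUGIN_DIR/$(basename "$library")"
  db2cmd db2 update dbm cfg using clnt_krb_plugin "$name"
  if [ -n "$dbname" ]; then
    db2cmd db2 catalog db "$dbname" at node "$node" \
      authentication kerberos target principal "$principal"
  fi
}
```

Usage, for a first server deployment of the default plug-in under KERBEROS: `deploy_server_plugin /tmp/stage/IBMkrb5.so IBMkrb5 KERBEROS ""` prints the cp and two update dbm cfg commands and no db2stop, because the library is not yet present; repeating the call once the file exists adds the db2stop/db2start pair around the copy. Set DRY_RUN=0 to execute the commands.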
Results
Note: For platforms supporting Kerberos, the IBMkrb5 library
will be present in the client plug-in directory. The DB2 database manager recognizes
this library as a valid GSS-API plug-in, because Kerberos plug-ins
are implemented as GSS-API plug-ins.