IBM Support

DSM configurations for enabling Kerberos JDBC security connection

Question & Answer


Question

How do I configure IBM Data Server Manager to enable Kerberos JDBC Security connection?

Answer

The following is a configuration guide for enabling a Kerberos JDBC security connection using Data Server Manager. If DB2 databases are configured to enable Kerberos authentication, Data Server Manager needs to be configured to connect to these databases in Kerberos JDBC security mode.


Before you begin

The user needs to ensure that the KDC, DB2, and DSM servers are installed correctly, and that the Kerberos client is installed and configured correctly on the DB2 and DSM servers.

Procedure

  1. Synchronize time for each server.
    • Ensure that the time difference between each server does not exceed 5 minutes.
  2. Configure DNS or host file.
    • Ensure that each server can resolve the other two servers' hostnames.
  3. Register the DB2 service principal on KDC by using the kadmin command.
    • Use the kadmin command addprinc to register the service principal on the KDC for the DB2 instance that hosts the database. The default service principal name of a DB2 instance is <instance name>/<fully qualified hostname>@REALM, for example db2inst1/ubuntu.cn.ibm.com@CN.IBM.COM. See the kadmin command reference for details.
  4. Create keytab for DB2 service principal.
    • Use the kadmin command ktadd to create the keytab for the DB2 service principal. The keytab entry is written to the directory that contains krb5.conf (krb5.ini on Windows).
    • Copy this file to the DB2 server and place it in the directory that the environment variable KRB5_KTNAME indicates; the default is /etc.
    • The user must ensure that the other users who need the keytab have the appropriate read permission to it.
  5. Register user principal on KDC.
    • Use the addprinc command to add a user principal. The user principal's format can be name or name@CN.IBM.COM.
  6. Update the dbm cfg file on your DB2 servers to enable DB2 Kerberos authentication.
    • Client Kerberos Plugin                   (CLNT_KRB_PLUGIN) = IBMkrb5
      Server List of GSS Plugins          (SRVCON_GSSPLUGIN_LIST) = IBMkrb5
      Database manager authentication        (AUTHENTICATION) = KERBEROS
  7. Configure DSM for a Kerberos JDBC connection using user/password mode:
    1. Create a jaas.conf file in the Data Server Manager configuration directory, ibm-datasrvrmgr/Config/jaas.conf.

      The jaas.conf file content is:

      JaasClient{
      com.ibm.security.auth.module.Krb5LoginModule optional
      debug=true
      useDefaultCcache=false;
      };
    2. Add the java.security.auth.login.config property to ibm-datasrvrmgr/Config/dswebserver.properties.

      java.security.auth.login.config=${dsserver_home}/Config/jaas.conf (for DSM on Linux).
      java.security.auth.login.config=${dsserver_home}/Config/jaas.conf (for DSM on Windows), or an absolute path with escaped backslashes such as C\:\\DSMBuild\\ibm-datasrvrmgr0118\\Config\\jaas.conf.
    3. Restart DSM.
    4. Create a Kerberos connection profile in DSM. From the navigation bar, click on:
      1. Settings.
      2. Manage connections.
      3. Add.
      4. From the JDBC security drop-down list, select Kerberos.
      5. Click Test connection.
      6. If the connection was successful, click Ok.
  8. Configure DSM for a Kerberos JDBC connection using ticket cache mode:
    1. Run Kinit for the user principal in the Data Server Manager JVM environment.
      • Go to the DSM JRE bin directory and run com.ibm.security.krb5.internal.tools.Kinit to obtain the TGT cache for the user principal. You need an OS account that is allowed to log in and run the command:

        cd /opt/dsm/ibm-datasrvrmgr/java/jre/bin
        ./java com.ibm.security.krb5.internal.tools.Kinit -f -p db2inst1
        (for DSM on Linux)

        cd c:\dsm\ibm-datasrvrmgr\java\jre\bin
        java com.ibm.security.krb5.internal.tools.Kinit -f -p db2inst1
        (for DSM on Windows)
      • Go to your ibm-datasrvrmgr/Config directory, open the dswebserver.properties file, and add the KRB5CCNAME property:

        KRB5CCNAME=/root/krb5cc_root (for DSM on Linux)
        KRB5CCNAME=C\:\\Users\\IBM_ADMIN\\krb5cc_bati
        (for DSM on Windows)
    2. Restart DSM.
    3. Create a Kerberos connection profile in DSM. From the navigation bar, click on:
        1. Settings.
        2. Manage connections.
        3. Add.
        4. From the JDBC security drop-down list, select Kerberos.
        5. Select the Use cached ticket-granting ticket check box.
        6. Click Test connection.
        7. If the connection was successful, click Ok.
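The following script is an added example and is not part of IBM's documentation or the DSM product. It implements pre-flight checks for the procedure above: the 5-minute clock skew limit from step 1, the three dbm cfg parameters from step 6, and the dswebserver.properties entries from steps 7 (user/password mode) and 8 (ticket cache mode). It runs offline against constructed sample data; on a real host you would pipe the output of db2 get dbm cfg into check_dbm_cfg and point check_dsm_props at the actual properties file. The function names, MAX_SKEW, the sample cfg lines and the temporary files are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the DSM Kerberos JDBC setup (added example; not IBM's own tooling).
# Assumed: "db2 get dbm cfg" output is supplied on stdin, and the caller passes the
# path of the DSM dswebserver.properties file. Sample data below is constructed.

MAX_SKEW=300   # seconds: step 1 requires server clocks to differ by at most 5 minutes

# check_skew LOCAL_EPOCH REMOTE_EPOCH
# Succeeds when two clock readings (seconds since the epoch) differ by at most MAX_SKEW.
# On a real host the remote reading could come from: ssh <remote> date +%s
check_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# dbm_cfg_value PARAM   (reads "db2 get dbm cfg" output on stdin)
# Prints the value of one parameter, e.g. KERBEROS for the line
#   Database manager authentication        (AUTHENTICATION) = KERBEROS
dbm_cfg_value() {
    sed -n "s/.*($1) *= *//p" | tr -d '[:space:]'
}

# check_dbm_cfg   (reads "db2 get dbm cfg" output on stdin)
# Succeeds only when all three parameters from step 6 are set for Kerberos.
check_dbm_cfg() {
    cfg=$(cat)
    [ "$(printf '%s\n' "$cfg" | dbm_cfg_value AUTHENTICATION)" = "KERBEROS" ] || return 1
    [ "$(printf '%s\n' "$cfg" | dbm_cfg_value SRVCON_GSSPLUGIN_LIST)" = "IBMkrb5" ] || return 1
    [ "$(printf '%s\n' "$cfg" | dbm_cfg_value CLNT_KRB_PLUGIN)" = "IBMkrb5" ]
}

# property_value FILE KEY
# Prints the value of KEY from a Java properties file such as dswebserver.properties (first match).
property_value() {
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# check_dsm_props FILE MODE   (MODE is "password" for step 7 or "ccache" for step 8)
# Succeeds when the JAAS login config property is set and, in ticket cache mode,
# KRB5CCNAME names a readable ticket cache file.
check_dsm_props() {
    jaas=$(property_value "$1" java.security.auth.login.config)
    [ -n "$jaas" ] || return 1
    if [ "$2" = "ccache" ]; then
        ccache=$(property_value "$1" KRB5CCNAME)
        [ -n "$ccache" ] && [ -r "$ccache" ]
    fi
}

# Constructed sample of "db2 get dbm cfg" output: the three lines from step 6, not a real capture.
SAMPLE_CFG='Client Kerberos Plugin                   (CLNT_KRB_PLUGIN) = IBMkrb5
Server List of GSS Plugins          (SRVCON_GSSPLUGIN_LIST) = IBMkrb5
Database manager authentication        (AUTHENTICATION) = KERBEROS'

# write_sample_props FILE CCACHE_PATH
# Writes constructed dswebserver.properties entries matching steps 7 and 8.
write_sample_props() {
    printf '%s\n' 'java.security.auth.login.config=${dsserver_home}/Config/jaas.conf' \
                  "KRB5CCNAME=$2" > "$1"
}

# run_checks: exercises every check against the constructed samples, one result line each.
run_checks() {
    props=$(mktemp)
    ccache=$(mktemp)    # an empty temp file stands in for the cache that Kinit would create
    write_sample_props "$props" "$ccache"
    check_skew 1700000000 1700000120 && echo "clock skew within 5 minutes: OK"
    printf '%s\n' "$SAMPLE_CFG" | check_dbm_cfg && echo "dbm cfg Kerberos parameters: OK"
    check_dsm_props "$props" password && echo "DSM user/password mode properties: OK"
    check_dsm_props "$props" ccache && echo "DSM ticket cache mode properties: OK"
    rm -f "$props" "$ccache"
}

run_checks
```

Each check is a plain function that returns success or failure, so the same file can be sourced from a larger deployment script and used as a gate before restarting DSM; a missing or unreadable ticket cache file in step 8 is reported by check_dsm_props rather than surfacing later as a failed Test connection.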

Product: IBM Data Server Manager
Platform: Linux; Windows
Version: 2.1.3; 2.1.2; 2.1.1
Edition: Enterprise
Component: Not Applicable

Document Information

Modified date:
16 June 2018

UID

swg22000485