The JAAS login configuration file
- Last Updated: August 6, 2018
The Java Authentication and Authorization Service (JAAS) login
configuration file contains one or more entries that specify authentication technologies to
be used by applications. To establish Kerberos connections with the driver, the JAAS login
configuration file must include an entry specifically for the driver. In addition, the login
configuration file must be referenced either by setting the java.security.auth.login.config system property or by setting up a default
configuration using the Java security properties file.
Setting up a default configuration
To set up a default configuration, modify the Java security properties file to
indicate the URL of the login configuration file with the login.config.url.n property, where n is an integer that numbers
separate, consecutive login configuration files. When more than one login configuration file
is specified, the files are read and concatenated into a single configuration. The
following steps summarize how to modify the security properties file.
- Open the Java security properties file. The security properties file is the java.security file in the /jre/lib/security directory of your Java installation.
- Find the line # Default login configuration file in the security properties file.
- Below the # Default login configuration file line, add the URL of the login configuration file as the value for a login.config.url.n property. For example:
# Default login configuration file
login.config.url.1=file:${user.home}/.java.login.config
login.config.url.2=file:install_dir/lib/JDBCDriverLogin.conf
JAAS login configuration file entry for the driver
You can create your own JAAS login configuration file, or you can use the JDBCDriverLogin.conf file installed in the /lib directory of the product installation directory. In either case, the login configuration file must include an entry that specifies the Kerberos authentication technology to be used by the driver.
JAAS login configuration file entries begin with an entry name followed by one or more LoginModule items. Each LoginModule item contains information that is passed to the LoginModule. A login configuration file entry takes the following form.
entry_name {
login_module flag_value module_options
};
- entry_name is the name of the login configuration file entry. The driver's LoginConfigName connection property can be used to specify the name of this entry. JDBC_DRIVER_01 is the default entry name for the JDBCDriverLogin.conf file installed with the driver.
- login_module is the fully qualified class name of the authentication technology used with the driver.
- flag_value specifies whether the success of the module is required, requisite, sufficient, or optional.
- module_options specifies available options for the LoginModule. These options vary depending on the LoginModule being used.
The following examples show that the LoginModule used for a Kerberos implementation depends on your JVM.
Oracle JVM
JDBC_DRIVER_01 {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
IBM JVM
JDBC_DRIVER_01 {
com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
};
Refer to Java Authentication and Authorization Service documentation for information about the JAAS login configuration file and implementing authentication technologies.
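Because several login configuration files can be concatenated, it helps to confirm which entry the JVM actually resolves for the driver. The following is an added example, not code from the driver or its documentation: the class name CheckDriverJaasEntry and the temporary sample file are assumptions, and it uses only the standard javax.security.auth.login API.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added example (hypothetical class name): reports what the JVM resolves for the driver's entry.
public class CheckDriverJaasEntry {

    // Returns null when the entry is usable, otherwise a description of the problem.
    static String check(String entryName) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null || entries.length == 0) {
            return "no entry named " + entryName + " in the resolved login configuration";
        }
        for (AppConfigurationEntry e : entries) {
            // Prints login_module, flag_value and module_options as the JVM parsed them.
            System.out.println(e.getLoginModuleName() + " | " + e.getControlFlag()
                + " | " + e.getOptions());
            if (e.getLoginModuleName().endsWith(".Krb5LoginModule")) {
                return null; // a Kerberos LoginModule is configured for this entry
            }
        }
        return "entry " + entryName + " has no Krb5LoginModule item";
    }

    public static void main(String[] args) throws Exception {
        if (System.getProperty("java.security.auth.login.config") == null) {
            // Constructed sample: the Oracle JVM entry from this page, in a temporary file.
            Path conf = Files.createTempFile("JDBCDriverLogin", ".conf");
            Files.write(conf, String.join("\n",
                "JDBC_DRIVER_01 {",
                "  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;",
                "};").getBytes(StandardCharsets.UTF_8));
            // Has to be set before the JVM first loads its login configuration.
            System.setProperty("java.security.auth.login.config", conf.toUri().toString());
        }
        String entryName = args.length > 0 ? args[0] : "JDBC_DRIVER_01";
        String problem = check(entryName);
        if (problem != null) {
            System.err.println(problem);
            System.exit(1);
        }
        System.out.println("OK: " + entryName + " resolves to a Kerberos LoginModule");
    }
}
```

To check a real file instead of the constructed sample, start the JVM with the java.security.auth.login.config system property already set and pass the value of LoginConfigName as the first argument.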