The driver supports Kerberos authentication. Note that the driver no longer sets the java.security.krb5.conf system property to force the use of the krb5.conf file installed with the driver jar files in the /lib directory of the product installation directory.
Important: A properly configured Kerberos environment must include a means of obtaining a Kerberos Ticket Granting Ticket (TGT). For a Windows Active Directory implementation, Active Directory automatically obtains the TGT. However, for a non-Active Directory implementation, the means of obtaining the TGT must be automated or handled manually.

To configure the driver to use Kerberos:

  1. Set the driver’s AuthenticationMethod property to auto (default) or kerberos. See Using the AuthenticationMethod Property for more information about setting a value for this property.
  2. Specify the JAAS login module in your JAAS login configuration file using either of the following methods.
    • Modify the JDBC_DRIVER_01 entry in the JDBCDriverLogin.conf file to include the JAAS login module information needed for your environment. The JDBCDriverLogin.conf file is installed in the /lib directory of the driver installation directory.
    • Specify a JAAS login configuration file directly in your application with the java.security.auth.login.config system property. The specified login configuration file must contain the JAAS login module information with the entry JDBC_DRIVER_01.

    Whether you are using the JDBCDriverLogin.conf file or another file, the login configuration file must contain the entry JDBC_DRIVER_01 with JAAS login module information. The following examples show that the JAAS login module information depends on your JRE.

    Oracle JRE

    JDBC_DRIVER_01 {com.sun.security.auth.module.Krb5LoginModule
    required useTicketCache=true;};

    IBM JRE Example

    JDBC_DRIVER_01 {com.ibm.security.auth.module.Krb5LoginModule
    required useDefaultCcache=true;};
  3. Set the default realm name and the KDC name for that realm using either of the following methods. (If using Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.)
    • Modify the krb5.conf file to include the default realm name and the KDC name for that realm. For example, if your Kerberos realm name is XYZ.COM and your KDC name is kdc1, your krb5.conf file would include the following entries.
      [libdefaults]
         default_realm = XYZ.COM
      [realms]
         XYZ.COM = {
         kdc = kdc1
         }
      Note: During installation, a krb5.conf file is installed in the /lib directory of the product installation directory. The installed krb5.conf name for that realm. If you are not already using another krb5.conf file for your Kerberos implementation, you can modify it to suit your environment. However, you will either need to specify the location of this file using the java.security.krb5.conf system property, or you will need to add the file to a directory where it may be found by your JVM. See "Kerberos Requirements" in your Java documentation for details on the algorithm used to locate the krb5.conf file.
    • Specify the Java system properties, java.security.krb5.realm and java.security.krb5.kdc, in your application. For example, if the default realm name is XYZ.COM and the KDC name is kdc1, your application would include the following settings.
      System.setProperty("java.security.krb5.realm","XYZ.COM");
      System.setProperty("java.security.krb5.kdc","kdc1");
      Note: Even if you do not use the krb5.conf file to specify the realm and KDC names, you may need to modify your krb5.conf file to suit your environment. Refer to your database vendor documentation for detailed information.
  4. For Java SE 13 and higher, set the GSS client library to be used when communicating with the KDC. By default, the driver uses the GSS library and mechanisms provided by the JDK. However, you can also use the native GSS library for your platform by configuring the following Java system properties as described:
    Important: If you are using Windows Defender Credential Guard, you must set the Java system properties as described in this step.
    • Set sun.security.jgss.native to true.
    • For Microsoft SSPI, set javax.security.auth.useSubjectCredsOnly to false.
    • Optionally, set sun.security.jgss.lib to specify the absolute path of the native library file. If you do not provide a value, the JVM will load the default GSS library file for the platform.
      Note: Starting with Java SE 13, the native Windows interface will be Microsoft SSPI, and the GSS client library will be the sspi.bridge.dll file.
  5. If using Kerberos authentication with a Security Manager on a Java Platform, you must grant security permissions to the application and driver. See Permissions for Kerberos Authentication for an example.
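
The following preflight check is an added example, not code shipped with the driver. It verifies the settings from steps 2 through 4 before the application opens a connection, so that a missing JDBC_DRIVER_01 entry or a half-set realm/KDC pair is reported up front. The class name KerberosPreflight and the temporary login configuration file are assumptions made for illustration; the realm and KDC values are the ones used in the example above.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class KerberosPreflight { // hypothetical helper class, not part of the driver
    static final String ENTRY = "JDBC_DRIVER_01"; // entry name the driver requires

    /** Returns a list of configuration problems; an empty list means all checks passed. */
    static List<String> check() {
        List<String> problems = new ArrayList<>();
        // Step 2: the JAAS login configuration must define JDBC_DRIVER_01.
        try {
            AppConfigurationEntry[] mods = Configuration.getConfiguration().getAppConfigurationEntry(ENTRY);
            if (mods == null || mods.length == 0) {
                problems.add("no " + ENTRY + " entry in the JAAS login configuration");
            } else if (!mods[0].getLoginModuleName().endsWith(".Krb5LoginModule")
                    || mods[0].getControlFlag() != LoginModuleControlFlag.REQUIRED) {
                problems.add(ENTRY + " is not a 'required' Krb5LoginModule: " + mods[0].getLoginModuleName());
            }
        } catch (SecurityException e) { // raised when the configuration file cannot be loaded
            problems.add("JAAS login configuration not loadable: " + e.getMessage());
        }
        // Step 3: the JRE expects the realm and KDC properties to be set together, or not at all.
        boolean realm = System.getProperty("java.security.krb5.realm") != null;
        boolean kdc = System.getProperty("java.security.krb5.kdc") != null;
        if (realm != kdc) problems.add("set both java.security.krb5.realm and java.security.krb5.kdc, or neither");
        // Step 4: native GSS on Windows (Microsoft SSPI) needs useSubjectCredsOnly=false.
        if (Boolean.getBoolean("sun.security.jgss.native")
                && System.getProperty("os.name").startsWith("Windows")
                && !"false".equalsIgnoreCase(System.getProperty("javax.security.auth.useSubjectCredsOnly"))) {
            problems.add("native GSS (SSPI) needs javax.security.auth.useSubjectCredsOnly=false");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a login configuration holding the Oracle JRE entry from step 2.
        Path conf = Files.createTempFile("JDBCDriverLogin", ".conf");
        Files.writeString(conf, ENTRY + " {\n  com.sun.security.auth.module.Krb5LoginModule"
                + " required useTicketCache=true;\n};\n");
        System.setProperty("java.security.auth.login.config", conf.toUri().toString());
        System.setProperty("java.security.krb5.realm", "XYZ.COM");
        System.setProperty("java.security.krb5.kdc", "kdc1");
        List<String> problems = check();
        System.out.println(problems.isEmpty() ? "Kerberos preflight OK" : String.join("\n", problems));
    }
}
```

The check only inspects configuration; it does not contact the KDC or confirm that a TGT is present in the ticket cache.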