Kerberos authentication

If you are using Kerberos, verify that your environment meets the requirements listed in the following table before you configure the driver for Kerberos authentication.

Table 1. Kerberos Authentication Requirements for the Db2 Wire Protocol Driver
Component: Database server
Requirements: The database server must be running one of the following database versions:
  • Db2 V8.1 or higher for Linux/UNIX/Windows
  • Db2 V8.x or higher for z/OS

Component: Kerberos server
Requirements: The Kerberos server is the machine where the user IDs used for authentication are administered; it also hosts the Kerberos Key Distribution Center (KDC). Network authentication must be provided by one of the following:
  • Windows Active Directory
  • MIT Kerberos 1.4.2 or higher

Kerberos authentication can use the user name and password maintained by the operating system to authenticate users to the database, or it can use another set of user credentials supplied by the application. In either case the password is never sent to the database server; the driver presents a Kerberos ticket instead.

The Kerberos method requires knowledge of how to configure your Kerberos environment. This method supports both Windows Active Directory Kerberos and MIT Kerberos environments.

To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the KDC on the Kerberos server. The KDC verifies the user's identity before issuing the TGT; the driver then presents the TGT to the KDC to obtain a service ticket for the database server, and that service ticket is what the Db2 server checks when the connection is opened.

If the application uses Kerberos authentication from a Windows client, the application user does not need to obtain a TGT explicitly. Windows obtains a TGT for the user when the user logs on to the Active Directory domain, so the client must be logged on with a domain account rather than a local one.

If the application uses Kerberos authentication from a UNIX or Linux client, the user must obtain a TGT explicitly by requesting one from the KDC with the kinit command. For example, the following command requests a TGT with a lifetime of 10 hours that can be renewed, without re-entering the password, for up to 5 days:

kinit -l 10h -r 5d user

where user is the principal name of the application user. The lifetimes are requests: the KDC caps them at its own maximum ticket and renewable lifetimes, so check the values actually granted with klist before relying on them for a long-running job. The ticket is written to the user's credential cache (for MIT Kerberos, by default a file such as /tmp/krb5cc_<uid>), which must remain readable only by that user.

Refer to your Kerberos documentation for more information about using the kinit command and obtaining TGTs for users.

To configure the driver to use Kerberos authentication:
  • Set the Authentication Method (AuthenticationMethod) option to 4.
  • Set the IP Address (IPAddress) option to the host name or IP address of the Db2 server, that is, the machine where the catalog tables are stored.
  • Set the TCP Port (TCPPort) option to the port number on which the Db2 DRDA listener process accepts connections on the server host machine.
  • Set the Database Name (Database) option to the name of the database to which you want to connect. Valid only on Db2 for Linux, UNIX, and Windows.
  • Set the Location (Location) option to the name of the Db2 location that you want to access. Valid only on Db2 for z/OS.
  • Set the Collection (Collection) option to the current collection or library. Valid only on Db2 for z/OS.
  • Set the GSS Client Library (GSSClient) option to the name of the GSS client library that the driver loads to communicate with the Key Distribution Center (KDC).
Do not set a password in the connection string or DSN: with Kerberos the ticket is the credential, and a stored password only widens the exposure if the configuration file is read by someone else.

The following examples show the connection information required to establish a connection using Kerberos authentication.

Connection string

DRIVER=DataDirect 8.0 Db2 Wire Protocol;AuthenticationMethod=4;
IPAddress=192.0.2.10;TCPPort=50000;Database=Payroll;GSSClient=gss123;

odbc.ini

[Db2]
Driver=ODBCHOME/lib/xxdb228.yy
...
AuthenticationMethod=4
...
IPAddress=192.0.2.10
...
TCPPort=50000
...
Database=Payroll
...
GSSClient=gss123
...
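The following pre-flight script is an added example, not code from the driver or its documentation. It covers the two steps above: it parses an odbc.ini DSN, checks that the options the Kerberos method requires are present and sensible (AuthenticationMethod=4, GSSClient, a valid IPAddress and TCPPort, a Database or Location, and no stored Password), assembles the connection-string form, and parses MIT klist output to confirm that a TGT exists and will outlive the planned work before the UNIX/Linux client connects. The DSN names, the GSSClient value (a typical MIT library name), the odbc.ini and klist texts are constructed sample data, and the klist timestamp format assumed here (%m/%d/%Y %H:%M:%S) is MIT's default in a US locale and varies elsewhere.

```python
"""Pre-flight checks for a Db2 Wire Protocol DSN using Kerberos (AuthenticationMethod=4).

Added example; not part of the driver or its documentation. All sample
data below is constructed; the klist date format is an assumption.
"""
import configparser
import datetime as dt
import ipaddress
import re

KERBEROS_METHOD = "4"
# Options the Kerberos method requires; the target selector (Database for
# Db2 LUW, Location for Db2 for z/OS) is checked separately.
REQUIRED = ("AuthenticationMethod", "IPAddress", "TCPPort", "GSSClient")

# Constructed odbc.ini: one usable DSN and one with several mistakes.
SAMPLE_ODBC_INI = """\
[Db2]
Driver=ODBCHOME/lib/xxdb228.yy
...
AuthenticationMethod=4
IPAddress=192.0.2.10
TCPPort=50000
Database=Payroll
GSSClient=libgssapi_krb5.so

[Db2Bad]
Driver=ODBCHOME/lib/xxdb228.yy
AuthenticationMethod=1
IPAddress=123.456.78.90
TCPPort=50000
Database=Payroll
Password=hunter2
"""

# Constructed MIT klist output for a TGT issued with -l 10h -r 5d.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/20/2024 09:00:00
"""


def parse_odbc_ini(text: str) -> dict:
    """Parse odbc.ini text into {dsn: {option: value}}, keeping option-name case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep GSSClient, not gssclient
    # Documentation snippets elide lines with "..."; drop those before parsing.
    cleaned = "\n".join(ln for ln in text.splitlines() if ln.strip() != "...")
    cp.read_string(cleaned)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_kerberos_dsn(dsn: dict) -> list:
    """Return a list of problems; an empty list means the DSN looks usable for Kerberos."""
    problems = []
    if dsn.get("AuthenticationMethod") != KERBEROS_METHOD:
        problems.append("AuthenticationMethod must be 4 for Kerberos")
    problems += [f"{k} is missing" for k in REQUIRED if not dsn.get(k)]
    if not (dsn.get("Database") or dsn.get("Location")):
        problems.append("set Database (Db2 LUW) or Location (Db2 for z/OS)")
    port = dsn.get("TCPPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"TCPPort {port!r} is not a valid port number")
    host = dsn.get("IPAddress", "")
    if host and re.fullmatch(r"[\d.]+", host):  # dotted literal must be a real IPv4
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"IPAddress {host!r} is not a valid IPv4 address")
    if dsn.get("Password"):  # the ticket is the credential; a stored password is a liability
        problems.append("Password should not be stored in a Kerberos DSN")
    return problems


def build_connection_string(dsn: dict, driver: str) -> str:
    """Assemble the DRIVER=...;key=value; form from the DSN options."""
    order = ("AuthenticationMethod", "IPAddress", "TCPPort", "Database",
             "Location", "Collection", "GSSClient")
    parts = [f"DRIVER={driver}"] + [f"{k}={dsn[k]}" for k in order if dsn.get(k)]
    return ";".join(parts) + ";"


# TGT line as MIT klist prints it: "<start>  <expires>  krbtgt/REALM@REALM".
_TGT_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/(\S+)@\S+\s*$", re.MULTILINE)
_KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # assumption: MIT default in a US locale


def tgt_remaining(klist_output: str, now: dt.datetime):
    """Return {'realm', 'remaining'} for the TGT in klist output, or None if there is none."""
    m = _TGT_LINE.search(klist_output)
    if not m:
        return None
    expires = dt.datetime.strptime(m.group(2), _KLIST_TIME)
    return {"realm": m.group(3), "remaining": expires - now}


def tgt_ok(klist_output: str, now: dt.datetime, minimum=dt.timedelta(hours=1)) -> bool:
    """True if a TGT exists and will last at least `minimum`; otherwise run kinit first."""
    info = tgt_remaining(klist_output, now)
    return info is not None and info["remaining"] >= minimum


if __name__ == "__main__":
    dsns = parse_odbc_ini(SAMPLE_ODBC_INI)
    for name, dsn in dsns.items():
        print(name, check_kerberos_dsn(dsn) or "ok")
    print(build_connection_string(dsns["Db2"], "DataDirect 8.0 Db2 Wire Protocol"))
    # On a live client, feed subprocess.run(["klist"], capture_output=True, text=True).stdout
    # and datetime.now() instead of the constructed sample.
    print("TGT usable:", tgt_ok(SAMPLE_KLIST, dt.datetime(2024, 1, 15, 12, 0, 0)))
```

Run it before the first connection attempt on a new client; a non-empty problem list or a False from tgt_ok is cheaper to read than the generic GSS failure the driver returns when the ticket is missing or the DSN is incomplete.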