Kerberos support

Kerberos is a third-party network authentication protocol that employs a system of shared secret keys to securely authenticate a user in an unsecured network environment. Ensure that you have the minimum requirements to use Kerberos support on your database.

The Kerberos authentication layer, which handles the ticketing system, is integrated into the Windows 2000 Active Directory mechanism. The client and server sides of an application communicate with the Kerberos SSP (Security Support Provider) client and server modules. The Security Support Provider Interface (SSPI) provides a high-level interface to the Kerberos SSP and other security protocols.

Typical setup

To configure Db2® database products with Kerberos authentication, set up:
  • An authorization policy for Db2 (as a service) in the Active Directory that is shared on a network, and
  • A trust relationship between Kerberos Key Distribution Centers (KDCs)

In the simplest scenario, there is at least one KDC trust relationship to configure: the one between the KDC that controls the client workstation and the IBM® Power Systems or System z® host. OS/390® Version 2 Release 10 or z/OS® Version 1 Release 2 provides Kerberos ticket processing through its RACF® facility, which allows the host to act as a UNIX KDC.

As usual, Db2 Connect provides the router functionality in the 3-tier setting. It takes no role in authentication when Kerberos security is used; instead, it merely passes the client's security token to IBM Db2 for IBM i or to Db2 for z/OS. The Db2 Connect gateway therefore does not need to be a member of either the client's or the host's Kerberos realm.

Downlevel compatibility

Minimum requirements for Kerberos support in Db2 database products:
  • IBM data server client: Version 8
  • Db2 Connect: Version 8
  • Db2 for z/OS: Version 7