The Kerberos authentication mechanism can be used when both WebSphere® Application Server and the DB2 Server are configured for Kerberos
authentication. Kerberos authentication provides single-sign-on (SSO) end-to-end interoperable
solutions and preserves the original requester identity.
Before you begin
You can configure a Db2 data source and the application server to interoperate by using delegated end-to-end Kerberos credentials for database access by an application. Two different options are available to set up this configuration.
- Option 1: Enable Db2 Kerberos authentication with credentials that are delegated from the application server.
- Option 2: Enable Db2 Kerberos authentication with credentials that are specified in a J2C authentication alias, which the Db2 JDBC driver uses to obtain its own Kerberos credentials.
To enable option 1, you must configure both Db2 and the application server to use Kerberos as the
authentication mechanism. To learn how to set up Kerberos as the authentication mechanism in this
version of the application server, see the following topic: Kerberos (KRB5) authentication
mechanism support for security.
Note: You can use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the krb5RecoveryPrincipal custom property in your data source configuration. For more information, see Table 1.
The test connection service of the application server cannot supply delegated Kerberos credentials to the data source. Situations might also exist where the application server security component is unable to supply delegated Kerberos credentials for a connection request, including during recovery of failed XA transactions. To account for these cases, you can configure a Db2 connection by using option 2. For this option, a user ID and password must be supplied to the JDBC driver. The driver uses this user ID and password to obtain its own Kerberos credentials. To use this option, you must configure a J2C authentication data alias on the application server. This configuration defines the user ID and password that the Db2 JDBC driver uses to request a Kerberos Ticket Granting Ticket (TGT). The TGT is used for Kerberos authentication to a DB2 Server. To the application server, this configuration looks like the typical user ID and password authentication.
You must use a Db2 JDBC driver that supports Kerberos authentication and is operating in type 4
mode. The supported JDBC driver is the IBM Data Server Driver for JDBC and SQLJ, which is identified
in the application server as Db2 using IBM JCC Driver.
About this task
Use the following steps to configure the application server and Db2 to authenticate with
Kerberos:
Procedure
- Configure the DB2 Server for Kerberos authentication. Refer to Db2 Kerberos security documentation in the Db2 documentation, for example, the Kerberos authentication details topic. Verify that Db2 Kerberos authentication is working.
- Configure the application server to use Kerberos security. For more information, see the following topic: Configuring Kerberos as the authentication mechanism using the administrative console. Verify that application server Kerberos authentication is working.
- Configure the Db2 data source in the application server to use Kerberos authentication.
  - Add or edit the data source properties listed in Table 1 to allow the data source to use Kerberos authentication and to pass Kerberos credentials to the JDBC driver. For more information, see the Configuring a data source using the administrative console topic.
  - For option 2, set the Mapping-configuration alias option to DefaultPrincipalMapping, or another login configuration that does not generate credentials. Set the Container-managed authentication alias option to reference an alias to use for Kerberos login by the JDBC driver. If no component-managed authentication alias is configured, the test connection service also uses this alias.
  - For option 1, delegated Kerberos credentials, set the Mapping-configuration alias option to KerberosMapping. This configuration indicates that the resource adapter in the application server must provide delegated credentials to the Db2 JDBC driver. The test connection service is not able to supply delegated Kerberos credentials, but can revert to option 2 authentication. If you do not need this feature, you can select none for each of the authentication aliases. If test connection is used and a valid authentication alias is configured, an informational message, DSRA8221I, is logged. This message indicates that test connection is not able to offer Kerberos credentials. If no alias is configured, then the test connection service fails and a Kerberos invalid credentials error is reported by the JDBC driver.
    Important: If Kerberos mapping is configured, but the security component cannot provide credentials for a connection request, you can configure the resource adapter to revert to connection authentication by using DefaultPrincipalMapping. To configure this fallback, select an alias from the container-managed authentication alias list. To disable this fallback, select none from the container-managed authentication alias list.
  - To enable Kerberos mapping (option 1), you also must specify container-managed authentication. To specify container-managed authentication, the application must use a resource reference to look up the data source. The resource reference must specify KerberosMapping as the login configuration. For application access through that resource reference, the specified login configuration takes precedence over the mapping-configuration alias that is specified on the data source. A container-managed authentication alias can also be specified on the resource reference.
Table 1. Custom properties and values for Kerberos authentication of a Db2 data source. The following table lists custom security properties for Kerberos authentication with a Db2 data source that you can configure from the administrative console or by wsadmin scripting:

| Name | Value | Description |
| --- | --- | --- |
| kerberosServerPrincipal | Type="java.lang.String", Value="" (for example, user@REALM or service_name/hostname@REALM) | This property specifies the principal name that the database server registers with a Kerberos Key Distribution Center (KDC). |
| SecurityMechanism | Type="java.lang.String", Value="11" | This property specifies Kerberos authentication. A value of 11 for this property indicates that the JDBC driver needs to use Kerberos authentication when it connects to the DB2 Server. |
| krb5RecoveryPrincipal | Type="java.lang.String", Value="" | This property specifies the Kerberos principal that is used for XA recovery. If neither the krb5RecoveryKeytab nor the krb5RecoveryCCache property is specified, the operating system default credential cache (ccache) is checked for credentials. |
| krb5RecoveryKeytab | Type="java.lang.String", Value="" | This property specifies the location of the Kerberos keytab file with credentials for the recovery principal. If the krb5RecoveryCCache property is also specified, this property is ignored. |
| krb5RecoveryCCache | Type="java.lang.String", Value="" | This property specifies the location of the Kerberos credential cache file with credentials for the recovery principal. |