DB2 Version 10.1 for Linux, UNIX, and Windows

Kerberos authentication enablement

Before you can use Kerberos with a DB2® database system, you must enable Kerberos authentication.

Enabling Kerberos authentication on the client

To enable Kerberos authentication on the client, set the clnt_krb_plugin database manager configuration parameter to the name of the Kerberos plug-in that you are using.

For local authorizations, the client will use Kerberos if the authentication configuration parameter is set to KERBEROS or KRB_SERVER_ENCRYPT. Otherwise, no client-side Kerberos support is assumed.

Important: No checks are performed to validate that Kerberos support is available.

To enable Kerberos authentication on outbound connections to a DB2 server, you instead specify Kerberos as the authentication type when you catalog the database, as shown in the following example:

   CATALOG DATABASE testdb AT NODE testnode 
      AUTHENTICATION KERBEROS TARGET PRINCIPAL
      service/host@REALM

If you do not name a target principal when you catalog the database, the server sends the name of its service principal to the client at connection time, and the client uses that name. Specifying TARGET PRINCIPAL explicitly pins the service identity the client will request a ticket for instead of accepting whichever name the server supplies.

Enabling Kerberos authentication on the server

To enable Kerberos authentication on the server, include the specific Kerberos plug-in name in the list of plug-ins that you specify for the srvcon_gssplugin_list database manager configuration parameter on the server. Having the Kerberos plug-in name in this list enables the client to scan the server and select the Kerberos authentication method when making a connection.

If this configuration parameter is left empty and you set the authentication configuration parameter to KERBEROS or KRB_SERVER_ENCRYPT, the default Kerberos plug-in, IBMkrb5, is used instead. You can specify only one Kerberos plug-in.

Finally, to use Kerberos for authentication of incoming connections only, set the srvcon_auth database manager configuration parameter to one of the following two options:
  • KERBEROS to use only Kerberos authentication; or
  • KRB_SERVER_ENCRYPT to use Kerberos and SERVER_ENCRYPT authentication.
If you want to use Kerberos for both incoming connections and local authorizations, leave the srvcon_auth configuration parameter empty and set the value of the authentication configuration parameter to one of the Kerberos options.
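The following shell script is an added example, not IBM's code or part of this documentation. It covers both the client-side and the server-side steps above: it audits a database manager configuration against the rules this page states (which parameter governs incoming connections, when the IBMkrb5 default applies, and that clnt_krb_plugin must be set for client-side Kerberos) and collects the CLP commands that produce such a configuration. The audit functions parse the "Description (PARAM) = value" layout of db2 get dbm cfg; the sample configuration text is constructed, not captured from a real instance, and the enable_kerberos function assumes a db2 instance is present, so it is not run by the audit.

```shell
#!/bin/sh
# Added example (not IBM's code): audit the Kerberos-related database manager
# configuration parameters against the rules described on this page.
# SAMPLE_CFG is a CONSTRUCTED excerpt of "db2 get dbm cfg" output; real output
# uses the same "Description (PARAM) = value" layout for each parameter.
SAMPLE_CFG='
 Database manager authentication        (AUTHENTICATION) = KRB_SERVER_ENCRYPT
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Client Kerberos plugin                (CLNT_KRB_PLUGIN) = IBMkrb5
 Server plugin list for GSS-API   (SRVCON_GSSPLUGIN_LIST) =
'

# dbm_param CFG NAME: value of parameter NAME in the config text CFG.
# An unset parameter is shown as an empty value or NOT_SPECIFIED; both
# are normalized to "" so callers can test with [ -n ... ].
dbm_param() {
    printf '%s\n' "$1" | sed -n "s/^.*(${2}) *= *//p" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^NOT_SPECIFIED$//'
}

# incoming_auth CFG: authentication type applied to incoming connections.
# srvcon_auth wins when it is set; otherwise the authentication parameter
# covers incoming connections and local authorizations alike.
incoming_auth() {
    srv=$(dbm_param "$1" SRVCON_AUTH)
    if [ -n "$srv" ]; then echo "$srv"; else dbm_param "$1" AUTHENTICATION; fi
}

# server_krb_plugin CFG: Kerberos plug-in the server will use, or "" when
# none is configured. An empty srvcon_gssplugin_list falls back to the
# IBMkrb5 default only when the authentication parameter is a Kerberos type,
# as the page states; a Kerberos srvcon_auth with an empty list is reported
# as "none" so that the operator sets the list explicitly.
server_krb_plugin() {
    list=$(dbm_param "$1" SRVCON_GSSPLUGIN_LIST)
    if [ -n "$list" ]; then
        echo "$list"
        return
    fi
    case "$(dbm_param "$1" AUTHENTICATION)" in
        KERBEROS|KRB_SERVER_ENCRYPT) echo IBMkrb5 ;;
        *) echo "" ;;
    esac
}

# krb_audit CFG: returns 0 when both the server side (incoming connections)
# and the client side of this instance are set up for Kerberos, 1 otherwise.
# Findings are printed to stdout.
krb_audit() {
    rc=0
    eff=$(incoming_auth "$1")
    case "$eff" in
        KERBEROS|KRB_SERVER_ENCRYPT) echo "incoming connections: Kerberos ($eff)" ;;
        *) echo "incoming connections: NOT Kerberos ($eff)"; rc=1 ;;
    esac
    plugin=$(server_krb_plugin "$1")
    if [ -n "$plugin" ]; then echo "server plug-in: $plugin"
    else echo "server plug-in: none (set srvcon_gssplugin_list)"; rc=1; fi
    clnt=$(dbm_param "$1" CLNT_KRB_PLUGIN)
    if [ -n "$clnt" ]; then echo "client plug-in: $clnt"
    else echo "client plug-in: none (no client-side Kerberos assumed)"; rc=1; fi
    return $rc
}

# enable_kerberos: CLP commands that produce a configuration like SAMPLE_CFG.
# Requires a DB2 instance (assumption) and is NOT run by the audit above.
# The database manager is restarted so the plug-in settings take effect; the
# catalog command names testdb, testnode and service/host@REALM from the page.
enable_kerberos() {
    db2 update dbm cfg using srvcon_gssplugin_list IBMkrb5
    db2 update dbm cfg using authentication KRB_SERVER_ENCRYPT
    db2 update dbm cfg using clnt_krb_plugin IBMkrb5
    db2stop && db2start
    db2 catalog database testdb at node testnode \
        authentication kerberos target principal service/host@REALM
    krb_audit "$(db2 get dbm cfg)"
}

krb_audit "$SAMPLE_CFG"
```

Run it as-is to audit the constructed sample; on a real instance, replace the sample with `krb_audit "$(db2 get dbm cfg)"` after the configuration changes have been applied and the database manager restarted. The audit is deliberately conservative: because the page states the IBMkrb5 default only in terms of the authentication parameter, a configuration that enables Kerberos through srvcon_auth alone is flagged until srvcon_gssplugin_list names the plug-in explicitly, which is also what the page recommends.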