Before you can use Kerberos with a DB2® database system, you must enable Kerberos authentication.
To enable Kerberos authentication on the client, set the clnt_krb_plugin database manager configuration parameter to the name of the Kerberos plug-in that you are using.
For local authorizations, the client will use Kerberos if the authentication configuration parameter is set to KERBEROS or KRB_SERVER_ENCRYPT. Otherwise, no client-side Kerberos support is assumed.
To enable Kerberos authentication on outbound connections to a DB2 server, you instead specify Kerberos as the authentication type when you catalog the database, as shown in the following example:
    CATALOG DATABASE testdb AT NODE testnode
       AUTHENTICATION KERBEROS TARGET PRINCIPAL
       service/host@REALM
However, if you do not provide authentication information, the server sends the name of the server principal to the client.
To enable Kerberos authentication on the server, include the specific Kerberos plug-in name in the list of plug-ins that you specify for the srvcon_gssplugin_list database manager configuration parameter on the server. Having the Kerberos plug-in name in this list enables the client to scan the server and select the Kerberos authentication method when making a connection.
If this configuration parameter is left empty and you set the authentication configuration parameter to KERBEROS or KRB_SERVER_ENCRYPT, the default Kerberos plug-in, IBMkrb5, is used instead. You can specify only one Kerberos plug-in.
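The following script is an added example, not part of the original DB2 documentation. It applies the rules above to the text printed by db2 get dbm cfg and reports which Kerberos settings are in effect. The sample configuration lines are constructed, their layout is an assumption about that command's output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise Kerberos settings from "db2 get dbm cfg" output.

# Constructed sample of the three relevant lines (not captured from a real instance).
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = KERBEROS
 Client Kerberos Plugin                (CLNT_KRB_PLUGIN) = IBMkrb5
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) = '

# cfg_value PARAM: print the value shown for (PARAM) in cfg text read from stdin.
cfg_value() {
    sed -n "s/^.*($1)[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# krb_report [PLUGIN]: read cfg text on stdin and print one summary line.
# PLUGIN is the Kerberos plug-in name to look for (assumed IBMkrb5 if omitted).
krb_report() {
    plugin=${1:-IBMkrb5}
    cfg=$(cat)
    auth=$(printf '%s\n' "$cfg" | cfg_value AUTHENTICATION)
    clnt=$(printf '%s\n' "$cfg" | cfg_value CLNT_KRB_PLUGIN)
    list=$(printf '%s\n' "$cfg" | cfg_value SRVCON_GSSPLUGIN_LIST | tr -d ' ')

    # Local authorization uses Kerberos only for these two authentication values.
    case $auth in
        KERBEROS|KRB_SERVER_ENCRYPT) local_krb=yes ;;
        *) local_krb=no ;;
    esac

    if [ -z "$list" ]; then
        # Empty list: the default plug-in applies only with a Kerberos authentication value.
        if [ "$local_krb" = yes ]; then server=default:IBMkrb5; else server=none; fi
    else
        # Non-empty list: the plug-in must be named in it for clients to select Kerberos.
        case ",$list," in
            *",$plugin,"*) server=listed:$plugin ;;
            *) server=not-listed ;;
        esac
    fi
    printf 'client_plugin=%s local_kerberos=%s server_kerberos=%s\n' \
        "${clnt:-unset}" "$local_krb" "$server"
}

# Stand-alone run on the constructed sample; on a real instance use: db2 get dbm cfg | krb_report
printf '%s\n' "$SAMPLE_CFG" | krb_report
```

A server_kerberos value of not-listed means the list is populated but does not name the Kerberos plug-in, so clients cannot select Kerberos from it.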