Prepare for authentication

Prepare for Kerberos authentication

• •You can't use the Hosted Agent or serverless runtime environment.
• •Ensure that the Secure Agent and database server that you use are registered in the KDC server.
• •You can't add more than one KDC to a krb5.conf file.
• •Consider the following guidelines to generate a credential cache file:
• - On Linux, you can generate a credential cache file for more than one Kerberos principal user in a connection. However, you can use only one Kerberos principal user within a mapping.
• - On Windows, you can't generate a credential cache file for more than one Kerberos principal user in a connection.

Configuring Kerberos authentication

1. 1To configure the Java Authentication and Authorization Service configuration file (JAAS), perform the following tasks:
1. aCreate a JAAS configuration file on the Secure Agent machine.
2. bAdd the following entries to the JAAS configuration file:
JDBC_DRIVER_01 {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
Note: Ensure that you specify each key-value pair on a separate line.
2. 2To configure the krb5.conf file, perform the following tasks:
1. aCreate a krb5.conf file on the Secure Agent machine.
2. bAdd the details of the Key Distribution Center (KDC) and admin server to the krb5.conf file in the following format:
[libdefaults]
default_realm = <Realm name>
forwardable = true
ticket_lifetime = 24h

[realms]
<REALM NAME> = {
kdc = <Location where KDC is installed>
admin_server = <Location where KDC is installed>
}
[domain_realm]
<domain name or host name> = <Domain name or host name of Kerberos>
<domain name or host name> = <Domain name or host name of Kerberos>
3. 3Set the following environment variables on the Secure Agent machine.
For more information about the required environment variables, see Setting environment variables.
4. 4Restart the Secure Agent.
5. 5To generate the credential cache file on the Secure Agent machine and use Kerberos authentication to connect to Microsoft SQL Server, perform the following tasks:
1. aOn the Secure Agent machine, run the following command and specify the Microsoft SQL Server user name and realm name:
Kinit <user name>@<realm_name>
2. bOptionally, when you connect to DB2 databases on Linux, you can run the following command to generate the credential cache file with the specified file name and directory on the Secure Agent machine:
Kinit -c <Directory and file name where you want to create the credential cache> <user name>@<realm_name>
3. cWhen prompted, enter the password for the Kerberos principal user.

Setting environment variables

1. 1Set the following environment variables:
• - setenv KRB5CCNAME <Absolute path and file name of the credentials cache file>
• - setenv KRB5_CONFIG <Absolute path of the Kerberos configuration file>\krb5.conf
• - setenv JAASCONFIG <Absolute path of the JAAS config file>\<File name>.conf
2. 2Restart the Secure Agent.
3. 3Add the KRB5_CONFIG, KRB5CCNAME, and JAASCONFIG properties in the Metadata Advanced Connection Properties field in the Microsoft SQL Server connection.
For example, add the properties in the following format:
KRB5_CONFIG=<Absolute path of the Kerberos configuration file>\krb5.conf;KRB5CCNAME=<Absolute path of the credential cache file>/<File name>;JAASCONFIG=<Absolute path of the JAAS config file>\<File name>.conf
Note: Ensure that you separate each key-value pair with a semicolon.
4. 4Optionally, you can add the KRB5_CONFIG, KRB5CCNAME, and JAASCONFIG properties in the Runtime Advanced Connection Properties field in the Microsoft SQL Server connection.
For example, add the properties in the following format:
KRB5_CONFIG=<Absolute path of the Kerberos configuration file>\krb5.conf;KRB5CCNAME=<Absolute path of the credential cache file>/<File name>;JAASCONFIG=<Absolute path of the JAAS config file>\<File name>.conf
Note: Ensure that you separate each key-value pair with a semicolon.