Configuring Kerberos on a stand-alone AIX server

You can enable Kerberos authentication for secure communication between IBM® Security Guardium® Key Lifecycle Manager and the Db2® database.

Before you begin

  • Ensure that the computers that host the Kerberos server and the Kerberos client (IBM Security Guardium Key Lifecycle Manager server) have the same operating system.
  • Ensure that the computer on which you install the Kerberos server is secure and does not run any service other than KDC.
  • Install the Kerberos (Key Distribution Center - KDC) server. If you want to use an existing Kerberos server, you can skip this step.
    To install the Kerberos server, run the following commands:
    tar -xvf NAS_1.4.0.10_aix_images.tar
    cd /images
    installp -ac -SvYXgd /images krb5.server
    installp -ac -SvYXgd /images krb5.toolkit
    export PATH=$PATH:/usr/krb5/sbin:/usr/krb5/bin
    timed -M
    hostname
    mkkrb5srv -r REALMNAME -s kserverhostname -d REALMNAME -a root/admin
    lsitab krb5kdc
    lsitab kadm

    where REALMNAME is the realm of the Kerberos server (by convention the DNS domain name in upper case; the -d option of mkkrb5srv expects the DNS domain that is mapped to that realm), and kserverhostname is the host name of the system on which you are installing the Kerberos server. The two lsitab commands confirm that the krb5kdc and kadm entries were added to /etc/inittab, so the KDC and kadmind daemons start at boot. Kerberos rejects tickets whose timestamps differ from the server clock by more than the permitted clock skew, so keep the KDC and the IBM Security Guardium Key Lifecycle Manager server time-synchronized (timed -M starts the time daemon in master mode).

Procedure

  1. On the IBM Security Guardium Key Lifecycle Manager server, install the Kerberos client.
    1. Open the following URL and download the latest NAS (Network Authentication Service pack) compatible with your version of AIX: https://www.ibm.com/services/forms/preLogin.do?source=dm-nas
    2. Open the command line and install the client using the installp command.
      For example:
      # /usr/sbin/installp -agYXd /path/to/apps/NAS1.4.0.10 all
    3. Add the Kerberos library directory to LIBPATH in the Db2 profile file (for example: /home/klmdb421/sqllib/db2profile).
      For example:
      export LIBPATH=/usr/krb5/lib:$LIBPATH
    4. Add the Kerberos binary directories to PATH in the profile of the database user (for example, klmdb421), /home/klmdb421/.profile.
      For example:
      export PATH=$PATH:/usr/krb5/bin:/usr/krb5/sbin
  2. On the Kerberos server, register the service and client principals.
    1. Create a service principal.
      kadmin -p root/admin -q "addprinc db2instance1/FQDN_GKLMserver@REALMNAME"
      For example:
      kadmin -p root/admin -q "addprinc klmdb421/gklmserver@EXAMPLE.COM"
    2. When prompted, specify a password for the service principal.
    3. Create the client principal.
      kadmin -p root/admin -q "addprinc db2instance1@REALMNAME"
      For example:
      kadmin -p root/admin -q "addprinc klmdb421@EXAMPLE.COM"
    4. Add the service principal to a keytab file.
      kadmin -p root/admin -q "ktadd -k /etc/filename.keytab db2instance1/FQDN_GKLMserver@REALMNAME"

      For example:
      kadmin -p root/admin -q "ktadd -k /etc/onprem.keytab klmdb421/gklmserver@EXAMPLE.COM"
      Note: ktadd replaces the principal's key with a new random key, so the password from step 2 no longer works for that principal, and running ktadd again later invalidates every earlier copy of the keytab. Run it once and distribute that file.
    5. To verify that the principals are correctly added, run the following command on the KDC host:
      kadmin.local -q "list_principals"
    6. Upload the keytab file to the IBM Security Guardium Key Lifecycle Manager server. You can use the Upload File to Server REST Service.
      To run the REST service, you can use the Swagger UI.
      Note: The keytab is equivalent to the service principal's password. If you copy the file manually to the IBM Security Guardium Key Lifecycle Manager server, use a secure channel such as scp, and ensure that the file owner is the process owner (for example, klmdb421) and that only that user can read it (mode 600).
  3. On the IBM Security Guardium Key Lifecycle Manager server, configure IBM Security Guardium Key Lifecycle Manager to use Kerberos authentication with Db2.
    1. Navigate to the /usr/IBM/WebSphere/Liberty/products/sklm/kerberos directory and run the db2ConfigureKerberos.sh script as the process owner (the Db2 administrator user account).
      The script updates the Kerberos configuration file (krb5.conf) that is needed to connect to the KDC server. Command to run the script:
      ./db2ConfigureKerberos.sh path_of_krb5.conf path_of_krb5.keytab kdc_server_hostname REALMNAME db2servicename path_sqllib
      Where db2servicename is the service principal exactly as you added it to the keytab in step 2 (instance name, fully qualified host name, and realm must all match), and path_sqllib is the sqllib directory of the Db2 instance.
      For example:
      ./db2ConfigureKerberos.sh /usr/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf /usr/IBM/WebSphere/Liberty/products/sklm/data/krb5.keytab kdc.example.com EXAMPLE.COM sklmdb41/test.example.com@EXAMPLE.COM /home/klmdb421/sqllib
    2. Run the Configure Kerberos Authentication REST Service. To run the REST service, you can use the Swagger UI.

    IBM Security Guardium Key Lifecycle Manager is now configured to use Kerberos as the authentication mechanism with Db2 database. You can use the Get Kerberos Configuration REST Service to obtain the configuration details.
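    The following script is an added example and is not part of the IBM documentation or the product. It checks the artifacts that the procedure above produces on the IBM Security Guardium Key Lifecycle Manager server before you run the Configure Kerberos Authentication REST Service: that the service principal has the instance/FQDN@REALM shape the keytab must carry, that the keytab is owned by the process owner and readable by nobody else, that the generated krb5.conf names the expected default realm and KDC, and, when the NAS client is installed, that a ticket can actually be obtained from the keytab. It is written in POSIX sh so that it runs on AIX. The file names, principal, realm and KDC host in the usage line are the page's example values, not values taken from a real system.

```sh
#!/bin/sh
# gklm_kerb_precheck.sh: added example, not part of the IBM documentation or product.
# Sanity checks for the artifacts produced by the procedure above, written in
# POSIX sh so it runs on AIX. kinit/klist/kdestroy are only invoked when present.
# All file names, principals, realm and KDC host in the usage line are the
# page's example values, not values taken from a real system.

# Check 1: a Db2 service principal must have the form instance/host.fqdn@REALM:
# exactly one '/', exactly one '@', a dotted (fully qualified) host part and an
# upper-case realm. A short host name is the usual cause of a "server not found
# in Kerberos database" failure when Db2 presents the keytab.
check_service_principal() {
    princ=$1
    case $princ in
        */*/*|*@*@*) return 1 ;;                 # more than one '/' or '@'
    esac
    primary=${princ%%/*}
    rest=${princ#*/}
    [ "$rest" != "$princ" ] || return 1          # no '/' at all
    host=${rest%%@*}
    realm=${rest#*@}
    [ "$realm" != "$rest" ] || return 1          # no '@' after the '/'
    [ -n "$primary" ] && [ -n "$host" ] && [ -n "$realm" ] || return 1
    case $host in *.*) ;; *) return 1 ;; esac    # host must be fully qualified
    case $realm in *[a-z]*) return 1 ;; esac     # realm must be upper case
    return 0
}

# Check 2: the keytab is equivalent to the service principal's password. It must
# exist, be owned by the process owner (Db2 instance user), and carry no group
# or other permission bits. Owner and mode are read from 'ls -ld', which is
# portable across AIX and Linux (stat(1) option syntax is not).
check_keytab_perms() {
    keytab=$1 owner=$2
    [ -f "$keytab" ] || return 1
    set -- $(ls -ld "$keytab")                   # $1 = mode string, $3 = owner
    case $1 in ????------*) ;; *) return 1 ;; esac
    [ "$3" = "$owner" ] || return 1
    return 0
}

# Check 3: the krb5.conf written by db2ConfigureKerberos.sh must set the realm
# as default_realm and list the KDC host given on its command line.
# ('.' in the names is treated as a regex wildcard; good enough for a sanity check.)
check_krb5_conf() {
    conf=$1 realm=$2 kdc=$3
    [ -r "$conf" ] || return 1
    grep -q "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$conf" || return 1
    grep -q "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$kdc" "$conf" || return 1
    return 0
}

# Check 4 (live, optional): obtain a TGT for the service principal from the
# keytab, show it, and destroy it again. Returns 2 when the NAS client is absent.
verify_keytab_login() {
    keytab=$1 princ=$2
    command -v kinit >/dev/null 2>&1 || { echo "kinit not on PATH, skipping live check" >&2; return 2; }
    kinit -k -t "$keytab" "$princ" || return 1
    klist
    kdestroy
}

# Usage (page example values; run as the Db2 instance owner):
#   sh gklm_kerb_precheck.sh /usr/IBM/WebSphere/Liberty/products/sklm/kerberos/krb5.conf \
#       /usr/IBM/WebSphere/Liberty/products/sklm/data/krb5.keytab kdc.example.com EXAMPLE.COM \
#       sklmdb41/test.example.com@EXAMPLE.COM klmdb421
if [ $# -eq 6 ]; then
    conf=$1 keytab=$2 kdc=$3 realm=$4 princ=$5 owner=$6
    rc=0
    check_service_principal "$princ" || { echo "bad service principal: $princ" >&2; rc=1; }
    check_keytab_perms "$keytab" "$owner" || { echo "$keytab must be mode 600 and owned by $owner" >&2; rc=1; }
    check_krb5_conf "$conf" "$realm" "$kdc" || { echo "$conf does not set default_realm=$realm and kdc=$kdc" >&2; rc=1; }
    [ $rc -eq 0 ] && verify_keytab_login "$keytab" "$princ"
    exit $rc
fi
```

    Run it as the Db2 instance owner after db2ConfigureKerberos.sh and before the REST call; a non-zero exit points at the artifact to fix. The live check uses kinit -k -t, so it also catches a keytab whose key version no longer matches the KDC (for example, after a second ktadd on the server).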