Release Notes


48.3 Kerberos support

DB2 Universal Database currently supports the Kerberos security protocol as a means to authenticate users in the non-DRDA environment. Since DB2/390 V7.1 will start to support Kerberos security, DB2 Connect will add DRDA AR functionality to allow the use of Kerberos authentication to connect to DB2/390.

The Kerberos authentication layer, which handles the ticketing system, is integrated into the Win2K Active Directory mechanism. The client and server sides of an application communicate with the Kerberos SSP (Security Support Provider) client and server modules respectively. The Security Support Provider Interface (SSPI) provides a high-level interface to the Kerberos SSP and other security protocols.

Communication protocol support

For an SNA connection, you must use SECURITY=NONE when cataloging the APPC node.

Typical setup

The procedure to configure DB2 to use Kerberos authentication involves setting up the following:

In the simplest scenario, there is at least one KDC trust relationship to configure, that is, the one between the KDC controlling the client workstation and the OS/390 system. OS/390 R10 provides Kerberos ticket processing through its RACF facility, which allows the host to act as a UNIX KDC.

DB2 Connect provides, as usual, the router functionality in the 3-tier setting. It does not assume any role in authentication when Kerberos security is used. Instead, it merely passes the client's security token to DB2/390. Thus there is no need for the DB2 Connect gateway to be a member of the client's or the host's Kerberos realm.

To use Kerberos, the DB2 Connect gateway must catalog its connection with authentication type KERBEROS. The client can catalog with either authentication NOT_SPEC or Kerberos. Any other combination of authentication types on the client and the gateway results in sqlcode -1401 (Authentication type mismatch).

Downlevel compatibility

DB2 requirements for Kerberos support:

DB2 UDB Client:
Version 7.1 (OS: Win2K)

DB2 Connect:
Version 7.1 + Fix Pack 1 (OS: Any)

DB2/390:
Version 7.1

DB2/390 also has a requirement to run on OS/390 Version 2 Release 10 or later. There are additional implied requirements on downlevel DB2/390 systems when connecting from DB2 Connect Version 7.1 clients. Although these DB2/390 systems do not support Kerberos, they do not respond properly to unsupported DRDA SECMECs. To solve this problem, apply the proper PTF:

