Preparing the HCL OneDB DBMS for Kerberos authentication
Configure your login process and user authentication to function with a Kerberos 5 mechanism before you set up HCL OneDB™ for single sign-on.
Before you begin
About this task
Important: Use a secure computer for the Key Distribution Center to ensure the safety of the passwords and encryption keys. Limit access to specific users and, if possible, do not use the computer for other tasks.
For JDBC Driver client sites, read Configuring JDBC Driver for SSO before you do the following steps.
You must have kadmin privileges (UNIX™ and Linux™) or domain administrator rights (Windows™) to complete steps 3, 4, and 5.
Procedure
1. For sites that are enabling a new Kerberos 5 setup for SSO, run the sample client and server programs if they are available with your Kerberos product. This task helps eliminate setup errors in the network infrastructure.
2. Verify that the clocks of all computers to be involved with SSO authentication are synchronized. Kerberos typically does not function when there is a clock discrepancy of five minutes or more between computers.
3. Create the HCL OneDB service and client principals on the Key Distribution Center (KDC) with the kadmin utility (UNIX and Linux) or with Active Directory (Windows). Remember the following rules as you create principals:
   - All principals to be used with HCL OneDB must be in the same realm or trusted realms.
   - All principals must map to database server user IDs. For example, if you have user5@payroll.jkenterprises as a principal, user5 must exist as an operating system user and payroll.jkenterprises.com as a fully qualified host name.
4. UNIX and Linux only: Add the server service principal key to the keytab file and transfer the file to the HCL OneDB host computer.
5. UNIX and Linux only: Put the keytab file into the default keytab file location.
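
The clock-synchronization check and the two principal rules above can be verified on the database server host before any principal is created. The following preflight script is an added example, not part of the HCL documentation; the function names, realms, and principals are constructed, and it assumes the remote host's epoch time is collected separately.

```shell
#!/bin/sh
# Added example: preflight checks for the rules in the procedure above.
# Function names, realms and principals are constructed for illustration.

MAX_SKEW=300  # seconds; the five-minute discrepancy limit named in the procedure

# clock_skew_ok EPOCH_A EPOCH_B -> 0 when the clocks differ by less than MAX_SKEW
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -lt "$MAX_SKEW" ]
}

# check_principal PRINCIPAL REALM...
# Returns 0 = ok, 1 = realm not in the allowed list, 2 = malformed,
# 3 = primary component is not an operating system user on this host.
check_principal() {
    princ=$1; shift
    case $princ in
        ?*@?*) ;;
        *) return 2 ;;
    esac
    realm=${princ##*@}          # text after the last '@'
    user=${princ%@*}            # primary[/instance]
    user=${user%%/*}            # keep only the primary component
    realm_ok=no
    for allowed in "$@"; do     # realm names compare case-sensitively
        if [ "$allowed" = "$realm" ]; then realm_ok=yes; fi
    done
    [ "$realm_ok" = yes ] || return 1
    id -u "$user" >/dev/null 2>&1 || return 3
    return 0
}

# Demo with constructed values: one home realm plus one trusted realm.
for p in root@PAYROLL.EXAMPLE.COM root@OTHER.EXAMPLE.COM \
         no_such_user_zz9@PAYROLL.EXAMPLE.COM; do
    rc=0
    check_principal "$p" PAYROLL.EXAMPLE.COM HR.EXAMPLE.COM || rc=$?
    echo "$p -> $rc"
done
```

Run it on the HCL OneDB host computer, because the operating system user lookup is only meaningful on the machine where the principals must map to user IDs.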