Release Notes


47.3 Kerberos support

DB2 Universal Database currently supports the Kerberos security protocol as a means to authenticate users in the non-DRDA environment. Since DB2/390 V7.1 will start to support Kerberos security, DB2 Connect will add DRDA AR functionality to allow the use of Kerberos authentication to connect to DB2/390.

The Kerberos authentication layer, which handles the ticketing system, is integrated into the Win2K Active Directory mechanism. The client and server sides of an application communicate with the Kerberos SSP (Security Support Provider) client and server modules respectively. The Security Support Provider Interface (SSPI) provides a high-level interface to the Kerberos SSP and other security protocols.

Communication protocol support

For an SNA connection, you must use SECURITY=NONE when cataloging the APPC node.

Typical setup

The procedure to configure DB2 to use Kerberos authentication involves setting up the following:

In the simplest scenario, there is at least one KDC trust relationship to configure, that is, the one between the KDC controlling the client workstation and the OS/390 system. OS/390 R10 provides Kerberos ticket processing through its RACF facility, which allows the host to act as a UNIX KDC.

As usual, DB2 Connect provides the router functionality in the 3-tier setting. It does not assume any role in authentication when Kerberos security is used. Instead, it merely passes the client's security token to DB2/390. Thus there is no need for the DB2 Connect gateway to be a member of the client's or the host's Kerberos realm.

To use Kerberos, the DB2 Connect gateway must catalog its connection with authentication type KERBEROS. The client can catalog with authentication NOT_SPEC or KERBEROS. Any other combination of authentication types on the client and the gateway results in sqlcode -1401 (Authentication type mismatch).
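The rule above can be checked before users hit sqlcode -1401. The following Python code is an added example, not part of the original release notes or any IBM tooling: it cross-checks a client and a gateway database directory listing. The listings are constructed samples whose field names are modelled on LIST DATABASE DIRECTORY output (an assumption), a missing Authentication line is read as NOT_SPEC (an assumption), and only pairs where at least one side is KERBEROS are judged.

```python
import re

# Constructed sample listings (not captured from a real system).
CLIENT_DIR = """\
 Database alias    = PAYROLL
 Database name     = HOSTPAY
 Authentication    = SERVER

 Database alias    = HR
 Database name     = HOSTHR
"""
GATEWAY_DIR = """\
 Database alias    = HOSTPAY
 Database name     = DSNPAY
 Authentication    = KERBEROS

 Database alias    = HOSTHR
 Database name     = DSNHR
 Authentication    = KERBEROS
"""
# (client, gateway) pairs the page allows when Kerberos is in use.
ALLOWED = {("NOT_SPEC", "KERBEROS"), ("KERBEROS", "KERBEROS")}

def parse_directory(text):
    """Map alias -> entry; a missing Authentication line is read as NOT_SPEC (assumption)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split("=", 1) for line in block.splitlines() if "=" in line)
        fields = {k.strip().lower(): v.strip().upper() for k, v in pairs}
        if "database alias" in fields:
            entries[fields["database alias"]] = {
                "name": fields.get("database name", ""),
                "auth": fields.get("authentication", "NOT_SPEC"),
            }
    return entries

def find_mismatches(client_text, gateway_text):
    """Return (client alias, client auth, gateway auth) for pairs that would fail with -1401."""
    client, gateway = parse_directory(client_text), parse_directory(gateway_text)
    problems = []
    for alias, c in sorted(client.items()):
        g = gateway.get(c["name"])  # client's database name is the gateway's alias
        if g and "KERBEROS" in (c["auth"], g["auth"]) and (c["auth"], g["auth"]) not in ALLOWED:
            problems.append((alias, c["auth"], g["auth"]))
    return problems

if __name__ == "__main__":
    for alias, c_auth, g_auth in find_mismatches(CLIENT_DIR, GATEWAY_DIR):
        print(f"{alias}: client={c_auth} gateway={g_auth} -> sqlcode -1401")
```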

Downlevel compatibility

DB2 requirements for Kerberos support:

DB2 UDB Client:
Version 7.1 (OS: Win2K)

DB2 Connect:
Version 7.1 + Fix Pack 1 (OS: Any)

DB2/390:
Version 7.1

DB2/390 also has a requirement to be run on OS/390 Version 2 Release 10 or later. There are additional implied requirements on downlevel DB2/390 systems when connecting from DB2 Connect Version 7.1 clients. Although these DB2/390 systems do not support Kerberos, they do not respond properly to unsupported DRDA SECMECs. To solve this problem, apply the proper PTF:

