Release Notes

48.3 Kerberos support

DB2 Universal Database currently supports the Kerberos security protocol as a means of authenticating users in the non-DRDA environment. Since DB2/390 V7.1 will start to support Kerberos security, DB2 Connect will add DRDA AR functionality to allow Kerberos authentication to be used when connecting to DB2/390.

The Kerberos authentication layer, which handles the ticketing system, is integrated into the Win2K Active Directory mechanism. The client and server sides of an application communicate with the Kerberos SSP (Security Support Provider) client and server modules respectively. The Security Support Provider Interface (SSPI) provides a high-level interface to the Kerberos SSP and other security protocols.

Communication protocol support

For SNA connections, you must use SECURITY=NONE when cataloging the APPC node.

Typical setup

The procedure to configure DB2 to use Kerberos authentication involves setting up the following:

In the simplest scenario, there is at least one KDC trust relationship to configure, namely the one between the KDC controlling the client workstation and the OS/390 system. OS/390 R10 provides Kerberos ticket processing through its RACF facility, which allows the host to act as a UNIX KDC.

As usual, DB2 Connect provides the router functionality in the three-tier setting. It does not assume any role in authentication when Kerberos security is used. Instead, it merely passes the client's security token through to DB2/390. Thus there is no need for the DB2 Connect gateway to be a member of either the client's or the host's Kerberos realm.

To use Kerberos, the DB2 Connect gateway must catalog its connection with authentication type KERBEROS. The client can catalog with authentication type either NOT_SPEC or KERBEROS. Any other combination of authentication types on the client and the gateway results in SQLCODE -1401 (Authentication type mismatch).
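The two catalog rules above (SECURITY=NONE on an APPC node for SNA, and the allowed client/gateway authentication-type pairings with SQLCODE -1401 for anything else) can be checked before a connection is attempted. The following is an added example, not IBM's code and not part of these release notes: it parses the AUTHENTICATION and SECURITY clauses out of CLP-style CATALOG commands and applies the page's rules. The command shapes, database and node names (SAMPLE, GWNODE, H390, DB2CPIC) are assumptions for illustration; check them against your own DB2 release.

```python
"""Added example (not IBM's code): check the catalog settings this page
requires for Kerberos through a DB2 Connect gateway.

Rules taken from the page:
  * the gateway catalogs its connection with AUTHENTICATION KERBEROS
  * the client catalogs with NOT_SPEC or KERBEROS
  * any other pairing fails with SQLCODE -1401
  * an SNA/APPC node entry must use SECURITY=NONE
The CLP command shapes matched below are assumptions about DB2 syntax.
"""
import re
from typing import Optional, Tuple

SQLCODE_AUTH_MISMATCH = -1401          # "Authentication type mismatch" per the page
GATEWAY_ALLOWED = {"KERBEROS"}
CLIENT_ALLOWED = {"NOT_SPEC", "KERBEROS"}

# AUTHENTICATION <type> clause of a CATALOG DATABASE command (assumed syntax).
_AUTH_RE = re.compile(r"\bAUTHENTICATION\s+([A-Z_]+)", re.IGNORECASE)
# CATALOG APPC NODE ... and its SECURITY clause, written SECURITY=NONE or SECURITY NONE.
_APPC_RE = re.compile(r"\bCATALOG\s+APPC\s+NODE\b", re.IGNORECASE)
_SEC_RE = re.compile(r"\bSECURITY\s*=?\s*([A-Z]+)", re.IGNORECASE)


def parse_auth_type(catalog_cmd: str) -> str:
    """Authentication type named in a CATALOG DATABASE command.

    A command with no AUTHENTICATION clause is read as NOT_SPEC, the page's
    term for an unspecified client authentication type.
    """
    m = _AUTH_RE.search(catalog_cmd)
    return m.group(1).upper() if m else "NOT_SPEC"


def check_combination(client_auth: str, gateway_auth: str) -> Tuple[bool, Optional[int]]:
    """Return (ok, sqlcode): gateway must be KERBEROS, client NOT_SPEC or KERBEROS."""
    ok = gateway_auth.upper() in GATEWAY_ALLOWED and client_auth.upper() in CLIENT_ALLOWED
    return (True, None) if ok else (False, SQLCODE_AUTH_MISMATCH)


def check_catalog_pair(client_cmd: str, gateway_cmd: str) -> Tuple[bool, Optional[int]]:
    """Apply check_combination to the two catalog commands as written."""
    return check_combination(parse_auth_type(client_cmd), parse_auth_type(gateway_cmd))


def appc_security_ok(node_cmd: str) -> bool:
    """SNA rule: an APPC node entry must state SECURITY=NONE explicitly.

    Commands that do not catalog an APPC node are outside the rule and pass;
    an APPC entry with a missing or different SECURITY value fails.
    """
    if not _APPC_RE.search(node_cmd):
        return True
    m = _SEC_RE.search(node_cmd)
    return bool(m) and m.group(1).upper() == "NONE"


if __name__ == "__main__":
    # Constructed sample commands; SAMPLE, GWNODE, H390 and DB2CPIC are hypothetical names.
    client_cmd = "CATALOG DATABASE SAMPLE AT NODE GWNODE"                       # NOT_SPEC
    gateway_cmd = "CATALOG DATABASE SAMPLE AT NODE H390 AUTHENTICATION KERBEROS"
    bad_gateway = "CATALOG DATABASE SAMPLE AT NODE H390 AUTHENTICATION SERVER"
    appc_cmd = "CATALOG APPC NODE H390 DESTINATION DB2CPIC SECURITY=NONE"

    print(check_catalog_pair(client_cmd, gateway_cmd))   # (True, None)
    print(check_catalog_pair(client_cmd, bad_gateway))   # (False, -1401)
    print(appc_security_ok(appc_cmd))                    # True
```

The checker treats an absent AUTHENTICATION clause on the client as NOT_SPEC, which the page lists as acceptable, but it requires the gateway to name KERBEROS explicitly and an APPC node to name SECURITY=NONE explicitly, so a forgotten clause on either of those shows up as a failure rather than silently passing.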

Downlevel compatibility

DB2 requirements for Kerberos support:

DB2 UDB Client:
Version 7.1 (OS: Win2K)

DB2 Connect:
Version 7.1 + Fix Pack 1 (OS: Any)

Version 7.1

DB2/390 also has a requirement to run on OS/390 Version 2 Release 10 or later. There are additional implied requirements on downlevel DB2/390 systems when connecting from DB2 Connect Version 7.1 clients. Although these DB2/390 systems do not support Kerberos, they also do not respond properly to unsupported DRDA SECMECs. To solve this problem, apply the proper PTF:
