IBM Integration Bus, Version 10.0.0.17 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring IBM® Integration Bus to connect to SQL server with Kerberos: Part 2

The following task demonstrates the next steps in enabling Kerberos support for SQL server.

Before you begin

You must complete the steps in the previous task: Configuring IBM Integration Bus to connect to SQL server: Part 1

About this task

Now that the initial steps are complete, edit the odbc.ini file again and complete the following steps:

Procedure

  1. Update the previous entry that you made to the odbc.ini file with the following changes:
    [TESTDB]
    Driver=/opt/IBM/mqsi/10.0.0.n/server/ODBC/drivers/lib/UKsqls95.so
    Description=DataDirect SQL Server Wire Protocol
    Database=TESTDB
    HostName=sqlserver.ad.domain.company.com
    PortNumber=1433
    AnsiNPW=1
    LoginTimeout=0
    QueryTimeout=0
    AuthenticationMethod=4
    GSSClient=libgssapi_krb5.so
    In this example:
    • TESTDB is the name of a database.
    • sqlserver.ad.domain.company.com is the address of your SQL server in the Active Directory domain.
    • 1433 is the port number of your SQL server.
    • libgssapi_krb5.so is an existing Kerberos implementation on the system that is present and available through the library path. On AIX®, use the following format: GSSClient=libgssapi_krb5.a(libgssapi_krb5.a.so)
  2. Update the Kerberos configuration file, krb5.conf, on the Linux or UNIX machine. You can typically find the file in /etc or /etc/krb5. Add the following entries to the configuration file:
    [libdefaults]
      default_realm = AD.DOMAIN.COMPANY.COM
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac
    
    [realms]
      AD.DOMAIN.COMPANY.COM = {
        kdc = adserver.ad.domain.company.com:88
        default_domain = ad.domain.company.com
      }
    
    [domain_realm]
      .domain.company.com = AD.DOMAIN.COMPANY.COM
    
    where the Kerberos realm is your Active Directory domain name, which you must specify in upper case, and adserver.ad.domain.company.com in the kdc entry is the name of the host that runs the Key Distribution Center for the Kerberos realm.
  3. Use the kinit username command, where username is the user name that will be used to connect to the SQL server, to test that the krb5.conf file is set up to acquire a Ticket Granting Ticket for the user name.
  4. Ensure that a Service Principal Name (SPN) for the SQL Server service is registered in the Active Directory. On starting, the SQL Server database engine normally attempts to register an SPN, but if the SPN has not already been registered, issue the setspn command on the Active Directory, as in the following example:
     setspn -S MSSQLSvc/sqlserver.ad.domain.company.com:1433 windowsDomain\accountName
    where sqlserver.ad.domain.company.com:1433 is the address and port number of your SQL server.
  5. Open SQL Server Management Studio, and grant SQL Server login permission to the domain user on the server and on the database that you specified in the odbc.ini file in a previous step.
  6. Run the following commands in a broker console:
    mqsisetdbparms IIBNODE -n odbc::TESTDB -u kerberos::username@AD.DOMAIN.COMPANY.COM -p N0chang3
    mqsichangeproperties IIBNODE -e integration_server -o ComIbmJVMManager -n kerberosConfigFile -v /location_of_krb_config_file/krb5.conf
    where username is the domain user, and AD.DOMAIN.COMPANY.COM is the name of your Kerberos realm.
  7. Run the flow from Configuring IBM Integration Bus to connect to SQL server: Part 1 again. The broker now connects to SQL Server using the Kerberos ticket.
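
A cross-check of the odbc.ini and krb5.conf entries from steps 1 and 2, added here as an example and not part of the IBM product or its documentation: it confirms that AuthenticationMethod=4 and GSSClient are set, that HostName maps through [domain_realm] to an upper-case realm that has a kdc entry, and derives the SPN to compare with the setspn registration in step 4. The function names are hypothetical, and the [domain_realm] lookup is a simplified assumption about how the Kerberos library maps a host to a realm.

```python
def parse_conf(text):
    """Parse odbc.ini or krb5.conf text into nested dicts ('{ }' blocks nest)."""
    root, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack and line[0] not in "#;":
            key, value = map(str.strip, line.split("=", 1))
            stack[-1][key] = {} if value == "{" else value
            if value == "{":
                stack.append(stack[-1][key])
    return root

def realm_for_host(krb, host):
    """Simplified [domain_realm] lookup: exact host first, then each '.suffix'."""
    mapping = {k.lower(): v for k, v in krb.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[n] for n in names if n in mapping), None)

def check_dsn(odbc_text, krb_text, dsn):
    """Return (expected SPN, problems) for one odbc.ini data source."""
    entry, krb = parse_conf(odbc_text).get(dsn, {}), parse_conf(krb_text)
    host, port = entry.get("HostName", ""), entry.get("PortNumber", "")
    realm = realm_for_host(krb, host)
    checks = [
        (entry.get("AuthenticationMethod") != "4", "AuthenticationMethod is not 4"),
        (not entry.get("GSSClient"), "GSSClient is not set"),
        (realm is None, f"no [domain_realm] entry covers {host}"),
        (realm is not None and realm != realm.upper(), f"realm {realm} is not upper case"),
        (realm is not None and "kdc" not in krb.get("realms", {}).get(realm, {}), f"realm {realm} has no kdc"),
    ]
    return f"MSSQLSvc/{host}:{port}", [msg for failed, msg in checks if failed]

# Sample input: abbreviated copies of this page's odbc.ini and krb5.conf entries.
ODBC = """[TESTDB]
HostName=sqlserver.ad.domain.company.com
PortNumber=1433
AuthenticationMethod=4
GSSClient=libgssapi_krb5.so
"""
KRB5 = """[realms]
  AD.DOMAIN.COMPANY.COM = {
    kdc = adserver.ad.domain.company.com:88
  }
[domain_realm]
  .domain.company.com = AD.DOMAIN.COMPANY.COM
"""
```

Calling check_dsn(ODBC, KRB5, "TESTDB") returns the SPN string and an empty problem list for the sample entries; pass the contents of your own files to check them in the same way.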

What to do next

Now that these steps are complete, you must continue to the next task as an administrator on your SQL Server machine.

ap12242_.htm | Last updated 2019-07-13 08:13:03