The driver supports Kerberos authentication. Note that the driver no longer sets the java.security.krb5.conf system property to force the use of the krb5.conf file installed with the driver jar files in the /lib directory of the product installation directory.
Important: A properly configured Kerberos environment must include a means of obtaining a Kerberos Ticket Granting Ticket (TGT). For a Windows Active Directory implementation, Active Directory automatically obtains the TGT. However, for a non-Active Directory implementation, the means of obtaining the TGT must be automated or handled manually.
To configure the driver to use Kerberos:
1. Set the driver’s AuthenticationMethod property to auto (default) or kerberos. See "Using the AuthenticationMethod property" for more information about setting a value for this property.
Note: If you are configuring your environment for Kerberos Constrained Delegation (also known as impersonation), AuthenticationMethod must be set to kerberos.
2. Specify the JAAS login module in your JAAS login configuration file using either of the following methods.
Modify the JDBC_DRIVER_01 entry in the JDBCDriverLogin.conf file to include the JAAS login module information needed for your environment. The JDBCDriverLogin.conf file is installed in the /lib directory of the driver installation directory.
Specify a JAAS login configuration file directly in your application with the java.security.auth.login.config system property. The specified login configuration file must contain the JAAS login module information with the entry JDBC_DRIVER_01.
Whether you are using the JDBCDriverLogin.conf file or another file, the login configuration file must contain the entry JDBC_DRIVER_01 with JAAS login module information. The following examples show that the JAAS login module information depends on your JRE.
3. Set the default realm name and the KDC name for that realm using either of the following methods. (If using Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.)
Modify the krb5.conf file to include the default realm name and the KDC name for that realm. For example, if your Kerberos realm name is XYZ.COM and your KDC name is kdc1, your krb5.conf file would include the following entries.
During installation, a krb5.conf file is installed in the /lib directory of the product installation directory. The installed krb5.conf file contains generic syntax for setting the default realm name and the KDC name for that realm. If you are not already using another krb5.conf file for your Kerberos implementation, you can modify it to suit your environment. However, you will either need to specify the location of this file using the java.security.krb5.conf system property, or you will need to add the file to a directory where it may be found by your JVM. See "Kerberos Requirements" in your Java documentation for details on the algorithm used to locate the krb5.conf file.
Specify the Java system properties, java.security.krb5.realm and java.security.krb5.kdc, in your application. For example, if the default realm name is XYZ.COM and the KDC name is kdc1, your application would include the following settings.
Even if you do not use the krb5.conf file to specify the realm and KDC names, you may need to modify your krb5.conf file to suit your environment. Refer to your database vendor documentation for detailed information.
4. If using Kerberos authentication with a Security Manager on a Java Platform, you must grant security permissions to the application and driver. See "Permissions for Kerberos authentication" for an example.
5. Optionally, set the GSSCredential connection property for Kerberos constrained delegation (sometimes referred to as impersonation).
Constrained delegation is a Kerberos mechanism that allows a client application to delegate authentication to a second service. See "Constrained delegation" for additional steps to configure your environment.
AuthenticationMethod must be set to kerberos to use constrained delegation.
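The following Java preflight is an added example, not part of the driver documentation or the driver's own code. It applies the system-property methods from steps 2 and 3 and confirms that the JDBC_DRIVER_01 entry resolves before any connection is attempted. The class name KerberosPreflight is hypothetical, the login configuration content is constructed, and the Krb5LoginModule class name assumes an Oracle/OpenJDK JRE.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class KerberosPreflight {
    // Entry name the login configuration file must contain (step 2).
    static final String ENTRY = "JDBC_DRIVER_01";

    public static void main(String[] args) throws Exception {
        // Constructed login configuration. The module class is an assumption
        // for an Oracle/OpenJDK JRE; other JREs use a different class.
        String jaas = ENTRY + " {\n"
            + "  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;\n"
            + "};\n";
        Path conf = Files.createTempFile("JDBCDriverLogin", ".conf");
        Files.write(conf, jaas.getBytes(StandardCharsets.UTF_8));
        conf.toFile().deleteOnExit();

        // Step 2, second method: point JAAS at the login configuration file.
        // Set this before the first JAAS login; the JVM caches the configuration.
        System.setProperty("java.security.auth.login.config", conf.toUri().toString());
        // Step 3, second method: realm and KDC names from the example in the text.
        System.setProperty("java.security.krb5.realm", "XYZ.COM");
        System.setProperty("java.security.krb5.kdc", "kdc1");

        // Java requires these two properties to be set together or not at all.
        boolean realm = System.getProperty("java.security.krb5.realm") != null;
        boolean kdc = System.getProperty("java.security.krb5.kdc") != null;
        if (realm != kdc) {
            throw new IllegalStateException("set both krb5.realm and krb5.kdc, or neither");
        }

        // Fail early if the entry the driver needs is missing or misnamed.
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(ENTRY);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("no " + ENTRY + " entry in " + conf);
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(e.getLoginModuleName() + " " + e.getOptions());
        }
    }
}
```

Running the same lookup against your real login configuration file at application startup surfaces a missing or misspelled entry as a clear error instead of a failed login at connection time.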