Kerberos support

 

The Kerberos authentication layer, which handles the ticketing system, is integrated into the Windows® 2000 Active Directory mechanism. The client and server sides of an application communicate with the Kerberos SSP (Security Support Provider) client and server modules, respectively. The Security Support Provider Interface (SSPI) provides a high-level interface to the Kerberos SSP and other security protocols.

Typical setup

To configure DB2® with Kerberos authentication, set up:

In the simplest scenario, there is at least one KDC trust relationship to configure: the one between the KDC controlling the client workstation and the System i™, OS/390® or z/OS® system. OS/390 Version 2 Release 10 or z/OS Version 1 Release 2 provides Kerberos ticket processing through its RACF® facility, which allows the host to act as a UNIX® KDC.

As usual, DB2 Connect™ provides the router functionality in the 3-tier setting. It does not assume any role in authentication when Kerberos security is used. Instead, it merely passes the client's security token to DB2 for i5/OS or to DB2 for OS/390 and z/OS. There is no need for the DB2 Connect gateway to be a member of the client's or the host's Kerberos realm.

Downlevel compatibility

DB2 minimum requirements for Kerberos support:

IBM® data server client: Version 8

DB2 Connect: Version 8

DB2 Universal Database (UDB) for OS/390 and z/OS: Version 7
