Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

HOWTO: Install, configure and test the Centrify IBM DB2 SSO Module

11 April,19 at 11:49 AM

Requirements

  • A Centrified Unix/Linux system running a DB2 Instance (we’ll be using DB2 10.5 on Linux)
    Setup is pretty much the same if you have an IBM AIX system. The only caveat is that if you’re using LAM instead of PAM, you’ll need to use the GSSAPI (SSO) plugin rather than the user/password plugin.
  • You need to know the DB2 Instance user name and password
  • You need to have the ability to create an AD service account or have an account prepared for you that can be adopted with AD Keytab (GSSAPI SSO plugin only).

 

Implementation Steps

Information and requirements gathering

  1. Collect the OS version, architecture, version of Centrify adclient.
    uname -a, adinfo -v and adinfo -C provide that information
  2. Collect the DB2 database version, architecture
    the db2level command provides this information
  3. Request an AD service account OR have credentials to run adkeytab.

 

$ cat /etc/redhat-release
CentOS release 6.6 (Final)

$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)

$ db2level
DB21085I This instance or install (instance name, where applicable:
"db2inst1") uses "64" bits and DB2 code release "SQL10050" with level identifier "0601010E".
Informational tokens are "DB2 v10.5.0.0", "s130528", "LINUXAMD64105", and Fix Pack "0".

Product is installed at "/opt/ibm/db2/V10.5".

 

 

My server is a 64 bit CentOS with DB2 10.5 64 bit, the instance name is db2inst1.  I will download the package DirectControl for IBM DB2 running on RHEL 4, 5, 6 x86_64 " the version is 4.4.4 as of the original post in November 2014.

 

Installation

 

Unpack and install the DB2 SSO plugin

$ tar xzvf centrifydc-db2-4.4.4-rhel3-x86_64.tgz

The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.

$ dzdo rpm -Uvh centrifydc-db2-4.4.4-rhel3-x86_64.rpm

Preparing...                ########################################### [100%]

   1:CentrifyDC-db2      ########################################### [100%]

 

Installing and Configuring the User/Password and Group Plugins

 

The user/password plugin allows for DB2 to use PAM to provide access to AD users. The group plugin allows the use of AD group memberships for the purposes of entitlements inside DB2.

 

The master script is called setupdb2.sh and it is on /usr/share/centrifydc/bin. The syntax is setupdb2.sh inst= In my case the instance is called db2inst1.  Here's a sample truncated output:

 

$ dzdo /usr/share/centrifydc/bin/setupdb2.sh inst=db2inst1

Is db2inst1 a DB2 server install?
Enter y for yes, n for no [y]: y

db2inst1 is a 64 bit instance
DB2 server and client setup will be done.


Is this DB2 version 9.5 or later?
Enter y for yes, n for no [n]: y
 

Which DB2 auth method do you want to use?
[1] Username/Password and Single sign-on
[2] Single Sign-on only
[3] Username/Password only
[4] Skip this step

Select a number from the menu [1]: 3

Which data sent to DB2 should be encrypted?
[1] Nothing
[2] The username and their password
[3] All data going to the server
[4] Encrypt and compress all data going to the server
[5] Skip this step

Select a number from the menu [2]: 3

Use the CentrifyDC group plugin?
Enter y for yes, n for no [y]: y

In order for the username/password plugin to work, the executable:
/usr/share/centrifydc/bin/db2userpass_checkpwd must be set uid and the instance users must be allowed to run it.

What group should be used as the group owner of this file? All DB2 instances that you want to use the username/password plugin must be in this group.

[db2iadm1]:

Are the following PAM settings OK for the centrifydc_db2userpass PAM service?
These settings will only affect the Centrify DB2 username/password module.
No other PAM services or DB2 plugins will be affected. If these settings are not OK, then you will have to set up PAM yourself.

 
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

auth       include     system-auth
account   required     pam_nologin.so
account   include     system-auth

Enter y for yes, n for no [y]: y



The DB2 configuration will be updated to:
SRVCON_AUTH = DATA_ENCRYPT
SRVCON_PW_PLUGIN = centrifydc_db2userpass
LOCAL_GSSPLUGIN = NULL
SRVCON_GSSPLUGIN_LIST = NULL
AUTHENTICATION = SERVER
GROUP_PLUGIN = centrifydc_db2group
 
Continuing will stop the DB2 instance: db2inst1, update the configuration and then start the instance.

Continue?
Enter y for yes, n for no [y]: y

Stopping instance: db2inst1

# db2stop

New configuration:
Group Plugin                             (GROUP_PLUGIN) = centrifydc_db2group
GSS Plugin for Local Authorization   (LOCAL_GSSPLUGIN) =
Server List of GSS Plugins     (SRVCON_GSSPLUGIN_LIST) =
Server Userid-Password Plugin       (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
Server Connection Authentication         (SRVCON_AUTH) = DATA_ENCRYPT

Database manager authentication       (AUTHENTICATION) = SERVER
Starting instance
# db2start

 

At this point DB2 has been configured for the user/password (PAM) and Group plugins and we’re ready to test.

 

Testing the User/Password & Group Plugins

 

In my environment I enabled the sample database.

 

Test 1: Sign-in with any AD account that is allowed to log into the system

 

Open the sample database

$ db2
db2 => connect to sample user fred.thomas
Enter current password for fred.thomas:

   Database Connection Information

Database server       = DB2/LINUXX8664 10.5.0
SQL authorization ID   = FRED.THO...
Local database alias   = SAMPLE

 

Note that Fred’s user ID is longer than 8 characters

 

Test 2: Enumerate group memberships.

 

First, use adquery user –A | grep MemberOf to see the group memberships in AD

$ adquery user fred.thomas -A | grep memberOf

memberOf:centrifyimage.vms/Groups/DBA Staff - Contract,centrifyimage.vms/Groups/Demo Users,centrifyimage.vms/Groups/Google Apps

 

As per Aquery, my user belongs to DBA Staff – Contract, Demo Users and Google Apps

 

Connect to DB2 again and type the query below

 

db2 => SELECT * FROM table (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (CURRENT USER)) AS ST
 

GROUP                                                                                              
-----------------------------------------------------------------------------

DBA STAFF - CONTRACT                                                                              

DEMO USERS                                                                                        

DOMAIN USERS                                                                                      

GOOGLE APPS  

 

At this point we have verified that DB2 can enumerate the user’s groups from Active Directory.

 

Test 3:  DB2 Remote Client

You can use any IDE in a system that has the appropriate drivers to connect to DB2 on UNIX/Linux.  For example, I used the IBM Data Studio with the JDBC driver and was able to test Fred's active directory credentials against my newly Centrified DB2server.

 

IBM DB2 Data Studio - Connection.jpg

 

Where to next?

 

You can engage your DBAs to test this solution. The benefits are huge for organizations that are looking to consolidate processes in AD.  A follow-up post will discuss the SSO (GSSAPI) plugin.

 

 

Video Playlist

(2 videos, 10:36 total)

 

Appendix

Installing DB2 Express – C on CentOS 6.x

  1. DB2 Setup uses the X-Window system, if you don’t have it
    # yum groupinstall "Desktop" "X Window System" "Fonts" "Desktop Platform"
  1. Disable SELinux (this is a requirement of DB2)
    Set the following line in /etc/selinux/config
    SELINUX=disabled
    And reboot your system.
  1. Obtain the DB2 Express – C tarball from IBM
  1. Setup DB2 in graphical interface
    (I set up a database instance with all defaults – remember the instance user password)
  2. Install the sample database
    $ dzdo su –db2inst1
    $ db2sampl
  1. Test connectivity to the sample database
    $ db2 connect to sample user db2inst1
    Enter current password for db2inst1:
       Database Connection Information
    
    Database server       = DB2/LINUXX8664 10.5.0
    SQL authorization ID   = DB2INST1
    Local database alias   = SAMPLE

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.