KB-3040: How to run setupdb2.sh to configure Centrify DB2 plugin

Centrify DirectControl, Centrify DirectControl Plugins

12 April 2016 at 11:40 AM

Applies to: All versions of Centrify DB2 for Applications on AIX platform.
 
Question:
 
How does one install and configure the Centrify DB2 plugin?
 
Answer:
 
1) Make sure IBM's DB2 server is installed and already functional (contact the vendor for instructions on how to do this).
 
2) Depending on the platform, download the plugins from the following link:
 
 
3) As root, navigate to /usr/share/centrifydc/bin and run setupdb2.sh as follows:
 
# ./setupdb2.sh inst=db2inst1 
 
where db2inst1 is the name of the DB2 instance being configured. The DBA should know the instance name.
 
4) Is db2inst1 a DB2 server install?
 
This asks whether the DB2 server component is running in this instance. Answering yes also installs the DB2 client component.
 
5) db2inst1 is a 64 bit instance. DB2 server and client setup will be done.
(This message is printed by the script after it detects whether the instance is 32- or 64-bit.)
 
6) Is this DB2 version 9.5 or later?
 
The DBA can find the DB2 version by running db2licm -l as the instance owner.
 
7) Which DB2 auth method do you want to use?
 
[1] Username/Password and Single sign-on
[2] Single Sign-on only
[3] Username/Password only
[4] Skip this step
 
Select a number from the menu [1]:
 
Choose option 1, 2 or 3.
 
8) Use the CentrifyDC group plugin?
 
Install the group plug-in, centrifydc_db2group, to retrieve the list of groups a user belongs to for authorization. DB2 calls the group plugin automatically after user authentication and uses the group information it returns to check the user's access rights and determine whether the user has the privilege to perform a specific task, for example connect, query or database management. The group plug-in queries Active Directory first for the groups the user belongs to and then looks at the local groups on the host; the two lists are merged, duplicates are removed, and the result is returned to DB2.
 
9) Do you want to configure the instance user db2inst1 as a service account?
 
You must do this step if you want to use the GSS plugin. If you already did this step for this instance, select the option that lets you provide the keytab file name.
 
[1] Use adkeytab to create a service account in Active Directory and keytab
    file.  NOTE: You need to specify a user name with administrator privileges
    on the domain to use adkeytab.
 
[2] Provide the name of an already existing keytab file.
 
[3] Skip this step
 
If starting from scratch, choose 1; otherwise choose 2.
 
10) What is the file name that adkeytab should use when creating the keytab file?  Full path please.  Note: the file needs to be accessible to the db2inst1 user.
[ /home/db2inst1/db2inst1.keytab ]:
 
Accept the default or specify another location.
 
11) Enter the password for db2inst1.
 
Create a new password for db2inst1, or enter the existing password if one was configured earlier.
 
12) Enter a user name that has administrator privileges for the domain
 
This does not need to be the Administrator account, but it must be entered as a sAMAccountName.
 
13) Enter the container where to store the db2inst1 user
[CN=Users]:
 
The default container is CN=Users.
 
PAM setup not required for AIX. Skipping...
 
In order for the username/password plugin to work, the executable: /usr/share/centrifydc/bin/db2userpass_checkpwd must be setuid and the instance users must be allowed to run it.
 
14) What group should be used as the group owner of this file? All DB2 instances that you want to use the username/password plugin must be in this group. [db2iadm1]:
 
Use the default or specify the group name.
 
(Example output)
*********** adkeytab setup (required for GSS-plugin) ***********
Using /home/db2inst1/db2inst1.keytab for the keytab file for instance: db2inst1
 
NOTE: adkeytab will prompt you for the password of the Active Directory admin user: rsriniva.
 
# adkeytab -n -c CN=Users -u rsriniva -K /home/db2inst1/db2inst1.keytab -P db2inst1/vaix61-2.corp.contoso.com db2inst1
rsriniva@CORP.CONTOSO.COM's password:
Success: New Account: db2inst1
 
NOTE: adkeytab will prompt you for the password of the Active Directory admin user: rsriniva again.
 
# adkeytab -C db2inst1 -u rsriniva -w XXX-PASS-NOT-DISPLAYED-XXX -K /home/db2inst1/db2inst1.keytab
rsriniva@CORP.CONTOSO.COM's password:
Success: Change Password: db2inst1
# chmod 600 /home/db2inst1/db2inst1.keytab
 
# chown db2inst1 /home/db2inst1/db2inst1.keytab
 
# db2set DB2ENVLIST=KRB5_KTNAME
 
adkeytab setup successfully!
 
************* username/password plugin setup *************
# chmod 750 /usr/share/centrifydc/bin/db2userpass_checkpwd
 
# chown root:db2iadm1 /usr/share/centrifydc/bin/db2userpass_checkpwd
 
# chmod u+s /usr/share/centrifydc/bin/db2userpass_checkpwd
 
username/password setup successfully
 
******* Installing the plugins into instance: db2inst1 *******
Installing client side auth plugin
# rm -f sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so
 
# cp /usr/share/centrifydc/lib/libcentrifydc_db2gsskrb5.so sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so
 
Installing group plugin
 
# rm -f sqllib/security32/plugin/group/centrifydc_db2group.so
 
# cp /usr/share/centrifydc/lib/libcentrifydc_db2group.so sqllib/security32/plugin/group/centrifydc_db2group.so
 
 
Installing server side auth plugin
 
# rm -f sqllib/security64/plugin/server/centrifydc_db2gsskrb5.so
 
# rm -f sqllib/security64/plugin/server/centrifydc_db2userpass.so
 
# cp /usr/share/centrifydc/lib64/libcentrifydc_db2gsskrb5.so sqllib/security64/plugin/server/centrifydc_db2gsskrb5.so
 
# cp /usr/share/centrifydc/lib64/libcentrifydc_db2userpass95.so sqllib/security64/plugin/server/centrifydc_db2userpass.so
 
Installing client side auth plugin
 
# rm -f sqllib/security64/plugin/client/centrifydc_db2gsskrb5.so
 
# cp /usr/share/centrifydc/lib64/libcentrifydc_db2gsskrb5.so sqllib/security64/plugin/client/centrifydc_db2gsskrb5.so
 
Installing group plugin
 
# rm -f sqllib/security64/plugin/group/centrifydc_db2group.so
 
# cp /usr/share/centrifydc/lib64/libcentrifydc_db2group.so sqllib/security64/plugin/group/centrifydc_db2group.so
 
******* Updating settings for DB2 instance: db2inst1 ******
 
Old configuration (You may want to copy these settings down in case you need to revert to the old settings):
 
 Group Plugin                             (GROUP_PLUGIN) =
 GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) =
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) =
 Server Connection Authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 Database manager authentication        (AUTHENTICATION) = SERVER
 
The DB2 configuration will be updated to:
 
LOCAL_GSSPLUGIN  =  centrifydc_db2gsskrb5
SRVCON_GSSPLUGIN_LIST  =  centrifydc_db2gsskrb5
SRVCON_PW_PLUGIN  =  centrifydc_db2userpass
SRVCON_AUTH  =  GSS_SERVER_ENCRYPT
AUTHENTICATION  =  SERVER
GROUP_PLUGIN  =  centrifydc_db2group
 
15) Continuing will stop the DB2 instance: db2inst1, update the configuration and then start the instance.
 
Stopping instance: db2inst1
 
# db2stop
04/19/2013 21:11:24     0   0   SQL1025N  The database manager was not stopped because databases are still active.
SQL1025N  The database manager was not stopped because databases are still active.
 
# db2 update dbm config using LOCAL_GSSPLUGIN centrifydc_db2gsskrb5
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
# db2 update dbm config using SRVCON_GSSPLUGIN_LIST centrifydc_db2gsskrb5
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
# db2 update dbm config using SRVCON_PW_PLUGIN centrifydc_db2userpass
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
# db2 update dbm config using SRVCON_AUTH GSS_SERVER_ENCRYPT
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
# db2 update dbm config using AUTHENTICATION SERVER
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
# db2 update dbm config using GROUP_PLUGIN centrifydc_db2group
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
 
New configuration:
 Group Plugin                             (GROUP_PLUGIN) = centrifydc_db2group
 GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
 Server Connection Authentication          (SRVCON_AUTH) = GSS_SERVER_ENCRYPT
 Database manager authentication        (AUTHENTICATION) = SERVER
 
16) Verify that the setup completed properly by running the following command as the DB2 instance user:
 
db2 get dbm config |egrep -i "auth|gss|group|srvcon"
 
Sample output of the above command, for a scenario where all three DirectControl for DB2 security plug-ins have been configured, follows.
The lines of interest are the GROUP_PLUGIN, LOCAL_GSSPLUGIN, SRVCON_GSSPLUGIN_LIST, SRVCON_PW_PLUGIN, SRVCON_AUTH and AUTHENTICATION entries.
 
SYSADM group name (SYSADM_GROUP) = DB2GRP1
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =
Group Plugin (GROUP_PLUGIN) = centrifydc_db2group
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
Server Connection Authentication (SRVCON_AUTH) = GSS_SERVER_ENCRYPT
Database manager authentication (AUTHENTICATION) = SERVER
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
Bypass federated authentication (FED_NOAUTH) = NO
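As an added check that is not part of this KB article (nor of Centrify's setupdb2.sh), the POSIX shell script below compares a saved `db2 get dbm config` dump with the values listed in the script's "New configuration" block above, and verifies the owner, group and setuid mode that step 14 sets on db2userpass_checkpwd. The dump file path, the db2iadm1 group name and the sample lines it runs on are assumptions constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the KB): verify the settings setupdb2.sh wrote.
# Pass a saved copy of `db2 get dbm config` (run as the instance user) and
# compare it with the "New configuration" block the script printed.

# Expected values, exactly as the KB's sample output reports them.
EXPECTED="GROUP_PLUGIN=centrifydc_db2group
LOCAL_GSSPLUGIN=centrifydc_db2gsskrb5
SRVCON_GSSPLUGIN_LIST=centrifydc_db2gsskrb5
SRVCON_PW_PLUGIN=centrifydc_db2userpass
SRVCON_AUTH=GSS_SERVER_ENCRYPT
AUTHENTICATION=SERVER"

# dbm_value FILE KEY: the value on the "(KEY) = value" line of a config dump.
dbm_value() {
    sed -n "s/^.*(${2}) *= *//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# check_dbm_config FILE: 0 when every expected key matches; otherwise print
# each mismatch and return 1. An empty value means that plugin never got set.
check_dbm_config() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(dbm_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '${got:-<empty>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_checkpwd FILE GROUP: db2userpass_checkpwd must be setuid root, owned by
# the DB2 instance admin group and closed to others (mode 4750, as the script
# sets it). Parses ls -ld (works on AIX too); strips a trailing ACL/SELinux mark.
check_checkpwd() {
    wantgrp=$2
    set -- $(ls -ld "$1")
    mode=${1%[.+]}
    echo "mode=$mode owner=$3 group=$4"
    [ "$mode" = "-rwsr-x---" ] && [ "$3" = root ] && [ "$4" = "$wantgrp" ]
}

# Constructed sample (not real output): a dump where the group plugin was skipped.
SAMPLE=$(mktemp)
printf '%s\n' ' Group Plugin (GROUP_PLUGIN) =' \
    ' Server Connection Authentication (SRVCON_AUTH) = GSS_SERVER_ENCRYPT' > "$SAMPLE"
check_dbm_config "$SAMPLE" || echo "dbm config needs attention"
rm -f "$SAMPLE"
```

On a real instance, run `db2 get dbm config > /tmp/dbm.cfg` as the instance user, then `check_dbm_config /tmp/dbm.cfg` and `check_checkpwd /usr/share/centrifydc/bin/db2userpass_checkpwd db2iadm1` as root.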
