Setting up a Kerberos system to use with SAP Sybase IQ

You can configure Kerberos authentication to be used with SAP Sybase IQ.

Prerequisites

You must be logged in to your computer using Kerberos authentication.

Task

Kerberos is a network authentication protocol that provides strong authentication and encryption using secret-key cryptography.

  1. If necessary, install and configure the Kerberos client software, including the GSS-API runtime library, on both the client and server.

    On Windows client computers using an Active Directory Key Distribution Center (KDC), SSPI can be used and you do not need to install the Kerberos client.

  2. If necessary, create a Kerberos principal in the Kerberos KDC for each user.

    A Kerberos principal is a Kerberos user ID in the format user/instance@REALM, where /instance is optional. If you are already using Kerberos, the principals should already exist, and you do not need to create them again.

    Principals are case sensitive and must be specified in the correct case. Mappings for multiple principals that differ only in case are not supported (for example, you cannot have mappings for both jjordan@MYREALM.COM and JJordan@MYREALM.COM).

  3. Create a Kerberos principal in the KDC for the SAP Sybase IQ database server.

    The default Kerberos principal for the database server has the format server-name@REALM, where server-name is the SAP Sybase IQ database server name. To use a different server principal, use the -kp server option. Principals are case sensitive, and server-name cannot contain multibyte characters or the characters /, \, or @.

    You must create a server service principal within the KDC because servers use a keytab file for KDC authentication. The keytab file is protected and encrypted.

  4. Securely extract and copy the keytab for the principal server-name@REALM from the KDC to the computer running the SAP Sybase IQ database server.

    The default location of the keytab file depends on the Kerberos client and the platform. The keytab file's permissions should be set so that the SAP Sybase IQ server can read it, but unauthorized users do not have read permission.

The Kerberos system is authenticated and configured to be used with SAP Sybase IQ.
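The checks implied by steps 2 to 4 can be scripted before the server is started. The following is an added example, not SAP code: the function names are hypothetical, non-ASCII is treated as multibyte, and owner-only POSIX permissions are assumed as one way to keep unauthorized users from reading the keytab.

```python
import os
import stat
import tempfile

FORBIDDEN = set("/\\@")  # characters the page disallows in server-name

def server_name_problems(server_name):
    """Return reasons server_name cannot be used in server-name@REALM."""
    problems = []
    if not server_name:
        problems.append("empty name")
    bad = sorted(FORBIDDEN & set(server_name))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Assumption: any non-ASCII character is multibyte in the server charset.
    if not server_name.isascii():
        problems.append("contains multibyte characters")
    return problems

def case_only_collisions(principals):
    """Group principals that differ only in case (unsupported as mappings)."""
    groups = {}
    for p in principals:
        groups.setdefault(p.casefold(), set()).add(p)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def keytab_problems(path, server_uid):
    """Return permission problems for a keytab read by account server_uid."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != server_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {server_uid}")
    if not mode & stat.S_IRUSR:
        problems.append("owner cannot read the file")
    # Assumption: owner-only access; any group/other bit is reported.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other access present (mode {mode:o})")
    return problems

if __name__ == "__main__":
    print(server_name_problems("iq/demo"))  # constructed server name
    print(case_only_collisions(["jjordan@MYREALM.COM", "JJordan@MYREALM.COM"]))
    with tempfile.NamedTemporaryFile() as kt:  # constructed stand-in keytab
        os.chmod(kt.name, 0o644)
        print(keytab_problems(kt.name, os.getuid()))
```

Pass the uid of the account that runs the database server as server_uid; an empty list from each function means no problem was found.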

Next

Configure your SAP Sybase IQ database server and database to use Kerberos.