Configuring SAP Sybase IQ databases to use Kerberos

You can configure SAP Sybase IQ databases to use Kerberos logins.

Prerequisites

You must have the SET ANY PUBLIC OPTION and MANAGE ANY USER system privileges.

You must already have Kerberos configured before SAP Sybase IQ can use it.

Task

The Kerberos login feature allows you to maintain a single user ID and password for database connections, operating systems, and network logins.

  1. Start the SAP Sybase IQ database server with the -krb or -kr option to enable Kerberos authentication, or use the -kl option to specify the location of the GSS-API library and enable Kerberos.
  2. Change the public or temporary public option login_mode to a value that includes Kerberos. Because database options apply only to the database in which they are set, different databases can have different Kerberos login settings, even if they are loaded and running on the same database server. For example:
    SET OPTION PUBLIC.login_mode = 'Kerberos,Standard';
    Warning! Setting the login_mode database option to Kerberos alone restricts connections to only those users who have been granted a Kerberos login mapping. Attempting to connect using a user ID and password generates an error unless you are a user with the SYS_AUTH_DBA_ROLE system role.
  3. Create a database user ID for the client user. You can use an existing database user ID for the Kerberos login, as long as that user has the correct privileges. For example:
    CREATE USER "kerberos-user"
    IDENTIFIED BY abc123;
  4. Execute a GRANT KERBEROS LOGIN TO statement to create a mapping from the client's Kerberos principal to an existing database user ID. For example:
    GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM"
    AS USER "kerberos-user";

    To connect when a Kerberos principal is used that does not have a mapping, ensure the Guest database user ID exists and has a password.

  5. Ensure the client user has already logged on (has a valid Kerberos ticket-granting ticket) using their Kerberos principal and that the client's Kerberos ticket has not expired. A Windows user logged in to a domain account already has a ticket-granting ticket, which allows them to authenticate to servers, provided their principal has sufficient permissions.

    A ticket-granting ticket is a Kerberos ticket encrypted with the user's password that is used by the Ticket Granting Service to verify the user's identity.

  6. Connect from the client, specifying the KERBEROS connection parameter (often KERBEROS=YES; KERBEROS=SSPI or KERBEROS=GSS-API-library-file can also be used). If the user ID or password connection parameters are specified, they are ignored. For example:
    dbisql -c "KERBEROS=YES;Server=my_server_princ"
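    The following script is an added example, not part of the SAP documentation above: it carries out steps 2 through 4 as a staged rollout, applying login_mode as a temporary option first so that a mistake in the mapping cannot lock administrators out across a restart. The principal, user name and password are placeholders, and reading settings back through the SYS.SYSOPTIONS and SYS.SYSLOGINMAP catalog views is an assumption about the catalog, not something the page states.

```sql
-- Added example (not SAP's own script). Placeholders: "kerberos-user",
-- "pchin@MYREALM.COM" and the password. SYS.SYSOPTIONS / SYS.SYSLOGINMAP
-- are assumed catalog views for reading the configuration back.

-- Stage 1: apply the login mode as a TEMPORARY public option. A temporary
-- option does not survive a server restart, so if Kerberos connections
-- fail the database comes back with its previous login_mode.
-- Keeping 'Standard' in the list preserves user-ID/password logins while
-- the mapping is being tested (see the warning in step 2).
SET TEMPORARY OPTION PUBLIC.login_mode = 'Kerberos,Standard';

-- Stage 2: the database user that the Kerberos principal will map to.
-- The password is ignored for Kerberos connections but still works for
-- Standard logins, so it must not be a weak placeholder in production.
CREATE USER "kerberos-user" IDENTIFIED BY ChangeMe_Placeholder1;

-- Stage 3: one mapping per principal. The mapping, not the password, is
-- what allows a ticket holder to authenticate as "kerberos-user".
GRANT KERBEROS LOGIN TO "pchin@MYREALM.COM" AS USER "kerberos-user";

-- Stage 4: read back what is in effect before making anything permanent.
SELECT "option", setting
  FROM SYS.SYSOPTIONS
 WHERE "option" = 'login_mode';
SELECT * FROM SYS.SYSLOGINMAP;   -- assumed view listing login mappings

-- Stage 5: only after a client has connected with
--   dbisql -c "KERBEROS=YES;Server=my_server_princ"
-- make the setting permanent.
SET OPTION PUBLIC.login_mode = 'Kerberos,Standard';

-- Removing access for a principal that should no longer log in: drop the
-- mapping rather than the database user, so other mapped principals keep
-- working.
REVOKE KERBEROS LOGIN FROM "pchin@MYREALM.COM";
```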

The SAP Sybase IQ database is configured to use Kerberos authentication.

Next

You can use Kerberos authentication to connect from a client. Optionally, you can create a Kerberos login mapping.