Configure your login process and user authentication to
function with a Kerberos 5 mechanism before you set up Informix® for single
sign-on.
Informix SSO
requires installation and setup of a Kerberos 5 authentication mechanism
on the client and server computers of your network. For details on
setting up your network according to the Kerberos standard, see the
documentation provided with the installed Kerberos product.
Important: Use a secure computer for the Key
Distribution Center to ensure the safety of the passwords and encryption
keys. Limit access to specific users and, if possible, do not use
the computer for other tasks.
For JDBC Driver client sites,
read Configuring JDBC Driver for SSO before you do the following
steps.
You must have kadmin privileges (UNIX and Linux)
or domain administrator rights (Windows)
to complete steps 3, 4, and 5.
1. For sites that are enabling a new Kerberos 5 setup for
   SSO, run the sample client and server programs if they are available
   with your Kerberos product. This task helps eliminate setup errors
   in the network infrastructure.
2. Verify that the clocks of all computers to be involved
   with SSO authentication are synchronized. Kerberos typically does
   not function when there is a clock discrepancy of five minutes or
   more between computers.
3. Create the Informix service
   and client principals on the Key Distribution Center (KDC) with the kadmin utility
   (UNIX and Linux) or with Active Directory (Windows). Remember the following rules as
   you create principals:
   - All principals to be used with Informix must
     be in the same realm or trusted realms.
   - All principals must map to database server user IDs.
     For example, if you have user5@payroll.jkenterprises as a principal,
     user5 must exist as an operating system user and payroll.jkenterprises.com as
     a fully qualified host name.
4. UNIX and Linux only: Add the server
   service principal key to the keytab file and
   transfer the file to the Informix host
   computer.
5. UNIX and Linux only: Put the keytab file
   into the default keytab file location.
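
The clock and principal rules above can be checked before the principals are created. The following preflight script is an added example, not code from the Informix or Kerberos documentation; the function names, the EXAMPLE.COM realm, the host names and the offsets are constructed for illustration, and the clock offsets are assumed to have been measured already against one reference clock.

```python
# Added example (not IBM code): preflight checks for the rules listed above.
from itertools import combinations

MAX_SKEW_SECONDS = 300  # the page's limit: five minutes or more breaks Kerberos


def os_user_exists(name):
    """True if the local account database has this user (UNIX and Linux)."""
    import pwd  # imported here because the module exists only on UNIX-like hosts
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def split_principal(principal):
    """Split 'primary[/instance]@REALM' into (primary, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"{principal!r}: expected primary[/instance]@REALM")
    return name.split("/", 1)[0], realm


def check_client_principals(principals, allowed_realms, user_exists=os_user_exists):
    """Return one message per violated rule; an empty list means all passed."""
    problems = []
    for principal in principals:
        try:
            primary, realm = split_principal(principal)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if realm not in allowed_realms:
            problems.append(f"{principal}: realm is not the server realm or a trusted realm")
        if not user_exists(primary):
            problems.append(f"{principal}: no operating system user named {primary}")
    return problems


def skewed_pairs(offsets, limit=MAX_SKEW_SECONDS):
    """offsets maps host -> clock offset in seconds from one reference clock."""
    pairs = combinations(sorted(offsets.items()), 2)
    return [(a, b, abs(x - y)) for (a, x), (b, y) in pairs if abs(x - y) >= limit]


if __name__ == "__main__":
    # Constructed sample data: hypothetical realm, users and measured offsets.
    print(check_client_principals(["user5@EXAMPLE.COM"], {"EXAMPLE.COM"}))
    print(skewed_pairs({"kdc": 0, "dbserver": 200, "client": -200}))
```

The skew check compares every pair of hosts, so two computers that are each within five minutes of the KDC but more than five minutes apart from each other are still reported.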