Run the setupdb2.sh script

Perform the steps described in this section to run the setupdb2.sh script now.

In the example used here, db2inst1 is the name of a DB2 database instance, you want to run the script in verbose mode, and you do not want to run the script in debug mode.

To run the setupdb2.sh script:

  1. Change to the /usr/share/centrifydc/bin directory:

    cd /usr/share/centrifydc/bin
  2. Run the setupdb2.sh script. The instance name that you pass with the inst= option cannot exceed 8 bytes.

    ./setupdb2.sh inst=db2inst1 verbose=1

    In this example, the database instance is named db2inst1, verbose mode is invoked so that all prompts for different installation and setup options are displayed, and debug mode is not invoked.

  3. Type y or n at the prompt, Is db2inst1 a DB2 server install?

    In this example, db2inst1 is a server installation, so select the default (y, for yes).

    This confirms whether the instance being configured is a DB2 server. Answering yes directs the script to set up both the server-side and the client-side plug-ins. A message then reports whether the script determined the instance to be 32-bit or 64-bit:

    db2inst1 is a 64 bit instance. DB2 server and client setup will be done.
  4. Enter a number at the prompt, Which DB2 auth method do you want to use?

    Enter the number of the authentication method you want from the listed choices.

    [1]	Username/Password and Single sign-on
    [2]	Single Sign-on only
    [3]	Username/Password only
    [4]	Skip this step
    Select a number from the menu [1]:

    See Username/password plug-in and GSSAPI plug-in for details about these choices. In this example, select [3] Username/Password only.

  5. Enter a number at the prompt, Which data sent to DB2 should be encrypted?

    Choose whether, and which, data sent to DB2 is encrypted on the wire. This step is optional.

    [1]	Nothing
    [2]	The username and their password
    [3]	All data going to the server
    [4]	Encrypt and compress all data going to the server
    [5]	Skip this step
    • In this example, select [1] Nothing. With this choice user IDs and passwords are not encrypted on the wire, so use it only where the network path to the server is otherwise protected.
    • Selecting [2], [3], or [4] changes SRVCON_AUTH to SERVER_ENCRYPT.
    • Selecting [5] Skip this step exits the plug-in setup program.
  6. Type y or n at the prompt, Use the CentrifyDC group plugin?

    Specify whether to use the CentrifyDC group plug-in. See Group plug-in for details about this choice.

    Installing the group plug-in, centrifydc_db2group, lets DB2 retrieve the list of groups to which a user belongs for authorization. DB2 calls the group plug-in automatically after the user has been authenticated.

    DB2 uses the retrieved group information to check the user's access rights and decide whether the user holds the privilege for a given task, for example connecting, querying, or database management.

    The Group plug-in queries Active Directory first for the groups to which the user belongs and then it looks in the local groups on the host. The two lists are then merged with duplicates removed and returned to DB2.

    In this example, select yes.

  7. Enter a number at the prompt, Do you want to configure the instance user db2inst1 as a service account?

    Specify whether to configure the instance user as a service account.

    You must do this step if you want to use the GSSAPI plug-in. If you already did this step for this instance, select the option to provide the name of the existing keytab file.
    [1]	Use adkeytab to create a service account in Active Directory and keytab file.
    NOTE: You need to specify a user name with administrator privileges on the domain to use adkeytab.
    [2]	Provide the name of an already existing keytab file.
    [3]	Skip this step

    Generally, if you are starting from nothing, enter 1, otherwise enter 2.

    If you are setting up the GSSAPI plug-in (that is, if you selected a single sign-on option in Step 4) and you have not yet configured the instance user as a service account, you must select option 1, “Use adkeytab to create a service account in Active Directory and keytab file” in this step. You will be prompted later for the Active Directory Administrator password.

    If you have already configured the instance user as a service account, the necessary keytab file already exists. If this is the case, select option 2, “Provide the name of an already existing keytab file,” and provide the full path and file name of the keytab file.

    If you are not setting up the GSSAPI plug-in, you can optionally skip this step.

    In this example, even though the GSSAPI plug-in is not being set up (that is, a single sign-on option was not selected in Step 4), you can still choose to configure the instance user as a service account. To do so, select option 1.

  8. Enter a filename or press return to accept the default, at the prompt, What is the file name that adkeytab should use when creating the keytab file?

    Choose the default or specify any location.

    Full path please. Note: the file needs to be accessible to the db2inst1 user.
    [ /home/db2inst1/db2inst1.keytab ]
  9. Enter at the prompt, Enter the password for db2inst1.

    Provide the password for the db2inst1 service account in Active Directory: create a new password if adkeytab is creating the account in this run, or enter the existing password if the account was configured earlier.

  10. Enter at the prompt, Enter a user name that has administrator privileges for the domain.

    Specify a user name (for example, hnerman@centrify.com). The user name must be the account's sAMAccountName, and the account must have administrator privileges for the domain (that is, Active Directory Administrator privileges).

  11. Enter at the prompt, Enter the container where to store the db2inst1 user.

    Specify the container object in which to create the service account.

    [CN=Users]:
    The default OU is CN=Users
    PAM setup not required for AIX. Skipping...

    Note:   If a service account name other than the DB2 instance name is chosen to adopt and build the Kerberos keytab file, this service account needs to meet the following two requirements:

    • The account name has to be 8 characters or less in length. This is required by the DB2 server.
    • This account must be granted the same authorities in the DB2 server as the instance owner.

    The setupdb2.sh script can use only the container objects in the domain to which the computer is currently joined. You cannot specify another domain for the container object when you use the setupdb2.sh script to install and configure plug-ins. If you want to specify a different domain, you must install the plug-ins manually without using the setupdb2.sh script. See Step 2 in Set up for the GSSAPI plug-in for details about specifying a different domain.

    Type the name of the container object in relative DN format (that is, do not specify the domain portion of the DN). For example, if you wanted to create the service account in the users container in the currently joined domain, you would type the following:

    CN=users
  12. Enter at the prompt, What group should be used as the group owner of this file?

    Specify the group name or select the default.

    All DB2 instances that you want to use the username/password plugin must be in this group. [db2iadm1]:

    You are prompted for more information depending on which plug-ins you are setting up:

    • The group that owns the /usr/share/centrifydc/bin/db2userpass_checkpwd file. You are prompted for this information if you are setting up the username/password plug-in. As the output below shows, the script installs this helper with mode 4750 and owner root, so it runs setuid root; membership in the owning group is what limits who can execute it, so keep that group to the DB2 instance owners.
    • The password for the user with Active Directory Administrator privileges that you specified in Step 10. You are prompted for this information if you are setting up the GSSAPI plug-in.

    Example return output from this step.

    *********** adkeytab setup (required for GSS-plugin) ***********
    Using /home/db2inst1/db2inst1.keytab for the keytab file for instance: db2inst1
    NOTE: adkeytab will prompt you for the password of the Active Directory admin user: rsriniva.
    # adkeytab -n -c CN=Users -u rsriniva -K /home/db2inst1/db2inst1.keytab -P db2inst1/vaix61-2.corp.contoso.com db2inst1
    rsriniva@CORP.CONTOSO.COM's password:
    Success: New Account: db2inst1
    NOTE: adkeytab will prompt you for the password of the Active Directory admin user: rsriniva again.
    # adkeytab -C db2inst1 -u rsriniva -w XXX-PASS-NOT-DISPLAYED-XXX -K /home/db2inst1/db2inst1.keytab
    rsriniva@CORP.CONTOSO.COM's password:
    Success: Change Password: db2inst1
    # chmod 600 /home/db2inst1/db2inst1.keytab
    # chown db2inst1 /home/db2inst1/db2inst1.keytab
    # db2set DB2ENVLIST=KRB5_KTNAME
    adkeytab setup successfully!
    ************* username/password plugin setup *************
    # chmod 750 /usr/share/centrifydc/bin/db2userpass_checkpwd
    # chown root:db2iadm1 /usr/share/centrifydc/bin/db2userpass_checkpwd
    # chmod u+s /usr/share/centrifydc/bin/db2userpass_checkpwd
    username/password setup successfully
    ******* Installing the plugins into instance: db2inst1 *******
    Installing client side auth plugin
    # rm -f sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so
    # cp /usr/share/centrifydc/lib/libcentrifydc_db2gsskrb5.so sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so
    Installing group plugin
    # rm -f sqllib/security32/plugin/group/centrifydc_db2group.so
    # cp /usr/share/centrifydc/lib/libcentrifydc_db2group.so sqllib/security32/plugin/group/centrifydc_db2group.so
    Installing server side auth plugin
    # rm -f sqllib/security64/plugin/server/centrifydc_db2gsskrb5.so
    # rm -f sqllib/security64/plugin/server/centrifydc_db2userpass.so
    # cp /usr/share/centrifydc/lib64/libcentrifydc_db2gsskrb5.so sqllib/security64/plugin/server/centrifydc_db2gsskrb5.so
    # cp /usr/share/centrifydc/lib64/libcentrifydc_db2userpass95.so sqllib/security64/plugin/server/centrifydc_db2userpass.so
    Installing client side auth plugin
    # rm -f sqllib/security64/plugin/client/centrifydc_db2gsskrb5.so
    # cp /usr/share/centrifydc/lib64/libcentrifydc_db2gsskrb5.so sqllib/security64/plugin/client/centrifydc_db2gsskrb5.so
    Installing group plugin
    # rm -f sqllib/security64/plugin/group/centrifydc_db2group.so
    # cp /usr/share/centrifydc/lib64/libcentrifydc_db2group.so sqllib/security64/plugin/group/centrifydc_db2group.so
    ******* Updating settings for DB2 instance: db2inst1 ******
    Old configuration (You may want to copy these settings down in case you need to revert to the old settings):
    Group Plugin (GROUP_PLUGIN) =
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Database manager authentication (AUTHENTICATION) = SERVER
    The DB2 configuration will be updated to:
    LOCAL_GSSPLUGIN = centrifydc_db2gsskrb5
    SRVCON_GSSPLUGIN_LIST = centrifydc_db2gsskrb5
    SRVCON_PW_PLUGIN = centrifydc_db2userpass
    SRVCON_AUTH = GSS_SERVER_ENCRYPT
    AUTHENTICATION = SERVER
    GROUP_PLUGIN = centrifydc_db2group
  13. Review the script displayed content.

    From this point the script stops the DB2 instance: db2inst1, updates the configuration, and then restarts the instance.

    System information displays as files are configured. When the setupdb2.sh script finishes the configuration, a completion message displays.

    Example output as the instance is stopped, reconfigured, and restarted.

    Stopping instance: db2inst1
    # db2stop
    SQL1064N DB2STOP processing was successful.
    # db2 update dbm config using LOCAL_GSSPLUGIN centrifydc_db2gsskrb5
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    # db2 update dbm config using SRVCON_GSSPLUGIN_LIST centrifydc_db2gsskrb5
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    # db2 update dbm config using SRVCON_PW_PLUGIN centrifydc_db2userpass
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    # db2 update dbm config using SRVCON_AUTH GSS_SERVER_ENCRYPT
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    # db2 update dbm config using AUTHENTICATION SERVER
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    # db2 update dbm config using GROUP_PLUGIN centrifydc_db2group
    DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.
    New configuration:
    Group Plugin (GROUP_PLUGIN) = centrifydc_db2group
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
    Server Connection Authentication (SRVCON_AUTH) = GSS_SERVER_ENCRYPT
    Database manager authentication (AUTHENTICATION) = SERVER
    Starting Instance
    # db2start
    SQL1063N DB2START processing was successful.
    The plugins for DB2 instance: db2inst1 were setup successfully!
  14. Verify that the setup completed properly by running the following command as the DB2 instance user:

    db2 get dbm config |egrep -i "auth|gss|group|srvcon"

    Example output from the command for a scenario where all three DirectControl for DB2 security plug-ins have been configured follows. The lines of interest are GROUP_PLUGIN, LOCAL_GSSPLUGIN, SRVCON_GSSPLUGIN_LIST, SRVCON_PW_PLUGIN, SRVCON_AUTH, and AUTHENTICATION.

    SYSADM group name (SYSADM_GROUP) = DB2GRP1
    SYSCTRL group name (SYSCTRL_GROUP) =
    SYSMAINT group name (SYSMAINT_GROUP) =
    SYSMON group name (SYSMON_GROUP) =
    Group Plugin (GROUP_PLUGIN) = centrifydc_db2group
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
    Server Connection Authentication (SRVCON_AUTH) = SERVER_ENCRYPT
    Database manager authentication (AUTHENTICATION) = SERVER
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
    Bypass federated authentication (FED_NOAUTH) = NO
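    The following script is added here as an example; it is not part of the DirectControl product or of setupdb2.sh. It automates the check in Step 14 together with the two file-permission outcomes shown in the Step 12 output: it parses db2 get dbm config output for the six parameters listed above, verifies the keytab is mode 600 and owned by the instance user, and verifies the setuid password helper is mode 4750 and owned by root and the instance admin group. The sample configuration embedded in it is copied from the Step 14 output on this page so the parsing can be exercised without a DB2 instance; the paths /home/db2inst1/db2inst1.keytab and /usr/share/centrifydc/bin/db2userpass_checkpwd, the user db2inst1 and the group db2iadm1 are taken from this page's example and must be adjusted for your instance.

```shell
#!/bin/sh
# Post-setup check for the DirectControl DB2 plug-ins.
# Added example; not part of setupdb2.sh. Uses only POSIX sh, sed and find
# so it runs unchanged on AIX and Linux.

# Sample "db2 get dbm config" output, copied from Step 14 on this page, so the
# parsing can be exercised without a DB2 instance at hand.
SAMPLE_DBM_CFG='SYSADM group name                     (SYSADM_GROUP) = DB2GRP1
SYSCTRL group name                    (SYSCTRL_GROUP) =
Group Plugin                          (GROUP_PLUGIN) = centrifydc_db2group
GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
Server List of GSS Plugins            (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
Server Userid-Password Plugin         (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
Server Connection Authentication      (SRVCON_AUTH) = SERVER_ENCRYPT
Database manager authentication       (AUTHENTICATION) = SERVER
Trusted client authentication         (TRUST_CLNTAUTH) = CLIENT'

# db2_param NAME: print the value of one DBM parameter from config text on stdin.
# Anchors on "(NAME) =" so LOCAL_GSSPLUGIN never matches SRVCON_GSSPLUGIN_LIST.
db2_param() {
    sed -n "s/^.*(${1}) *= *//p" | tr -d ' \r'
}

# check_plugin_config NAME=WANT ...: read config text on stdin, compare each
# named parameter with the wanted value, report per parameter and return 1 on
# any mismatch. An empty WANT asserts that the parameter is unset.
check_plugin_config() {
    cfg=$(cat)
    rc=0
    for spec in "$@"; do
        name=${spec%%=*}
        want=${spec#*=}
        got=$(printf '%s\n' "$cfg" | db2_param "$name")
        if [ "$got" = "$want" ]; then
            echo "ok   $name = $got"
        else
            echo "FAIL $name = '$got' (expected '$want')"
            rc=1
        fi
    done
    return $rc
}

# check_file_perms FILE MODE USER [GROUP]: exact-mode and ownership check with
# POSIX find, so a keytab that drifted to 644, or a setuid helper that lost its
# root:db2iadm1 ownership, is reported. MODE is octal, e.g. 600 or 4750.
check_file_perms() {
    f=$1; mode=$2; user=$3; group=$4
    if [ ! -e "$f" ]; then
        echo "FAIL $f: does not exist"
        return 1
    fi
    if [ -n "$group" ]; then
        found=$(find "$f" -prune -perm "$mode" -user "$user" -group "$group")
    else
        found=$(find "$f" -prune -perm "$mode" -user "$user")
    fi
    if [ -n "$found" ]; then
        echo "ok   $f is mode $mode owned by $user${group:+:$group}"
        return 0
    fi
    echo "FAIL $f: expected mode $mode owned by $user${group:+:$group}"
    return 1
}

# Stand-alone run: check the embedded sample, then the live files if present.
# On a real server feed the live output instead:
#   db2 get dbm config | check_plugin_config SRVCON_PW_PLUGIN=centrifydc_db2userpass ...
main() {
    status=0
    printf '%s\n' "$SAMPLE_DBM_CFG" | check_plugin_config \
        GROUP_PLUGIN=centrifydc_db2group \
        LOCAL_GSSPLUGIN=centrifydc_db2gsskrb5 \
        SRVCON_GSSPLUGIN_LIST=centrifydc_db2gsskrb5 \
        SRVCON_PW_PLUGIN=centrifydc_db2userpass \
        SRVCON_AUTH=SERVER_ENCRYPT \
        AUTHENTICATION=SERVER || status=1
    # Paths, user and group from this page's example; adjust for your instance.
    keytab=/home/db2inst1/db2inst1.keytab
    helper=/usr/share/centrifydc/bin/db2userpass_checkpwd
    if [ -e "$keytab" ]; then check_file_perms "$keytab" 600 db2inst1 || status=1; fi
    if [ -e "$helper" ]; then check_file_perms "$helper" 4750 root db2iadm1 || status=1; fi
    return $status
}

main
```

    Pass the parameters you expect for the options you chose: for a username/password-only install, SRVCON_PW_PLUGIN=centrifydc_db2userpass with an empty SRVCON_GSSPLUGIN_LIST= is the right assertion set, and SRVCON_AUTH should match the encryption choice from Step 5. The -perm test is an exact match, so a helper that has silently lost its setuid bit (mode 750) or a keytab readable by the group (mode 640) both fail the check rather than passing a looser "at least" test.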

This completes the automated installation on the DB2 server. If you selected single sign-on and username/password or single sign-on only, you need to install the GSSAPI client on every client computer. Go to Set up the GSSAPI DB2 client for information about that procedure.

If you selected username/password only, you are done with the installation. Go to Test the installation to finish.