Set up for the username/password plug-in

The username/password plug-in library, centrifydc_db2userpass.so, is now in place. Three more procedures are required to finish the Authentication Service for IBM DB2 username/password plug-in installation and configuration:

  • Configure the instance’s Linux computer(s) to use the Authentication Service for IBM DB2 library for PAM authentication.

    Note:   The Authentication Service for IBM DB2 username/password security plug-in uses PAM to authenticate users. This step is required only for DB2 servers running on Linux platforms. On AIX-based computers, the Authentication Service for IBM DB2 username/password plug-in uses the native LAM authentication framework which is already configured for authentication against Active Directory accounts.

  • Set parameters in the /etc/centrifydc/centrifydc.conf file.

  • Assign permissions for the program that checks the password for local users.

  1. Configure Linux-based computers:

    Note:   This operation requires root user privileges.

    You need to tell the PAM service to use the Authentication Service for IBM DB2 plug-in for authentication and account management. The name of the Authentication Service for IBM DB2 username/password plug-in is centrifydc_db2userpass.

    Each PAM service has its own configuration file in the /etc/pam.d directory. To add the Authentication Service for IBM DB2 username/password plug-in on a Red Hat Linux computer, create the file

    /etc/pam.d/centrifydc_db2userpass

    with the following contents:

    # Centrify PAM service for DB2 username/password support
    # %PAM-1.0
    auth     required  pam_stack.so service=system-auth
    auth     required  pam_nologin.so
    account  required  pam_stack.so service=system-auth
    ##########################################
    

    If you are configuring a SUSE Linux 10 computer, the contents of /etc/pam.d/centrifydc_db2userpass should be as follows:

    auth     include  common-auth
    account  include  common-account
    

    If you are configuring a SUSE Linux 8 or 9 computer, the contents of /etc/pam.d/centrifydc_db2userpass should be as follows:

    auth     required  pam_unix2.so
    auth     required  pam_nologin.so
    auth     required  pam_env.so
    account  required  pam_unix2.so
    account  required  pam_nologin.so
    
  2. Set /etc/centrifydc/centrifydc.conf parameters: The following configuration options require you to edit the /etc/centrifydc/centrifydc.conf file on the DB2 server.

    • If you want to allow users who are already logged in to the DB2 server to log in to the database instance without entering their user name and password, add the following line to /etc/centrifydc/centrifydc.conf:

      db2.userpass.allow.localnopasswd.db2_instance_name: true

      The default value is false, meaning that users already logged in to the server must enter their user name and password to access the database instance.

    • If you have an environment in which the user name case used for database authentication differs from the user name case stored in /etc/passwd, you need to add the following parameter to the /etc/centrifydc/centrifydc.conf file:

      db2.userpass.username.lower: true

      When this parameter is present and set to true, the DB2 username/password plug-in converts the user name to lowercase before attempting authentication. When this parameter is set to false, it leaves the case as-is.

    • By default, the Centrify DB2 agent authenticates all Active Directory users even if the Active Directory user is not in the zone. To optionally constrain the authentication to zone enabled Active Directory users only, add the following parameter to the /etc/centrifydc/centrifydc.conf file:

      db2.user.zone_enabled.db2_instance_name: true

      After you add this parameter, restart the DB2 instance to pick up the new setting.

      Stop and start the agent after you modify centrifydc.conf to enable the conversion.
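As an added verification step (example code written for this page, not part of the Centrify documentation or product), the following script parses a constructed centrifydc.conf excerpt and a PAM service file, reports the effective plug-in policy for one instance, and flags the settings that widen who can authenticate. The instance name db2inst1, the sample file contents, and treating an absent db2.userpass.username.lower as "leave case as-is" are assumptions.

```python
"""Audit the DB2 username/password plug-in settings described above.
Added example; the file contents below are constructed, not taken from a real server."""

# Constructed excerpt of /etc/centrifydc/centrifydc.conf for instance db2inst1 (assumed name).
SAMPLE_CONF = """\
# constructed centrifydc.conf excerpt
db2.userpass.allow.localnopasswd.db2inst1: true
db2.userpass.username.lower: true
db2.user.zone_enabled.db2inst1: true
"""

# Constructed /etc/pam.d/centrifydc_db2userpass in the SUSE Linux 10 form shown above.
SAMPLE_PAM = """\
auth     include  common-auth
account  include  common-account
"""


def parse_centrifydc_conf(text):
    """Parse 'key: value' lines of centrifydc.conf, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip().lower()
    return settings


def db2_userpass_policy(settings, instance):
    """Effective per-instance settings; localnopasswd and zone_enabled default to false per the text,
    username.lower is treated as false when absent (assumption)."""
    return {
        "allow_local_nopasswd": settings.get(f"db2.userpass.allow.localnopasswd.{instance}", "false") == "true",
        "username_lower": settings.get("db2.userpass.username.lower", "false") == "true",
        "zone_enabled_only": settings.get(f"db2.user.zone_enabled.{instance}", "false") == "true",
    }


def audit_findings(policy):
    """Return human-readable findings for settings that broaden access to the instance."""
    findings = []
    if policy["allow_local_nopasswd"]:
        findings.append("users already logged in to the server reach the instance without a password")
    if not policy["zone_enabled_only"]:
        findings.append("every Active Directory user can authenticate, not only zone-enabled users")
    return findings


def pam_service_complete(text):
    """The PAM service file must define both an auth and an account stack, or authentication fails."""
    types = {line.split()[0] for line in text.splitlines() if line.strip() and not line.lstrip().startswith("#")}
    return {"auth", "account"} <= types
```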