How to Configure Ingres to Use Kerberos
The process for configuring Ingres to use Kerberos is as follows:
1. Set the basic configuration for using Kerberos by doing either of the following:
   - Run the iisukerberos utility (see iisukerberos Command--Perform Basic Kerberos Configuration).
   - Set parameters in Configuration-By-Forms (see Basic Configuration for Kerberos).
2. Set other parameters in Configuration-By-Forms, as needed, according to your environment.
3. Obtain authorization tickets by using the kinit command (Windows, VMS and UNIX), the Leash Utility (Windows), or the Network Identity Manager (Windows).
4. Stop and restart Ingres.
Startup will be successful if the Kerberos GSS API library exists in your LD_LIBRARY_PATH definition (UNIX and Linux), if the GSSAPI32.DLL file resides in your system environment path (Windows), or if the file SYS$LIBRARY:GSS$RTL32.EXE is installed (VMS).
5. Test your server using a loopback test.
To test a loopback connection using Kerberos, the local Name Server must be configured for Kerberos authentication, either by using the iisukerberos utility or by setting the “remote_mechanism” setting in the Name Server to “kerberos” in the Configuration-By-Forms utility. In addition, your loopback vnode entry, as defined in netutil, must have an attribute named “authentication_mechanism” with an attribute value of “kerberos” (see vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment).
If you do not want to define a loopback vnode, proceed to step 7.
6. Test your connection using the Terminal Monitor, as follows:
sql loopback::iidbdb
The loopback vnode should be as described in the preceding step.
7. Set up your clients. Your netutil definitions are almost the same as when using OS-level authentication, but you should leave the login/password data blank.
Note:  There is a known, intermittent Kerberos problem that generates “E_LC0001 GCA protocol service (GCA_REQUEST) failure. Internal service status E_GC00ca -- Encryption negotiation failed: encryption mechanism failed initialization” when trying to connect to a database when KRB5RCACHETYPE is not set to "none". We recommend setting KRB5RCACHETYPE to "none" and restarting the Ingres installation.
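The conditions in steps 3 and 4 and in the note above can be checked before Ingres is restarted. The following script is an added example, not part of the Ingres documentation; it assumes a UNIX or Linux host with the MIT Kerberos client tools, and the library file pattern libgssapi_krb5.so* and the function names are assumptions.

```shell
#!/bin/sh
# Preflight for a UNIX/Linux Ingres host before "Stop and restart Ingres".
# Assumptions (not from the Ingres guide): MIT Kerberos tools are installed and
# the GSS API library file matches libgssapi_krb5.so*.
GSS_LIB_PATTERN="${GSS_LIB_PATTERN:-libgssapi_krb5.so*}"

# Print the first GSS API library found in LD_LIBRARY_PATH; return 1 if none.
find_gss_lib() {
    old_ifs=$IFS; IFS=:
    for dir in $LD_LIBRARY_PATH; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        for f in "$dir"/$GSS_LIB_PATTERN; do
            if [ -f "$f" ]; then echo "$f"; return 0; fi
        done
    done
    IFS=$old_ifs
    return 1
}

# klist -s prints nothing and exits non-zero if the credential cache is
# missing or its tickets have expired (i.e. kinit has not been run).
has_valid_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# The guide's workaround for E_GC00ca. In MIT Kerberos this value turns the
# replay cache off, so set it only in the Ingres installation's environment.
rcache_disabled() {
    [ "${KRB5RCACHETYPE:-}" = "none" ]
}

# Run all three checks, report each one, return non-zero if a required one failed.
preflight() {
    rc=0
    if lib=$(find_gss_lib); then echo "ok:   GSS API library $lib"
    else echo "FAIL: no $GSS_LIB_PATTERN in LD_LIBRARY_PATH"; rc=1; fi
    if has_valid_ticket; then echo "ok:   valid Kerberos ticket in cache"
    else echo "FAIL: no valid ticket; run kinit first"; rc=1; fi
    if rcache_disabled; then echo "ok:   KRB5RCACHETYPE=none"
    else echo "WARN: KRB5RCACHETYPE is not \"none\" (see E_GC00ca note)"; fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` as the user that owns the Ingres installation, so that LD_LIBRARY_PATH, the credential cache and KRB5RCACHETYPE are the ones the Ingres processes will see.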
Last modified date: 01/30/2023