How to Configure Vector to Use Kerberos
The process for configuring Vector to use Kerberos is as follows:
1. Set the basic configuration for using Kerberos by doing either of the following:
2. Set other parameters in Configuration-By-Forms, as needed, according to your environment.
3. Obtain authorization tickets by using the kinit command (Windows, Linux), the Leash Utility (Windows), or the Network Identity Manager (Windows).
4. Stop and restart Vector.
Startup will be successful if the Kerberos GSS API library exists in your LD_LIBRARY_PATH definition (Linux), or if the GSSAPI64.DLL and GSSAPI32.DLL files reside in your system environment path (Windows).
5. Test your server using a loopback test.
To test a loopback connection using Kerberos, the local Name Server must be configured for Kerberos authentication by using the iisukerberos utility or by setting the “remote_mechanism” setting in the Name Server to “kerberos” in the Configuration-By-Forms utility. In addition, your loopback vnode entry, as defined in netutil, must have an attribute named “authentication_mechanism” and an attribute value of “kerberos”, as described in vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment.
If you do not want to define a loopback vnode, proceed to step 7.
6. Test your connection using the Terminal Monitor, as follows:
sql loopback::iidbdb
The loopback vnode should be as described in the preceding step.
7. Set up your clients. Your netutil definitions are almost the same as when using OS-level authentication, but you should leave the login/password data blank.
Note: There is a known, intermittent Kerberos problem that generates “E_LC0001 GCA protocol service (GCA_REQUEST) failure. Internal service status E_GC00ca -- Encryption negotiation failed: encryption mechanism failed initialization” when trying to connect to a database when KRB5RCACHETYPE is not set to "none". We recommend setting KRB5RCACHETYPE to "none" and restarting the Vector installation.
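The Linux prerequisites named in steps 3 and 4 and in the note above (a ticket, the GSS API library reachable through LD_LIBRARY_PATH, and KRB5RCACHETYPE set to "none") can be checked in one pass before restarting Vector. This is an added example, not part of the Vector documentation or tooling; the function names, the MIT Kerberos library file pattern libgssapi_krb5.so*, and reading KRB5RCACHETYPE from the shell environment are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks before restarting a Kerberos-enabled Vector (Linux).
# Assumption: the GSS API library uses MIT Kerberos naming, libgssapi_krb5.so*.
GSS_LIB_PATTERN='libgssapi_krb5.so*'

# Print the first file matching pattern $2 found in the colon-separated
# directory list $1; fail if no directory holds a match. Runs in a subshell
# so the IFS change does not leak into the caller.
find_gss_lib() (
    IFS=:
    for dir in $1; do
        [ -n "$dir" ] || continue        # ignore empty path entries
        for f in "$dir"/$2; do
            [ -e "$f" ] && { printf '%s\n' "$f"; exit 0; }
        done
    done
    exit 1
)

# Succeed only when the replay cache type passed as $1 is exactly "none".
rcache_is_none() { [ "$1" = "none" ]; }

# Succeed when klist reports a non-expired ticket (-s: silent, status only).
have_ticket() { command -v klist >/dev/null 2>&1 && klist -s; }

# Run all three checks, report each one, return non-zero if any failed.
preflight() {
    rc=0
    if lib=$(find_gss_lib "${LD_LIBRARY_PATH:-}" "$GSS_LIB_PATTERN"); then
        echo "OK    GSS API library: $lib"
    else
        echo "FAIL  no $GSS_LIB_PATTERN found via LD_LIBRARY_PATH"; rc=1
    fi
    if rcache_is_none "${KRB5RCACHETYPE:-}"; then
        echo "OK    KRB5RCACHETYPE=none"
    else
        echo "FAIL  KRB5RCACHETYPE='${KRB5RCACHETYPE:-}' (expected none)"; rc=1
    fi
    if have_ticket; then
        echo "OK    valid ticket in credential cache"
    else
        echo "FAIL  no valid ticket; obtain one with kinit"; rc=1
    fi
    return $rc
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it from the same shell environment that starts Vector, since that is the environment whose LD_LIBRARY_PATH and KRB5RCACHETYPE values the check reads.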
Last modified date: 11/09/2022