Db2

  • 1.  DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Mon October 30, 2023 12:47 PM

    I was hoping someone would be able to help lend a hand on what I'm missing in the documentation.

    Here is the scenario I have:

    a) DMC is on its own server in domain D1 - the repository is on a different server

    b) DMC needs to talk to over 100 other domains as that is where our customer databases reside

    c) I'm trying to set up a Connection Profile in DMC for a database in domain D2.  I've tried securityMechanism=11 and I've tried Kerberos from the drop down menu and both come back with an error "DATABASE.Caught javax.security.auth.login.LoginException while using JAASLogin. See attached Throwable for details."  

    d) I still haven't found the logs that hold the error and there is no krb5.ini file anywhere on the system.

    e) This is Windows to Windows connections

    Any help would be appreciated.

    Thank you 



    ------------------------------
    Freddie Callander
    ------------------------------


  • 2.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 02:45 AM

    I have monitored a database in a separate domain using a clear username and password. Are you able to use that method?

    You can collect the logs of DMC by going to help>export logs in the IBM Data Management Console app (not the web app), or you can go to installation_path/bin/logs for more logs.

    And what information could you see in "See attached Throwable for details" in the error message?



    ------------------------------
    Sahan Mendis
    ------------------------------



  • 3.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 01:47 PM

    The instance the database is set up on is AUTHENTICATION KERBEROS due to an application requirement.  If I try clear username and password, I get the error "Fail to establish connection with the connection profile DATABASE.Connection authorization failure occurred. Reason: Security mechanism not supported."

    The only logs I get from the Console application are logs in my AppData\Roaming\IBM DB2 Data Management Console \Logs folder, which tell me nothing.

    I have looked through the installation_path/bin/logs log files and cannot see any connection errors occurring.

    I have queried every log file on the drive for the DATABASE name and the only location it occurs is in C:\Program Files\IBM Db2 Data Management Console\resources\bin\addons\drs\drs-agent\logs.



    ------------------------------
    Freddie Callander
    ------------------------------



  • 4.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 01:51 PM

    Hello Freddie,

    Quick question, have you tried to follow the instructions from the DMC manual at:

    https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-resolving-kerberos-connection-issues



    ------------------------------
    Cintia Ogura
    ------------------------------



  • 5.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 03:03 PM

    I followed the article, stopped the console, made the jvm.options change (finally found the file), restarted the console, tried to connect and got the same error:

    Fail to establish connection with the connection profile DATABASE.Caught javax.security.auth.login.LoginException while using JAASLogin. See attached Throwable for details.



    ------------------------------
    Freddie Callander
    ------------------------------



  • 6.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 03:06 PM

    Screen Shot



    ------------------------------
    Freddie Callander
    ------------------------------



  • 7.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Tue October 31, 2023 03:17 PM

    Hello Freddie,

    Can you create a case with IBM support and send us the DMC collector for an initial investigation?

    Here are the instructions:

    https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-exchanging-information



    ------------------------------
    Cintia Ogura
    ------------------------------



  • 8.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Thu November 02, 2023 01:40 PM

    Hello Freddie,

    If you don't want to create a case, you can try to take a look at DMC log files.

    You can even turn on tracing, so DMC can add more details in the log:

    Connection issues are usually written in the DS_System log files.

    I hope that helps!



    ------------------------------
    Cintia Ogura
    ------------------------------



  • 9.  RE: DMC 3.1.11 - Kerberos setup - trusted domains

    Posted Thu November 02, 2023 03:31 PM

    Hi Cintia,

    I did reach out to support and we are working through this. I guess the biggest gap I'm seeing in the documentation is ensuring the SPN is set up correctly and to point to the SPN. I've been able to piece this through other IBM product documentation that uses DB2 for backend repositories, but there is nothing in the DB2 documentation to help point a poor DBA never dealing with Kerberos before where to go for the basics of setting things up. I have read all of the documentation under DB2 that I can find through searches, but it never states at any time to make sure an SPN is set up. According to the errors I'm getting, that appears to be the issue.

    Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    	at java.base/javax.security.auth.login.LoginContext.invoke(Unknown Source)
    	at java.base/javax.security.auth.login.LoginContext$4.run(Unknown Source)
    	at java.base/javax.security.auth.login.LoginContext$4.run(Unknown Source)
    	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
    	at java.base/javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    	at java.base/javax.security.auth.login.LoginContext.login(Unknown Source)
    	at com.ibm.db2.jcc.am.cx.a(cx.java:25)
    	... 72 more
    Caused by: KrbException: Pre-authentication information was invalid (24)
    	at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    	... 81 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    	at java.security.jgss/sun.security.krb5.internal.KDCRep.init(Unknown Source)
    	at java.security.jgss/sun.security.krb5.internal.ASRep.init(Unknown Source)
    	at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(Unknown Source)
    	... 84 more


    ------------------------------
    Freddie Callander
    ------------------------------
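
    A log-triage sketch for the stack trace in post 9, added here as an example and not written by any poster or by IBM. It walks the `Caused by` chain, separates KDC error codes (RFC 4120) from JDK-internal ASN.1 decode codes, and reports which Kerberos exchange the failing frames belong to; the function names and the subset of codes listed are this example's own, and the sample input is abbreviated from the trace above.

```python
import re

# Subset of RFC 4120 error codes often seen during a Krb5LoginModule login.
RFC4120 = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW", 68: "KDC_ERR_WRONG_REALM",
}
CAUSE = re.compile(r"^\s*Caused by: ([\w.$]+): (.*?) \((\d+)\)\s*$")
FRAME = re.compile(r"^\s*at (?:[\w.]+/)?([\w.$<>]+)\(")

def parse_chain(trace):
    """Return one entry per 'Caused by' line with its code and stack frames."""
    chain = []
    for line in trace.splitlines():
        cause, frame = CAUSE.match(line), FRAME.match(line)
        if cause:
            chain.append({"cls": cause[1], "msg": cause[2],
                          "code": int(cause[3]), "frames": []})
        elif frame and chain:
            chain[-1]["frames"].append(frame[1])
    return chain

def triage(trace):
    """Report which Kerberos exchange failed and the KDC error behind it."""
    chain = parse_chain(trace)
    frames = [f for c in chain for f in c["frames"]]
    # KrbAs* classes handle the AS exchange (the client's TGT request);
    # KrbTgs* classes handle the TGS exchange (service ticket for an SPN).
    tags = ((".KrbAs", "AS"), (".KrbTgs", "TGS"))
    exchange = next((n for t, n in tags if any(t in f for f in frames)), "unknown")
    # Codes of 900 and above are JDK-internal ASN.1 decode codes raised
    # client-side while parsing the reply; they are not sent by the KDC.
    kdc = [c["code"] for c in chain if c["code"] < 900]
    code = kdc[-1] if kdc else None
    return {"exchange": exchange, "kdc_code": code,
            "kdc_name": RFC4120.get(code, "unlisted"),
            "jdk_internal": [c["code"] for c in chain if c["code"] >= 900]}

# Abbreviated copy of the trace posted in this thread.
SAMPLE = """Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.ibm.db2.jcc.am.cx.a(cx.java:25)
Caused by: KrbException: Pre-authentication information was invalid (24)
    at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(Unknown Source)
"""
```

    On this trace `triage(SAMPLE)` reports the AS exchange with KDC_ERR_PREAUTH_FAILED (24), meaning the KDC rejected the client principal's initial TGT request, a step that happens before any service ticket for an SPN is requested. The 906 entry is the JDK failing to decode the KDC's error reply as an AS-REP, not a separate KDC error.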