Netezza Performance Server

 View Only
  • 1.  Kerberos with JDBC

    InnerCircle
    Posted Wed October 07, 2020 07:41 PM
    Hi
    Anybody had luck with setting up JDBC with Kerberos (not LDAP) on 256-bit encryption? We can get it up and running with ODBC without any issues (more or less: sometimes VDI's get API in registry and then we can get mixed case issues (but can be overcomed then by multiple kerberos tickets)).

    ODBC is giving a bit of overhead and most of the tools are now using JDBC by default so... 

    Working with IBM support on getting this sorted out - but maybe anyone have it done already?

    ------------------------------
    Adam Matusewicz
    ------------------------------


  • 2.  RE: Kerberos with JDBC

    InnerCircle
    Posted Wed June 16, 2021 04:54 AM

    Nevermind on this: Sorted it out. Apparently Netezza KB https://www.ibm.com/docs/en/psfa/7.2.1?topic=jdbc-kerberos-authentication-clients contain no accurate info for Windows AD servers. Seems like all tested only on Linux to Linux and with use of local shell. Missing subjects:

    - stronger encryption
    - disabling principal logons (in case somebody steal / intercept NPS keytab)
    - logging/debugging of above
    - communication security (SSL/debugging) with Kerberos

    Also seems for me that better now for NPS / JDBC is DBeaver. Aginity although natively support JDBC (and is now only option) , is enforcing password (one thing) and more important is that can't (or don't know how) to modify JVM startup to support custom config file. 

    As of now also MSLSA is a bit of struggle (though that not strictly related to Netezza - is for JDBC) - but there are workarounds....

    huw@smart.associates can tell more about this stuff. 



    ------------------------------
    Adam Matusewicz
    ------------------------------