Never mind on this: sorted it out. Apparently the Netezza KB https://www.ibm.com/docs/en/psfa/7.2.1?topic=jdbc-kerberos-authentication-clients contains no accurate info for Windows AD servers. It seems it was all tested only on Linux to Linux and with use of a local shell. Missing subjects:
- stronger encryption
- disabling principal logons (in case somebody steals / intercepts the NPS keytab)
- logging/debugging of above
- communication security (SSL/debugging) with Kerberos
Also, it seems to me that the better option now for NPS / JDBC is DBeaver. Aginity, although it natively supports JDBC (and it is now the only option), enforces a password (one thing) and, more importantly, I can't (or don't know how to) modify its JVM startup to support a custom config file.
As of now, MSLSA is also a bit of a struggle (though that is not strictly related to Netezza; it is for JDBC), but there are workarounds...
huw@smart.associates can tell more about this stuff.
------------------------------
Adam Matusewicz
------------------------------
Original Message:
Sent: Wed October 07, 2020 04:12 PM
From: Adam Matusewicz
Subject: Kerberos with JDBC
Hi
Has anybody had luck with setting up JDBC with Kerberos (not LDAP) on 256-bit encryption? We can get it up and running with ODBC without any issues (more or less: sometimes VDIs get API in the registry and then we can get mixed-case issues (but these can then be overcome by multiple Kerberos tickets)).
ODBC is giving a bit of overhead and most of the tools are now using JDBC by default, so...
Working with IBM support on getting this sorted out, but maybe someone has done it already?
------------------------------
Adam Matusewicz
------------------------------
#NetezzaPerformanceServer