TOM KEMP'S CENTRIFY BLOG

Bringing IBM DB2 under the Active Directory Umbrella

Tuesday, June 26, 2007

As you know, Centrify DirectControl provides secure access control and centralized identity management by seamlessly integrating UNIX, Linux, and Macintosh OS X computers, and J2EE and web platforms, with Microsoft Active Directory. Just recently Centrify shipped our DirectControl DB2 Agent, which extends this capability to IBM DB2, allowing users to access DB2 databases using their Active Directory user identity. Hence, you gain the benefits of centralized authentication and access control with a well-established, secure solution.

Adding DB2 support falls under our vision of delivering a "secure, connected computing environment" in which heterogeneous systems, applications and databases can leverage a common authentication, access control and auditing infrastructure (namely Active Directory, a platform that most customers have deployed). In effect, Centrify DirectControl makes a heterogeneous environment look, feel and smell like (OK, maybe not smell like) a homogeneous environment from a core security perspective, and it does so by leveraging a de facto standard technology that the customer has already deployed and invested in.

I wanted to use this blog entry to provide some color commentary on our DB2 support, as DB2 is one of the top three databases in the world, and we have significant customer interest in deploying our solution within environments that have DB2. Before describing what our solution does, let me first talk at a high level about how identity management is currently supported in DB2.

In DB2, user and group authentication is performed by a facility that is external to the DB2 database management system, such as the operating system, a domain controller, or a Kerberos security system. It is accomplished using dynamically loadable libraries called security plug-ins. There are two authentication plug-in mechanisms:

  • User ID/password plug-ins that support authentication using a user ID and password
  • GSSAPI plug-ins that support authentication using GSSAPI (Generic Security Service Application Program Interface). Kerberos is also implemented using GSSAPI.

Each of the plug-ins can be used independently or in conjunction with one or more of the other plug-ins. The default behavior is to use a user ID/password plug-in that implements an operating system-level mechanism for authentication.

Authentication is important, but so is authorization. Authorization is the process of determining access information about specific database objects and actions based on a supplied user ID. Privileges can be granted to specific users or to groups of users. Users who are members of a group automatically inherit the group's privileges. As mentioned before, these users and groups are defined outside the DB2 Universal Database (UDB); for example, with Centrify DirectControl in Active Directory.

Now turning to our solution, the Centrify DB2 Agent package allows you to connect or attach to a DB2 database using either an Active Directory or a UNIX user identity. The solution consists of the following plug-ins.

  • Username/Password plug-in. While the default DB2 Username/Password plug-in will authenticate only users in NIS and /etc/passwd, this Centrify plug-in supports both Active Directory and non-Active Directory users. A non-Active Directory user may be a UNIX user from local stores such as /etc/passwd and NSS (Name Service Switch); or a user who has been authenticated using PAM (Pluggable Authentication Modules) or AIX's LAM (Loadable Authentication Module).
  • GSSAPI plug-in. The GSSAPI plug-in allows Active Directory users to connect to a DB2 database using single sign-on. It assumes that the user accessing the database is the one already logged on to the machine and authenticated via the Kerberos mechanism. Hence, the Kerberos credentials of the logged-in user are used to obtain a ticket for the database server. However, if a user name is explicitly provided (such as in the DB2 command "connect to testdb user username using password"), the plug-in will first authenticate the given user to the Kerberos Key Distribution Center (KDC), obtain a ticket-granting ticket (TGT) upon success, and then use the TGT to get a service ticket for the DB2 server.
  • Group plug-in. The Group plug-in is used to retrieve the list of groups that a user belongs to. The group membership information is used by DB2 to check a user's access rights. The Group plug-in will retrieve the list from Active Directory as well as from the local system in order to support local users. Active Directory is queried first for the groups a user belongs to, and then the plug-in looks in the local groups as well. The two lists are then merged with duplicates removed and returned to DB2.
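To make the Group plug-in lookup and the group-based authorization it feeds concrete, here is an added Python model (not Centrify's or IBM's code). It assumes a constructed Active Directory membership table, a constructed /etc/group-style local file, and a constructed table of privileges granted to groups; it queries AD first, then local groups, merges the two lists without duplicates, and derives the privileges a user inherits through group membership.

```python
"""Model of the Group plug-in lookup described above (constructed example)."""
from typing import Dict, List, Set

# Constructed sample: what an Active Directory query might return
# (assumption: a mapping from user name to the AD groups the user belongs to).
AD_GROUPS: Dict[str, List[str]] = {
    "alice": ["db2admins", "finance", "staff"],
    "bob": ["staff"],
}

# Constructed sample in /etc/group format: name:password:gid:member,member
LOCAL_GROUP_FILE = """\
db2iadm1:x:1001:alice,dbinst
staff:x:50:alice,bob,carol
wheel:x:10:carol
"""

# Constructed privilege table: privileges granted to groups, inherited by members.
GRANTS: Dict[str, Set[str]] = {
    "db2admins": {"CREATETAB", "CONNECT"},
    "staff": {"CONNECT"},
    "wheel": set(),
}


def parse_local_groups(text: str) -> Dict[str, List[str]]:
    """Parse /etc/group-style lines into {user: [group, ...]}."""
    membership: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip it rather than fail the whole lookup
        for user in filter(None, fields[3].split(",")):
            membership.setdefault(user, []).append(fields[0])
    return membership


def lookup_groups(user: str, ad: Dict[str, List[str]], local_text: str) -> List[str]:
    """AD first, then local groups; merge, drop duplicates, keep first-seen order."""
    seen: Set[str] = set()
    merged: List[str] = []
    for group in ad.get(user, []) + parse_local_groups(local_text).get(user, []):
        if group not in seen:
            seen.add(group)
            merged.append(group)
    return merged


def effective_privileges(user: str) -> Set[str]:
    """Union of the privileges granted to every group the user belongs to."""
    privs: Set[str] = set()
    for group in lookup_groups(user, AD_GROUPS, LOCAL_GROUP_FILE):
        privs |= GRANTS.get(group, set())
    return privs
```

A user who exists only locally (carol) is still resolved, and a group present in both stores (staff for alice) appears once.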

One of our engineers reviewing this blog pointed out to me that I should mention that either one of the first two plug-ins mentioned above can be used independently or in conjunction with one another. If both the Username/Password plug-in and the GSSAPI plug-in are configured, then the Username/Password plug-in will be used whenever a user name is explicitly specified. If only the GSSAPI plug-in is configured, then only Active Directory users can connect to the database.

In summary, our support for DB2 is just another example of Centrify allowing customers to further consolidate identity management of heterogeneous systems and applications under the Active Directory umbrella, and doing so by natively leveraging standards such as LDAP and Kerberos rather than adding complex layers of synchronization. New customers can request to evaluate our DB2 support by visiting our DB2 Agent Evaluation Request page. Existing customers can log in to our support site and download the DB2 Agent from the Centrify Download Center.
