I'm currently attempting to set up a DataSource connection in a DB2 database using Kerberos authentication. I've read several threads with differing approaches and now feel rather confused.
To begin, I'm unsure where the correct attribute is for setting up the values for Kerberos. Should I add it using dataSource.setServerName(nameofserver), dataSource.setPortNumber(integernumber), etc., or can I add it in a Properties variable?
Edit: I am using the com.ibm.db2.jcc.DB2SimpleDataSource and the version is 4.19.49 (thanks @mao)
Edit 12.01.2024:
Code Block
DB2SimpleDataSource dataSource = new DB2SimpleDataSource();
dataSource.setDriverType(4);
dataSource.setServerName("server");
dataSource.setPortNumber(portnumber);
dataSource.setDatabaseName("database name");
dataSource.setSslConnection(true);
dataSource.setClientProgramName("program name");
dataSource.setRetrieveMessagesFromServerOnGetMessage(true);
dataSource.setSecurityMechanism(dataSource.KERBEROS_SECURITY);
Error message
com.ibm.db2.jcc.am.SqlException: [jcc][t4][10262][11223][4.19.49] Unexpected Throwable caught: class com.ibm.db2.jcc.am.le (in unnamed module @0x49097b5d) cannot access class sun.security.action.GetPropertyAction (in module java.base) because module java.base does not export sun.security.action to unnamed module @0x49097b5d. ERRORCODE=-4228, SQLSTATE=null
at com.ibm.db2.jcc.am.kd.a(Unknown Source)
at com.ibm.db2.jcc.am.kd.a(Unknown Source)
at com.ibm.db2.jcc.am.kd.a(Unknown Source)
at com.ibm.db2.jcc.t4.b.b(Unknown Source)
at com.ibm.db2.jcc.t4.b.a(Unknown Source)
at com.ibm.db2.jcc.t4.b.a(Unknown Source)
at com.ibm.db2.jcc.t4.b.a(Unknown Source)
at com.ibm.db2.jcc.t4.b.<init>(Unknown Source)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(Unknown Source)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(Unknown Source)
at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(Unknown Source)
at test.connection.TestDbConnectionDataSource.main(TestDbConnectionDataSource.java:81)
Caused by: java.lang.IllegalAccessError: class com.ibm.db2.jcc.am.le (in unnamed module @0x49097b5d) cannot access class sun.security.action.GetPropertyAction (in module java.base) because module java.base does not export sun.security.action to unnamed module @0x49097b5d
at com.ibm.db2.jcc.am.le.a(Unknown Source)
at com.ibm.db2.jcc.am.le.a(Unknown Source)
at com.ibm.db2.jcc.t4.b.a(Unknown Source)
At IBM documentation reading for dataSource.setKerberosServerPrincipal("sample/[email protected]");
I have to replace @SRVLSJ.SJ.IBM.COM with the realm of my Kerberos.conf file. But, what can I do if I use many realm?
PS 1. I have used the System.setProperty("java.security.krb5.conf", "path\krb5.conf");.
PS 2. The above error I can resolve it if I use in VM arguments this: --add-exports java.base/sun.security.action=ALL-UNNAMED. But, I want to still work without this in VM arguments.
When asking for help with Db2, always state your Db2-server version+fixpack and your Db2-server platform, because the answers can differ per platform and sometimes also per version.
Suggest that you study carefully the IBM documentation page here, which shows sample snippets of kerberos with jdbc type 4 driver . which you are already using (db2jcc4.jar).
You choose whether to use the DriverManager interface or the com.ibm.db2.jcc.DB2SimpleDataSource interface.
It helps to educate yourself about the requirements for kerberos/jdbc which are documented here.
These presume that your Db2-server is already correctly configured to support kerberos authentication.
It helps to prove it is working by first testing it with a different jdbc product that supports using kerberos authentication with Db2. One such tool is the IBM Data Studio although you need to be at the latest Data-Studio version and additionally to have the latest fixes (fixpack) for data-studio installed. Data-Studio supports passwordless authentication with Kerberos and it is a large footprint java/jdbc application. Some other front end tools for jdbc either don't support kerberos authentication with Db2-LUW, or partially support it.