Before you set up the SQLHOSTS information and concsm.cfg file
for the client computer in a single sign-on implementation, verify
that your login service is correctly configured to use Kerberos authentication.
Before you begin
The client user principal and service principals must exist
in the Key Distribution Center (KDC) to authenticate by using the
Kerberos tickets. Also, the KDC daemon must be running.
Procedure
- Log on by using Kerberos authentication, which typically
generates the required user credentials (ticket-granting ticket) for
SSO on all platforms. However, if you are working on UNIX™ or Linux™,
you can also employ the kinit utility to obtain
a ticket-granting ticket (TGT).
For example, the following command can generate a TGT for the user
named admin in the realm payroll.jkenterprises.com:
% /usr/local/bin/kinit admin@payroll.jkenterprises.com
- Use the klist utility to view the credentials
cache from the KDC and verify the existence of a valid ticket for
the user ID.
A valid ticket looks similar to the following example:
Ticket cache: FILE:/tmp/krb5cc_200
Default principal: admin@payroll.jkenterprises.com
Valid starting     Expires            Service principal
01/30/08 09:45:28  01/31/08 09:45:26  krbtgt/payroll.jkenterprises.com@jkenterprises.com
- After HCL OneDB™ accepts a connection request, verify that a valid
ticket-granting service (TGS) is present.
The TGS is required for the server service principal.
The following example shows the output of the klist utility, with
ol_home2data/jkent-005.payroll.jkenterprises.com as the HCL OneDB
service principal.
Ticket cache: FILE:/tmp/krb5cc_200
Default principal: admin@payroll.jkenterprises.com
Valid starting     Expires            Service principal
01/30/08 09:45:28  01/31/08 09:45:26  krbtgt/payroll.jkenterprises.com@jkenterprises.com
01/30/08 09:48:31  01/31/08 09:45:26  ol_home2data/jkent-005.payroll.jkenterprises.com@jkenterprises.com
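The two klist checks in the procedure can be scripted so that an expired or missing ticket is caught before the SQLHOSTS and concsm.cfg setup. The following is an added example, not part of the HCL documentation: check_tickets is a hypothetical helper, and it assumes klist prints one ticket per line (start, expiry, service principal) with mm/dd/yy dates as in the sample output.

```shell
#!/bin/sh
# check_tickets SERVICE_PRINCIPAL NOW   (hypothetical helper, not an HCL tool)
# Reads klist output on stdin; succeeds only if the cache holds an unexpired
# krbtgt/ entry (the TGT) and an unexpired ticket for SERVICE_PRINCIPAL.
# NOW is yymmddHHMMSS; for a live check pass "$(date +%y%m%d%H%M%S)".
# Assumption: one ticket per line, dates as mm/dd/yy HH:MM:SS, same century.
check_tickets() {
    awk -v svc="$1" -v now="$2" '
        # "mm/dd/yy" + "HH:MM:SS" -> sortable "yymmddHHMMSS"
        function stamp(d, t,    p) {
            split(d, p, "/"); gsub(":", "", t)
            return p[3] p[1] p[2] t
        }
        # Ticket lines start with a date; $3 $4 = expiry, $5 = service principal
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / && NF >= 5 {
            if ((stamp($3, $4) "") <= (now "")) next      # expired: ignore
            if (index($5, "krbtgt/") == 1) tgt = 1
            if (index($5, svc "@") == 1)   svcok = 1
        }
        END {
            if (!tgt)   { print "FAIL: no unexpired TGT in cache"; exit 1 }
            if (!svcok) { print "FAIL: no unexpired ticket for " svc; exit 2 }
            print "OK: TGT and service ticket present"
        }
    '
}

# Constructed sample: the klist output shown in the procedure above.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_200
Default principal: admin@payroll.jkenterprises.com
Valid starting     Expires            Service principal
01/30/08 09:45:28  01/31/08 09:45:26  krbtgt/payroll.jkenterprises.com@jkenterprises.com
01/30/08 09:48:31  01/31/08 09:45:26  ol_home2data/jkent-005.payroll.jkenterprises.com@jkenterprises.com'
SVC='ol_home2data/jkent-005.payroll.jkenterprises.com'

# Evaluate the sample as of 01/30/08 10:00:00 (fixed so the result is repeatable).
printf '%s\n' "$SAMPLE_KLIST" | check_tickets "$SVC" 080130100000
```

Exit status 1 means the TGT is missing or expired (rerun kinit); exit status 2 means the TGT is valid but no service ticket for the server principal has been issued yet.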