Password less authentication or API to update password for CDC engine and Management Console

IBM update.

We document support for Kerberos with Oracle: https://www.ibm.com/docs/en/idr/11.4.0?topic=databases-setting-up-kerberos-authentication . Is the concern that this was not working when you tried to configure it?

Note the following comments from L3. (In summary password less communication from MC to Oracle Datastores is feasible with current capabilities):

"

When kerberos is configured for the engine, then when MC is trying to connect to the db through CDC engine, if only user name is provided (i.e. password field is empty in the datastore), then CDC will only check if the user exists instead of trying to connect to db using user/password stored in MC."

If customer doesn’t want to provide login info in MC for a datastore that was configured with kerberos, customer just need to enter a valid db user in the MC and leave password field empty.

IBM Update.

Regarding this part of the requirement "(1) CDC engine for IBM iseries needs to support password less authentication like kerberos, or have an API that allows password to be updated., we need more details.

What exactly is needed where it comes to password less access:

Here is relevant guidance from L3

"

While create CDC instance for IBM i we do not provide database credentials as in confguring LUW CDC engines.

Installation of CDC instance for IBM i is typically done using the QSECOFR user (or any user who has *SECOFR special authorities).

For configuring and operating CDC, there are 2 types of user profiles to be taken into consideration:

CDC operational user: Users who run CDC replication processes, typically users who are logged on through the datastore or who start replication processes from the command line/job scheduler. The CDC source jobs are run under the CDC operational user profile. The CDC operational user requires authorities to the replicated source tables, journals and journal receivers. For target tables, no authorities are required for the CDC operational user since all the apply processes are run under the CDC product user.

CDC owner/product user: By default, the user profile D_MIRROR. The user profile D_MIRROR is automatically created during installation. CDC requires this user profile to supervise replication operations for the CDC apply processes. The D_MIRROR user profile does not need authorities to the replicated source tables, journals or journal receivers. However, all the CDC apply processes are run under the D_MIRROR user profile, hence the need for this profile to have update rights to the target tables.CDC Management console, need to support password less authentication you mean not to provide the IBM i user profile details while configuring the CDC for IBM i datastore."

Hi,

Can we please have an update on the target date for IBM CDC listener supporting kerberos authentication for RHEL 8 ?
we need to move away from our current setup which is using password based authentication on the listener to connect to Oracle 19 db.

We had attempted setting up a Kerberos connection for listener IIDR-11.4.0.5-5733-linux-x86.bin on RHEL 8 however it gave a checksum error due to incompatible SHA512. Database checksum is 'SHA512,SHA256'

following error was encountered in the setup -
Error:A SQL exception has occurred. The SQL error code is '0'. The SQL state is: HY008. The error message is:

[CDC][Oracle JDBC Driver]ORA-12656: Cryptographic checksum mismatch

Thanks,
Jitendra

IBM Update.

Thanks for filing this requirement.

We think the requirement is valid. We will keep it on our list of requirements that are candidates for prioritization in future roadmap planning.

==

Comments on 2025.4.15 ^

Note the subsequent comments made after further review/investigation.

More information is presently being requested regarding (1) CDC engine for IBM iseries needs to support password less authentication like kerberos, or have an API that allows password to be updated.