Configuring Kerberos

The configuration process is similar, regardless of which variety of Kerberos you use.

  1. Set up Kerberos third-party software and create a Kerberos administrative user. To do this, you must:

    1. Install Kerberos client software on machines where Open Client Server clients or Adaptive Server will run. The following client packages have been verified to work:

      • CyberSafe TrustBroker 4.0

      • MIT Kerberos version 1.3.1

    2. Install the Kerberos KDC server on a separate, dedicated machine.

      Note: KDCs from CyberSafe TrustBroker 4.0, MIT Kerberos v.1.3.1, and Microsoft Windows Active Directory have been verified for use with Adaptive Server.

    3. Create an administrator account with administration privileges on the Kerberos server. This account is used for subsequent client actions such as creating principals from the client machines.

    Note: Execute the remainder of these steps on the Kerberos client machine.

  2. Add a Kerberos principal for Adaptive Server, ase120srv or ase120srv@MYREALM.

  3. Extract the keytab file for principal ase120srv@MYREALM and store it as a file:

    /krb5/v5srvtab
    

    The following UNIX examples use the command line tool kadmin, available with CyberSafe or MIT Kerberos (there are also GUI tools available to administer Kerberos and users):

    CyberSafe Kadmin:
    % kadmin aseadmin 
    Principal - aseadmin@MYREALM 
    Enter password: 
    Connected to csfA5v01 in realm ASE. 
    Command: add ase120srv 
    Enter password: 
    Re-enter password for verification: 
    Principal added. 
    Command: ext -n ase120srv 
    Service Key Table File Name (/krb5/v5srvtab): 
    Key extracted. 
    Command: quit 
    Disconnected. 
    

    In a production environment, control the access to the keytab file. If a user can read the keytab file, he or she can create a server that impersonates your server.

    Use chmod and chgrp so that /krb5/v5srvtab is:

    -rw-r----- 1 root sybase 45 Feb 27 15:42 /krb5/v5srvtab
    

    When using Active Directory as the KDC, log in to the Domain Controller to add users and Adaptive Server principals. Use the Active Directory Users and Computers wizard to guide you through creating users and principals.

    Extracting the keytab file for use with Adaptive Server requires an optional tool called ktpass, which is included in the Microsoft Support Tools package.

    With Active Directory, extracting the keytab with ktpass is a separate step from creating the principal. The keytab file on Windows for Adaptive Server is located with the CyberSafe program files. For example, c:\Program Files\CyberSafe\v5srvtab is the expected location of the Adaptive Server keytab file when CyberSafe software is installed on the C: drive.
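
    The keytab permission requirement above (owner root, group sybase, mode -rw-r-----) can be verified with the following script. It is an added example, not part of the Sybase documentation or product; the owner and group are parameters because a site may run Adaptive Server under a different account, and the check also rejects symbolic links and empty files, which the listing on the page does not cover.

```python
"""Audit the ownership and mode of an Adaptive Server keytab file.

Added example; not from the Sybase documentation or the product. The defaults
mirror the page's listing for /krb5/v5srvtab (mode 0640, owner root, group
sybase); they are parameters so the check can be run against any keytab path
and any site-specific owner and group.
"""

import grp
import os
import pwd
import stat

ALLOWED_MODE = 0o640  # -rw-r----- as shown on the page


def owner_name(uid):
    """Map a uid to a user name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid):
    """Map a gid to a group name, falling back to the numeric id."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_keytab(path, owner="root", group="sybase"):
    """Return a list of findings; an empty list means the keytab is a regular
    file, owned as expected, and grants no permission beyond 0640."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink must not satisfy the check
    except FileNotFoundError:
        return [f"{path}: keytab does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: keytab is a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: keytab is not a regular file"]

    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~ALLOWED_MODE
    if extra:
        # Any bit outside 0640: world access, group write/exec, setuid, ...
        findings.append(f"{path}: mode {mode:04o} grants more than "
                        f"{ALLOWED_MODE:04o} (extra bits {extra:04o})")
    actual_owner = owner_name(st.st_uid)
    if actual_owner != owner:
        findings.append(f"{path}: owner is {actual_owner}, expected {owner}")
    actual_group = group_name(st.st_gid)
    if actual_group != group:
        findings.append(f"{path}: group is {actual_group}, expected {group}")
    if st.st_size == 0:
        findings.append(f"{path}: keytab is empty (no key extracted?)")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: audit_keytab.py [path [owner [group]]]; exits non-zero on findings.
    problems = (audit_keytab(*sys.argv[1:4]) if len(sys.argv) > 1
                else audit_keytab("/krb5/v5srvtab"))
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

    Run it from cron or a configuration-management hook on the Adaptive Server host; a non-zero exit means the keytab has drifted from the state the step above established.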

  4. Add a Kerberos principal for the user “sybuser1” as “sybuser1@MYREALM”.

  5. Start Adaptive Server and use isql to log in as “sa”. The following steps configure Adaptive Server parameters to use Kerberos security services, and create the user login account. These are the same on both Windows and UNIX machines:

    • Change configuration parameter use security services to 1:

      sp_configure 'use security services', 1
      
    • Add a new login for user “sybuser1”, and then add the user:

      create login sybuser1 with password password
      
  6. Shut down Adaptive Server and modify administrative files and connectivity configuration files.

    • On UNIX platforms – the interfaces file is under $SYBASE/ and has an entry that looks similar to:

      ase120srv
            master tli tcp myhost 2524
            query tli tcp myhost 2524 
            secmech 1.3.6.1.4.1.897.4.6.6
      

      On Windows platforms – the sql.ini file is in %SYBASE%\ini, and has an equivalent server entry that looks like:

      [ase120srv]
      master=TCP,myhost,2524
      query=TCP,myhost,2524
      secmech=1.3.6.1.4.1.897.4.6.6

    • The libtcl.cfg or libtcl64.cfg file is located in $SYBASE/$SYBASE_OCS/config/ on UNIX platforms. The SECURITY section should have an entry that looks similar to the following for CyberSafe Kerberos client libraries (each csfkrb5 entry is a single line in the file):

      [SECURITY] 
      csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/krb5/lib/libgss.so
      

      A 64-bit CyberSafe Kerberos client library entry follows:

      [SECURITY] 
      csfkrb5=libsybskrb64.so secbase=@MYREALM libgss=/krb5/appsec-rt/lib/64/libgss.so
      

      For a machine that uses MIT Kerberos client libraries, the entry looks something like:

      [SECURITY] 
      csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/opt/mitkrb5/lib/libgssapi_krb5.so
      

      For a machine that uses native OS-provided libraries, such as on Linux, it looks similar to:

      [SECURITY] 
      csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/usr/kerberos/lib/libgssapi_krb5.so
      

      On Windows – the %SYBASE%\%SYBASE_OCS%\ini\libtcl.cfg file contains an entry like:

      [SECURITY]
      csfkrb5=libskrb secbase=@MYREALM libgss=C:\WinNT\System32\gssapi32.dll
      

      Note: The libgss=<gss shared object path> setting specifies the GSS API library to be used. Point it explicitly at the Kerberos client library you intend to use, especially when multiple versions are installed on a machine.

    • Also check the objectid.dat under $SYBASE/$SYBASE_OCS/config/ and make sure the [secmech] section has an entry for csfkrb5:

      [secmech] 
      1.3.6.1.4.1.897.4.6.6 = csfkrb5
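
    The three files edited in this step must agree with each other: the secmech OID in the server's interfaces entry has to map to a mechanism name in objectid.dat, and that mechanism needs a driver line in the libtcl.cfg SECURITY section whose secbase is the server's realm. The following script checks that chain. It is an added example, not part of the Sybase documentation or product; the sample file contents are constructed from the entries shown above, and the parsers cover only the layouts shown on this page.

```python
"""Cross-check the Adaptive Server Kerberos client files described above:
the interfaces entry's secmech OID, the objectid.dat [secmech] mapping, and
the libtcl.cfg [SECURITY] driver line.

Added example; not from the Sybase documentation or the product. The inputs
are constructed from the page's own samples; the parsers handle the layouts
shown on the page and are not a full implementation of those file formats.
"""

import os

# Constructed sample: interfaces entry for ase120srv (UNIX layout from the page).
INTERFACES = """\
ase120srv
      master tli tcp myhost 2524
      query tli tcp myhost 2524
      secmech 1.3.6.1.4.1.897.4.6.6
"""

# Constructed sample: libtcl.cfg [SECURITY] section for MIT Kerberos libraries.
LIBTCL_CFG = """\
[SECURITY]
csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/opt/mitkrb5/lib/libgssapi_krb5.so
"""

# Constructed sample: objectid.dat [secmech] section.
OBJECTID_DAT = """\
[secmech]
1.3.6.1.4.1.897.4.6.6 = csfkrb5
"""


def parse_interfaces(text):
    """{server: {attr: [fields]}}: an unindented line names a server and the
    indented lines that follow are its attributes (master, query, secmech)."""
    servers, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            servers[current] = {}
        elif current is not None:
            attr, _, rest = line.strip().partition(" ")
            servers[current][attr] = rest.split()
    return servers


def parse_sections(text):
    """{section: [non-blank lines]} for files that use [section] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_security(lines):
    """'csfkrb5=libsybskrb.so secbase=@R libgss=/p' ->
    {'csfkrb5': {'driver': 'libsybskrb.so', 'secbase': '@R', 'libgss': '/p'}}"""
    mechs = {}
    for line in lines:
        fields = line.split()
        mech, _, driver = fields[0].partition("=")
        entry = {"driver": driver}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            entry[key] = value
        mechs[mech] = entry
    return mechs


def parse_secmech(lines):
    """'1.3.6.1.4.1.897.4.6.6 = csfkrb5' -> {'1.3.6.1.4.1.897.4.6.6': 'csfkrb5'}"""
    mapping = {}
    for line in lines:
        oid, _, mech = line.partition("=")
        mapping[oid.strip()] = mech.strip()
    return mapping


def check_kerberos_config(server, realm, interfaces, libtcl, objectid,
                          check_paths=False):
    """Return a list of problems; empty means the server's secmech OID maps to
    a mechanism libtcl.cfg knows, with secbase set to the expected realm.
    With check_paths=True the libgss library must also exist on this host."""
    entry = parse_interfaces(interfaces).get(server)
    if entry is None:
        return [f"no interfaces entry for {server}"]
    if "secmech" not in entry:
        return [f"{server}: interfaces entry has no secmech line"]
    oid = entry["secmech"][0]
    mech = parse_secmech(parse_sections(objectid).get("secmech", [])).get(oid)
    if mech is None:
        return [f"secmech OID {oid} is not mapped in objectid.dat [secmech]"]
    sec = parse_security(parse_sections(libtcl).get("SECURITY", [])).get(mech)
    if sec is None:
        return [f"libtcl.cfg [SECURITY] has no entry for {mech}"]
    problems = []
    if sec.get("secbase") != "@" + realm:
        problems.append(f"{mech}: secbase is {sec.get('secbase')!r}, expected '@{realm}'")
    libgss = sec.get("libgss")
    if not libgss:
        problems.append(f"{mech}: libgss is not set")
    elif check_paths and not os.path.isfile(libgss):
        problems.append(f"{mech}: libgss {libgss} not found on this host")
    return problems


if __name__ == "__main__":
    for line in check_kerberos_config("ase120srv", "MYREALM", INTERFACES,
                                      LIBTCL_CFG, OBJECTID_DAT) or ["OK"]:
        print(line)
```

    On a real host, read the three files from $SYBASE/ and $SYBASE/$SYBASE_OCS/config/ instead of the constructed strings and pass check_paths=True so that a libgss path pointing at a library that is not installed is reported before Adaptive Server is restarted.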
      
  7. You can use environment variables to override default locations of keytab files, Kerberos configuration, and realm configuration files. This is Kerberos-specific behavior and may not work consistently on all platforms.

    For example, use the CSFC5KTNAME environment variable on CyberSafe UNIX platforms to specify the keytab file:

    % setenv CSFC5KTNAME /krb5/v5srvtab
    

    For MIT Kerberos, the equivalent environment variable is KRB5_KTNAME.

    See the vendor documentation for information about these environment variables.

    You may need to modify the environment variable for dynamic library search paths. On UNIX, the most commonly used environment variable is LD_LIBRARY_PATH; on Windows, PATH is typically set to include DLL locations. You may need to modify these environment variables to enable applications to load the third-party objects correctly. For example, this command adds the location of the CyberSafe 32-bit libgss.so shared object to the search path in a C-shell environment:

    % set path = ( /krb5/lib $path )
    
  8. Restart Adaptive Server. You should see:

    00:00000:00000:2001/07/25 11:43:09.91 server
    Successfully initialized the security mechanism
    'csfkrb5'. The SQL Server will support use of this
    security mechanism. 
    
  9. Use isql as UNIX user “sybuser1” (without the -U and -P arguments) to connect:

    % $SYBASE/$SYBASE_OCS/bin/isql -Sase120srv -V 
    1>...
    

    You can also use the encryption option:

    $SYBASE/$SYBASE_OCS/bin/isql -Sase120srv -Vc