The isql and bcp utilities include the following command line options to enable network-based security services on the connection:
-K keytab_file
-R remote_server_principal
-V security_options
-Z security_mechanism
These options are described in the following paragraphs.
-K keytab_file – can be used only with DCE security, and specifies a DCE keytab file that contains the security key for the user logging in to the server. You can create keytab files with the DCE dcecp utility—see your DCE documentation.
If the -K option is not supplied, the isql user must be logged in to DCE. If the user specifies the -U option, the name specified with -U must match the name defined for the user in DCE.
-R remote_server_principal – specifies the principal name for the server as defined to the security mechanism. By default, a server’s principal name matches the server’s network name (which is specified with the -S option or the DSQUERY environment variable). The -R option must be used when the server’s principal name and network name are not the same.
-V security_options – specifies network-based user authentication. With this option, the user must log in to the network’s security system before running the utility. In this case, if a user specifies the -U option, the user must supply the network user name known to the security mechanism; any password supplied with the -P option is ignored. -V can be followed by a security_options string of key-letter options to enable additional security services. These key letters are:
c – enables data confidentiality service.
i – enables data integrity service.
m – enables mutual authentication for connection establishment.
o – enables data origin stamping service.
r – enables data replay detection.
q – enables out-of-sequence detection.
-Z security_mechanism – specifies the name of a security mechanism to use on the connection.
Security mechanism names are defined in the libtcl.cfg configuration file. If no security_mechanism name is supplied, the default mechanism is used. See the Open Client/Server Configuration Guide for your platform.
If you log in to the security mechanism and then log in to Adaptive Server, you do not need to specify the isql -U option because Adaptive Server gets the user name from the security mechanism. For example, consider the following session:
svrsole4% dce_login user2 Enter Password: svrsole4% $SYBASE/bin/isql_r -V 1> select suser_name() 2> go
------------------------------ user2
For this example, “user2” logs in to DCE with dce_login and then logs in to Adaptive Server without specifying the -U option. The -V option without parameters implicitly specifies one security service: unified login.
For more information about Adaptive Server utilities, see the Utility Guide.
If you are using Client-Library to connect to Adaptive Server, you can define security properties before connecting to the server. For example, to check message sequencing, set the CS_SEC_DETECTSEQ property. For information about using security services with Client-Library, see the Open Client Client-Library/C Reference Manual.
