Set up Kerberos authentication for an Adaptive Server-to-Adaptive Server replication system.
Install Adaptive Server Enterprise 15.7 SP100 or later, and start the server. See the Adaptive Server Installation Guide.
Install Replication Server 15.7.1 SP100 or later and start the server. See the Replication Server Installation Guide.
Install the Kerberos key distribution center (KDC). To install the KDC for your Kerberos environment, see the vendor documentation.
Configure the Adaptive Server to use Kerberos security for data replication.
Before you add the principal name in the KDC, ask the system administrator to provide the Kerberos library path.
In this example, the primary Adaptive Server is Kerberos_PDS and its principal name is Kerberos_PDS_principal. The replicate Adaptive Server is Kerberos_RDS and its principal name is Kerberos_RDS_principal.
Set the Kerberos environment, then add the principal names to the KDC and create a keytab for each:
export LD_LIBRARY_PATH=/mitkrb/lib:$LD_LIBRARY_PATH
export KRB5_CONFIG=/mitkrb/krb5.conf
export PATH=/mitkrb/linux/bin:$PATH
/mitkrb/linux/sbin/kadmin -p kadmin/admin -k -t /mitkrb/linux/admin.key
kadmin: addprinc Kerberos_PDS_principal@ASE // password: a1234abcd
kadmin: ktadd -k /usr/Kerberos_PDS_principal.keytab Kerberos_PDS_principal@ASE
kadmin: addprinc Kerberos_RDS_principal@ASE // password: a1234abcd
kadmin: ktadd -k /usr/Kerberos_RDS_principal.keytab Kerberos_RDS_principal@ASE
kadmin: quit
Obtain a ticket for each principal from its keytab:
export KRB5CCNAME=/usr/Kerberos_PDS_principal.cc
/mitkrb/linux/bin/kinit -f -k -t /usr/Kerberos_PDS_principal.keytab Kerberos_PDS_principal@ASE
export KRB5CCNAME=/usr/Kerberos_RDS_principal.cc
/mitkrb/linux/bin/kinit -f -k -t /usr/Kerberos_RDS_principal.keytab Kerberos_RDS_principal@ASE
where Kerberos_PDS_principal and Kerberos_RDS_principal are the principal names for Kerberos_PDS and Kerberos_RDS, respectively.
Add a secmech 1.3.6.1.4.1.897.4.6.6 line to each Adaptive Server entry in the interfaces file, and add an entry for each principal name that points to the same host and port as its server:
Kerberos_PDS
	query tcp sun-ether replinuxb15 20001
	master tcp sun-ether replinuxb15 20001
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_PDS_principal
	query tcp sun-ether replinuxb15 20001
	master tcp sun-ether replinuxb15 20001
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS
	query tcp sun-ether replinuxb15 20002
	master tcp sun-ether replinuxb15 20002
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS_principal
	query tcp sun-ether replinuxb15 20002
	master tcp sun-ether replinuxb15 20002
	secmech 1.3.6.1.4.1.897.4.6.6
In the [SECURITY] section of the libtcl64.cfg file (64-bit), add the Kerberos driver entry:
[SECURITY]
csfkrb5=libsybskrb64.so libgss=/krb5/lib/libgssapi_krb5.so secbase=@ASE
or, in the libtcl.cfg file (32-bit):
[SECURITY]
csfkrb5=libsybskrb.so libgss=/krb5/lib/libgssapi_krb5.so secbase=@ASE
Verify that the objectid.dat file maps the Kerberos object identifier to csfkrb5. The objectid.dat file is in the $SYBASE/config directory in UNIX, or the %SYBASE%/ini directory in Windows:
1.3.6.1.4.1.897.4.6.6 = csfkrb5
Enable security services on both Adaptive Servers:
isql -U sa -P -S Kerberos_PDS
use master
go
sp_configure 'use security services', 1
go
isql -U sa -P -S Kerberos_RDS
use master
go
sp_configure 'use security services', 1
go
Set the Kerberos environment and start the primary Adaptive Server with its principal name. You can supply the principal name either through SYBASE_PRINCIPAL or through the dataserver -k option:
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/Kerberos_PDS_principal.keytab
export KRB5CCNAME=/usr/Kerberos_PDS_principal.cc
export KRB5_CONFIG=/mitkrb/krb5.conf
export SYBASE_PRINCIPAL=Kerberos_PDS_principal@ASE // use SYBASE_PRINCIPAL or the "-k" option
dataserver -d data_Kerberos_PDS.dat -k Kerberos_PDS_principal@ASE -s Kerberos_PDS -c Kerberos_PDS.cfg // add "-k Kerberos_PDS_principal@ASE"
Do the same for the replicate Adaptive Server:
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/Kerberos_RDS_principal.keytab
export KRB5CCNAME=/usr/Kerberos_RDS_principal.cc
export KRB5_CONFIG=/mitkrb/krb5.conf
export SYBASE_PRINCIPAL=Kerberos_RDS_principal@ASE // use SYBASE_PRINCIPAL or the "-k" option
dataserver -d data_Kerberos_RDS.dat -k Kerberos_RDS_principal@ASE -s Kerberos_RDS -c Kerberos_RDS.cfg // add "-k Kerberos_RDS_principal@ASE"
Verify that you can log in to both Adaptive Servers with a Kerberos ticket (isql -V selects network-based authentication):
cd $SYBASE
. SYBASE.sh
export KRB5_CONFIG=/mitkrb/krb5.conf
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export PATH=/bin:$PATH
/bin/kinit sa
Password for sa@ASE: password
isql -V -I interfaces -J -U sa -S Kerberos_PDS_principal -w 700
isql -V -I interfaces -J -U sa -S Kerberos_RDS_principal -w 700
Configure the Replication Server to use a user-defined Kerberos principal name to replicate data from an Adaptive Server database.
In this example, you configure the primary Replication Server (PRS) principal name as PRS_principal and the replicate Replication Server (RRS) principal name as RRS_principal.
Add entries for both Replication Servers and their principal names to the interfaces file, alongside the Adaptive Server entries:
vi interfaces
PRS
	query tcp ether replinuxb15 30002
	master tcp ether replinuxb15 30002
	secmech 1.3.6.1.4.1.897.4.6.6
PRS_principal
	query tcp ether replinuxb15 30002
	master tcp ether replinuxb15 30002
	secmech 1.3.6.1.4.1.897.4.6.6
RRS
	query tcp ether replinuxb15 30003
	master tcp ether replinuxb15 30003
	secmech 1.3.6.1.4.1.897.4.6.6
RRS_principal
	query tcp ether replinuxb15 30003
	master tcp ether replinuxb15 30003
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_PDS
	query tcp sun-ether replinuxb15 20001
	master tcp sun-ether replinuxb15 20001
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_PDS_principal
	query tcp sun-ether replinuxb15 20001
	master tcp sun-ether replinuxb15 20001
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS
	query tcp sun-ether replinuxb15 20002
	master tcp sun-ether replinuxb15 20002
	secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS_principal
	query tcp sun-ether replinuxb15 20002
	master tcp sun-ether replinuxb15 20002
	secmech 1.3.6.1.4.1.897.4.6.6
Create a login for the Replication Server principal name on each Adaptive Server and grant it set session authorization (or set proxy):
isql -U sa -P -S Kerberos_PDS
use master
go
sp_addlogin PRS_principal, a1234abcd
go
sp_adduser PRS_principal
go
grant set session authorization to PRS_principal // or: grant set proxy to PRS_principal
go
isql -U sa -P -S Kerberos_RDS
use master
go
sp_addlogin RRS_principal, a1234abcd
go
sp_adduser RRS_principal
go
grant set session authorization to RRS_principal // or: grant set proxy to RRS_principal
go
On each Replication Server, create a user for each principal that connects to it and grant that user sa and connect source permissions:
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
create user RRS_principal set password a1234abcd
go
grant sa to RRS_principal
go
grant connect source to RRS_principal
go
isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
create user PRS_principal set password a1234abcd
go
grant sa to PRS_principal
go
grant connect source to PRS_principal
go
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
create user Kerberos_PDS_principal set password a1234abcd
go
grant sa to Kerberos_PDS_principal
go
grant connect source to Kerberos_PDS_principal
go
Verify that the objectid.dat file used by Replication Server contains:
1.3.6.1.4.1.897.4.6.6 = csfkrb5
Enable security services on both Replication Servers, then shut them down:
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
configure replication server set 'use_security_services' to 'on'
go
shutdown
isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
configure replication server set 'use_security_services' to 'on'
go
shutdown
See Replication Server Reference Manual > Replication Server Commands > configure replication server.
Restart both Replication Servers with the Kerberos environment set:
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/PRS_principal.keytab
export KRB5CCNAME=/usr/PRS_principal.cc
export SYBASE_RS_PRINCIPAL=PRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_PRS
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/RRS_principal.keytab
export KRB5CCNAME=/usr/RRS_principal.cc
export SYBASE_RS_PRINCIPAL=RRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_RRS
Set the security mechanism on both Replication Servers, then shut them down:
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
configure replication server set 'security_mechanism' to 'csfkrb5'
go
configure replication server set 'id_security_mechanism' to 'csfkrb5'
go
shutdown
isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
configure replication server set 'security_mechanism' to 'csfkrb5'
go
configure replication server set 'id_security_mechanism' to 'csfkrb5'
go
shutdown
Restart both Replication Servers:
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/PRS_principal.keytab
export KRB5CCNAME=/usr/PRS_principal.cc
export SYBASE_RS_PRINCIPAL=PRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_PRS
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/RRS_principal.keytab
export KRB5CCNAME=/usr/RRS_principal.cc
export SYBASE_RS_PRINCIPAL=RRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_RRS
Require unified login on both Replication Servers, then shut them down:
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
configure replication server set unified_login to 'required'
go
configure replication server set id_unified_login to 'required'
go
shutdown
isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
configure replication server set unified_login to 'required'
go
configure replication server set id_unified_login to 'required'
go
shutdown
See Replication Server Reference Manual > Replication Server Commands > configure replication server.
In the PRS configuration file, set the RSSD security parameters (ID_server_principal is needed only if this Replication Server is not the ID server):
RSSD_unified_login=required
#RSSD_mutual_auth=not_required
#RSSD_msg_confidentiality=not_required
#RSSD_msg_integrity=not_required
#RSSD_msg_origin_check=not_supported
#RSSD_msg_replay_detection=not_required
#RSSD_msg_sequence_check=not_required
RSSD_sec_mechanism=csfkrb5
RSSD_server_principal=Kerberos_PDS_principal
ID_server_principal=PRS_principal
In the RRS configuration file:
RSSD_unified_login=required
#RSSD_mutual_auth=not_required
#RSSD_msg_confidentiality=not_required
#RSSD_msg_integrity=not_required
#RSSD_msg_origin_check=not_supported
#RSSD_msg_replay_detection=not_required
#RSSD_msg_sequence_check=not_required
RSSD_sec_mechanism=csfkrb5
RSSD_server_principal=Kerberos_RDS_principal
ID_server_principal=PRS_principal
Add principal user names in the rs_principal_users.cfg configuration file, if needed.
Require unified login on both Adaptive Servers:
isql -U sa -P -S Kerberos_PDS
sp_configure "unified login required", 1
go
isql -U sa -P -S Kerberos_RDS
sp_configure "unified login required", 1
go
Restart both Replication Servers:
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/PRS_principal.keytab
export KRB5CCNAME=/usr/PRS_principal.cc
export SYBASE_RS_PRINCIPAL=PRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_PRS
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_KTNAME=/usr/RRS_principal.keytab
export KRB5CCNAME=/usr/RRS_principal.cc
export SYBASE_RS_PRINCIPAL=RRS_principal
export KRB5_CONFIG=/mitkrb/krb5.conf
REP-15_5/install/RUN_RRS
Add one line for each Replication Server and Adaptive Server, in the form server:principal:
PRS:PRS_principal
RRS:RRS_principal
Kerberos_PDS:Kerberos_PDS_principal
Kerberos_RDS:Kerberos_RDS_principal
Then reload the file in Replication Server:
sysadmin principal_users, reload
You can also use this command to display all principal names.
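A one-character slip in rs_principal_users.cfg or a principal alias that resolves to a different host or port than its server is easy to miss by eye. The checker below, an added example that is not part of the SAP documentation, parses an interfaces file (assumed to use the UNIX layout: a non-indented server name followed by tab-indented query, master and secmech lines) together with rs_principal_users.cfg and reports every server or principal without an interfaces entry, without the Kerberos secmech line, or whose principal alias points elsewhere; the sample data is constructed from this page's entries, with master lines omitted.

```python
# Cross-check a Sybase interfaces file against rs_principal_users.cfg.
# Added example, not SAP code; the sample data below is constructed from this page.
KRB_SECMECH = "1.3.6.1.4.1.897.4.6.6"  # OID that objectid.dat maps to csfkrb5
def parse_interfaces(text):
    """Return {server: {"query": (host, port), "secmech": {oid, ...}}}."""
    servers, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or (line[0].isspace() and cur is None):
            continue
        if not line[0].isspace():          # a non-indented line names a server
            cur = line.strip()
            servers[cur] = {"query": None, "secmech": set()}
            continue
        f = line.split()                   # indented: query / master / secmech
        if f[0] == "query" and len(f) >= 5:
            servers[cur]["query"] = (f[3], f[4])
        elif f[0] == "secmech":
            servers[cur]["secmech"].update(f[1:])
    return servers

def parse_principal_users(text):
    """rs_principal_users.cfg: one 'SERVER:principal' line per server."""
    pairs = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and ":" in line:
            server, principal = line.split(":", 1)
            pairs[server.strip()] = principal.strip()
    return pairs

def check(interfaces_text, principal_text):
    """List every mismatch; an empty list means the two files agree."""
    ifaces, problems = parse_interfaces(interfaces_text), []
    for server, principal in parse_principal_users(principal_text).items():
        for name in (server, principal):
            if name not in ifaces:
                problems.append(f"{name}: no interfaces entry")
            elif KRB_SECMECH not in ifaces[name]["secmech"]:
                problems.append(f"{name}: missing secmech {KRB_SECMECH}")
        if (server in ifaces and principal in ifaces
                and ifaces[server]["query"] != ifaces[principal]["query"]):
            problems.append(f"{principal}: query address differs from {server}")
    return problems
# Constructed sample: the RDS alias points at the wrong port and the cfg has a typo.
SAMPLE_INTERFACES = (
    "Kerberos_PDS\n\tquery tcp sun-ether replinuxb15 20001\n\tsecmech 1.3.6.1.4.1.897.4.6.6\n"
    "Kerberos_PDS_principal\n\tquery tcp sun-ether replinuxb15 20001\n\tsecmech 1.3.6.1.4.1.897.4.6.6\n"
    "Kerberos_RDS\n\tquery tcp sun-ether replinuxb15 20002\n\tsecmech 1.3.6.1.4.1.897.4.6.6\n"
    "Kerberos_RDS_principal\n\tquery tcp sun-ether replinuxb15 20003\n\tsecmech 1.3.6.1.4.1.897.4.6.6\n")
SAMPLE_CFG = "Kerberos_PDS:Kerberos_PDS_principa\nKerberos_RDS:Kerberos_RDS_principal\n"
```

Run check() on the real files (read with open().read()) before issuing sysadmin principal_users, reload; an empty list means every mapped server and principal is present, Kerberos-enabled and co-located.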
Configure the RepAgent threads on the primary Adaptive Server to use Kerberos for the RSSD and the primary database, then restart them:
isql -V -I interfaces -J -U sa -S Kerberos_PDS_principal
use PRS_RSSD
go
sp_config_rep_agent PRS_RSSD, 'security mechanism', 'csfkrb5'
go
sp_config_rep_agent PRS_RSSD, 'unified login', 'true'
go
sp_config_rep_agent PRS_RSSD, 'rs_password', 'NULL'
go
sp_config_rep_agent PRS_RSSD, 'rs servername', 'PRS_principal'
go
sp_stop_rep_agent PRS_RSSD
go
sp_start_rep_agent PRS_RSSD
go
use prspdb
go
sp_config_rep_agent prspdb, 'security mechanism', 'csfkrb5'
go
sp_config_rep_agent prspdb, 'unified login', 'true'
go
sp_config_rep_agent prspdb, 'rs_password', 'NULL'
go
sp_config_rep_agent prspdb, 'rs servername', 'PRS_principal'
go
sp_stop_rep_agent prspdb
go
sp_start_rep_agent prspdb
go
Verify that you can log in to both Replication Servers, by server name and by principal name, with a password:
isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
isql -U sa -P a1234abcd -S PRS_principal -I interfaces -J -w 700
isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
isql -U sa -P a1234abcd -S RRS_principal -I interfaces -J -w 700
and with a Kerberos ticket:
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/mitkrb/linux/lib:$LD_LIBRARY_PATH
export KRB5_CONFIG=/mitkrb/krb5.conf
/mitkrb/linux/bin/kinit sa
Password for sa@ASE: password
isql -V -I interfaces -J -w 700 -U sa -S PRS_principal
isql -V -I interfaces -J -w 700 -U sa -S RRS_principal
To add another principal user (scott in this example), create the principal and keytab in the KDC and obtain a ticket:
export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
export KRB5_CONFIG=/mitkrb/krb5.conf
export PATH=/mitkrb/linux/bin:$PATH
/mitkrb/linux/sbin/kadmin -p kadmin/admin -k -t /mitkrb/linux/admin.key
kadmin: addprinc scott@ASE // password: 1234abcd
kadmin: ktadd -k /usr/u/scott/scott.keytab scott@ASE
kadmin: quit
export KRB5CCNAME=/usr/u/scott/scott.cc
/mitkrb/linux/bin/kinit -f -k -t /usr/u/scott/scott.keytab scott@ASE
Create the user on the Replication Server:
isql -U sa -P a1234abcd -S PRS -I interfaces -J
create user scott@ASE set password a1234abcd
go
Log in with the password:
isql -U scott -P a1234abcd -S PRS -I interfaces -J
Or, with the principal user credentials:
cd $SYBASE
. SYBASE.sh
export LD_LIBRARY_PATH=/mitkrb/linux/lib:$LD_LIBRARY_PATH
export KRB5_CONFIG=/mitkrb/krb5.conf
export KRB5CCNAME=/usr/u/scott/scott.cc
isql -V -S PRS_principal -I interfaces // if your login is "scott"
isql -V -U scott -S PRS_principal -I interfaces
Follow these same steps to configure a single Adaptive Server that acts as both the primary and the replicate database in an Adaptive Server-to-Adaptive Server replication system.