Adaptive Server-to-Adaptive Server Replication with Kerberos Scenario

Set up Kerberos authentication for an Adaptive Server-to-Adaptive Server replication system.

Prerequisites
  • Install Adaptive Server Enterprise 15.7 SP100 or later, and start the database. See the Adaptive Server Installation Guide.

  • Install Replication Server 15.7.1 SP100 or later and start the server. See the Replication Server Installation Guide.

  • Install the Kerberos key distribution center (KDC). To install the KDC for your Kerberos environment, see the vendor documentation.

Configuring Adaptive Server to Use Kerberos

Configure the Adaptive Server to use Kerberos security for data replication.

Prerequisites

Before you add the principal name in the KDC, ask the system administrator to provide the Kerberos library path.

Task

In this example, the primary Adaptive Server is Kerberos_PDS and its principal name is Kerberos_PDS_principal. The replicate Adaptive Server is Kerberos_RDS and its principal name is Kerberos_RDS_principal.

  1. To generate the keytab file and its credentials, add the Adaptive Server principal name in the KDC.
    For example, on the MIT Kerberos machine, run:
    export LD_LIBRARY_PATH=/mitkrb/lib:$LD_LIBRARY_PATH
    export KRB5_CONFIG=/mitkrb/krb5.conf
    export PATH=/mitkrb/linux/bin:$PATH
    /mitkrb/linux/sbin/kadmin -p kadmin/admin -k -t /mitkrb/linux/admin.key
    kadmin: addprinc Kerberos_PDS_principal@ASE    // password: a1234abcd
    kadmin: ktadd -k /usr/Kerberos_PDS_principal.keytab Kerberos_PDS_principal@ASE
    kadmin: addprinc Kerberos_RDS_principal@ASE    // password: a1234abcd
    kadmin: ktadd -k /usr/Kerberos_RDS_principal.keytab Kerberos_RDS_principal@ASE
    kadmin: quit
    export KRB5CCNAME=/usr/Kerberos_PDS_principal.cc
    /mitkrb/linux/bin/kinit -f -k -t /usr/Kerberos_PDS_principal.keytab Kerberos_PDS_principal@ASE

    export KRB5CCNAME=/usr/Kerberos_RDS_principal.cc
    /mitkrb/linux/bin/kinit -f -k -t /usr/Kerberos_RDS_principal.keytab Kerberos_RDS_principal@ASE

    where Kerberos_PDS_principal and Kerberos_RDS_principal are the principal names for Kerberos_PDS and Kerberos_RDS respectively.

  2. Configure the interfaces file, found in $SYBASE/interfaces on UNIX, or %SYBASE%\ini\sql.ini on Windows.
    Add this line to the entry for each server and each principal name:
    secmech 1.3.6.1.4.1.897.4.6.6
    The resulting entries are:
    Kerberos_PDS
            query tcp sun-ether replinuxb15 20001
            master tcp sun-ether replinuxb15 20001
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_PDS_principal
            query tcp sun-ether replinuxb15 20001
            master tcp sun-ether replinuxb15 20001
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_RDS
            query tcp sun-ether replinuxb15 20002
            master tcp sun-ether replinuxb15 20002
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_RDS_principal
            query tcp sun-ether replinuxb15 20002
            master tcp sun-ether replinuxb15 20002
            secmech 1.3.6.1.4.1.897.4.6.6
  3. Configure the libtcl.cfg configuration file on a 32-bit machine, or the libtcl64.cfg configuration file on a 64-bit machine, found in the $SYBASE/$SYBASE_OCS/config directory on UNIX, or the %SYBASE%\%SYBASE_OCS%\ini directory on Windows, by adding:
    [SECURITY]
    csfkrb5=libsybskrb64.so libgss=/krb5/lib/libgssapi_krb5.so secbase=@ASE

    or:

    [SECURITY]
    csfkrb5=libsybskrb.so libgss=/krb5/lib/libgssapi_krb5.so secbase=@ASE
    where:
    • csfkrb5 – is the default name for the Kerberos security mechanism.

    • driver – is the name of the security driver, for example, libgssapi_krb5.so.

    • init-string – is the initialization string for the driver, for example, secbase=@ASE.

    Note: Ask the system administrator to provide the Kerberos library version and path.
  4. If you use a local mechanism name other than the default name, configure the objectid.dat file.

    The objectid.dat file is in the $SYBASE/config directory in UNIX, or the %SYBASE%/ini directory in Windows.

    Add the local name in the objectid.dat file and ensure it includes this line:
    "1.3.6.1.4.1.897.4.6.6 = csfkrb5"
  5. To enable the use security services parameter on both Adaptive Servers, enter:
    isql -U sa -P -S Kerberos_PDS
    use master
    go
    sp_configure 'use security services', 1
    go
    isql -U sa -P -S Kerberos_RDS
    use master
    go
    sp_configure 'use security services', 1
    go
  6. Restart the Adaptive Servers with the Kerberos security mechanism.
    To restart Kerberos_PDS:
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/Kerberos_PDS_principal.keytab
    export KRB5CCNAME=/usr/Kerberos_PDS_principal.cc
    export KRB5_CONFIG=/mitkrb/krb5.conf

    export SYBASE_PRINCIPAL=Kerberos_PDS_principal@ASE
    // use SYBASE_PRINCIPAL or the "-k" option
    dataserver -d data_Kerberos_PDS.dat -k Kerberos_PDS_principal@ASE -s Kerberos_PDS -c Kerberos_PDS.cfg
    // add "-k Kerberos_PDS_principal@ASE"
    To restart Kerberos_RDS:
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/Kerberos_RDS_principal.keytab
    export KRB5CCNAME=/usr/Kerberos_RDS_principal.cc
    export KRB5_CONFIG=/mitkrb/krb5.conf

    export SYBASE_PRINCIPAL=Kerberos_RDS_principal@ASE
    // use SYBASE_PRINCIPAL or the "-k" option
    dataserver -d data_Kerberos_RDS.dat -k Kerberos_RDS_principal@ASE -s Kerberos_RDS -c Kerberos_RDS.cfg
    // add "-k Kerberos_RDS_principal@ASE"
  7. Using sa user credentials, access Adaptive Servers when Kerberos is on:
    cd $SYBASE
    . SYBASE.sh
    export KRB5_CONFIG=/mitkrb/krb5.conf
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export PATH=/bin:$PATH
    /bin/kinit sa
    Password for sa@ASE: password
    isql -V -I interfaces -J -U sa -S Kerberos_PDS_principal -w 700
    isql -V -I interfaces -J -U sa -S Kerberos_RDS_principal -w 700
    where:
    • isql – is the Interactive SQL parser to Replication Server.
    • -V – specifies the network-based security options for user authentication.
    • -S – specifies the server's network name.
    • -U – specifies the user name.
    • -P – specifies the password for the user name.

Configuring Replication Server to Use Kerberos

Configure the Replication Server to use a user-defined Kerberos principal name to replicate data from an Adaptive Server database.

In this example, you configure the primary Replication Server (PRS) principal name as PRS_principal and the replicate Replication Server (RRS) principal name as RRS_principal.

  1. Follow steps 1 through 4 in 'Configuring Adaptive Server to Use Kerberos' to add PRS_principal and RRS_principal to the KDC, the interfaces file, and the libtcl64.cfg configuration file.
    Enter the Replication Server principal names in the interfaces file as:
    PRS
            query tcp ether replinuxb15 30002
            master tcp ether replinuxb15 30002
            secmech 1.3.6.1.4.1.897.4.6.6
    PRS_principal
            query tcp ether replinuxb15 30002
            master tcp ether replinuxb15 30002
            secmech 1.3.6.1.4.1.897.4.6.6
    RRS
            query tcp ether replinuxb15 30003
            master tcp ether replinuxb15 30003
            secmech 1.3.6.1.4.1.897.4.6.6
    RRS_principal
            query tcp ether replinuxb15 30003
            master tcp ether replinuxb15 30003
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_PDS
            query tcp sun-ether replinuxb15 20001
            master tcp sun-ether replinuxb15 20001
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_PDS_principal
            query tcp sun-ether replinuxb15 20001
            master tcp sun-ether replinuxb15 20001
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_RDS
            query tcp sun-ether replinuxb15 20002
            master tcp sun-ether replinuxb15 20002
            secmech 1.3.6.1.4.1.897.4.6.6
    Kerberos_RDS_principal
            query tcp sun-ether replinuxb15 20002
            master tcp sun-ether replinuxb15 20002
            secmech 1.3.6.1.4.1.897.4.6.6
    Note: Make sure that Kerberos_PDS and Kerberos_RDS, and their principal names, are also included in the interfaces file. The Adaptive Server interfaces file should contain the same information as the Replication Server interfaces file.
  2. In Adaptive Server, add Replication Server principal names:
    isql -U sa -P -S Kerberos_PDS
    use master
    go
    sp_addlogin PRS_principal,a1234abcd
    go
    sp_adduser  PRS_principal
    go
    grant set session authorization to PRS_principal  
    // or: grant set proxy to PRS_principal
    go
    
    isql -U sa -P -S Kerberos_RDS
    use master
    go
    sp_addlogin RRS_principal,a1234abcd
    go
    sp_adduser  RRS_principal
    go
    grant set session authorization to RRS_principal  
    // or: grant set proxy to RRS_principal
    go
  3. Add Replication Server users and their principal names:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    create user RRS_principal set password a1234abcd
    go
    grant sa to RRS_principal
    go
    grant connect source to RRS_principal
    go
    isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700 
    create user PRS_principal set password a1234abcd
    go
    grant sa to PRS_principal
    go
    grant connect source to PRS_principal
    go
    To allow the Replication Agent thread to access Replication Server, enter:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    create user Kerberos_PDS_principal set password a1234abcd
    go
    grant sa to Kerberos_PDS_principal
    go
    grant connect source to Kerberos_PDS_principal
    go
  4. If you use a local mechanism name other than the default name, configure the objectid.dat.
    Add the local name in the objectid.dat file and ensure it includes this line:
    "1.3.6.1.4.1.897.4.6.6 = csfkrb5"
  5. To enable the use_security_services parameter, enter:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    configure replication server set 'use_security_services' to 'on'
    go
    shutdown
    isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700 
    configure replication server set 'use_security_services' to 'on'
    go
    shutdown

    See Replication Server Reference Manual > Replication Server Commands > configure replication server.

  6. Restart the Replication Servers.
    To restart PRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/PRS_principal.keytab
    export KRB5CCNAME=/usr/PRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=PRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_PRS
    
    To restart RRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/RRS_principal.keytab
    export KRB5CCNAME=/usr/RRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=RRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_RRS
    
  7. Configure the security_mechanism and ID_security_mechanism to use Kerberos.
    For PRS:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    configure replication server set 'security_mechanism' to 'csfkrb5'
    go
    configure replication server set 'id_security_mechanism' to 'csfkrb5'
    go
    shutdown
    For RRS:
    isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700 
    configure replication server set 'security_mechanism' to 'csfkrb5'
    go
    configure replication server set 'id_security_mechanism' to 'csfkrb5'
    go
    shutdown
  8. Restart PRS and RRS:
    To restart PRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/PRS_principal.keytab
    export KRB5CCNAME=/usr/PRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=PRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_PRS
    
    To restart RRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/RRS_principal.keytab
    export KRB5CCNAME=/usr/RRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=RRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_RRS
    
  9. Configure the unified_login and id_unified_login settings.
    For PRS:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    configure replication server set unified_login to 'required'
    go
    configure replication server set id_unified_login to 'required'
    go
    shutdown
    For RRS:
    isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700 
    configure replication server set unified_login to 'required'
    go
    configure replication server set id_unified_login to 'required'
    go
    shutdown
    See Replication Server Reference Manual > Replication Server Commands > configure replication server.
  10. Add the RSSD details in the Replication Server configuration file.
    For PRS:
    RSSD_unified_login=required
    #RSSD_mutual_auth=not_required
    #RSSD_msg_confidentiality=not_required
    #RSSD_msg_integrity=not_required
    #RSSD_msg_origin_check=not_supported
    #RSSD_msg_replay_detection=not_required
    #RSSD_msg_sequence_check=not_required
    RSSD_sec_mechanism=csfkrb5
    RSSD_server_principal=Kerberos_PDS_principal  // this is for PRS
    ID_server_principal=PRS_principal  // if this RS is not ID server.
    For RRS:
    RSSD_unified_login=required
    #RSSD_mutual_auth=not_required
    #RSSD_msg_confidentiality=not_required
    #RSSD_msg_integrity=not_required
    #RSSD_msg_origin_check=not_supported
    #RSSD_msg_replay_detection=not_required
    #RSSD_msg_sequence_check=not_required
    RSSD_sec_mechanism=csfkrb5
    RSSD_server_principal=Kerberos_RDS_principal  // this is for RRS
    ID_server_principal=PRS_principal  // if this RS is not ID server.

    Add principal user names in the rs_principal_users.cfg configuration file, if needed.

  11. Configure the unified login settings in Adaptive Server.
    For Kerberos_PDS:
    isql -U sa -P -S Kerberos_PDS
    sp_configure "unified login required", 1
    go
    For Kerberos_RDS:
    isql -U sa -P -S Kerberos_RDS
    sp_configure "unified login required", 1
    go
  12. Restart PRS and RRS with Kerberos security mechanism:
    To restart PRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/PRS_principal.keytab
    export KRB5CCNAME=/usr/PRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=PRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_PRS
    
    To restart RRS:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
    export KRB5_KTNAME=/usr/RRS_principal.keytab
    export KRB5CCNAME=/usr/RRS_principal.cc 
    export SYBASE_RS_PRINCIPAL=RRS_principal
    export KRB5_CONFIG=/mitkrb/krb5.conf
    REP-15_5/install/RUN_RRS
    
  13. If the Replication Server and Adaptive Server principal names are different from their server names, add principal user names in the rs_principal_users.cfg configuration file.

    Add one line for each Replication Server and Adaptive Server:

    • PRS:PRS_principal

    • RRS:RRS_principal

    • Kerberos_PDS:Kerberos_PDS_principal

    • Kerberos_RDS:Kerberos_RDS_principal

  14. If you do not want to restart Replication Server, reload the principal user names from the rs_principal_users.cfg:
    sysadmin principal_users, reload

    You can also use this command to display all principal names.

  15. To configure the Replication Agent thread on Kerberos_PDS to access PRS, enter:
    isql -V -I interfaces -J -U sa -S Kerberos_PDS_principal
    use PRS_RSSD
    go
    sp_config_rep_agent PRS_RSSD, 'security mechanism', 'csfkrb5'
    go
    sp_config_rep_agent PRS_RSSD, 'unified login', 'true'
    go
    sp_config_rep_agent PRS_RSSD, 'rs_password', 'NULL'
    go
    sp_config_rep_agent PRS_RSSD, 'rs servername', 'PRS_principal'
    go
    sp_stop_rep_agent PRS_RSSD
    go
    sp_start_rep_agent PRS_RSSD
    go
    use prspdb
    go
    sp_config_rep_agent prspdb, 'security mechanism', 'csfkrb5'
    go
    sp_config_rep_agent prspdb, 'unified login', 'true'
    go
    sp_config_rep_agent prspdb, 'rs_password', 'NULL'
    go
    sp_config_rep_agent prspdb, 'rs servername', 'PRS_principal' 
    go
    sp_stop_rep_agent prspdb
    go
    sp_start_rep_agent prspdb
    go
  16. Access Replication Server when Kerberos security is on.
    To access PRS, using sa user credentials:
    isql -U sa -P a1234abcd -S PRS -I interfaces -J -w 700
    isql -U sa -P a1234abcd -S PRS_principal -I interfaces -J -w 700
    To access RRS, using sa user credentials:
    isql -U sa -P a1234abcd -S RRS -I interfaces -J -w 700
    isql -U sa -P a1234abcd -S RRS_principal -I interfaces -J -w 700
    Or, access Replication Server with the principal user credential:
    cd $SYBASE
    . SYBASE.sh
    export LD_LIBRARY_PATH=/mitkrb/linux/lib:$LD_LIBRARY_PATH
    export KRB5_CONFIG=/mitkrb/krb5.conf
    /mitkrb/linux/bin/kinit sa
    Password for sa@ASE: password
    
    isql -V -I interfaces -J -w 700 -U sa -S PRS_principal
    isql -V -I interfaces -J -w 700 -U sa -S RRS_principal
  17. Use non-sa user credentials to access Replication Server when Kerberos security is on.
    1. To access Replication Server with the user name 'scott', add user scott in the KDC:
      export LD_LIBRARY_PATH=/lib:$LD_LIBRARY_PATH
      export KRB5_CONFIG=/mitkrb/krb5.conf
      export PATH=/mitkrb/linux/bin:$PATH
      /mitkrb/linux/sbin/kadmin -p kadmin/admin -k -t /mitkrb/linux/admin.key
      kadmin: addprinc scott@ASE    // password: 1234abcd
      kadmin: ktadd -k /usr/u/scott/scott.keytab scott@ASE
      kadmin: quit

      export KRB5CCNAME=/usr/u/scott/scott.cc
      /mitkrb/linux/bin/kinit -f -k -t /usr/u/scott/scott.keytab scott@ASE
    2. Add user 'scott' in Replication Server:
      isql -U sa -P a1234abcd -S PRS -I interfaces -J
      create user scott@ASE set password a1234abcd
      go
    3. Access Replication Server either with the user name and password:
      isql -U scott -P a1234abcd -S PRS -I interfaces -J
      or with the principal user credentials:
      cd $SYBASE
      . SYBASE.sh
      export LD_LIBRARY_PATH=/mitkrb/linux/lib:$LD_LIBRARY_PATH
      export KRB5_CONFIG=/mitkrb/krb5.conf
      export KRB5CCNAME=/usr/u/scott/scott.cc
      isql -V -S PRS_principal -I interfaces
      // or, if your login is "scott":
      isql -V -U scott -S PRS_principal -I interfaces

Follow these same steps to configure a single Adaptive Server that acts as both the primary and the replicate database in an Adaptive Server-to-Adaptive Server replication system.
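The interfaces file from step 2 and the rs_principal_users.cfg mapping from step 13 are easy to get subtly wrong (a missing secmech line, a principal alias on a different port than its server, a misspelled principal name), and the usual symptom is an opaque login failure when the servers restart. The pre-flight checker below is an added example, not part of the original page or of the Sybase tooling; it assumes the interfaces layout shown above and this page's convention that <server>_principal is an alias entry for <server>, and it runs on constructed sample files that contain three such mistakes.

```python
KRB5_SECMECH = "1.3.6.1.4.1.897.4.6.6"   # OID mapped to csfkrb5 in objectid.dat

# Constructed sample files with three deliberate mistakes: PRS_principal uses
# a different port than PRS, Kerberos_RDS_principal has no secmech line, and
# rs_principal_users.cfg misspells Kerberos_RDS_principal.
INTERFACES = """\
PRS
        query tcp ether replinuxb15 30002
        secmech 1.3.6.1.4.1.897.4.6.6
PRS_principal
        query tcp ether replinuxb15 30003
        secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS
        query tcp sun-ether replinuxb15 20002
        secmech 1.3.6.1.4.1.897.4.6.6
Kerberos_RDS_principal
        query tcp sun-ether replinuxb15 20002
"""
PRINCIPAL_USERS = "PRS:PRS_principal\nKerberos_RDS:Kerberos_RDS_principa\n"


def parse_interfaces(text):
    # Map each server entry to its query (host, port) and its secmech OIDs.
    entries, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():            # an unindented line names an entry
            current = entries.setdefault(line.strip(), {"secmech": []})
            continue
        parts = line.split()
        if parts[0] == "secmech":
            current["secmech"] += parts[1:]
        elif parts[0] in ("query", "master"):
            current[parts[0]] = (parts[-2], int(parts[-1]))
    return entries


def check_setup(interfaces_text, principal_users_text):
    """Return a list of findings; an empty list means the files are consistent."""
    entries = parse_interfaces(interfaces_text)
    mapping = dict(l.split(":", 1) for l in principal_users_text.split() if ":" in l)
    findings = []
    for name, entry in entries.items():
        if KRB5_SECMECH not in entry["secmech"]:
            findings.append(f"{name}: missing secmech {KRB5_SECMECH}")
        base = name[:-10]                    # this page's <server>_principal convention
        if name.endswith("_principal") and base in entries:
            if base not in mapping:
                findings.append(f"{base}: not mapped in rs_principal_users.cfg")
            if entries[base].get("query") != entry.get("query"):
                findings.append(f"{name}: query host/port differs from {base}")
    for server, principal in mapping.items():
        if server not in entries or principal not in entries:
            findings.append(f"{server}:{principal}: not both in interfaces file")
    return findings
```

Run it against the real $SYBASE/interfaces and rs_principal_users.cfg contents before the restart in step 12; it only reads the files and reports, it changes nothing.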