Kerberos support

Server-Library supports Kerberos security features for applications that need a high level of security when communicating over a network. By installing the required Kerberos software and performing the appropriate configuration tasks, your Server-Library applications can take advantage of these Kerberos security features:

Table 3-6: Required tasks for Kerberos support

Task: Install the following Kerberos software on your system. Be sure that the GSS library support is available as a shared library.
For more information: See your Kerberos documentation and see the Open Client and Open Server Configuration Guide for UNIX.

Task: Extract keys for the desired server principal(s) into a key table file using the Kerberos utility called kadmin.
For more information: See your Kerberos documentation.

Task: Configure the security section of the libtcl.cfg configuration file.
For more information: See the Open Client and Open Server Configuration Guide for UNIX.

Task: Link your Client-Library application with the Sybase reentrant libraries.
For more information: See “Kerberos support”.

Task:

  • For CyberSafe Kerberos:

    • Set the CSFC5CCNAME environment variable to the credential cache directory location.

    • Set the CSFC5KTNAME variable to the path of the key table file if other than the default key table file.

  • For MIT Kerberos:

    • Set the KRB5CCNAME environment variable to the credential cache file location.

    • Set the KRB5_KTNAME variable to the path of the key table file if other than the default key table file.

For more information: See your Kerberos documentation. Default credential cache directory location varies by platform.

  • For CyberSafe Trust Broker, the default key table file is /krb5/v5srvtab.

  • For MIT Kerberos, the default key table file is /etc/krb5.keytab.

Task: Use srv_props to set the server principal name if it is different from the server name passed to srv_init.
For more information: See the Open Server Server-Library/C Reference Manual.

Note: To avoid compromising security, Sybase suggests that the key table files be owned by the user ID that runs Open Server, and that all other users be restricted from accessing this file. Sybase also suggests that you run each Open Server using a unique user ID that is not used by interactive processes.
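One way to check the note's recommendation, as an added example that is not part of the Sybase documentation: it resolves the key table file from KRB5_KTNAME or CSFC5KTNAME, falling back to the defaults listed above, and verifies the owner and that group and other have no access. The function names, the "mit"/"cybersafe" labels and the account name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Kerberos key table file's owner and permissions.

# keytab_path FLAVOR: print the key table file that would be used.
# FLAVOR is "mit" or "cybersafe" (labels chosen for this example).
keytab_path() {
    case $1 in
        mit)
            kt=${KRB5_KTNAME:-/etc/krb5.keytab}
            # MIT Kerberos allows a type prefix on the name; drop it.
            kt=${kt#FILE:}; kt=${kt#WRFILE:} ;;
        cybersafe)
            kt=${CSFC5KTNAME:-/krb5/v5srvtab} ;;
        *)
            return 64 ;;
    esac
    printf '%s\n' "$kt"
}

# check_keytab FILE UID: compare FILE with the recommendation in the note.
# Returns 0 = ok, 1 = wrong owner, 2 = group/other access, 3 = not a file.
# ACLs are not examined; only the classic permission bits are checked.
check_keytab() {
    [ -f "$1" ] || { echo "FAIL: $1 is not a regular file"; return 3; }
    # ls -n prints numeric IDs: field 1 is the mode string, field 3 the UID.
    meta=$(ls -lnL -- "$1" | awk '{print $1, $3}')
    mode=${meta% *}
    owner=${meta#* }
    if [ "$owner" != "$2" ]; then
        echo "FAIL: $1 owned by UID $owner, expected $2"
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) echo "OK: $1 (UID $owner, mode $mode)"; return 0 ;;
        *)      echo "FAIL: $1 mode $mode grants group/other access"; return 2 ;;
    esac
}

# Usage ("openserver" is a hypothetical account that runs Open Server):
#   check_keytab "$(keytab_path mit)" "$(id -u openserver)"
```

A non-zero result is usually corrected with chown to the Open Server account and chmod 600 on the key table file.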