The Kerberos security mechanism provides the following services:
Network authentication
Mutual authentication
Data integrity
Data confidentiality
Replay detection
Out-of-sequence detection
Credential delegation
For a description of these security services, see the Open Client Client-Library/C Reference Manual. See “Client-Library and security services” for an overview of how client applications use security services.
Kerberos security services are not supported on Windows 2003 (x64) (Service Pack 1).
The following considerations apply specifically to client applications that use CyberSafe Kerberos security services:
Install the CyberSafe Kerberos software on your system for Open Client and Open Server 12.5 or later.
The gssapi32.dll file must be in the library path while running your Client-Library application. Sybase does not provide this DLL, but it is included with some CyberSafe Kerberos products. If this DLL is not included with your CyberSafe Kerberos product, contact CyberSafe Kerberos to obtain their GSS-API library.
Configure the security section of the libtcl.cfg configuration file.
Set the desired security features using ct_con_props. If you want to use the default credentials, do not set any credential properties.
Verify that the application has a preexisting user credential to connect to the server. In other words, the user of the application must log in to CyberSafe Kerberos before running the client application. To do so, use the single sign-on feature or the CyberSafe kinit utility.
If a user name is supplied, it must match the user’s preexisting credential. If a user name is not supplied, Client-Library connects to the server using the user name associated with the user’s CyberSafe Kerberos credential.
The following environment variables set the paths to the credentials cache file, configuration file, and realms file. If the corresponding file is located in a non-default directory, set the environment variable to the file’s full path:
CSFC5CCNAME – credentials cache file
CSFC5CONFIG – configuration file
CSFC5REALMS – realms file
For more information, refer to your CyberSafe Kerberos documentation.
No extra flags are required when compiling your Client-Library applications to use CyberSafe Kerberos security services.
Once you have configured Open Client and Open Server and CyberSafe Kerberos, use the following command (without -U and -P arguments) to test your configuration:
isql -V
Some tasks described here require you to use the CyberSafe Kerberos administration tools. See your CyberSafe Kerberos documentation for information.
Install and configure the MIT Kerberos software on your system, version 2.6.5 or later.
Configure the security section of the libtcl.cfg configuration file.
Set the desired security features using ct_con_props, or use the default credentials by not setting credential properties.
Verify that the application has a preexisting user credential to connect to the server. In other words, the user of the application must log in to the Kerberos environment using the kinit utility, before running the client application.
If a user name is supplied, it must match the user’s preexisting credential. If a user name is not supplied, Client-Library connects to the server using the user name associated with the user’s credential.
The environment variable KRB5CCNAME sets the path to the credentials cache file. If the corresponding file is located in a non-default directory, set the environment variable to the file’s full path.
For more information, refer to your MIT Kerberos documentation.
The MIT GSS library, gssapi32.dll, must be specified in the libtcl.cfg file using the libgss keyword. Sybase recommends providing the full path to the Kerberos driver.
No extra flags are required when compiling your Client-Library applications to use Kerberos security services.
Once you have configured Open Client and Open Server and Kerberos, you can use isql to test your configuration.
The Kerberos security driver supports credential delegation when using the MIT Kerberos Generic Security Services (GSS) library. This allows you to set up an Open Server gateway application that uses the delegated client credentials when establishing a connection with a remote server.
Establishing a connection with a remote server using credential delegation
This is an example of a call sequence you can employ when using credential delegation. The ctos example in $SYBASE/OCS-15_0/sample/srvlibrary/connect.c contains an example of the properties mentioned here:
The client application requests credential delegation and forwards the credential to the gateway connection using:
ct_con_props(..., CS_SET, SRV_SEC_DELEGATION, ...)
The connection handler of the gateway application checks whether the client requested credential delegation:
if (srv_thread_props(..., CS_GET, SRV_T_SEC_DELEGATION, ...)) {...}
The connection handler retrieves the delegated client credentials:
srv_thread_props(..., CS_GET, SRV_T_SEC_DELEGCRED, ...)
The client application sets the delegated credentials in the Client-Library connection structure for use in connecting to the remote server:
ct_con_props(..., CS_SET, CS_SEC_CREDENTIALS, ...)
The client application attempts to connect to the remote server using ct_connect.
You can also request credential delegation using the isql and bcp option -Vd. For more information, see the Open Client and Open Server Programmer’s Supplement for Microsoft Windows.
For detailed information on using credential delegation, see the Open Server Server-Library/C Reference Manual and the Open Client Client-Library/C Reference Manual.
If Kerberos support is provided by the Windows Security Support Provider Interface (SSPI), edit the csfkrb5 entry in the libtcl.cfg file to specify the libsspiwrapper.dll as the GSS library.
For example:
csfkrb5=LIBSKRB secbase=@REALM libgss=C:\sybase\OCS-15_0\lib3p\libsspiwrapper.dll
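An added example (not part of the Sybase documentation) that parses the [SECURITY] section of a libtcl.cfg and checks the csfkrb5 entry against the points made above: the LIBSKRB driver, a secbase of the form @REALM, and a full path to one of the two GSS libraries this page names. The sample configuration is constructed; treating ';' as a comment marker and whitespace-separated options are assumptions.

```python
import os
import re

# Constructed sample libtcl.cfg, modelled on the csfkrb5 entry shown above (not a real file).
SAMPLE_LIBTCL_CFG = """
[DRIVERS]
NLWNSCK=TCP Windows
[SECURITY]
csfkrb5=LIBSKRB secbase=@REALM libgss=C:\\sybase\\OCS-15_0\\lib3p\\libsspiwrapper.dll
"""

KNOWN_GSS_LIBS = {"gssapi32.dll", "libsspiwrapper.dll"}  # the GSS libraries named on this page


def parse_security_section(text):
    # Map each [SECURITY] entry name to its driver plus key=value options.
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment, as in Sybase samples
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1).upper()
            continue
        if section != "SECURITY" or "=" not in line:
            continue
        name, rest = line.split("=", 1)
        tokens = rest.split()  # paths containing spaces are not handled, as in the page's example
        entry = {"driver": tokens[0] if tokens else ""}
        entry.update(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries[name.strip()] = entry
    return entries


def check_kerberos_entry(entries, name="csfkrb5"):
    # Return findings for the Kerberos driver entry; an empty list means it matches the guidance.
    entry = entries.get(name)
    if entry is None:
        return [f"no '{name}' entry in [SECURITY]"]
    findings = []
    if entry["driver"] != "LIBSKRB":
        findings.append(f"driver is '{entry['driver']}', expected LIBSKRB")
    if not entry.get("secbase", "").startswith("@"):
        findings.append("secbase must give the realm as @REALM")
    libgss = entry.get("libgss")
    if not libgss:
        findings.append("libgss keyword missing; the GSS library must be specified")
    else:
        if not re.match(r"^([A-Za-z]:\\|\\\\)", libgss):  # drive-letter or UNC path
            findings.append("libgss is not a full path; Sybase recommends the full path")
        if os.path.basename(libgss.replace("\\", "/")).lower() not in KNOWN_GSS_LIBS:
            findings.append(f"libgss '{libgss}' is not gssapi32.dll or libsspiwrapper.dll")
    return findings
```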