Open Server applications and CyberSafe Kerberos

You can run a custom Open Server application or the Security Guardian server with CyberSafe Kerberos security. In order for the server and its clients to communicate over the network, you must perform the normal configuration steps described in Chapter 3, “Basic Configuration for Open Server.” Then, for the server and its clients to use CyberSafe Kerberos security services, you must perform these additional configuration steps:

  1. Decide which CyberSafe Kerberos principal the server will run as.

    You can create a new principal with the CyberSafe kadmin utility, using the add command. The principal must be allowed to act as a server.

  2. If the server principal does not already have a key in a CyberSafe Kerberos server key table file, create one with the CyberSafe kadmin utility, using the ext command. Make sure that the operating system user who starts the server has read permission on the server key table file. In a production environment, you must restrict access to the key table file: anyone who can read it has the server's key and can run a server that impersonates yours.

  3. Make sure the CyberSafe Kerberos security driver is configured in the [SECURITY] section of libtcl.cfg. See “SECURITY section” for details.

  4. Set the CSFC5KTNAME environment variable to the name of the key table file that holds the key for the server principal (see step 2). The CyberSafe runtime libraries require this environment variable to be set whenever the server key table file is anywhere other than the CyberSafe system default location.

  5. You must place the shared library file (libgss.so on Sun Solaris 2.x, Linux, and IBM RS/6000, or libgss.sl on HP-UX) in a directory specified in the shared library path: LD_LIBRARY_PATH on Sun Solaris 2.x and Linux, LIBPATH on IBM RS/6000, and SHLIB_PATH on HP-UX. As an alternative, you can use the libgss keyword in libtcl.cfg to specify the path to the GSS library.

    This is what lets the Open Server process find the shared library file at runtime. You can also place the shared library file in the lib subdirectory of the CyberSafe installation, as long as this subdirectory is in the shared library path.

    This shared library is not provided by Sybase, but it is included in some CyberSafe products. If it is not included with your CyberSafe product, contact CyberSafe to obtain their GSS-API library.

  6. When you start the server, specify the principal name in addition to the network name if the principal name does not match the network name. You do not have to specify the network name if you set the DSLISTEN environment variable to the network name.

    The Open Server’s network name is its name in interfaces or the directory service.

    A custom Open Server application specifies the principal name by setting the SRV_S_SEC_PRINCIPAL Server-Library property.

    Kerberos does not allow the key table file to be specified programmatically; you must use the CSFC5KTNAME environment variable (see step 4).
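The following pre-flight script is an added example, not part of the Sybase or CyberSafe documentation. It checks steps 2 through 5 above before the server is started: key table permissions, the CSFC5KTNAME variable, the [SECURITY] entry in libtcl.cfg, and whether the GSS library can be found. The key table name (openserver.ktab), the driver line `csfkrb5=libskrb.so secbase=@MIT`, the placement of the libgss keyword on that line, and the libgss.so file name (the Solaris/Linux name; HP-UX uses libgss.sl and SHLIB_PATH, IBM RS/6000 uses LIBPATH) are illustrative assumptions. The fixture it builds is constructed for the demonstration and contains no real keys.

```shell
#!/bin/sh
# Pre-flight checks for an Open Server configured for CyberSafe Kerberos.
# Added example, not taken from the Sybase or CyberSafe documentation.
# Assumed (illustrative) names: key table openserver.ktab, driver line
# "csfkrb5=libskrb.so", GSS library libgss.so (the Solaris/Linux name; use
# libgss.sl and SHLIB_PATH on HP-UX, LIBPATH on IBM RS/6000).

# Step 2: the key table must be readable by the user starting the server and
# by nobody else. Returns 1 if missing/unreadable, 2 if group/world readable.
check_keytab() {
    ktab="$1"
    [ -r "$ktab" ] || { echo "keytab $ktab missing or unreadable"; return 1; }
    perms=$(ls -ld "$ktab" | cut -c1-10)   # e.g. -rw-------
    case "$perms" in
        ?rw-------|?r--------) return 0 ;;
        *) echo "keytab $ktab is readable by others ($perms)"; return 2 ;;
    esac
}

# Step 4: CSFC5KTNAME must name that same key table, because the path
# cannot be set programmatically.
check_ktname() {
    [ "${CSFC5KTNAME:-}" = "$1" ] || { echo "CSFC5KTNAME is not set to $1"; return 1; }
}

# Step 3: libtcl.cfg needs a csfkrb5 driver entry inside [SECURITY].
# The entry only counts while the parser is inside that section.
check_libtcl() {
    awk '
        /^\[/ { insec = ($0 ~ /^\[SECURITY\]/) }
        insec && /^[[:space:]]*csfkrb5[[:space:]]*=/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Step 5: the GSS library must be reachable, either through the libgss=
# keyword on the csfkrb5 line or as libgss.so in a directory on the
# shared library path passed as $2.
check_libgss() {
    cfg="$1"; libpath="$2"
    path=$(awk -F'libgss=' '/^[[:space:]]*csfkrb5/ && NF > 1 {
        split($2, a, /[[:space:]]/); print a[1]; exit }' "$cfg")
    if [ -n "$path" ] && [ -f "$path" ]; then return 0; fi
    saved_ifs=$IFS; IFS=:
    for d in $libpath; do
        [ -f "$d/libgss.so" ] && { IFS=$saved_ifs; return 0; }
    done
    IFS=$saved_ifs
    echo "libgss.so not found via libtcl.cfg or the shared library path"
    return 1
}

# Runs every check; returns 0 only when all of them pass.
preflight() {
    ktab="$1"; cfg="$2"; rc=0
    check_keytab "$ktab"  || rc=1
    check_ktname "$ktab"  || rc=1
    check_libtcl "$cfg"   || rc=1
    check_libgss "$cfg" "${LD_LIBRARY_PATH:-}" || rc=1
    return $rc
}

# Constructed fixture so the checks run offline: an empty stand-in key table
# (mode 0600), an empty stand-in libgss.so, and a libtcl.cfg pointing at it.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/lib" "$dir/config"
    : > "$dir/openserver.ktab"; chmod 600 "$dir/openserver.ktab"
    : > "$dir/lib/libgss.so"
    cat > "$dir/config/libtcl.cfg" <<EOF
[DRIVERS]
; network drivers omitted from this sample

[SECURITY]
csfkrb5=libskrb.so secbase=@MIT libgss=$dir/lib/libgss.so
EOF
}

# Demo: build the fixture, export the variables the server needs, run checks.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    export CSFC5KTNAME="$tmp/openserver.ktab" LD_LIBRARY_PATH="$tmp/lib"
    preflight "$tmp/openserver.ktab" "$tmp/config/libtcl.cfg" && echo "preflight OK"
    # With DSLISTEN set to the network name and, where the principal differs,
    # SRV_S_SEC_PRINCIPAL set by the application, the server would start here.
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh preflight.sh demo` to exercise the checks against the constructed fixture, or point `preflight` at the real key table and libtcl.cfg from the environment the server will actually start in, so that the permission and path checks see the same files and variables the server process will.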