Open Server applications and MIT Kerberos

You can run a custom Open Server application with Kerberos security. In order for the server and its clients to communicate over the network, you must perform the normal configuration steps described in Chapter 3, “Basic Configuration for Open Server.” In order for the server and its clients to use Kerberos security services, you must perform these additional configuration steps:

  1. Decide which Kerberos principal the server will run as.

    You can create a new principal with the kadmin utility, using the add command. The principal must be allowed to act as a server.

  2. If the server principal does not already have a key in a Kerberos server key table file, create one with the kadmin utility, using the ext command. Make sure that the operating system user that starts the server has read permission on the server key table file. In a production environment, you must control the access to the key table file. If a user can read this file, they can create a server that impersonates your server.

  3. Make sure the Kerberos security driver is configured in the [SECURITY] section of libtcl.cfg. See “SECURITY section” for details.

  4. Set the KRB5_KTNAME environment variable to the name of the key table file that holds the key for the server principal (see step 2). The Kerberos runtime libraries require this environment variable to be set if the server key table file is in a location other than the system default.

  5. Enter the location of the libgssapi_krb5.so file in the libtcl.cfg file, using the libgss keyword.

  6. When you start the server, specify the principal name in addition to the network name if the principal name does not match the network name. You do not have to specify the network name if you set the DSLISTEN environment variable to the network name.

    The Open Server network name is defined in the interfaces directory service.

    A custom Open Server application specifies the principal name by setting the SRV_S_SEC_PRINCIPAL Server-Library property.

    Kerberos does not allow the key table file to be specified programmatically; you must use the KRB5_KTNAME environment variable (see step 4).
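The following pre-flight script is added here as an example and is not part of the Open Server documentation or product; it checks the file-level prerequisites from steps 2, 4 and 5 above (key table permissions, KRB5_KTNAME, and the libgss keyword in libtcl.cfg) before the server is started. The key table, library and libtcl.cfg contents it creates are constructed placeholders, and the secbase keyword on the sample driver line is an assumption about the entry's layout.

```shell
#!/bin/sh
# Pre-flight checks for steps 2, 4 and 5. The fixture at the bottom
# is constructed; point the functions at your own files in practice.

# Step 2: the key table must be readable by the user that starts the
# server and by nobody else (mode 600 or 400), since anyone who can
# read it can impersonate the server.
keytab_ok() {
    [ -r "$1" ] || { echo "keytab $1 not readable by $(id -un)"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $1 has mode $mode, expected 600 or 400"; return 1 ;;
    esac
}

# Step 4: KRB5_KTNAME must name that same key table (MIT Kerberos
# accepts the path with or without a FILE: prefix).
ktname_ok() {
    [ -n "$KRB5_KTNAME" ] || { echo "KRB5_KTNAME is not set"; return 1; }
    [ "${KRB5_KTNAME#FILE:}" = "$1" ] ||
        { echo "KRB5_KTNAME=$KRB5_KTNAME does not name $1"; return 1; }
}

# Step 5: the [SECURITY] section of libtcl.cfg must carry a libgss
# keyword that points at an existing GSS-API library.
libgss_ok() {
    lib=$(sed -n '/^\[SECURITY\]/,/^\[/p' "$1" |
          sed -n 's/.*libgss=\([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$lib" ] || { echo "no libgss keyword in [SECURITY] of $1"; return 1; }
    [ -f "$lib" ] || { echo "libgss=$lib does not exist"; return 1; }
}

# Constructed fixture: placeholder key table, placeholder library and a
# libtcl.cfg whose driver line layout (secbase keyword) is assumed.
demo=$(mktemp -d)
printf 'placeholder keytab\n' > "$demo/srv.keytab"
chmod 600 "$demo/srv.keytab"
printf 'placeholder library\n' > "$demo/libgssapi_krb5.so"
cat > "$demo/libtcl.cfg" <<EOF
[SECURITY]
csfkrb5=libsybskrb.so secbase=@EXAMPLE.COM libgss=$demo/libgssapi_krb5.so
EOF
KRB5_KTNAME="FILE:$demo/srv.keytab"; export KRB5_KTNAME

if keytab_ok "$demo/srv.keytab" && ktname_ok "$demo/srv.keytab" && libgss_ok "$demo/libtcl.cfg"; then
    echo "Kerberos prerequisites look correct; start the server with its principal name"
else
    echo "fix the reported problem before starting the server"
fi
```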