sp_serveroption

Description

Displays or changes remote server options.

Syntax

sp_serveroption [server, optname, optvalue]

Parameters

server

is the name of the remote server for which to set the option.

optname

is the name of the option to be set or unset. Table 1-30 lists the option names.

Table 1-30: sp_serveroption options

Option

Meaning

mutual authentication

Sets mutual authentication for all connections to the remote server using Kerberos authentication.

external engine auto start

Specifies that EJB Server starts up each time Adaptive Server starts up. The default is true; starting Adaptive Server also starts up EJB Server.

net password encryption

Specifies whether to initiate connections with a remote server with the client side password encryption handshake or with the normal (unencrypted password) handshake sequence. The default is false, no network encryption.

net password encryption reqd

Adaptive Server allows the use of asymmetric encryption to securely transmit passwords from client to server using the RSA public key encryption algorithm. Adaptive Server generates the asymmetric key pair and sends the public key to clients that use the new login protocol. The client encrypts the user’s login password with the public key before sending it to the server. The server decrypts the password with the private key to begin authenticating the connecting client.

Configures Adaptive Server to require clients to use this protocol. Set the Adaptive Server configuration parameter net password encryption reqd to require all username- and password-based authentication requests to use RSA asymmetric encryption. The valid values for net password encryption reqd are:

  • 0 – Allows the client to choose the encryption algorithm used for login passwords on the network, including no password encryption. This is the default value for this configuration parameter and provides functionality most similar to earlier releases. This allows the choice of network password encryption to be established by the client application.

  • 1 – Restricts clients to use either RSA or Sybase proprietary encryption algorithms to encrypt login passwords on the network. This provides an incrementally restrictive setting that allows older clients to connect with the Sybase proprietary algorithm and new clients to connect with the stronger RSA algorithm. A client that attempts to connect without using password encryption will fail.

  • 2 – Restricts clients to use only the RSA encryption algorithms to encrypt login passwords on the network. This provides strong RSA encryption of passwords and requires use of newer clients. A client that attempts to connect without using the RSA encryption will fail.

allow password downgrade

readonly

(Component Integration Services only) Specifies that access to the server named is read only.

security mechanism

This option specifies the security mechanism for the remote server. Enables Kerberos authentication for connections to the remote server when your login is authenticated using the Kerberos mechanism.

server cost

(Component Integration Services only) Specifies the cost of a single exchange under the user’s control, on a per-server basis. See Chapter 2, “Understanding Component Integration Services” in Understanding CIS for more information.

server logins

(Component Integration Services only) To fully support remote logins, Client-Library provides connection properties that enable CIS to request a server connection. This connection is recognized at the receiving server as a server connection (as opposed to an ordinary client connection), allowing the remote server to validate the connection through the use of sysremotelogins as if the connection were made by a site handler.

When enabled, Omni connects to the specified server using the CS_LOGIN_TYPE connection property, with type set to LREMUSER. Also, if the remote server is an Adaptive Server, the CS_LOGIN_REMOTE_SERVER property is set to the value of the local server name, and remote passwords are set using ct_remote_pwd().

server principal

Sets the server principal name for a remote server.

negotiated logins

(Component Integration Services only) This option is necessary if CIS connections to XP server or Backup Server are required.

When enabled, Omni connects to the specified server using the CS_SEC_CHALLENGE property, and establishes a callback handler that can respond appropriately to login challenges from XP Server and Backup Server.

timeouts

When unset (false), disables the normal timeout code used by the local server, so the site connection handler does not automatically drop the physical connection after one minute with no logical connection. The default is false.

use message confidentiality

Sets message confidentiality for all connections to the remote server using Kerberos authentication.

use message integrity

Sets message integrity for all connections to the remote server using Kerberos authentication.

cis hafailover

(Component Integration Services only) If enabled, instructs Open Client to use automatic failover when connections fail. In this case, CIS connection failures automatically fail over to the server specified in directory services (such as the interface file and LDAP server) as the failover server.

Adaptive Server accepts any unique string that is part of the option name. Use quotes around the option name if it includes embedded blanks.

optvalue

is true (on) or false (off) for all options except the security mechanism option.

For the security mechanism option, specify the name of the security mechanism. To see the names of the security mechanisms available on a server, execute:

select * from syssecmechs

Examples

Example 1

Displays a list of the server options:

sp_serveroption
Settable server options.
------------------------ 
cis hafailover
enable login redirection
external engine auto start
incompatible sort order
mutual authentication
negotiated logins
net password encryption
readonly
relocated joins
security mechanism
server cost
server logins
server principal
timeouts
use message confidentiality
use message integrity

Example 2

Tells the server not to time out inactive physical connections with the remote server GATEWAY:

sp_serveroption GATEWAY, "timeouts", false

Example 3

Specifies that when connecting to the remote server GATEWAY, GATEWAY sends back an encryption key to encrypt the password to send to it:

sp_serveroption GATEWAY, "net password encryption", true

Example 4

Specifies that the EJB Server SYB_EJB starts up each time Adaptive Server starts up:

sp_serveroption SYB_EJB, "external engine auto start", true

Example 5

Specifies Kerberos authentication for connections to remote server S2.

sp_serveroption S2, "security mechanism", csfkrb5

Example 6

Specifies mutual authentication for all connections to the remote server using Kerberos authentication.

sp_serveroption TEST3, "mutual authentication", true

Example 7

Disables automatic startup, where SYB_EJB is the logical name of the EJB Server:

sp_serveroption 'SYB_EJB', 'external engine auto start', 'false'

To enable automatic startup, enter:

sp_serveroption 'SYB_EJB', 'external engine auto start', 'true'

See “Starting EJB Server automatically” in Chapter 2, “Getting Started” of the EJB Server User’s Guide for more information about using external engine auto start.

Usage

Permissions

The permission checks for sp_serveroption differ based on your granular permissions settings.

Granular permissions enabled

With granular permissions enabled, you must be a user with manage server privilege. For a shared-disk cluster, you must be a user with manage server and manage cluster privileges.

Any user can execute sp_serveroption with no parameters to display a list of options.

Granular permissions disabled

With granular permissions disabled, you must be a user with sa_role to set the timeouts option.

You must be a user with sso_role to set:

  • net password encryption

  • security mechanism

  • mutual authentication

  • use message confidentiality

  • use message integrity

Any user can execute sp_serveroption with no parameters to display a list of options.

Auditing

Values in event and extrainfo columns from the sysaudits table are:

Event: 38

Audit option: exec_procedure

Command or access audited: Execution of a procedure

Information in extrainfo:

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect
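
The following is an added example, not part of the Sybase documentation: a Python triage of exported audit rows that flags sp_serveroption calls turning off a protective option, including calls that use an abbreviated option name as the optname parameter permits. The rows are constructed; the semicolon-separated extrainfo layout follows the field order listed above, and the tuple layout (event, loginname, objname, extrainfo) and the way input parameters are rendered in the Other information field are assumptions.

```python
# Settable option names, copied from the Example 1 output on this page.
SETTABLE = [
    "cis hafailover", "enable login redirection", "external engine auto start",
    "incompatible sort order", "mutual authentication", "negotiated logins",
    "net password encryption", "readonly", "relocated joins",
    "security mechanism", "server cost", "server logins", "server principal",
    "timeouts", "use message confidentiality", "use message integrity",
]
# True/false options from the sso_role list; setting one to false removes a protection.
PROTECTIVE = {"net password encryption", "mutual authentication",
              "use message confidentiality", "use message integrity"}

def resolve_option(fragment):
    """Expand a possibly abbreviated option name; None if unknown or ambiguous."""
    frag = fragment.strip().strip("'\"").lower()
    if frag in SETTABLE:
        return frag
    hits = [name for name in SETTABLE if frag and frag in name]
    return hits[0] if len(hits) == 1 else None

def parse_params(extrainfo):
    """Return the input parameters from the fifth (Other information) field."""
    fields = [f.strip() for f in extrainfo.split(";")]
    other = fields[4] if len(fields) > 4 else ""
    return [p.strip().strip("'\"") for p in other.split(",")] if other else []

def weakening_calls(rows):
    """List (login, server, option) for calls that set a protective option off."""
    findings = []
    for event, login, objname, extrainfo in rows:
        if event != 38 or objname != "sp_serveroption":
            continue
        params = parse_params(extrainfo)
        if len(params) != 3:
            continue  # no-parameter call that only displays the option list
        server, optname, optvalue = params
        option = resolve_option(optname)
        if option in PROTECTIVE and optvalue.lower() in ("false", "off"):
            findings.append((login, server, option))
    return findings

# Constructed sample rows; the parameter rendering in extrainfo is an assumption.
ROWS = [
    (38, "sso1", "sp_serveroption", "sso_role; ; ; ; GATEWAY, net password encryption, true; ; "),
    (38, "jdoe", "sp_serveroption", "sso_role; ; ; ; GATEWAY, 'net password', false; ; "),
    (38, "jdoe", "sp_serveroption", "sa_role; ; ; ; GATEWAY, timeouts, false; ; "),
    (38, "jdoe", "sp_serveroption", "sso_role; ; ; ; TEST3, use message int, false; ; "),
    (38, "guest1", "sp_serveroption", "; ; ; ; ; ; "),
]

print(weakening_calls(ROWS))
```

A filter that matches only the full option name would miss the second and fourth rows, which is why the abbreviation is resolved before the comparison.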

See also

Documents: See the System Administration Guide for more information on server options.

System procedures: sp_helpserver, sp_password

Utility: isql