sp_serveroption

Displays or changes remote server options.

Syntax

sp_serveroption [server, optname, optvalue]

Parameters

server – is the name of the remote server for which to set the option.
optname – is the name of the option to be set or unset. The following table lists the option names.
- mutual authentication – Sets mutual authentication for all connections to the remote server using Kerberos authentication.
- external engine auto start – Specifies that EJB Server starts up each time the SAP ASE server starts up. The default is true; starting the SAP ASE server also starts up EJB Server.
- net password encryption – Specifies whether to initiate connections with a remote server with the client side password encryption handshake or with the normal (unencrypted password) handshake sequence. The default is false, no network encryption.
- net password encryption reqd – The SAP ASE server allows the use of asymmetric encryption to securely transmit passwords from client to server using the RSA public key encryption algorithm. The SAP ASE server generates the asymmetric key pair and sends the public key to clients that use the new login protocol. The client encrypts the user’s login password with the public key before sending it to the server. The server, decrypts the password with the private key to begin the authentication of the client connecting.
  Configures the SAP ASE server to require clients to use this protocol. Set the SAP ASE configuration parameter net password encryption reqd to require all username- and password-based authentication requests to use RSA asymmetric encryption. The valid values for net password encryption reqd are:
  - 0 – Allows the client to choose the encryption algorithm used for login passwords on the network, including no password encryption. This is the default value for this configuration parameter and provides functionality most similar to earlier releases. This allows the choice of network password encryption to be established by the client application.
  - 1 – Restricts clients to use either RSA or Sybase proprietary encryption algorithms to encrypt login passwords on the network. This provides an incrementally restrictive setting that allows older clients to connect with the Sybase proprietary algorithm and new clients to connect with the stronger RSA algorithm. A client that attempts to connect without using password encryption fails.
  - 2 – Restricts clients to use only the RSA encryption algorithms to encrypt login passwords on the network. This provides strong RSA encryption of passwords and requires use of newer clients. A client that attempts to connect without using the RSA encryption fails.
- allow password downgrade –
- readonly – (Component Integration Services only) Specifies that access to the server named is read only.
- security mechanism – This option specifies the security mechanism for the remote server. Enables Kerberos authentication for connections to the remote server when your login is authenticated using the Kerberos mechanism.
- server cost – (Component Integration Services only) Specifies the cost of a single exchange under the user’s control, on a per-server basis. See Understanding Component Integration Services in Understanding CIS for more information.
- server logins – (Component Integration Services only) To fully support remote logins, Client-Library provides connection properties that enable CIS to request a server connection. This connection is recognized at the receiving server as a server connection (as opposed to an ordinary client connection), allowing the remote server to validate the connection through the use of sysremotelogins as if the connection were made by a site handler.
  When enabled, Omni connects to the specified server using the CS_LOGIN_TYPE connection property, with type set to LREMUSER. Also, if the remote server is an SAP ASE server, the CS_LOGIN_REMOTE_SERVER property is set to the value of the local server name, and remote passwords are set using ct_remote_pwd().
- server principal – Sets the server principal name for a remote server.
- negotiated logins – (Component Integration Services only) This option is necessary if CIS connections to XP server or Backup Server are required.
  When enabled, Omni connects to the specified server using the CS_SEC_CHALLENGE property, and establishes a callback handler that can respond appropriately to login challenges from XP Server and Backup Server.
- timeouts – When unset (false), disables the normal timeout code used by the local server, so the site connection handler does not automatically drop the physical connection after one minute with no logical connection. The default is false.
- use message confidentiality – Sets message confidentiality for all connections to the remote server using Kerberos authentication.
- use message integrity – Sets message integrity for all connections to the remote server using Kerberos authentication.
- cis hafailover – (Component Integration Services only) If enabled, instructs Open Client to use automatic failover when connections fail. In this case, CIS connection failures automatically failover to the server specified in directory services (such as the interface file and ldap server) as the failover server.
The SAP ASE server accepts any unique string that is part of the option name. Use quotes around the option name if it includes embedded blanks.
optvalue – is true (on) or false (off) for all options except the security mechanism option.
For the security mechanism option, specify the name of the security mechanism. To see the names of the security mechanisms available on a server, execute:
```
select * from syssecmechs
```

Examples

Example 1 – Displays a list of the server options:

sp_serveroption

Settable server options.
------------------------ 
cis hafailover
enable login redirection
external engine auto start
incompatible sort order
mutual authentication
negotiated logins
net password encryption
readonly
relocated joins
security mechanism
server cost
server logins
server principal
timeouts
use message confidentiality
use message integrity

Example 2 – Tells the server not to time out inactive physical connections with the remote server GATEWAY:
```
sp_serveroption GATEWAY, "timeouts", false
```
Example 3 – Specifies that when connecting to the remote server GATEWAY, GATEWAY sends back an encryption key to encrypt the password to send to it:
```
sp_serveroption GATEWAY, "net password encryption", true
```
Example 4 – Specifies that the EJB Server SYB_EJB starts up each time the SAP ASE server starts up:
```
sp_serveroption SYB_EJB, "external engine auto start", true
```
Example 5 – Specifies Kerberos authentication for connections to remote server S2.
```
sp_serveroption S2, "security mechanism", csfkrb5
```
Example 6 – Specifies mutual authentication for all connections to the remote server using Kerberos authentication.
```
sp_serveroption TEST3, "mutual authentication", true
```
Example 7 – Disables automatic startup, where SYB_EJB is the logical name of the EJB Server:
```
sp_serveroption 'SYB_EJB', 'external engine auto start', 'false'
```
To enable automatic startup, enter:
```
sp_serveroption 'SYB_EJB', 'external engine auto start', 'true'
```
See the EJB Server User’s Guide for more information about using external engine auto start.

Usage

There are additional considerations when using sp_serveroption:

To display a list of server options that can be set by the user, use sp_serveroption with no parameters.
Once timeouts is set to false, the site handlers continue to run until one of the two servers is shut down.
The net password encryption option allows clients to specify whether to send passwords in plain text or encrypted form over the network when initiating a remote procedure call. If net password encryption is true, the initial login packet is sent without passwords, and the client indicates to the remote server that encryption is desired. The remote server sends back an encryption key, which the client uses to encrypt its passwords. The client then encrypts its passwords, and the remote server uses the key to authenticate them when they arrive.
To set network password encryption for a particular isql session, you can use a command line option for isql.
The security mechanism, mutual authentication, use message confidentiality, and use message integrity options apply to Kerberos logins only.

Permissions

The permission checks for sp_serveroption differ based on your granular permissions settings.

Setting	Description
Enabled	With granular permissions enabled, you must be a user with `manage server` privilege. For a shared-disk cluster, you must be a user with `manage server` and `manage cluster` privileges. Any user can execute sp_serveroption with no parameters to display a list of options.
Disabled	With granular permissions disabled, you must be a user with sa_role to set the timeouts option. You must be a user with sso_role to set: net password encryption security mechanism mutual authentication use message confidentiality use message integrity Any user can execute sp_serveroption with no parameters to display a list of options.

Auditing

Values in event and extrainfo columns from the sysaudits table are:

Information	Values
Event	38
Audit option	exec_procedure
Command or access audited	Execution of a procedure
Information in `extrainfo`	Roles – Current active roles Keywords or options – NULL Previous value – NULL Current value – NULL Other information – All input parameters Proxy information – Original login name, if set proxy in effect