The configuration process is similar, regardless of which variety of Kerberos is used. To configure Kerberos:
Set up Kerberos third-party software and create a Kerberos administrative user. To do this, you must:
Install Kerberos client software on machines where Open Client Server clients or Adaptive Server will run. The following client packages have been verified to be working:
CyberSafe TrustBroker 4.0
MIT Kerberos version 1.3.1
Install the Kerberos KDC server on a separate, dedicated machine.
KDCs from CyberSafe TrustBroker 4.0, MIT Kerberos v.1.3.1, and Microsoft Windows Active Directory have been verified for use with Adaptive Server.
Create an administrator account on the Kerberos server with administration privileges. This account is used for subsequent client actions such as creating principals from the client machines.
Execute the remainder of these steps on the Kerberos client machine.
Add a Kerberos principal for Adaptive Server, ase120srv or ase120srv@MYREALM.
Extract the keytab file for principal ase120srv@MYREALM and store it as a file:
/krb5/v5srvtab
The following UNIX examples use the command line tool kadmin, available with CyberSafe or MIT Kerberos. There are also GUI tools available to aid in administration of Kerberos and users:
CyberSafe Kadmin:
% kadmin aseadmin
Principal - aseadmin@MYREALM
Enter password:
Connected to csfA5v01 in realm ASE.
Command: add ase120srv
Enter password:
Re-enter password for verification:
Principal added.
Command: ext -n ase120srv
Service Key Table File Name (/krb5/v5srvtab):
Key extracted.
Command: quit
Disconnected.
In a production environment, you must control the access to the keytab file. If a user can read the keytab file, he or she can create a server that impersonates your server.
Use chmod and chgrp so that /krb5/v5srvtab is:
-rw-r----- 1 root sybase 45 Feb 27 15:42 /krb5/v5srvtab
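The following script is an added check, not part of the Sybase documentation: it verifies that a keytab has exactly the mode shown above (owner read/write, group read, nothing for others) and is owned by the expected group, so a misconfigured keytab is caught before Adaptive Server starts rather than after someone has been able to read it. The path and group name are parameters; the defaults of /krb5/v5srvtab and sybase are the values used on this page.

```shell
#!/bin/sh
# Added example (not from the Sybase docs): report whether a Kerberos keytab
# carries the restrictive permissions the configuration steps require.
# Prints one of: ok, missing, bad-mode, bad-group. Returns non-zero unless ok.
# Usage: keytab_perm_status [/path/to/keytab] [expected-group]
keytab_perm_status() {
    _path=${1:-/krb5/v5srvtab}
    _want_group=${2:-sybase}

    [ -f "$_path" ] || { echo missing; return 1; }

    # 'ls -l' is portable across UNIX flavours: field 1 is the mode string,
    # field 4 the owning group. Positional parameters are reused as a scratch array.
    set -- $(ls -l "$_path")
    _mode=$1
    _group=$4

    # Accept -rw-r----- followed by an optional ACL/SELinux marker ('+' or '.').
    # Anything readable by "others", or group-writable, is rejected.
    case $_mode in
        -rw-r-----*) ;;
        *) echo bad-mode; return 1 ;;
    esac

    [ "$_group" = "$_want_group" ] || { echo bad-group; return 1; }
    echo ok
}

# Stand-alone use: check the default keytab location and exit with its status.
# keytab_perm_status /krb5/v5srvtab sybase
```

Run it as root (or as the sybase user) after the chmod and chgrp step; a result other than ok means the keytab can be read or altered by more identities than the server account, which is the impersonation risk the paragraph above describes.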
When using Active Directory as the KDC, log in to the Domain Controller to add users and Adaptive Server principals. Use the Active Directory Users and Computers wizard to guide you through the creation of users and principals.
Extracting the keytab file for use with Adaptive Server requires an optional tool called ktpass, which is included in the Microsoft Support Tools package.
With Active Directory, extracting the keytab with ktpass is done as a separate step from creating the principal. The keytab file on Windows for Adaptive Server is located with the CyberSafe program files. For example, c:\Program Files\CyberSafe\v5srvtab is the expected location of Adaptive Server’s keytab file when CyberSafe software is installed on the C: drive.
Add a Kerberos principal for the user “sybuser1” as “sybuser1@MYREALM”.
Start Adaptive Server and use isql to log in as “sa”. The following steps configure Adaptive Server parameters to use Kerberos security services, and create the user login account. These are the same on both Windows and UNIX machines:
Change configuration parameter use security services to 1:
1> sp_configure 'use security services', 1
Add a new login for user “sybuser1”, and then add the user:
1> sp_addlogin sybuser1, password
Shut down Adaptive Server and modify administrative files and connectivity configuration files.
On UNIX platforms, the interfaces file is under $SYBASE/ and has an entry that looks similar to:
ase120srv
	master tli tcp myhost 2524
	query tli tcp myhost 2524
	secmech 1.3.6.1.4.1.897.4.6.6
On Windows platforms, the sql.ini file is in %SYBASE%\ini, and has an equivalent server entry that looks like:
[ase120srv]
master=TCP,myhost,2524
query=TCP,myhost,2524
secmech=1.3.6.1.4.1.897.4.6.6
The libtcl.cfg or libtcl64.cfg file is located in $SYBASE/$SYBASE_OCS/config/ on UNIX platforms. The SECURITY section should have an entry that looks similar to the following for CyberSafe Kerberos client libraries:
[SECURITY]
csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/krb5/lib/libgss.so
A 64-bit CyberSafe Kerberos client library entry follows:
[SECURITY]
csfkrb5=libsybskrb64.so secbase=@MYREALM libgss= \
/krb5/appsec-rt/lib/64/libgss.so
For a machine that uses MIT Kerberos client libraries, the entry looks something like:
[SECURITY]
csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/opt/mitkrb5/lib/libgssapi_krb5.so
For a machine that uses Native OS provided libraries, such as Linux, it looks similar to:
[SECURITY]
csfkrb5=libsybskrb.so secbase=@MYREALM libgss=/usr/kerberos/lib/libgssapi_krb5.so
On Windows NT, the %SYBASE%\%SYBASE_OCS%\ini\libtcl.cfg file contains an entry like:
[SECURITY]
csfkrb5=libskrb secbase=@MYREALM libgss=C:\WinNT\System32\gssapi32.dll
Note the libgss=<gss shared object path> that specifies the GSS API library to be used. It is important that you distinctly locate the Kerberos Client libraries being used, especially when multiple versions are installed on a machine.
Also check the objectid.dat under $SYBASE/$SYBASE_OCS/config/ and make sure the [secmech] section has an entry for csfkrb5:
[secmech]
1.3.6.1.4.1.897.4.6.6 = csfkrb5
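The script below is an added example, not from the Sybase documentation, that ties together the libtcl.cfg [SECURITY] entry, the libgss= note, and the objectid.dat [secmech] mapping described above. It reads both files with a small ini-style parser (which also understands the backslash-continued libgss= line shown for the 64-bit CyberSafe entry), checks that the csfkrb5 driver, a realm-form secbase and a libgss path are all present, that the GSS library file actually exists at that path, and that the secmech OID 1.3.6.1.4.1.897.4.6.6 maps to csfkrb5. File paths are passed in by the caller; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sybase docs): sanity-check the Kerberos wiring
# between libtcl.cfg and objectid.dat before restarting Adaptive Server.

# Print the value of KEY inside [SECTION] of an ini-style file, empty if absent.
# Handles several "key=value" pairs on one line, optional spaces around '=',
# and a trailing backslash that continues a value on the next line.
ini_value() { # ini_value FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        # glue backslash-continued lines together before parsing
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^\[/ { insect = (line == sect); next }
        insect {
            gsub(/[ \t]*=[ \t]*/, "=", line)        # "a = b" -> "a=b"
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                eq = index(tok[i], "=")
                if (eq && substr(tok[i], 1, eq - 1) == key) {
                    print substr(tok[i], eq + 1); exit
                }
            }
        }' "$1"
}

# Validate the csfkrb5 configuration. Prints "ok" or a one-line reason and
# returns non-zero on any problem.
check_kerberos_wiring() { # check_kerberos_wiring LIBTCL_CFG OBJECTID_DAT
    _libtcl=$1 _objectid=$2
    _drv=$(ini_value "$_libtcl" SECURITY csfkrb5)
    _realm=$(ini_value "$_libtcl" SECURITY secbase)
    _gss=$(ini_value "$_libtcl" SECURITY libgss)
    _oid=$(ini_value "$_objectid" secmech 1.3.6.1.4.1.897.4.6.6)

    [ -n "$_drv" ] || { echo "no csfkrb5 driver in [SECURITY]"; return 1; }
    case $_realm in @*) ;; *) echo "secbase must start with @"; return 1 ;; esac
    [ -n "$_gss" ] || { echo "no libgss path in [SECURITY]"; return 1; }
    # The libgss path must point at a real file; with several Kerberos
    # installations on one host this is the line that usually goes wrong.
    [ -f "$_gss" ] || { echo "libgss not found: $_gss"; return 1; }
    [ "$_oid" = csfkrb5 ] || { echo "objectid.dat lacks csfkrb5 mapping"; return 1; }
    echo ok
}

# Stand-alone use against the real files (paths as described on this page):
# check_kerberos_wiring "$SYBASE/$SYBASE_OCS/config/libtcl.cfg" \
#                       "$SYBASE/$SYBASE_OCS/config/objectid.dat"
```

The check stops at the first problem it finds, so the message names the file and key to fix; a result of ok only confirms the files agree with each other and with the GSS library on disk, not that the keytab or KDC are reachable.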
You can use environment variables to override default locations of keytab files, Kerberos configuration, and realm configuration files. This is Kerberos-specific behavior and may not work consistently on all platforms.
For example, the CSFC5KTNAME environment variable can be used on CyberSafe UNIX platforms to specify the keytab file:
% setenv CSFC5KTNAME /krb5/v5srvtab
For MIT Kerberos, the equivalent environment variable is KRB5_KTNAME.
See the vendor documentation for information about these environment variables.
Your application may also need to modify the environment variable for dynamic library search paths. On UNIX, the most commonly used environment variable is LD_LIBRARY_PATH; on Windows, PATH is typically set to include DLL locations. You may need to modify these environment variables to enable applications to load the third-party objects correctly. For example, this command adds the location of the CyberSafe 32-bit libgss.so shared object to the search path in a C-Shell environment:
% set path = ( /krb5/lib $path )
Restart Adaptive Server. You should see the following log message during start-up:
00:00000:00000:2001/07/25 11:43:09.91 server Successfully initialized the security mechanism 'csfkrb5'. The SQL Server will support use of this security mechanism.
Use isql as UNIX user “sybuser1” (without the -U and -P arguments) to connect:
% $SYBASE/$SYBASE_OCS/bin/isql -Sase120srv -V
1> ...
You can also use the encryption option:
$SYBASE/$SYBASE_OCS/bin/isql -Sase120srv -Vc
Copyright © 2005. Sybase Inc. All rights reserved.