Specifying the Adaptive Server principal name

Use a dataserver option and an environment variable to specify a principal name different from the Adaptive Server name. Adaptive Server name is specified by environment variables DSLISTEN and DSQUERY, or the dataserver command-line option "-s servername".

You can set the principal name either the setenv command or the -k dataserver option.

By default, the principal name is the name of Adaptive Server. To specify a different name, set SYBASE_PRINCIPAL before starting Adaptive Server to use Kerberos:

setenv SYBASE_PRINCIPAL <name of principal>

Once you have set an Adaptive Server principal name, Adaptive Server uses the value of this variable to authenticate itself with Kerberos.

You can use the following command-line option to specify an Adaptive Server principal name, when starting Adaptive Server:

 -k <server principal name>

When you start an Adaptive Server with the Kerberos security mechanism enabled, Adaptive Server first uses the principal name specified with the -k option for Kerberos authentication. If the -k option is not specified, Adaptive Server looks for the principal name in the environment variable SYBASE_PRINCIPAL. If neither is specified, Adaptive Server uses the server name for authentication.

In this example, the Adaptive Server name is “secure_ase” and realm name is “MYREALM.COM,” the Adaptive Server name is specified on the command line with -s parameter to the dataserver. The current realm is specified in libtcl.cfg by a secbase attribute value:

[SECURITY]
csfkrb5=libskrb.so libgss=/krb5/lib/libgss.so
secbase=@MYREALM.COM

The default Adaptive Server principal name is “secure_ase@MYREALM.COM.” If the principal name defined in the Adaptive Server keytab file is “aseprincipal@MYREALM.COM,” you can override the default Adaptive Server principal name by setting a server principal name using options 1 or 2 below:

• Option 1: -k is specified:

  % 
  $SYBASE/$SYBASE_ASE/bin/dataserver -dmaster.dat 
  -s secure_ase -k aseprincipal@MYREALM.COM
  

  The Adaptive Server principal name used to authenticate with Kerberos is “aseprincipal@MYREALM.COM.”

• Option 2: -k is not specified but SYBASE_PRINCIPAL is set:

  setenv SYBASE_PRINCIPAL aseprincipal@MYREALM.COM
  $SYBASE/$SYBASE_ASE/bin/dataserver –dmaster.dat 
  -s secure_ase 
  

  The Adaptive Server principal name used to authenticate with Kerberos is “aseprincipal@MYREALM.COM,” the value of $SYBASE_PRINCIPAL.

• Option 3: Neither -k nor SYBASE_PRINCIPAL is set

  % $SYBASE/$SYBASE_ASE/bin/dataserver –dmaster.dat 
  -s secure_ase 
  

  The Adaptive Server principal name used to authenticate with Kerberos is “secure_ase@MYREALM.COM.”

For more information about Kerberos, see the Security section of the System Administration Guide, Volume One.