
Purpose

This wiki helps you understand ASE with the Kerberos security mechanism.
This wiki is based on an MIT Kerberos setup.

Overview

I wanted to create this wiki to understand each step needed to set up Kerberos on ASE and why each step is done.
What we will look into further:

  • libtcl.cfg & libtcl64.cfg
  • interfaces/sql.ini
  • krb5.conf
  • Kerberos Service Principal keytab
  • Kerberos Client Ticket Granted Ticket (TGT)
  • Environment variables

libtcl.cfg & libtcl64.cfg

The libtcl files are used to enable extra features, including LDAP, SSL, and Kerberos.
The file is loaded when the application starts.
When a client is configured for a Kerberos connection, it looks in the libtcl.cfg file for specific parameters.
For Kerberos, you need the Sybase security driver name, the Kerberos realm, and the location of the Kerberos (GSS) library.

When using Kerberos, add the following entry to the [SECURITY] section:

Unix
libtcl.cfg:
[SECURITY]
csfkrb5=libsybskrb.so secbase=@REALM libgss=/usr/lib/libgss.so

libtcl64.cfg:
[SECURITY]
csfkrb5=libsybskrb64.so secbase=@REALM libgss=/usr/lib/64/libgss.so

libgss names the native Kerberos GSS library.
If you want to use the MIT Kerberos libraries instead, the file name is libgssapi_krb5.so.

Windows
libtcl.cfg:
[SECURITY]
csfkrb5=LIBSYBSKRB.DLL secbase=@REALM libgss=C:\progra~2\MIT\Kerberos\bin\gssapi32.dll

libtcl64.cfg:
[SECURITY]
csfkrb5=LIBSYBSKRB64.DLL secbase=@REALM libgss=C:\progra~1\MIT\Kerberos\bin\gssapi64.dll

interfaces/sql.ini

The interfaces (Unix) and sql.ini (Windows) files hold the information clients need to connect to an ASE server.
This information can include host, port, filters, security mechanisms, failover entries, and retry settings.

Example:
interfaces file-

asename
                master tcp ether host port
                query tcp ether host port
                secmech 1.3.6.1.4.1.897.4.6.6

The secmech identifier (an OID) comes from the objectid.dat file.
That file maps 1.3.6.1.4.1.897.4.6.6 = csfkrb5 (i.e. Kerberos).
The same name, csfkrb5, appears in the libtcl/libtcl64.cfg files.
With this secmech line in the interfaces file, clients know to use the Kerberos security mechanism when connecting to that server.
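As an added example (not part of this wiki and not ASE product code), the following POSIX shell script ties the three files discussed so far together: it reads the secmech OID for a named server out of an interfaces file, resolves that OID through an objectid.dat-style "oid = name" mapping, and confirms that libtcl.cfg carries a csfkrb5 line with both secbase and libgss in its [SECURITY] section. The sample files, the server names ASE_KRB and ASE_PLAIN, the host names and the realm EXAMPLE.COM are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SAP wiki: cross-check interfaces, objectid.dat
# and libtcl.cfg so that a server's secmech OID really resolves to csfkrb5
# and the client has a matching Kerberos driver line.

# Print the secmech OID for SERVER in an interfaces FILE (empty if none).
# Entry names start in column 1; attribute lines are indented.
interfaces_secmech() {
    file=$1; server=$2
    awk -v s="$server" '
        /^[^ \t#]/ { cur = $1; next }             # new entry header
        cur == s && $1 == "secmech" { print $2 }  # attribute of the wanted entry
    ' "$file"
}

# Map an OID to its mechanism name using objectid.dat ("oid = name" lines).
objectid_name() {
    file=$1; oid=$2
    awk -v o="$oid" '$1 == o && $2 == "=" { print $3 }' "$file"
}

# Print the csfkrb5 driver line from the [SECURITY] section of libtcl.cfg.
libtcl_csfkrb5() {
    awk '
        /^\[/ { insec = ($1 == "[SECURITY]"); next }
        insec && $1 ~ /^csfkrb5=/ { print; exit }
    ' "$1"
}

# Return 0 when all three files agree that SERVER uses Kerberos (csfkrb5).
kerberos_configured() {
    ifile=$1; ofile=$2; lfile=$3; server=$4
    oid=$(interfaces_secmech "$ifile" "$server")
    [ -n "$oid" ] || { echo "no secmech line for $server"; return 1; }
    name=$(objectid_name "$ofile" "$oid")
    [ "$name" = "csfkrb5" ] || { echo "secmech $oid is not csfkrb5 (got '$name')"; return 1; }
    line=$(libtcl_csfkrb5 "$lfile")
    [ -n "$line" ] || { echo "no csfkrb5 entry in [SECURITY] of $lfile"; return 1; }
    case "$line" in
        *secbase=@*libgss=*) echo "$server: Kerberos via $line"; return 0 ;;
        *) echo "csfkrb5 line is missing secbase or libgss: $line"; return 1 ;;
    esac
}

# Constructed sample files (server names, hosts and realm are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/interfaces" <<'EOF'
ASE_KRB
        master tcp ether asehost.example.com 5000
        query tcp ether asehost.example.com 5000
        secmech 1.3.6.1.4.1.897.4.6.6

ASE_PLAIN
        master tcp ether asehost2.example.com 5000
        query tcp ether asehost2.example.com 5000
EOF
cat > "$tmp/objectid.dat" <<'EOF'
[secmech]
    1.3.6.1.4.1.897.4.6.6 = csfkrb5
EOF
cat > "$tmp/libtcl.cfg" <<'EOF'
[DRIVERS]
[SECURITY]
csfkrb5=libsybskrb.so secbase=@EXAMPLE.COM libgss=/usr/lib/libgss.so
EOF

kerberos_configured "$tmp/interfaces" "$tmp/objectid.dat" "$tmp/libtcl.cfg" ASE_KRB
```

On a real installation, point the functions at your own interfaces, objectid.dat and libtcl.cfg (or libtcl64.cfg for 64-bit clients) files; a server with no secmech line, an OID that does not map to csfkrb5, or a csfkrb5 line missing secbase or libgss is reported before you spend time chasing a login failure.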

krb5.conf

The krb5.conf file is used by clients to locate the Key Distribution Center (KDC).
With Kerberos authentication, the client requests a Kerberos ticket from the KDC.
The client then presents this ticket when connecting to the ASE.
This file also sets parameters and settings for the requested tickets.

Sections of the krb5.conf file:

[libdefaults] - Sets defaults for your Kerberos setup.
examples: default realm, default encryption types, ticket lifetimes.
                default_realm = REALM
                default_tkt_enctypes = aes256-cts
                default_tgs_enctypes = aes256-cts

[realms] - Tells the client where to find the KDC for each realm.
example:
                REALM = {
                                kdc = <host>:<port>
                                admin_server = <host>:<port>
                }

[domain_realm] - Maps DNS domains to Kerberos realms.
example:
        .domain.com = REALM
        domain.com = REALM
        .domain2.corp = REALM
        domain2.corp = REALM

[logging] - Directs Kerberos error and diagnostic output to a file.
examples of keys: kdc, admin_server, default

[appdefaults] - Sets defaults for specific applications.
example:
                kinit = {
                                renewable = true
                                forwardable = true
                }

Kerberos Service Principal keytab

When using Kerberos with ASE, there are two kinds of credentials: the service principal keytab (used by the ASE server) and the client ticket.

See the KDC wiki if you have questions about setting up Kerberos credentials for ASE (link in Related Documents).

The service principal is generated on the KDC.
The principal is then used to create a keytab file using ktadd.
This file is given to the ASE so it can authenticate.

You will use an environment variable to let the ASE find and access this keytab file.
The ASE must be able to read this file, but you want to lock it down as tightly as possible: the keytab holds the service's long-term key, so it should be readable only by the OS user the ASE runs as.

Kerberos Client Ticket Granted Ticket (TGT)

The client uses the kinit Kerberos tool to obtain a ticket.

kinit is used to sign in to the KDC and request a ticket.
kinit sends the user name, password, and realm of the KDC user.
Once this is sent, the KDC sends back a ticket.

kinit username@REALM
password: ********

klist (shows the credentials that are cached)
You can also use the environment variable KRB5CCNAME to specify the location and file name of the credential cache.

This ticket is used by the client to login to the ASE.
The client also specifies the service principal located in the keytab.

An overall picture

[Image: overall picture of the Kerberos and ASE setup]

Picture provided by Jay Anderson

Environment variables

Remember to set up your environment variables for your specific Sybase installation.
cd $SYBASE
source SYBASE.csh

Kerberos environment variables:
Set this to specify the location of the krb5.conf file:
setenv KRB5_CONFIG <locationToYourKrb5.confFile>/krb5.conf

Set this to allow the ASE to pick up the keytab file:
setenv KRB5_KTNAME <locationToYourServerskeytab>/<name>.keytab

Set this to allow the ASE to pick up the service principal name:
setenv SYBASE_PRINCIPAL <keytab'sServicePrincipalName>

Lastly, add the Kerberos executables to your PATH and make sure LD_LIBRARY_PATH and LD_LIBRARY_PATH_64 point to the Kerberos libraries:

examples-

setenv PATH <kerberosexecutables>:$PATH

setenv LD_LIBRARY_PATH <kerberoslibrarylocation>:$LD_LIBRARY_PATH

setenv LD_LIBRARY_PATH_64 <kerberoslibrarylocation>:$LD_LIBRARY_PATH_64
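As an added example (not part of this wiki and not ASE product code), here is a POSIX shell pre-start check that covers the keytab section and the environment variables above in one pass: it verifies KRB5_CONFIG, KRB5_KTNAME and SYBASE_PRINCIPAL are set and usable, that the keytab is owned by the ASE OS user and not readable by group or others, that the principal's realm matches default_realm in krb5.conf, and that the libgss library named in libtcl.cfg exists. The sample krb5.conf, the empty placeholder keytab and library file, the realm EXAMPLE.COM and the principal ase/asehost.example.com are constructed for the demonstration; the functions are POSIX sh rather than the csh of the setenv lines above.

```shell
#!/bin/sh
# Added example, not from the SAP wiki: pre-start check of the Kerberos
# environment described on this page. Constructed sample values throughout.

# 0 if FILE is owned by numeric UID and has mode rw------- or r-------- (no
# group/other bits, no ACL marker); anything wider exposes the long-term key.
keytab_is_private() {
    file=$1; uid=$2
    set -- $(ls -ldn "$file")           # -rw------- 1 uid gid size date name
    perm=$1; owner=$3
    [ "$owner" = "$uid" ] || { echo "keytab owner is uid $owner, expected $uid"; return 1; }
    case "$perm" in
        -r[w-]------- | -r[w-]-------.) return 0 ;;
        *) echo "keytab mode $perm allows group/other access"; return 1 ;;
    esac
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk '
        /^\[/ { inlib = ($1 == "[libdefaults]"); next }
        inlib && $1 == "default_realm" { print $3; exit }
    ' "$1"
}

# Print the libgss= path from the csfkrb5 line in libtcl.cfg.
libtcl_libgss() {
    awk '
        /^\[/ { insec = ($1 == "[SECURITY]"); next }
        insec && $1 ~ /^csfkrb5=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^libgss=/) { sub(/^libgss=/, "", $i); print $i; exit }
        }
    ' "$1"
}

# Run every check, print each failure, and return the number of failures.
kerberos_preflight() {
    libtcl=$1; ase_uid=$2; fails=0
    [ -r "${KRB5_CONFIG:-}" ] || { echo "KRB5_CONFIG unset or unreadable"; fails=$((fails+1)); }
    [ -f "${KRB5_KTNAME:-}" ] || { echo "KRB5_KTNAME unset or missing";   fails=$((fails+1)); }
    case "${SYBASE_PRINCIPAL:-}" in
        */*@*) ;;                       # expected form service/host@REALM
        *) echo "SYBASE_PRINCIPAL should look like service/host@REALM"; fails=$((fails+1)) ;;
    esac
    if [ -f "${KRB5_KTNAME:-}" ]; then
        keytab_is_private "$KRB5_KTNAME" "$ase_uid" || fails=$((fails+1))
    fi
    if [ -r "${KRB5_CONFIG:-}" ] && [ -n "${SYBASE_PRINCIPAL:-}" ]; then
        realm=${SYBASE_PRINCIPAL##*@}
        def=$(krb5_default_realm "$KRB5_CONFIG")
        [ "$realm" = "$def" ] || { echo "principal realm $realm != default_realm $def"; fails=$((fails+1)); }
    fi
    gss=$(libtcl_libgss "$libtcl")
    [ -n "$gss" ] && [ -f "$gss" ] || { echo "libgss library '$gss' not found"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample environment (placeholder files, not a real keytab or library).
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com:88
        }
EOF
: > "$tmp/ase.keytab"; chmod 600 "$tmp/ase.keytab"   # empty stand-in for the ktadd output
: > "$tmp/libgss.so"                                  # empty stand-in for the GSS library
cat > "$tmp/libtcl.cfg" <<EOF
[SECURITY]
csfkrb5=libsybskrb.so secbase=@EXAMPLE.COM libgss=$tmp/libgss.so
EOF
export KRB5_CONFIG="$tmp/krb5.conf" KRB5_KTNAME="$tmp/ase.keytab" \
       SYBASE_PRINCIPAL="ase/asehost.example.com@EXAMPLE.COM"

kerberos_preflight "$tmp/libtcl.cfg" "$(id -u)" && echo "preflight OK"
```

Run the check as the OS user that starts the ASE, after sourcing SYBASE.csh and setting the variables above; a keytab that is group- or world-readable, or a SYBASE_PRINCIPAL whose realm does not match krb5.conf, is reported before the server is started rather than surfacing later as a failed Kerberos login.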

Related Content

Related Documents

objectid.dat file:
http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc01672.1572/html/sec_admin/X15496.htm

Key Distribution Center (KDC) and ASE wiki link:
http://wiki.sdn.sap.com/wiki/x/C4R6F

Related sap notes/kbas

1881287 - How to Setup MIT Kerberos on ASE and SDK (Includes KDC setup)

1899327 - How to Setup MIT Kerberos on OpenSwitch to ASE
