<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Network authentication service environment variables" />
<meta name="abstract" content="You can use environment variables with network authentication service to affect how Generic Security Services (GSS) APIs and the Kerberos protocol APIs perform." />
<meta name="description" content="You can use environment variables with network authentication service to affect how Generic Security Services (GSS) APIs and the Kerberos protocol APIs perform." />
<meta name="DC.Relation" scheme="URI" content="rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhenvvar" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Network authentication service environment variables</title>
</head>
<body id="rzakhenvvar"><a name="rzakhenvvar"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Network authentication service environment variables</h1>
<div><p>You can use environment variables with network authentication service
to affect how Generic Security Services (GSS) APIs and the Kerberos protocol
APIs perform.</p>
<div class="section"><p>You can use environment variables to change the configuration
and to manage the network authentication service on your network. i5/OS™ supports
multiple ways to work with environment variables. </p>
<div class="p"><strong>CL commands</strong><ul><li>ADDENVVAR</li>
<li>CHGENVVAR</li>
<li>RMVENVVAR</li>
<li>WRKENVVAR</li>
</ul>
For an example of setting environment variables with the ADDENVVAR CL command,
see <a href="rzakhadvtapitracetool.htm#rzakhadvtapitracetool">API trace tool</a>.
The environment variables in that example create a log file that traces
each of the Kerberos and GSS API calls. The API trace tool helps you troubleshoot
more advanced problems involving your Kerberos-enabled applications, problems
that can occur during network authentication service configuration, and problems
that can occur during Kerberos ticket requests.</div>
<div class="p"><strong>C APIs</strong><ul><li>getenv() </li>
<li>putenv()</li>
</ul>
For descriptions and examples of these APIs, see the usage notes on the <a href="../apis/evgetenv.htm">getenv()</a> and
the <a href="../apis/evputenv.htm">putenv()</a> APIs.</div>
<div class="p"> <strong>Qshell
commands</strong><ul><li>export -s env_var_name=value</li>
</ul>
</div>
<div class="p">In addition, you can define an environment variable file (envar
file) containing entries of the form <strong>environment_variable=value</strong>. Any
variables defined through the Qshell environment or with the CL commands override
the same variables in the envar file. The _EUV_ENVAR_FILE environment variable
can be used to specify the location of the file containing these entries. <dl><dt class="dlterm">_EUV_ENVAR_FILE </dt>
<dd><p>The name of the file that contains environment variable definitions.
If this variable is not set, the default is to use the envar file located
in the home directory (as specified by the _EUV_HOME or HOME environment variable).
</p>
<p>Each line of the file consists of the variable name followed by an
equal sign (=) followed by the variable value with no intervening blanks or
other punctuation. The variable value consists of everything following the
equal sign up to the end of the line (including any embedded and trailing
blanks). Any line beginning with a pound sign (#) is treated as a comment
line. You can continue a line by ending it with a backward slash (\). No trailing
blanks can follow the backward slash. The <tt>_EUV_</tt> must begin in column
1.</p>
<p>Environment variables in the envar file are not set until the first time that a function
in the security run time is invoked. Thus, the file is mainly useful for setting
environment variables that will be used by functions within the security run
time, although it can be used to set environment variables that will be used
by the application as well. In this case, the application should not rely
on the environment variable values until after the security run time has been
initialized. The user profile under which this program runs must have *X authority
to each directory in the path preceding this file, and *R authority to this
file.</p>
</dd>
<dt class="dlterm">_EUV_HOME and HOME </dt>
<dd>The security run-time home directory is set to the value of the _EUV_HOME
environment variable. If this variable is not specified, the HOME variable
is used to determine the security run-time home directory. If neither environment
variable is set, the home directory that is configured in the user profile
that is currently running is used. If the home directory does not exist, the
current working directory is used. Limit public access to this directory to
*EXCLUDE or *R. </dd>
<dt class="dlterm">_EUV_SEC_KRB5CCNAME_FILE</dt>
<dd>The name of the file used to locate the default Kerberos credentials cache.
If this variable is not set, the default is to use the krb5ccname file located
in the security run-time home directory. The running user profile must have
*X authority to each directory in the path name preceding this file. If the
file does not yet exist, the running user profile must have *WX authority
to the parent directory that contains this file. The user must ensure that
public access to the parent directory is limited to prevent a malicious user
from changing the credentials cache file that is used.</dd>
<dt class="dlterm">_EUV_SVC_MSG_LOGGING</dt>
<dd>The target where messages are logged. The following values are valid: <dl><dt class="dlterm">NO_LOGGING</dt>
<dd>Suppress all messages. This is the default. </dd>
<dt class="dlterm">STDOUT_LOGGING</dt>
<dd>Write all messages (informational and error) to stdout, and write error
messages to stderr.</dd>
<dt class="dlterm">STDERR_LOGGING</dt>
<dd>Write informational messages to stdout and error messages to stderr. </dd>
</dl>
</dd>
<dt class="dlterm">_EUV_SVC_MSG_LEVEL </dt>
<dd>The message level when logging messages. Messages that do not meet this
criterion are suppressed. The default is to log all messages. The following
values are valid: <dl><dt class="dlterm">FATAL</dt>
<dd>Only unrecoverable messages are logged.</dd>
<dt class="dlterm">ERROR</dt>
<dd>Only unrecoverable and error messages are logged.</dd>
<dt class="dlterm">USER</dt>
<dd>Only unrecoverable, error, and user messages are logged.</dd>
<dt class="dlterm">WARNING</dt>
<dd>Only unrecoverable, error, user, and warning messages are logged.</dd>
<dt class="dlterm">NOTICE</dt>
<dd>Only unrecoverable, error, user, warning, and notice messages are logged.</dd>
<dt class="dlterm">VERBOSE</dt>
<dd>All messages are logged.</dd>
</dl>
</dd>
<dt class="dlterm">_EUV_SVC_STDOUT_FILENAME </dt>
<dd>The fully qualified name of the file to receive standard output messages.
If this environment variable is not defined, messages are written to stdout.
The currently running user profile must have *X authority to each directory
in the path preceding this file and *WX authority to the parent directory
that contains this file. </dd>
<dt class="dlterm">_EUV_SVC_STDERR_FILENAME </dt>
<dd>The fully qualified name of the file to receive standard error messages.
If this environment variable is not defined, messages are written to stderr.
The currently running user profile must have *X authority to each directory
in the path preceding this file and *WX authority to the parent directory
that contains this file. </dd>
<dt class="dlterm">_EUV_SVC_DBG_MSG_LOGGING </dt>
<dd>Whether debug messages are generated. The default is to suppress debug
messages. Logging of debug messages should not be enabled unless requested
by IBM<sup>®</sup> service,
as it can severely affect performance. The following values are valid: <ul><li>0 Suppress debug messages </li>
<li>1 Write debug messages </li>
</ul>
</dd>
<dt class="dlterm">_EUV_SVC_DBG </dt>
<dd><p>The subcomponents and levels for the debug messages. Debug messages
for a particular subcomponent are not logged unless the subcomponent is included
in the _EUV_SVC_DBG list and the debug message level is greater than or equal
to the specified level. Use an asterisk (*) to specify all subcomponents.</p>
<div class="p">The
subcomponent list consists of a subcomponent name and a debug level separated
by a period. You can specify multiple subcomponents by separating the entries
with commas. For example, _EUV_SVC_DBG=*.1,KRB_CCACHE.8 enables debug level
1 for all subcomponents and debug level 8 for the KRB_CCACHE subcomponent.
You can specify the following subcomponents: <ul><li>KRB_API</li>
<li>KRB_GENERAL</li>
<li>KRB_CCACHE</li>
<li>KRB_RCACHE</li>
<li>KRB_CRYPTO</li>
<li>KRB_GSSAPI</li>
<li>KRB_KEYTAB</li>
<li>KRB_LIB</li>
<li>KRB_ASN1</li>
<li>KRB_OS</li>
<li>KRB_KDC</li>
<li>KRB_KDB</li>
<li>KRB_KUT</li>
</ul>
</div>
</dd>
<dt class="dlterm">_EUV_SVC_DBG_FILENAME </dt>
<dd>The fully qualified name of the file to receive debug messages. If this
environment variable is not defined, debug messages are written to the file
specified by the _EUV_SVC_STDOUT_FILENAME. If _EUV_SVC_STDOUT_FILENAME is
not specified, then debug messages are written to stdout. The currently running
user profile must have *X authority to each directory in the path preceding
this file and *WX authority to the parent directory that contains this file. </dd>
<dt class="dlterm">KRB5_CONFIG </dt>
<dd>One or more configuration file names separated by colons. The default
configuration file is <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf</span>.
The currently running user profile must have *X authority to each directory
in the path preceding these configuration files and *R authority to the configuration
files. </dd>
<dt class="dlterm">KRB5CCNAME</dt>
<dd>The default name for the credentials cache file, which is specified as
type:name. The supported types are FILE and MEMORY. The default is to perform
FILE-based credentials caching in the <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/creds</span> directory.
If the default is used, no authority setup is needed. If a FILE-based credentials
cache file is specified, then the currently running user profile must have
*X authority to each directory in the path. It must have *WX authority to
the parent directory when the cache file is first created and *RW authority
to the cache file. If the cache file is being deleted, it must have *OBJEXIST
authority to the cache file. </dd>
<dt class="dlterm">KRB5_KTNAME</dt>
<dd>The default key table name. If not specified, the file specified by the
default_keytab_name configuration entry in the configuration file is used.
If the configuration entry is not specified, the default file is <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab</span>. The currently running user profile must have *X authority to each directory
in the path. If the file is being created, it must also have *WX authority
to the parent directory. If the file is being updated, it must have *RW authority
to the file. Specific authorities needed are documented under the Qshell commands
and the run-time APIs. </dd>
<dt class="dlterm">KRB5RCACHETYPE</dt>
<dd>The default replay cache type. It defaults to dfl. </dd>
<dt class="dlterm">KRB5RCACHENAME </dt>
<dd>The default replay cache name. If not specified, the Kerberos run time
generates a name. </dd>
<dt class="dlterm">KRB5RCACHEDIR </dt>
<dd>The default replay cache directory. It defaults to <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/replay</span>. </dd>
</dl>
</div>
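<p>The envar file rules described under _EUV_ENVAR_FILE, as an added example that is not part of the original IBM page or IBM code: a Python parser for the file format, the lookup order for the file's location, and the override by variables already set through Qshell or CL commands. The function names, the profile_home parameter, the sample file contents, and the handling of malformed lines are assumptions.</p>

```python
# Added example (not IBM code): parse an envar file per the rules on this page.
SAMPLE_ENVAR = (  # constructed sample input
    "# security run-time settings\n"
    "_EUV_SVC_MSG_LOGGING=STDOUT_LOGGING\n"
    "_EUV_SVC_MSG_LEVEL=ERROR \n"        # trailing blank becomes part of the value
    "_EUV_SVC_DBG=*.1,\\\n"              # backslash as last character continues the line
    "KRB_CCACHE.8\n"
    " KRB5_CONFIG=/tmp/krb5.conf\n"      # name does not begin in column 1
)

def parse_envar_file(text):
    """Return {name: value} for the text of an envar file."""
    entries, pending = {}, None
    for raw in text.split("\n"):
        if pending is None and raw.startswith("#"):
            continue                      # comment line
        line = raw if pending is None else pending + raw
        pending = None
        if line.endswith("\\"):           # a blank after the backslash defeats this
            pending = line[:-1]
            continue
        name, sep, value = line.partition("=")
        # Assumption: a line with no '=' or with blanks in the name is skipped.
        if sep and name and not any(ch.isspace() for ch in name):
            entries[name] = value         # embedded and trailing blanks are kept
    return entries

def envar_file_path(environ, profile_home):
    """Pick the envar file; profile_home (hypothetical parameter) stands in for the
    home directory configured in the user profile. The page's fallback to the
    current working directory when that directory is missing is not modelled."""
    if "_EUV_ENVAR_FILE" in environ:
        return environ["_EUV_ENVAR_FILE"]
    home = environ.get("_EUV_HOME") or environ.get("HOME") or profile_home
    return home.rstrip("/") + "/envar"

def effective_settings(file_entries, environ):
    """Variables set through Qshell or CL commands override the envar file."""
    merged = dict(file_entries)
    merged.update(environ)
    return merged
```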
</div>
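<p>A configuration check for the logging variables described above, as an added example that is not part of the original IBM page or IBM code: it compares _EUV_SVC_MSG_LOGGING, _EUV_SVC_MSG_LEVEL and _EUV_SVC_DBG_MSG_LOGGING with the documented values, parses an _EUV_SVC_DBG list against the listed subcomponents, and reports where debug messages would be written. The function names, finding texts and sample settings are assumptions.</p>

```python
# Added example (not IBM code): check logging-related settings against this page.
MSG_LOGGING = {"NO_LOGGING", "STDOUT_LOGGING", "STDERR_LOGGING"}
MSG_LEVEL = {"FATAL", "ERROR", "USER", "WARNING", "NOTICE", "VERBOSE"}
SUBCOMPONENTS = {
    "KRB_API", "KRB_GENERAL", "KRB_CCACHE", "KRB_RCACHE", "KRB_CRYPTO",
    "KRB_GSSAPI", "KRB_KEYTAB", "KRB_LIB", "KRB_ASN1", "KRB_OS",
    "KRB_KDC", "KRB_KDB", "KRB_KUT",
}

def parse_svc_dbg(spec):
    """Turn '*.1,KRB_CCACHE.8' into {'*': 1, 'KRB_CCACHE': 8}; ValueError if malformed."""
    levels = {}
    for entry in spec.split(","):
        name, sep, level = entry.rpartition(".")
        known = name == "*" or name in SUBCOMPONENTS
        if not sep or not known or not (level.isascii() and level.isdigit()):
            raise ValueError(f"_EUV_SVC_DBG: bad entry {entry!r}")
        levels[name] = int(level)
    return levels

def debug_destination(settings):
    """Debug file, else the stdout file, else stdout, as the page describes."""
    return (settings.get("_EUV_SVC_DBG_FILENAME")
            or settings.get("_EUV_SVC_STDOUT_FILENAME") or "stdout")

def audit(settings):
    """Return a list of findings for a {name: value} settings dict."""
    findings = []
    for var, allowed in (("_EUV_SVC_MSG_LOGGING", MSG_LOGGING),
                         ("_EUV_SVC_MSG_LEVEL", MSG_LEVEL),
                         ("_EUV_SVC_DBG_MSG_LOGGING", {"0", "1"})):
        if var in settings and settings[var] not in allowed:
            findings.append(f"{var}: {settings[var]!r} is not a documented value")
    if settings.get("_EUV_SVC_DBG_MSG_LOGGING") == "1":
        findings.append("debug messages enabled, written to " + debug_destination(settings))
    if "_EUV_SVC_DBG" in settings:
        try:
            parse_svc_dbg(settings["_EUV_SVC_DBG"])
        except ValueError as exc:
            findings.append(str(exc))
    return findings

SAMPLE_SETTINGS = {  # constructed sample: trailing blank and a misspelled subcomponent
    "_EUV_SVC_MSG_LEVEL": "ERROR ",
    "_EUV_SVC_DBG_MSG_LOGGING": "1",
    "_EUV_SVC_STDOUT_FILENAME": "/tmp/nas.out",
    "_EUV_SVC_DBG": "*.1,KRB_CACHE.8",
}
```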
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconcept.htm" title="Network authentication service supports Kerberos protocols and Generic Security Service (GSS) APIs that provide user authentication in a network.">Concepts</a></div>
</div>
</div>
</body>
</html>