<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Network authentication service environment variables" />
<meta name="abstract" content="You can use environment variables with network authentication service to affect how Generic Security Services (GSS) APIs and the Kerberos protocol APIs perform." />
<meta name="description" content="You can use environment variables with network authentication service to affect how Generic Security Services (GSS) APIs and the Kerberos protocol APIs perform." />
<meta name="DC.Relation" scheme="URI" content="rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhenvvar" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Network authentication service environment variables</title>
</head>
<body id="rzakhenvvar"><a name="rzakhenvvar"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Network authentication service environment variables</h1>
<div><p>You can use environment variables with network authentication service to affect how Generic Security Services (GSS) APIs and the Kerberos protocol APIs perform.</p>
<div class="section"><p>You can use environment variables to change the configuration and to manage the network authentication service on your network. i5/OS™ supports multiple ways to work with environment variables.</p>
<div class="p"><strong>CL commands</strong><ul><li>ADDENVVAR</li>
<li>CHGENVVAR</li>
<li>RMVENVVAR</li>
<li>WRKENVVAR</li>
</ul>
For an example of setting environment variables with the ADDENVVAR CL command, see <a href="rzakhadvtapitracetool.htm#rzakhadvtapitracetool">API trace tool</a>. That set of environment variables lets you create a log file that traces each Kerberos and GSS API call. The API trace tool helps you troubleshoot more advanced problems involving your Kerberos-enabled applications, problems that can occur during network authentication service configuration, and problems that can occur during Kerberos ticket requests.</div>
<div class="p"><strong>C APIs</strong><ul><li>getenv()</li>
<li>putenv()</li>
</ul>
For descriptions and examples of these APIs, see the usage notes for the <a href="../apis/evgetenv.htm">getenv()</a> and <a href="../apis/evputenv.htm">putenv()</a> APIs.</div>
<div class="p"><strong>Qshell commands</strong><ul><li>export -s env_var_name=value</li>
</ul>
</div>
<div class="p">In addition, you can define an environment variable file (envar file) containing entries of the form <tt>environment_variable=value</tt>. Any variables defined through the Qshell environment or with the CL commands override the same variables in the envar file. The _EUV_ENVAR_FILE environment variable can be used to specify the location of the file containing these entries.
<dl><dt class="dlterm">_EUV_ENVAR_FILE</dt>
<dd><p>The name of the file that contains environment variable definitions. If this variable is not set, the default is to use the envar file located in the home directory (as specified by the _EUV_HOME or HOME environment variable).</p>
<p>Each line of the file consists of the variable name, followed by an equal sign (=), followed by the variable value, with no intervening blanks or other punctuation. The variable value consists of everything following the equal sign up to the end of the line (including any embedded and trailing blanks). Any line beginning with a pound sign (#) is treated as a comment line. You can continue a line by ending it with a backward slash (\). No trailing blanks can follow the backward slash. The variable name must begin in column 1 (no blanks before <tt>_EUV_</tt>).</p>
<p>Variables in the envar file are not set until the first time that a function in the security run time is invoked. Thus, the file is mainly useful for setting environment variables that will be used by functions within the security run time, although it can also be used to set environment variables that will be used by the application. In that case, the application should not rely on the environment variable values until after the security run time has been initialized. The user profile under which this program runs must have *X authority to each directory in the path preceding this file, and *R authority to this file.</p>
</dd>
<dt class="dlterm">_EUV_HOME and HOME</dt>
<dd>The security run-time home directory is set to the value of the _EUV_HOME environment variable. If this variable is not specified, the HOME variable is used to determine the security run-time home directory. If neither environment variable is set, the home directory configured in the user profile that is currently running is used. If that home directory does not exist, the current working directory is used. Limit public access to this directory to *EXCLUDE or *R.</dd>
<dt class="dlterm">_EUV_SEC_KRB5CCNAME_FILE</dt>
<dd>The name of the file used to locate the default Kerberos credentials cache. If this variable is not set, the default is to use the krb5ccname file located in the security run-time home directory. The running user profile must have *X authority to each directory in the path name preceding this file. If the file does not yet exist, the running user profile must have *WX authority to the parent directory that contains this file. The user must ensure that public access to the parent directory is limited, to prevent a malicious user from changing the credentials cache file that is used.</dd>
<dt class="dlterm">_EUV_SVC_MSG_LOGGING</dt>
<dd>The target where messages are logged. The following values are valid:
<dl><dt class="dlterm">NO_LOGGING</dt>
<dd>Suppress all messages. This is the default.</dd>
<dt class="dlterm">STDOUT_LOGGING</dt>
<dd>Write all messages (informational and error) to stdout, and also write error messages to stderr.</dd>
<dt class="dlterm">STDERR_LOGGING</dt>
<dd>Write informational messages to stdout and error messages to stderr.</dd>
</dl>
</dd>
<dt class="dlterm">_EUV_SVC_MSG_LEVEL</dt>
<dd>The message level used when logging messages. Messages that do not meet this criterion are suppressed. The default is to log all messages. The following values are valid:
<dl><dt class="dlterm">FATAL</dt>
<dd>Only unrecoverable messages are logged.</dd>
<dt class="dlterm">ERROR</dt>
<dd>Only unrecoverable and error messages are logged.</dd>
<dt class="dlterm">USER</dt>
<dd>Only unrecoverable, error, and user messages are logged.</dd>
<dt class="dlterm">WARNING</dt>
<dd>Only unrecoverable, error, user, and warning messages are logged.</dd>
<dt class="dlterm">NOTICE</dt>
<dd>Only unrecoverable, error, user, warning, and notice messages are logged.</dd>
<dt class="dlterm">VERBOSE</dt>
<dd>All messages are logged.</dd>
</dl>
</dd>
<dt class="dlterm">_EUV_SVC_STDOUT_FILENAME</dt>
<dd>The fully qualified name of the file to receive standard output messages. If this environment variable is not defined, messages are written to stdout. The currently running user profile must have *X authority to each directory in the path preceding this file and *WX authority to the parent directory that contains this file.</dd>
<dt class="dlterm">_EUV_SVC_STDERR_FILENAME</dt>
<dd>The fully qualified name of the file to receive standard error messages. If this environment variable is not defined, messages are written to stderr. The currently running user profile must have *X authority to each directory in the path preceding this file and *WX authority to the parent directory that contains this file.</dd>
<dt class="dlterm">_EUV_SVC_DBG_MSG_LOGGING</dt>
<dd>Whether debug messages are generated. The default is to suppress debug messages. Logging of debug messages should not be enabled unless requested by IBM<sup>®</sup> service, as it can severely affect performance. The following values are valid:
<ul><li>0 Suppress debug messages</li>
<li>1 Write debug messages</li>
</ul>
</dd>
<dt class="dlterm">_EUV_SVC_DBG</dt>
<dd><p>The subcomponents and levels for the debug messages. Debug messages for a particular subcomponent are not logged unless the subcomponent is included in the _EUV_SVC_DBG list and the debug message level is greater than or equal to the specified level. Use an asterisk (*) to specify all subcomponents.</p>
<div class="p">The subcomponent list consists of a subcomponent name and a debug level separated by a period. You can specify multiple subcomponents by separating the entries with commas. For example, _EUV_SVC_DBG=*.1,KRB_CCACHE.8 enables debug level 1 for all subcomponents and debug level 8 for the KRB_CCACHE subcomponent. You can specify the following subcomponents:
<ul><li>KRB_API</li>
<li>KRB_GENERAL</li>
<li>KRB_CCACHE</li>
<li>KRB_RCACHE</li>
<li>KRB_CRYPTO</li>
<li>KRB_GSSAPI</li>
<li>KRB_KEYTAB</li>
<li>KRB_LIB</li>
<li>KRB_ASN1</li>
<li>KRB_OS</li>
<li>KRB_KDC</li>
<li>KRB_KDB</li>
<li>KRB_KUT</li>
</ul>
</div>
</dd>
<dt class="dlterm">_EUV_SVC_DBG_FILENAME</dt>
<dd>The fully qualified name of the file to receive debug messages. If this environment variable is not defined, debug messages are written to the file specified by _EUV_SVC_STDOUT_FILENAME. If _EUV_SVC_STDOUT_FILENAME is not specified, debug messages are written to stdout. The currently running user profile must have *X authority to each directory in the path preceding this file and *WX authority to the parent directory that contains this file.</dd>
<dt class="dlterm">KRB5_CONFIG</dt>
<dd>One or more configuration file names separated by colons. The default configuration file is <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf</span>. The currently running user profile must have *X authority to each directory in the path preceding these configuration files and *R authority to the configuration files.</dd>
<dt class="dlterm">KRB5CCNAME</dt>
<dd>The default name for the credentials cache file, specified as type:name. The supported types are FILE and MEMORY. The default is to perform FILE-based credentials caching in the <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/creds</span> directory. If the default is used, no authority setup is needed. If a FILE-based credentials cache file is specified, the currently running user profile must have *X authority to each directory in the path. It must have *WX authority to the parent directory when the cache file is first created and *RW authority to the cache file. If the cache file is being deleted, it must have *OBJEXIST authority to the cache file.</dd>
<dt class="dlterm">KRB5_KTNAME</dt>
<dd>The default key table name. If not specified, the file specified by the default_keytab_name configuration entry in the configuration file is used. If the configuration entry is not specified, the default file is <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab</span>. The currently running user profile must have *X authority to each directory in the path. If the file is being created, it must also have *WX authority to the parent directory. If the file is being updated, it must have *RW authority to the file. Specific authorities needed are documented under the Qshell commands and the run-time APIs.</dd>
<dt class="dlterm">KRB5RCACHETYPE</dt>
<dd>The default replay cache type. It defaults to dfl.</dd>
<dt class="dlterm">KRB5RCACHENAME</dt>
<dd>The default replay cache name. If not specified, the Kerberos run time generates a name.</dd>
<dt class="dlterm">KRB5RCACHEDIR</dt>
<dd>The default replay cache directory. It defaults to <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/replay</span>.</dd>
</dl>
</div>
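<p>As an added example (not IBM's code), the following Python parses an envar file of the form described under _EUV_ENVAR_FILE and then applies the _EUV_SVC_DBG subcomponent rule as stated above. The file contents are constructed, and the helper names and the precedence of a named subcomponent over <tt>*</tt> are assumptions.</p>

```python
# Added example, not IBM code: parse an envar file using the rules from the
# _EUV_ENVAR_FILE text, then apply the _EUV_SVC_DBG filter it configures.

# Constructed envar file text: a '#' comment line, a '\' continuation, and a
# value whose trailing blanks are part of the value.
SAMPLE_ENVAR_FILE = (
    "# trace settings for a test job\n"
    "_EUV_SVC_MSG_LOGGING=STDERR_LOGGING\n"
    "_EUV_SVC_DBG_MSG_LOGGING=1\n"
    "_EUV_SVC_DBG=*.1,\\\n"
    "KRB_CCACHE.8\n"
    "_EUV_SVC_DBG_FILENAME=/tmp/krbtrace.log  \n"
)


def parse_envar_file(text):
    """Return {name: value}. A line ending in '\\' is joined with the next
    line, '#' lines are comments, and the value is everything after '='
    up to end of line, embedded and trailing blanks included."""
    env, pending = {}, ""
    for raw in text.split("\n"):
        if raw.endswith("\\"):          # continuation; no blanks may follow '\'
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name or " " in name:   # name and '=' are contiguous
            raise ValueError("malformed envar line: %r" % line)
        env[name] = value                # value keeps its trailing blanks
    return env


def parse_dbg_spec(spec):
    """'*.1,KRB_CCACHE.8' -> {'*': 1, 'KRB_CCACHE': 8}."""
    levels = {}
    for entry in spec.split(","):
        sub, _, lvl = entry.strip().rpartition(".")
        levels[sub] = int(lvl)
    return levels


def debug_enabled(levels, subcomponent, msg_level):
    """The rule as the text states it: the subcomponent (or '*') must be
    listed and the message level must be >= the configured level. A named
    entry taking precedence over '*' is an assumption."""
    threshold = levels.get(subcomponent, levels.get("*"))
    return threshold is not None and msg_level >= threshold
```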
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconcept.htm" title="Network authentication service supports Kerberos protocols and Generic Security Service (GSS) APIs that provide user authentication in a network.">Concepts</a></div>
</div>
</div>
</body>
</html>