Sybase and Kerberos
Creating a principal and corresponding keytab on the KDC
SSH into the KDC as the user with sufficient privileges to run kadmin.local
Run the Kerberos configuration CLI with kadmin.local
Add a new principal you want to authenticate as later with:
add_principal <>
We’re going to continue to use krbuser as our example Kerberos principal. Once you’ve created the principal and given it a password, generate a keytab for it with the following command:
ktadd -norandkey -k v5srvtab krbuser
In this case, v5srvtab is the keytab filename, and it will be placed into whatever directory you’ve invoked kadmin.local from. Presumably, this will be the home directory of the machine.
You now have everything you need done on the KDC, but you will need your keytab file later as well as the krb5.conf file that is located in the home directory of the KDC, so consider moving them somewhere (probably your local machine) that will be convenient for you to access later.
Configuring the Sybase image for Kerberos
Start up a Sybase database.
Note: Each Sybase database machine may have multiple Sybase instances running on it at a given point in time. In this case, I am configuring the ASE_1550_S5 instance, but these steps can be done on any instance so long as you change the $SYBASE_HOME directories accordingly.
Connect to the particular Sybase instance you are working on and invoke the following SQL statement:
sp_configure 'use security services', 1
Continue to create a user with the same name as the principal name you created previously on the KDC, in this case krbuser:
sp_addlogin krbuser, <password>
Change your $SYBASE environment variable to point to the Sybase directory for whichever instance you are configuring. In this case, we want to do:
export SYBASE=/opt/sybase/15-5
Open the $SYBASE/interfaces file, and find the header for whichever Sybase instance you are configuring. In our case, it is ASE_1550_S5. You should see something that looks like this:
ASE1550_S5
`master tcp ether 10.43.89.241 5500`
`master tcp ether localhost 5500`
`query tcp ether 10.43.89.241 5500`
`query tcp ether localhost 5500`
You want to add the following line to this:
secmech 1.3.6.1.4.1.897.4.6.6
This line is static, while the other lines in this section are dynamically generated for your instance. So, your final result should look something like this:
ASE1550_S5
master tcp ether 10.43.89.241 5500 < your numbers will vary
master tcp ether localhost 5500 < your numbers will vary
query tcp ether 10.43.89.241 5500 < your numbers will vary
query tcp ether localhost 5500 < your numbers will vary
secmech 1.3.6.1.4.1.897.4.6.6
Navigate to $SYBASE/OCS-15_0/config. You should see libtcl64.cfg and libtcl.cfg.
Change the contents of libtcl64.cfg to be this:
`[DIRECTORY]`
`;ldap=libsybdldap.so ldap://ldaphost/dc=sybase,dc=com`
`[SECURITY]`
`csfkrb5=libsybskrb64.so secbase=@bar.com libgss=/lib64/libgssapi_krb5.so.2.2`
`[FILTERS]`
`;ssl=libsybfssl.so`
Change the contents of libtcl.cfg to be this:
`[DIRECTORY]`
`;ldap=libsybdldap.so ldap://ldaphost/dc=sybase,dc=com`
`[SECURITY]`
`csfkrb5=libsybskrb.so secbase=@bar.com libgss=/lib64/libgssapi_krb5.so.2.2`
`[FILTERS]`
`;ssl=libsybfssl.so`
Note that the @bar.com value is our realm name that is determined by the KDC. Realistically, you should never have to deal with this, and it should never change, but if for some reason it does, that value needs to be updated.
Create a directory for those Kerberos config files you created on the KDC in the previous set of steps:
sudo mkdir /krb
Copy into /krb your keytab file v5srvtab and config file krb5.conf that you took off of the KDC earlier.
Head to $SYBASE/ASE-15_0/install and open the RUN_ASE1550_S5 file. We’re going to add information so that Sybase knows where to find our keytab and our krb5.conf file, so change the content to look like this:
#!/bin/sh
#
# ASE page size (KB) : 4096
# Master device path: /opt/sybase/devices/data5/S5_master.dat
# Error log path: /opt/sybase/errorlogs/ASE1550_S5.log
# Configuration file path: /opt/sybase/15-5/ASE-15_0/ASE1550_S5.cfg
# Directory for shared memory files: /opt/sybase/15-5/ASE-15_0
# Adaptive Server name: ASE1550_S5
#
export KRB5_KTNAME=/krb/v5srvtab
export KRB5_CONFIG=/krb/krb5.conf
/opt/sybase/15-5/ASE-15_0/bin/dataserver \
-kASE1550_S5@bar.com \
-d/opt/sybase/devices/data5/S5_master.dat \
-e/opt/sybase/errorlogs/ASE1550_S5.log \
-c/opt/sybase/15-5/ASE-15_0/ASE1550_S5.cfg \
-M/opt/sybase/15-5/ASE-15_0 \
-sASE1550_S5 \
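Before the restart, the settings from the steps above can be checked mechanically. The script below is an added example, not part of the original instructions: the function names are hypothetical, it assumes the usual interfaces layout (server name at column 0, entries indented beneath it), and the files it builds are constructed stand-ins for $SYBASE/interfaces, libtcl64.cfg and /krb/v5srvtab.

```shell
#!/bin/sh
# Added example: preflight checks for the Kerberos settings on this page.
SECMECH_OID='1.3.6.1.4.1.897.4.6.6'    # secmech value given in the steps above

# has_secmech FILE SERVER: true if SERVER's interfaces stanza (name at column
# 0, indented entries below it) contains the Kerberos secmech line.
has_secmech() {
    awk -v srv="$2" -v oid="$SECMECH_OID" '
        { c = substr($0, 1, 1) }
        NF && c != " " && c != "\t" && c != "#" { hit = ($1 == srv); next }
        hit && $1 == "secmech" && $2 == oid { found = 1 }
        END { exit !found }' "$1"
}

# krb_secbase FILE: print the secbase realm of the active (not ;-commented)
# csfkrb5 driver in the [SECURITY] section of libtcl.cfg; fail if absent.
krb_secbase() {
    awk '
        /^\[/ { sec = ($1 == "[SECURITY]"); next }
        sec && /^csfkrb5=/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^secbase=/) { print substr($i, 9); ok = 1 }
        }
        END { exit !ok }' "$1"
}

# keytab_private FILE: true only for a regular file with no group/other
# permission bits; a readable keytab lets any local user kinit -k with it.
keytab_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_samples DIR: constructed sample files mirroring the page's layout.
make_samples() {
    printf 'ASE1550_S5\n\tmaster tcp ether localhost 5500\n\tquery tcp ether localhost 5500\n\tsecmech %s\n\nOTHER\n\tquery tcp ether localhost 5600\n' "$SECMECH_OID" > "$1/interfaces"
    printf '[DIRECTORY]\n[SECURITY]\ncsfkrb5=libsybskrb64.so secbase=@bar.com libgss=/lib64/libgssapi_krb5.so.2.2\n[FILTERS]\n;ssl=libsybfssl.so\n' > "$1/libtcl64.cfg"
    : > "$1/v5srvtab"; chmod 644 "$1/v5srvtab"   # empty stand-in, deliberately too open
}

d=$(mktemp -d) && make_samples "$d"
has_secmech "$d/interfaces" ASE1550_S5 && echo "secmech: present"
echo "secbase: $(krb_secbase "$d/libtcl64.cfg")"
keytab_private "$d/v5srvtab" || echo "keytab: group/other access, chmod 600 it"
rm -rf "$d"
```

On a real host, point the three functions at $SYBASE/interfaces, the two libtcl files and /krb/v5srvtab; the keytab should be readable only by the account that runs dataserver.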
Reboot the Sybase instance you’re working on so that it reads in all of these configuration changes.
Connect to the Sybase instance as the dbo user so that you may give dbo privileges to your Kerberos authentication login on a particular database within the instance. Below is an example of doing so with the database potatoes:
>> sql5
1> use potatoes
2> go
1> sp_addalias instructions, dbo
2> go
Alias user added.
(return status = 0)
Now, to access the Sybase instance via Kerberos and confirm success, you can do the following set of commands (I put these three lines into a script called connect.sh for future convenience):
#!/bin/sh
kinit -k -t /krb/v5srvtab <>
export SYBASE='/opt/sybase/15-5'
/opt/sybase/15-5/OCS-15_0/bin/isql64 -V -SASE1550_S5
Testing by creating a Kerberos connector on the Delphix Engine
Start by configuring your engine for Kerberos. SSH into the engine as the Delphix user and run the following command:
/opt/delphix/server/bin/jmxtool tunable set enabled_features KERBEROS true
Log into the Delphix Engine and proceed through the first-time setup.
Once the first-time setup is complete, log into the Delphix Setup page and proceed to Preferences > Kerberos Configuration. Add the information for your KDC to configure it with the principal name you created earlier, krbuser. You can get the keytab by running the following command on your keytab file:
base64 v5srvtab
Copy the output as plaintext into the keytab field of the Kerberos configuration box.
Finally, create a Sybase connector with parameters that look like this, and if your “test connection” attempt succeeds you’re all set!

