CSP Gateway Configuration Guide - InterSystems Documentation
CSP Gateway and Security
UNIX®
Passwords are stored in CSP.ini as plain text. Access to the configuration file should be protected by setting the file owner to be the account from which the Gateway (or hosting web server) operates. The access mode should be set to 600.
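A check for the UNIX guidance above, as an added example that is not part of the InterSystems guide. The function names, the exit codes and the owner argument (an account name or a numeric UID) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not InterSystems code): audit CSP.ini against the UNIX guidance,
# i.e. owned by the Gateway (or web server) account and access mode 600.
# Function names, exit codes and arguments are assumptions of this example.

# Print "<octal mode> <uid> <owner name>" using GNU stat, else BSD stat.
csp_stat() {
    stat -c '%a %u %U' "$1" 2>/dev/null || stat -f '%Lp %u %Su' "$1" 2>/dev/null
}

# audit_csp_ini FILE OWNER   (OWNER is an account name or a numeric UID)
# Returns 0 if compliant, 1 if owner or mode is wrong, 2 if FILE cannot be inspected.
audit_csp_ini() {
    csp_file=$1
    csp_want=$2
    if [ ! -f "$csp_file" ]; then
        echo "ERROR: $csp_file is not a regular file" >&2
        return 2
    fi
    csp_info=$(csp_stat "$csp_file") || {
        echo "ERROR: cannot stat $csp_file" >&2
        return 2
    }
    # Split the three fields; this only replaces the function's own arguments.
    set -- $csp_info
    csp_mode=$1 csp_uid=$2 csp_owner=$3
    csp_rc=0
    if [ "$csp_mode" != "600" ]; then
        echo "FAIL: $csp_file has mode $csp_mode; fix with: chmod 600 $csp_file"
        csp_rc=1
    fi
    if [ "$csp_want" != "$csp_owner" ] && [ "$csp_want" != "$csp_uid" ]; then
        echo "FAIL: $csp_file is owned by $csp_owner (uid $csp_uid), expected $csp_want"
        csp_rc=1
    fi
    if [ "$csp_rc" -eq 0 ]; then
        echo "OK: $csp_file is owned by $csp_owner with mode 600"
    fi
    return "$csp_rc"
}

# Stand-alone use: sh audit_csp_ini.sh /path/to/CSP.ini gateway_account
if [ "$#" -eq 2 ]; then
    audit_csp_ini "$1" "$2"
fi
```

Because the file holds plain-text passwords, any mode other than 600 is reported as a failure, including modes that only add group read access.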
OpenVMS
Passwords are stored in CSP.ini as plain text. Access to the configuration file should be protected by setting the file owner to be the account from which the Gateway (or hosting web server) operates. The file protection should be set to: (s:rwed, o:rwed, g:, w:)
2.2.4 Kerberos-based Authentication and Data Protection
In Kerberos-based Authentication and Data Protection, three levels of authentication (and data protection) are provided through the Connection Security Level parameter.
1. Kerberos. This option provides initial authentication only for the connection.
2. Kerberos with Packet Integrity. This option provides initial authentication and guarantees data packet integrity.
3. Kerberos with Encryption. This is the highest level of security and provides initial authentication, guaranteed data packet integrity, and, finally, encryption for all transmitted messages.
2.2.4.1 Kerberos Library
To use any of the Kerberos-based modes, the Gateway must be able to load the InterSystems Kerberos client library:
• Windows DLL: cconnect.dll
• UNIX® Shared Object: cconnect.so
• OpenVMS Shareable Image: CCONNECT.EXE
Install the appropriate library in a location specified in the PATH environment variable for the Operating System or at one of the following locations relative to the Gateway installation.
• . (that is, local to the Gateway)
• ./bin
• ../bin
• ../../bin
The Gateway attempts to load the library at the time it is first required. If successful, the following status message is written to the Event Log:
CSP Gateway Initialization The CCONNECT library is loaded - Version: 5.3.0.175.0. (This library is used for the optional Kerberos-based security between the Gateway and Caché)
If the Gateway is unable to locate or link to the cconnect library, a suitable statement of failure and error message is written to the Event Log.
For Kerberized communications between the Gateway and Caché, the Gateway is the Kerberos client.
The procedure for configuring the Gateway to use Kerberos is in the following two sections, “Windows” and “UNIX and OpenVMS”.
Overriding the Library Path If You Use SSL
By default, the Gateway expects dependent security libraries (shared objects) to be installed in its home directory (that is, the directory with the Gateway binaries).