CSP Gateway Configuration Guide - InterSystems Documentation


CSP Gateway and Security

UNIX®

Passwords are stored in CSP.ini as plain text. Access to the configuration file should be protected by setting the file owner to be the account from which the Gateway (or hosting web server) operates. The access mode should be set to 600.
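
An added example (not from the InterSystems guide): a shell function that audits a CSP.ini against the UNIX recommendation above, owner equal to the Gateway account and access mode 600. The function name, its arguments and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit CSP.ini against the guide's UNIX recommendation
# (owner = Gateway or hosting web server account, access mode 600).
# check_csp_ini and its return codes are hypothetical names for this example.

# check_csp_ini FILE EXPECTED_OWNER
# Returns 0 when compliant, 1 when not, 2 when the file cannot be inspected.
check_csp_ini() {
    file=$1
    want_owner=$2
    rc=0

    # Refuse symlinks and non-regular files: the audit should be pointed
    # at the real file that holds the plain-text passwords.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "ERROR: $file is not a regular file" >&2
        return 2
    fi

    # GNU stat first, BSD/macOS stat as fallback.
    info=$(stat -c '%a %U' "$file" 2>/dev/null) ||
        info=$(stat -f '%Lp %Su' "$file" 2>/dev/null) || {
            echo "ERROR: cannot stat $file" >&2
            return 2
        }
    mode=${info%% *}
    owner=${info#* }

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi
    # Anything other than exactly 600 (group/world bits, setuid, ...) fails.
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file is owned by $owner with mode 600"
    return "$rc"
}

# Run as: sh check_csp_ini.sh /path/to/CSP.ini gateway_account
if [ "$#" -eq 2 ]; then check_csp_ini "$1" "$2"; fi
```

A non-zero exit makes the check usable from a configuration-management run or a scheduled job that alerts when the file's owner or mode drifts.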

OpenVMS

Passwords are stored in CSP.ini as plain text. Access to the configuration file should be protected by setting the file owner to be the account from which the Gateway (or hosting web server) operates. The file protection should be set to: (s:rwed, o:rwed, g:, w:)

2.2.4 Kerberos-based Authentication and Data Protection

In Kerberos-based Authentication and Data Protection, three levels of authentication (and data protection) are provided through the Connection Security Level parameter.

1. Kerberos. This option provides initial authentication only for the connection.

2. Kerberos with Packet Integrity. This option provides initial authentication and guarantees data packet integrity.

3. Kerberos with Encryption. This is the highest level of security and provides initial authentication, guaranteed data packet integrity, and, finally, encryption for all transmitted messages.

2.2.4.1 Kerberos Library

To use any of the Kerberos-based modes, the Gateway must be able to load the InterSystems Kerberos client library:

• Windows DLL: cconnect.dll

• UNIX® Shared Object: cconnect.so

• OpenVMS Shareable Image: CCONNECT.EXE

Install the appropriate library in a location specified in the PATH environment variable for the Operating System or at one of the following locations relative to the Gateway installation.

• . (that is, local to the Gateway)

• ./bin

• ../bin

• ../../bin

The Gateway attempts to load the library at the time it is first required. If successful, the following status message is written to the Event Log:

CSP Gateway Initialization The CCONNECT library is loaded - Version: 5.3.0.175.0. (This library is used for the optional Kerberos-based security between the Gateway and Caché)

If the Gateway is unable to locate or link to the cconnect library, a suitable statement of failure and error message is written to the Event Log.

For Kerberized communications between the Gateway and Caché, the Gateway is the Kerberos client.

The procedure for configuring the Gateway to use Kerberos is in the following two sections: “Windows” and “UNIX and OpenVMS”.

Overriding the Library Path If You Use SSL

By default, the Gateway expects dependent security libraries (shared objects) to be installed in its home directory (that is, the directory with the Gateway binaries).
