CSP Gateway Configuration Guide - InterSystems Documentation
<strong>CSP</strong> <strong>Gateway</strong> Operation and <strong>Configuration</strong><br />
• ../bin<br />
• ../../bin<br />
The <strong>Gateway</strong> attempts to load the library at the time it is first required. If successful, the following status message is written<br />
to the Event Log: <strong>CSP</strong> <strong>Gateway</strong> Initialization The CCONNECT library is loaded - Version: 5.3.0.175.0. (This library is<br />
used for the optional Kerberos-based security between the <strong>Gateway</strong> and Caché)<br />
If the <strong>Gateway</strong> is unable to locate or link to the cconnect library, a suitable statement of failure and error message is<br />
written to the Event Log.<br />
For Kerberized communications between the <strong>Gateway</strong> and Caché, the <strong>Gateway</strong> is the Kerberos client.<br />
The procedure for configuring the <strong>Gateway</strong> to use Kerberos is as follows.<br />
Windows<br />
Kerberos key tables are not implemented for Windows. Therefore, authentication uses network credentials that are either<br />
obtained when the hosting service starts in a named account or from the Trusted Computing Base (TCB) when the hosting<br />
service runs in the System Logon Session (that is, as LOCAL SYSTEM).<br />
Windows domain accounts use a permanent key derived from a password to acquire a Kerberos Ticket Granting Ticket<br />
(TGT) and service ticket for the local machine. The local machine must also have a permanent Kerberos key, shared with<br />
the Key Distribution Centre (KDC) component of the domain controller. That key can be used to acquire a TGT and service<br />
ticket to authenticate to another Kerberos principal such as Caché.<br />
For practical purposes, the <strong>Gateway</strong>, operating within the context of a Windows-based Web server, operates through<br />
either the Network Service logon session or the System logon session. The account used must have Log on as a batch<br />
job rights assigned.<br />
The built-in Network Service logon session has access to the machine's credentials and is designed for services that need<br />
network credentials to authenticate to other machines. However, the Network Service logon session is not always present.<br />
The System logon session can also be used for the purpose of authenticating the <strong>Gateway</strong> to Caché.<br />
For IIS installations, and ISAPI extensions in particular, using the Network Service logon session is the preferred means<br />
through which both databases (local and remote) and remote computers should be accessed.<br />
<strong>Gateway</strong> <strong>Configuration</strong><br />
Set the Service Principal Name to that of the target Caché server that the <strong>Gateway</strong> is connecting to. Leave the User<br />
Name, Password, and Key Table fields empty.<br />
The client principal name (or client username) is that of the <strong>Gateway</strong> host. This is the Kerberos name representing the<br />
<strong>Gateway</strong> host's network service session:<br />
$<br />
Assign this principal the necessary privileges in the Caché server to allow the <strong>Gateway</strong>’s service to operate.<br />
UNIX® and OpenVMS<br />
These operating systems support Kerberos key tables. The <strong>Gateway</strong> configuration is conceptually more straightforward<br />
for these systems.<br />
<strong>Gateway</strong> <strong>Configuration</strong><br />
Set the Service Principal Name to that of the target Caché server that the <strong>Gateway</strong> is connecting to.<br />
Enter the name of the key table file (including the full path) in the Key Table field.<br />
Set the User Name field to the name of the appropriate key in the key table file.<br />
Leave the Password field empty.<br />
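A pre-flight check for the UNIX key table settings above, as an added example that is not part of the InterSystems documentation: it confirms that the key named in the User Name field is present in the key table and that the file grants no access to group or other. It assumes MIT Kerberos klist is on the PATH; the restrictive file mode is an added recommendation, and the principal name and sample listing are constructed.

```shell
#!/bin/sh
# Added example: checks to run before filling in the Key Table and User Name fields.

# Constructed sample of `klist -k` output, used to exercise the parser offline.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 cspgateway/web01.example.com@EXAMPLE.COM'

# Succeeds if principal $1 appears in `klist -k` output read from stdin.
# Entry lines start with a numeric KVNO; header and separator lines do not.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { found = 1 } END { exit !found }'
}

# Succeeds if file $1 exists and its mode grants nothing to group or other.
# A key table holds long-term keys, so only the Web server account should read it.
keytab_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Runs both checks against a real key table file.
#   $1 = full path entered in the Key Table field
#   $2 = key name entered in the User Name field
check_gateway_keytab() {
    keytab=$1
    principal=$2
    if ! keytab_private "$keytab"; then
        echo "FAIL: $keytab is missing or accessible to group/other"
        return 1
    fi
    if ! klist -k "$keytab" | keytab_has_principal "$principal"; then
        echo "FAIL: $principal is not a key in $keytab"
        return 1
    fi
    echo "OK: $principal found in $keytab"
}

# Run the checks only when the script is given a key table path and a key name.
if [ "$#" -eq 2 ]; then
    check_gateway_keytab "$1" "$2"
fi
```

Run it as the account that hosts the Web server, so that a read failure on the key table shows up here rather than as a Gateway connection error.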