SKDC_CONSOLE_LEVEL |
Specifies the message level for console logging.
Kerberos security server messages will be logged on the system console
if the message severity is greater than or equal to the specified
severity level. The valid severity levels are I, W, E and A. The default
is E if this environment variable is not defined. |
SKDC_CREDS_SIZE |
Specifies the credentials data space size in kilobytes,
with a minimum value of 1024, a maximum value of 2097148, and a default
value of 20480. The Kerberos security server stores cross-memory
credentials in this data space. |
SKDC_DATABASE |
Specifies the type of registry database used
by the security server:
- SAF - Indicates the security registry is maintained in the system
security database available through the System Authorization Facility
(SAF). The database is administered using commands provided by the
external security manager. The external security manager is responsible
for propagating any database changes to other systems in the realm
where an instance of the KDC is running. Kerberos database propagation
is not used with the SAF database.
- NDBM - Indicates the security registry is maintained in HFS files
located in the /var/skrb/krb5kdc directory.
The database is administered using Kerberos administration commands.
The KDC is responsible for propagating any database changes to other
systems in the realm where an instance of the KDC is running.
|
SKDC_KADMIN_PORT |
Specifies the administration service port number.
If this environment variable is not defined, the administration service
port is obtained from the kerberos-adm entry
in the TCP/IP services file. If this entry is not defined, the administration
service port defaults to 749. The administration service uses just
the TCP protocol.
|
SKDC_KPASSWD_PORT |
Specifies the password change service port number.
If this environment variable is not defined, the password change
service port is obtained from the kpasswd entry
in the TCP/IP services file. If this entry is not defined, the password
change service port defaults to 464. The password change service
uses both the UDP and TCP protocols.
|
SKDC_KPROP_INTERVAL |
Specifies the database propagation interval in
minutes and defaults to 15. The security server sends the current
registry database to each secondary security server that is using
the full replacement protocol. This propagation occurs at the end
of each propagation interval. No propagation is done if the database
has not been changed since the last propagation. Secondary security
servers that are using the update protocol receive database updates
immediately and do not wait for the end of a propagation interval. |
SKDC_KPROP_PORT |
Specifies the database propagation port number.
If this environment variable is not defined, the database propagation
port is obtained from the krb5_prop entry
in the TCP/IP services file. If this entry is not defined, the database
propagation service port defaults to 754. Database propagation uses
just the TCP protocol. |
SKDC_LOCAL_THREADS |
Specifies the number of threads to be used for
local requests that use the S/390® Program
Call instruction to communicate with the security server. The default
value is 10 and the minimum value is 2. |
SKDC_LOGIN_AUDIT |
Specifies the desired auditing level for login
attempts (that is, granting a Kerberos initial ticket). The allowed
values are:
- NONE = no auditing is done
- FAILURE = only login attempts that fail due to an invalid password
are audited
- ALL = both success and failure login attempts are audited.
The audit level is set to FAILURE if the SKDC_LOGIN_AUDIT environment
variable is not specified or is set to an incorrect value. SMF type
80 records with event code 68 are written for an audit event. See z/OS Security Server RACF Macros and Interfaces for
more information about the format of the SMF records. |
SKDC_NETWORK_POLL |
Specifies the network interface poll interval in
minutes and defaults to 5. The security server queries the network
configuration at the end of each poll interval to detect new network
interfaces or the activation of a failed network interface. |
SKDC_NETWORK_THREADS |
Specifies the number of threads to be used for
remote requests that use TCP/IP to communicate with the security server.
The default value is 10 and the minimum value is 2. |
SKDC_PORT |
Specifies the KDC port number. If this environment
variable is not defined, the KDC port is obtained from the kerberos entry in the TCP/IP services file. If
this entry is not defined, the KDC port defaults to 88. The KDC uses
both the UDP and the TCP protocols.
|
SKDC_TKT_ENCTYPES |
Specifies the encryption types to be used for
ticket-granting tickets and for service tickets. This is a list of
one or more encryption types separated by commas, specified from most-preferred
to least-preferred. When generating a ticket, the KDC selects the
first entry in the list that is available for the server specified
in the ticket. The KDC uses des-cbc-crc if
this environment variable is not defined.
Refer to Security runtime configuration profile for a list of available encryption types.
The encryption types specified by the SKDC_TKT_ENCTYPES environment variable
are also used by the Kerberos administration server when it generates
new keys for a principal and no encryption types are specified by
the administration request.
|
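The following is an added example, not part of the original documentation or of any IBM tooling: a review script that checks a set of SKDC_* settings against the defaults, limits and allowed values listed in the table above. The NAME=value file format, the exact-case matching, the function names and the sample settings are assumptions made for illustration; the check for single-DES names flags types such as des-cbc-crc, which is also what the KDC uses when SKDC_TKT_ENCTYPES is undefined.

```python
LIMITS = {  # name: (default, minimum, maximum) as documented in the table
    "SKDC_CREDS_SIZE": (20480, 1024, 2097148),
    "SKDC_LOCAL_THREADS": (10, 2, None),
    "SKDC_NETWORK_THREADS": (10, 2, None),
}
CHOICES = {  # name: (default, allowed values); no default is documented for SKDC_DATABASE
    "SKDC_CONSOLE_LEVEL": ("E", {"I", "W", "E", "A"}),
    "SKDC_LOGIN_AUDIT": ("FAILURE", {"NONE", "FAILURE", "ALL"}),
    "SKDC_DATABASE": (None, {"SAF", "NDBM"}),
}

def parse_envar(text):
    """Parse NAME=value lines (assumed file format); skip blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def audit(env):
    """Return (variable, finding) pairs for settings a reviewer should look at."""
    out = []
    for name, (default, lo, hi) in LIMITS.items():
        raw = env.get(name, str(default))
        if not raw.isdigit() or int(raw) < lo or (hi is not None and int(raw) > hi):
            out.append((name, f"{raw!r} is outside the documented range"))
    for name, (default, allowed) in CHOICES.items():
        raw = env.get(name, default)
        if raw is not None and raw not in allowed:  # exact-case match is an assumption
            out.append((name, f"{raw!r} is not one of {sorted(allowed)}"))
    if env.get("SKDC_LOGIN_AUDIT") == "NONE":
        out.append(("SKDC_LOGIN_AUDIT", "login attempts are not audited"))
    enctypes = env.get("SKDC_TKT_ENCTYPES")
    if enctypes is None:
        out.append(("SKDC_TKT_ENCTYPES", "undefined, so the KDC uses des-cbc-crc"))
    else:
        for etype in (e.strip() for e in enctypes.split(",")):
            if etype.startswith("des-"):  # single-DES names such as des-cbc-crc
                out.append(("SKDC_TKT_ENCTYPES", f"single-DES type {etype} is listed"))
    return out

SAMPLE = """\
# constructed sample, not taken from a real system
SKDC_DATABASE=SAF
SKDC_LOGIN_AUDIT=VERBOSE
SKDC_CREDS_SIZE=512
SKDC_NETWORK_THREADS=1
"""

if __name__ == "__main__":
    for name, finding in audit(parse_envar(SAMPLE)):
        print(f"{name}: {finding}")
```

An incorrect SKDC_LOGIN_AUDIT value such as the one in the sample is reported as a finding even though the server then audits at the FAILURE level, because the configured intent and the effective behavior differ.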