z/OS Integrated Security Services Network Authentication Service Administration


Security server environment variables

SC23-6786-00

The following environment variables are supported for the SKRBKDC started task. These variables are specified in /etc/skrb/home/kdc/envar.
Table 1. Environment variables for security server
SKDC_CONSOLE_LEVEL

Specifies the message level for console logging. Kerberos security server messages are logged on the system console if the message severity is greater than or equal to the specified severity level. The valid severity levels are I, W, E and A. The default is E if this environment variable is not defined.

SKDC_CREDS_SIZE

Specifies the credentials data space size in kilobytes, with a minimum value of 1024, a maximum value of 2097148, and a default value of 20480. The Kerberos security server stores cross-memory credentials in this data space.

SKDC_DATABASE

Specifies the type of registry database used by the security server:
  • SAF - Indicates the security registry is maintained in the system security database available through the System Authorization Facility (SAF). The database is administered using commands provided by the external security manager. The external security manager is responsible for propagating any database changes to other systems in the realm where an instance of the KDC is running. Kerberos database propagation is not used with the SAF database.
  • NDBM - Indicates the security registry is maintained in HFS files located in the /var/skrb/krb5kdc directory. The database is administered using Kerberos administration commands. The KDC is responsible for propagating any database changes to other systems in the realm where an instance of the KDC is running.

SKDC_KADMIN_PORT

Specifies the administration service port number. If this environment variable is not defined, the administration service port is obtained from the kerberos-adm entry in the TCP/IP services file. If this entry is not defined, the administration service port defaults to 749. The administration service uses only the TCP protocol.

SKDC_KPASSWD_PORT

Specifies the password change service port number. If this environment variable is not defined, the password change service port is obtained from the kpasswd entry in the TCP/IP services file. If this entry is not defined, the password change service port defaults to 464. The password change service uses both the UDP and TCP protocols.

SKDC_KPROP_INTERVAL

Specifies the database propagation interval in minutes and defaults to 15. The security server sends the current registry database to each secondary security server that is using the full replacement protocol. This propagation occurs at the end of each propagation interval. No propagation is done if the database has not been changed since the last propagation. Secondary security servers that are using the update protocol receive database updates immediately and do not wait for the end of a propagation interval.

SKDC_KPROP_PORT

Specifies the database propagation port number. If this environment variable is not defined, the database propagation port is obtained from the krb5_prop entry in the TCP/IP services file. If this entry is not defined, the database propagation service port defaults to 754. Database propagation uses only the TCP protocol.

SKDC_LOCAL_THREADS

Specifies the number of threads to be used for local requests that use the S/390® Program Call instruction to communicate with the security server. The default value is 10 and the minimum value is 2.

SKDC_LOGIN_AUDIT

Specifies the desired auditing level for login attempts (that is, granting a Kerberos initial ticket). The allowed values are:
  • NONE = no auditing is done
  • FAILURE = only login attempts that fail due to an invalid password are audited
  • ALL = both successful and failed login attempts are audited
The audit level is set to FAILURE if the SKDC_LOGIN_AUDIT environment variable is not specified or is set to an incorrect value. SMF type 80 records with event code 68 are written for an audit event. See z/OS Security Server RACF Macros and Interfaces for more information about the format of the SMF records.

SKDC_NETWORK_POLL

Specifies the network interface poll interval in minutes and defaults to 5. The security server queries the network configuration at the end of each poll interval to detect new network interfaces or the activation of a failed network interface.

SKDC_NETWORK_THREADS

Specifies the number of threads to be used for remote requests that use TCP/IP to communicate with the security server. The default value is 10 and the minimum value is 2.

SKDC_PORT

Specifies the KDC port number. If this environment variable is not defined, the KDC port is obtained from the kerberos entry in the TCP/IP services file. If this entry is not defined, the KDC port defaults to 88. The KDC uses both the UDP and the TCP protocols.

SKDC_TKT_ENCTYPES

Specifies the encryption types to be used for ticket-granting tickets and for service tickets. This is a list of one or more encryption types separated by commas, specified from most-preferred to least-preferred. When generating a ticket, the KDC selects the first entry in the list that is available for the server specified in the ticket. The KDC uses des-cbc-crc if this environment variable is not defined.

Refer to Security runtime configuration profile for a list of available encryption types.

The encryption types specified by the SKDC_TKT_ENCTYPES environment variable are also used by the Kerberos administration server when it generates new keys for a principal and no encryption types are specified by the administration request.
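As an added example (not IBM code and not part of this manual), the POSIX shell script below lints an SKRBKDC envar file against the limits in Table 1 before the started task is restarted: numeric minimums and maximums, the allowed keyword values, and two settings that are legal but weaken the server's posture (SKDC_LOGIN_AUDIT=NONE, which suppresses the SMF type 80 login audit records, and an unset SKDC_TKT_ENCTYPES, which leaves tickets on the des-cbc-crc default). It assumes the envar file holds one NAME=VALUE pair per line, that port values must fall in 1..65535 (a range the manual does not state), and that the AES encryption type names in the constructed hardened sample appear in the installation's security runtime configuration profile. Both sample files are constructed for the example.

```shell
#!/bin/sh
# Lint an SKRBKDC envar file (/etc/skrb/home/kdc/envar) against the limits in
# Table 1. Added example, not IBM code. Assumes one NAME=VALUE per line.

# Print the value of variable $2 from file $1; last definition wins, empty if unset.
envar_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# True when $1 is a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Report when numeric variable $2 in file $1 is outside $3..$4 ($4 empty: no maximum).
check_range() {
  val=$(envar_get "$1" "$2")
  if [ -z "$val" ]; then return 0; fi      # unset: the documented default applies
  if ! is_uint "$val"; then
    echo "$2=$val is not a number"
    return 0
  fi
  if [ "$val" -lt "$3" ]; then
    echo "$2=$val is below the minimum of $3"
  elif [ -n "$4" ] && [ "$val" -gt "$4" ]; then
    echo "$2=$val is above the maximum of $4"
  fi
  return 0
}

# Report when variable $2 in file $1 is set to a value outside the list $3.
check_enum() {
  val=$(envar_get "$1" "$2")
  if [ -z "$val" ]; then return 0; fi
  for allowed in $3; do
    if [ "$val" = "$allowed" ]; then return 0; fi
  done
  echo "$2=$val is not one of: $3"
  return 0
}

# Print one line per finding for envar file $1. Numeric limits are those of
# Table 1; the 1..65535 port range is an assumption (the manual states no range).
check_envar() {
  check_enum  "$1" SKDC_CONSOLE_LEVEL   "I W E A"
  check_range "$1" SKDC_CREDS_SIZE      1024 2097148
  check_enum  "$1" SKDC_DATABASE        "SAF NDBM"
  check_range "$1" SKDC_KADMIN_PORT     1 65535
  check_range "$1" SKDC_KPASSWD_PORT    1 65535
  check_range "$1" SKDC_KPROP_PORT      1 65535
  check_range "$1" SKDC_PORT            1 65535
  check_range "$1" SKDC_LOCAL_THREADS   2 ""
  check_range "$1" SKDC_NETWORK_THREADS 2 ""
  check_enum  "$1" SKDC_LOGIN_AUDIT     "NONE FAILURE ALL"
  # Two settings that are legal but weaken the server's security posture.
  if [ "$(envar_get "$1" SKDC_LOGIN_AUDIT)" = NONE ]; then
    echo "SKDC_LOGIN_AUDIT=NONE: login attempts are not audited (no SMF type 80 records)"
  fi
  if [ -z "$(envar_get "$1" SKDC_TKT_ENCTYPES)" ]; then
    echo "SKDC_TKT_ENCTYPES unset: tickets default to des-cbc-crc (single DES)"
  fi
  return 0
}

# Number of findings for envar file $1.
count_findings() {
  check_envar "$1" | awk 'END { print NR }'
}

# Constructed sample with two limit violations and two weak settings.
make_sample_weak() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
SKDC_CONSOLE_LEVEL=W
SKDC_CREDS_SIZE=512
SKDC_DATABASE=SAF
SKDC_LOGIN_AUDIT=NONE
SKDC_LOCAL_THREADS=1
SKDC_NETWORK_THREADS=8
SKDC_PORT=88
EOF
  echo "$tmp"
}

# Constructed sample that passes every check. The AES type names are assumed to
# be among those listed in the security runtime configuration profile.
make_sample_hardened() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
SKDC_CONSOLE_LEVEL=W
SKDC_CREDS_SIZE=20480
SKDC_DATABASE=SAF
SKDC_LOGIN_AUDIT=ALL
SKDC_LOCAL_THREADS=10
SKDC_NETWORK_THREADS=10
SKDC_PORT=88
SKDC_TKT_ENCTYPES=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
EOF
  echo "$tmp"
}

weak=$(make_sample_weak)
echo "Findings in the constructed weak file:"
check_envar "$weak"
rm -f "$weak"
```

Run it against the real file with `check_envar /etc/skrb/home/kdc/envar`; an empty result means every set variable is within its documented limits and neither weak setting is present. Variables that are unset produce no finding because the server applies the documented default, except SKDC_TKT_ENCTYPES, whose default is the point of the finding.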

Copyright IBM Corporation 1990, 2014