IBM Books

Administration Guide


Relationship to the SP security services

The SP system administrator chooses the level of security services to use on the control workstation and nodes in each SP system partition and on individual workstations. The options are typically set during installation and configuration or during migration and configuration, based on the security policy of your organization. An authorized administrator can change which of the installed and configured authentication methods are enabled within an SP system partition at any time.

Sysctl uses the SP security services. The security characteristics of the Sysctl facility depend on the way security services are configured within the SP system partition in which Sysctl is operating at the time. If an authentication method is used, it is provided either by the DCE security services, or by the SP implementation of Kerberos V4.

The SP security services determine which authentication method is applicable from the security configuration information on the client and server hosts and from the way users obtain credentials. A security administrator creates principals for users and establishes the procedures for obtaining credentials: either automatically at AIX login or by an explicit command.

Sysctl allows any client request to be submitted with or without authentication. Whether access is granted is a matter for the authorization policy established on your SP system and enforced by the SP security services.

Authenticated users can be DCE principals or Kerberos V4 principals. Authenticated users need to identify themselves to the authentication service. With DCE, this generally happens automatically when the user logs in to AIX. If the integrated DCE and AIX login feature is not used on your SP system, you must use the dce_login command before using Sysctl facilities that require an authenticated identity.

On hosts that use Kerberos V4 when the compatibility authentication method is active, users can obtain credentials at AIX login, but only by entering their Kerberos V4 password separately after the AIX password prompt. Users who do not already have Kerberos V4 credentials must issue the k4init command before using Sysctl facilities.

See Chapter 2, "Security features of the SP system," for more information on security services.

