Diagnosis Guide

Related documentation

The following publications provide information about SP Security Services.

• PSSP: Planning Volume 2

  This book describes configuration decisions that are made when setting up the SP Security Services on your system. You should be familiar with these choices and the resulting requirements. These requirements are for users of the system to be authenticated by logging into DCE or Kerberos V4, and for proper authorizations to allow appropriate access to system software components.

• PSSP: Installation and Migration Guide

  Several tasks that are performed when installing a new SP system or migrating from a prior release of PSSP determine the security capabilities of the software components. The understanding of, and correct performance of, these tasks are important for avoiding security-related problems when using SP system management facilities or network applications.

• PSSP: Administration Guide

  An important difference between this PSSP release and prior releases is the separation between roles of AIX super-user and system security administrator. When using DCE for security, the PSSP security infrastructure separates tasks that must be performed by the root user from those that must be performed by a DCE cell administrator. One side effect is that DCE has a larger number of discrete tasks to be performed for setup and administration, than Kerberos V4.

• PSSP: Messages Reference

  These chapters contain messages related to SP Security Services:

  • 2502 - Authentication Messages
  • 2503 - Kerberos Messages
  • 2504 - Kerberos Messages
  • 2545 - Authentication Installation and Configuration Messages
• PSSP: Command and Technical Reference

  Refer to the entries for the following commands and files for security considerations and restrictions on their use:

  1. Common PSSP security configuration
     • chauthpar
     • chauthpts
     • chauthts
     • get_keyfiles
     • kfserver
     • lsauthpar
     • lsauthpts
     • lsauthts
     • SDRSetTsAuth
     • setup_CWS
     • spauthconfig
     • spseccfg
     • spsetauth
  2. PSSP security configuration for DCE
     • config_spsec
     • create_dcehostname
     • create_keyfiles
     • setupdce
     • spsec_overrides
  3. PSSP security administration for DCE
     • hmdceobj
     • spacl
     • spnkeymand
  4. PSSP security use for DCE
     • dsrvtgt
     • spgrpname
     • sptgtprin
  5. PSSP security configuration for Kerberos V4
     • add_principal
     • create_krb_files
     • kstash
     • setup_authent
  6. PSSP security administration for Kerberos V4
     • chkp
     • ext_srvtab
     • hmacls
     • kadmin
     • kadmind
     • kdb_destroy
     • kdb_edit
     • kdb_init
     • kdb_util
     • kerberos
     • kprop
     • kpropd
     • krb.conf
     • krb.realms
     • ksrvutil
     • lskp
     • mkkp
     • rmkp
     • sysctl.acl
  7. PSSP security use for Kerberos V4
     • k4destroy
     • k4init
     • k4list
     • kpasswd
     • ksrvtgt
     • rcmdtgt
• IBM DCE for AIX, Version 3.1: Administration Commands Reference

  Refer to entries for the following commands. This is the list of commands other than dcecp:

  1. For installation and configuration:
     • config.dce
     • unconfig.dce
     • kerberos.dce -type local
  2. For general DCE status: show.cfg
  3. For starting and stopping DCE:
     1. start.dce
     2. stop.dce
  4. For obtaining DCE credentials (for use with other DCE commands and with AIX secure remote commands):
     • dce_login -f
     • kinit -f
  5. For displaying the state of DCE credentials: klist -f
  6. For destroying DCE credentials: kdestroy

  These are all dcecp -c commands:

  • dcecp -c cell show
  • dcecp -c group catalog
  • dcecp -c group show -all
  • dcecp -c group list
  • dcecp -c group add
  • dcecp -c group remove
  • dcecp -c org catalog
  • dcecp -c org show -all
  • dcecp -c org list
  • dcecp -c org add
  • dcecp -c acl show
  • dcecp -c acl perm
  • dcecp -c acl modify
  • dcecp -c keytab show
  • dcecp -c keytab list
  • dcecp -c keytab catalog
  • dcecp -c keytab add
  • dcecp -c keytab remove
  • dcecp -c principal catalog
  • dcecp -c principal show -all
  • dcecp -c principal list
  • dcecp -c account catalog
  • dcecp -c account show -all
  • dcecp -c account list
  • dcecp -c registry catalog -master
  • dcecp -c registry show -policies
  • dcecp -c secval status
  • dcecp -c secval ping
• IBM DCE for AIX, Version 3.1: Administration Guide - Introduction
• IBM DCE for AIX, Version 3.1: Administration Guide - Core Components
• IBM DCE for AIX, Version 3.1: DFS Administration Guide and Reference
• IBM DCE for AIX, Version 3.1: Application Development Guide - Introduction and Style Guide
• IBM DCE for AIX, Version 3.1: Application Development Guide - Core Components
• IBM DCE for AIX, Version 3.1: Application Development Guide - Directory Services
• IBM DCE for AIX, Version 3.1: Application Development Reference
• IBM DCE for AIX, Version 3.1: Problem Determination Guide

  The following sections can help in diagnosing problems encountered when using DCE for SP security:

  • Message and Message ID Structure
  • File Systems Used by DCE
  • Keytab Files
  • Log Files on AIX
  • Checking the Security Servers
  • Checking User Accounts
  • Checking Access Permissions
  • Using DCE Debug and Trace Options
  • Common Problems and Their Resolution
  • Mapping DCE Daemon Core File Locations
• IBM DCE for AIX, Version 3.1: Release Notes