Diagnosis Guide

Requisite function

This is a list of the software and operating system resources directly used by the SP Security Services component of PSSP. Problems within the requisite software or resources may manifest themselves as error symptoms in SP Security Services. If you perform all the diagnostic routines and error responses listed in this chapter, and still have problems with SP Security Services, you should consider the following components as possible sources of the error. They are listed with the most likely candidate first, least likely candidate last.

Distributed Computing Environment (DCE) Version 3.1 for AIX

DCE Restriction
If you have DCE authentication enabled, you cannot run HACWS.

Note:: The DCE daemons will be affected if the /var file system becomes full. This will prevent users from logging into DCE. Refer to IBM DCE for AIX manuals for more information.

PSSP security services provides the option to use DCE to enhance the security of SP client/server programs known as SP trusted services, and of the AIX remote commands. This option is supported with DCE Version 3.1 or higher. If you choose to use this option, diagnostic information in messages and logs will be a combination of PSSP information and DCE information.

The various PSSP commands that you use to configure the system to use DCE for authentication and authorization invoke DCE commands that are described in the DCE product publications. Errors reported by those commands are logged with PSSP information in the log file described in Log files. SP trusted services receive error status from the security services library subroutines, which may contain DCE and DCE GSSAPI error codes. Messages and log entries created by the various services will contain message text obtained from DCE library subroutines.

If an error reported by DCE cannot be attributed to a readily corrected user problem, such as failure to login or failure to start DCE servers, consult the appropriate DCE publications.

System Data Repository (SDR)

Note:: If you have migrated to PSSP 3.2 from a level of PSSP earlier than 3.1, there are extra security steps which are required. If these steps are omitted, the information in the SDR may be incorrect. See Action 6 - Reset authentication values.

The security configuration settings for each system partition are maintained in the Syspar object in the SDR. That information is set by various configuration commands. It is used by security administration commands, scripts that perform SP node initialization, and the security services runtime library, used by various SP trusted services.

For Kerberos V4 security, information is kept in the SP object about the type of Kerberos V4 authentication server that is being used. Also, the management of Kerberos V4 service principals used on SP nodes is dependent on node name and adapter information in the Node and Adapter objects.

The SDR contains information specific to each security setup. Common information includes:

in the Syspar object for each system partition:
- auth_install
- auth_methods
- auth_root_rcmd
- ts_auth_methods

For DCE, this includes:

in the SP object
- sec_master
- cds_server
- cell_name
- cw_dcehostname
in the Node object
- dcehostname

For Kerberos V4, this includes, in the SP object:

authent_server

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]