Using and Administering

Handling DCE Security Credentials

You can write a pair of programs to override the default LoadLeveler DCE authentication method. To enable the programs, use the following keyword in your configuration file:

DCE_AUTHENTICATION_PAIR = program1, program2: Where program1 and program2 are LoadLeveler or installation supplied programs that are used to authenticate DCE security credentials. program1 obtains a handle (an opaque credentials object), at the time the job is submitted, which is used to authenticate to DCE. program2 is the path name of a LoadLeveler or an installation supplied program that uses the handle obtained by program1 to authenticate to DCE before starting the job on the executing machine(s).

An example of a credentials object is a character string containing the DCE principle name and a password. program1 writes the following to standard output:

The length of the handle to follow
The handle

If program1 encounters errors, it writes error messages to standard error.

program2 receives the following as standard input:

The length of the handle to follow
The same handle written by program1

program2 writes the following to standard output:

The length of the login context to follow
An exportable DCE login context, which is the idl_byte array produced from the sec_login_export_context DCE API call. For more information, see the DCE Security Services API chapter in the Distributed Computing Environment for AIX Application Development Reference.
A character string suitable for assigning to the KRB5CCNAME environment variable This string represents the location of the credentials cache established in order for program2 to export the DCE login context.

If program2 encounters errors, it writes error messages to standard error. The parent process, the LoadLeveler starter process, writes those messages to the starter log.

Usage Notes

If you are using DCE on AIX 4.3, you need the proper DCE credentials for the existing authentication method in order to run a command or function that uses rshell (rsh). Otherwise, the rshell command may fail. You can use the lsauthent command to determine the authentication method. If lsauthent indicates that DCE authentication is in use, you must log in to DCE wth the dce_login command to obtain the proper credentials.

LoadLeveler commands that run rshell include llctl version and llctl start.

For examples of programs that enable DCE security credentials, see the /samples/lldce subdirectory in the release directory.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]