UNIX Remote Host Validation
Description
On UNIX, remote connections to BBjServices are validated either by /etc/hosts.equiv or by the .rhosts file.
Using the /etc/hosts.equiv file, the system administrator can configure global settings for the machines that will be trusted by the BBjServices machine. If a machine should be globally trusted so that users on that machine are allowed to use BBjServices as the same account on the BBjServices machine, then add the line "+<machine>" to the /etc/hosts.equiv file. After adding this line, no .rhosts manipulation is necessary.
NOTE: BBj DS services performed a DNS lookup on every entry in the .rhosts and /etc/hosts.equiv files. Depending on system configuration, the DNS lookups can take an excessive amount of time, causing the connection attempt to time out with either a !ERROR=72 or a !ERROR=12 (depending on whether the client or server timed out first).
In order for remote users to connect using .rhosts, follow the steps listed below:
STEP 1) If BBjServices will be running as root, ensure that every remote user has an account on the machine.
STEP 2) If BBjServices will be running as root, modify each remote user's .rhosts file. If BBjServices will be running as any user other than root, modify this user's .rhosts file.
The .rhosts file is found in the user's home directory. The .rhosts file(s) should include all remote machines and users that are connecting to BBjServices.
For example:
tiger csmith <==== machine tiger, remote user csmith will be allowed to connect
rider + <==== machine rider, all remote users from this box will be allowed to connect
STEP 3) Set the .rhosts file permissions to 644.
STEP 4) Ensure that the .rhosts file for each user is owned by that user. For example, the .rhosts file for root must be owned by root and the .rhosts file for the user BBj must be owned by the user BBj.
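A check for STEP 3 and STEP 4, as an added example that is not part of the original BBj documentation: it verifies the mode and owner of one .rhosts file and lists every "+" entry so the administrator can review how broadly each host is trusted. The names audit_rhosts and demo are hypothetical, and the sample file is constructed from the two entries shown above.

```python
import os
import stat
import tempfile


def audit_rhosts(path, expected_uid):
    """Check one .rhosts file; return (findings, entries)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o644:  # STEP 3
        findings.append(f"mode is {mode:03o}, expected 644")
    if st.st_uid != expected_uid:  # STEP 4
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")

    entries = []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            fields = line.split()
            if not fields:
                continue  # blank line
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            entries.append((host, user))
            if user == "+":
                findings.append(f"line {lineno}: all users on {host} are trusted")
    return findings, entries


def demo():
    """Audit a constructed .rhosts holding the page's two sample entries."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".rhosts")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("tiger csmith\nrider +\n")
        os.chmod(path, 0o666)  # deliberately wrong, to trigger the STEP 3 finding
        return audit_rhosts(path, os.geteuid())


if __name__ == "__main__":
    findings, entries = demo()
    print(f"{len(entries)} entries (each one costs a DNS lookup per the NOTE)")
    for finding in findings:
        print("FINDING:", finding)
```

Pass the numeric uid of the account that should own the file, for example the uid of root for root's .rhosts.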
Filesystem User/Password Authentication
In a multi-tier BBj environment, some kind of user authentication will occur when an application attempts to open a file on a remote BBj Filesystem Server. By default, BBj uses .rhosts authentication. However, another option is to use simple user/password authentication.
Enabling user/password authentication on the BBj Filesystem Server switches the server to use a user and password instead of .rhosts to authenticate incoming remote connections. The administrator must enable this for the Filesystem Server, and developers must include code at some point in the application to tell BBj the user and password to use when it needs access to files on a remote BBj Filesystem Server.
Enable User/Password Authentication on the Server
Using the Enterprise Manager under BBjServices->Servers->Filesystem, enable Password Auth for the Filesystem Server.
Add BBj Application Code
When a Filesystem Server is configured to use user/password authentication, clients (and other remote BBjServices) connecting to that server must specify the user and password in order to connect. To do this from a BBj program, use the !DSUDDB STBL:
dummy$ = STBL("!DSUDDB", "user=jdoe,passwd=mypassword")
Once set, subsequent file OPEN calls use the specified user and password to connect to the remote Filesystem Server when data server syntax is used. For example:
OPEN(chan)"/<theremoteserver>/path/to/my/file.dat"