Security
You can use Kerberos and single sign-on with the Application Package on Linux®, and Transport Layer Security (TLS) with the Application Package on Linux, macOS, and PASE.
Kerberos
The Linux Application Package supports IBM i authentication using Kerberos. To install and configure the IBM i platform for Kerberos, see the Single signon topic, in the Security topic collection in the IBM i Information Center.
CWBSY1015
- Kerberos not available on this version of the operating system.
To use Kerberos with the Linux Application Package, you must first authenticate to your Kerberos domain using the kinit command or by setting up your initial Linux login to authenticate with the pluggable authentication module (PAM) Kerberos plugin. After successful authentication, you should be able to run klist -f to see the status of your Kerberos tickets.
For any IBM i Access function, you can use *kerberos in place of the IBM i user profile to use your Kerberos tickets. Any password is ignored in this case.
The Kerberos principal name is based upon the fully qualified TCP/IP name received from the reverse lookup of the TCP/IP address. If you use a host file to resolve TCP/IP addresses, be sure to include the fully qualified TCP/IP system name. For example:
1.2.3.4 mysystem.example.com mysystem
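The hosts-file requirement above can be checked before you run kinit. The following is an added example, not part of the original documentation; it assumes that reverse lookup through a hosts file returns the first name on the line (the canonical name, per hosts(5)), and the function names and the 192.0.2.x entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of hosts-file entries before using *kerberos.
# Assumption: reverse lookup through a hosts file returns the first name on
# the line (the canonical name, per hosts(5)).

# canonical_name HOSTS_FILE IP: print the first name listed for IP, if any.
canonical_name() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == ip && NF >= 2 { print $2; exit }  # first matching line wins
    ' "$1"
}

# check_hosts_entry HOSTS_FILE IP
# Returns 0 if the canonical name is fully qualified, 1 if it is a short
# name, 2 if the address has no entry in the file.
check_hosts_entry() {
    name=$(canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "$2: no entry in $1"
        return 2
    fi
    case "$name" in
        *.*) echo "$2: ok, canonical name is $name"; return 0 ;;
        *)   echo "$2: short name '$name' is listed first; put the fully qualified name first"
             return 1 ;;
    esac
}

# Constructed sample hosts file (not from a real system).
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
1.2.3.4     mysystem.example.com mysystem   # form shown above
192.0.2.10  othersys othersys.example.com   # short name first
EOF

for ip in 1.2.3.4 192.0.2.10 192.0.2.99; do
    check_hosts_entry "$SAMPLE_HOSTS" "$ip" || true
done
```

To check a real system, call check_hosts_entry with /etc/hosts and the address of your IBM i system.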
Transport Layer Security (TLS)
The Application Package supports TLS by way of the OpenSSL package provided by the
operating system or on macOS via Homebrew. Unlike similar support on the Windows Application
Package, which has its own certificate store, when using OpenSSL the package relies on the system
certificate store. Refer to your system’s documentation on how to add CA certificates to your
system’s certificate store. The SSL_CERT_FILE environment variable can also be used to set the path
to a PEM certificate to use instead of the system's certificate store.