Security server environment variables

The following environment variables are supported for the SKRBKDC started task. These variables are specified in /etc/skrb/home/kdc/envar.
Table 1. Environment variables for security server

SKDC_CONSOLE_LEVEL
Specifies the message level for console logging. Kerberos security server messages are logged on the system console if the message severity is greater than or equal to the specified severity level. The valid severity levels are I, W, E, and A. The default is E if this environment variable is not defined.

SKDC_CREDS_SIZE
Specifies the size of the credentials data space in kilobytes: the minimum value is 1024, the maximum value is 2097148, and the default value is 20480. The Kerberos security server stores cross-memory credentials in this data space.
SKDC_DATABASE
Specifies the type of registry database used by the security server:
  • SAF - The security registry is maintained in the system security database that is available through the System Authorization Facility (SAF). The database is administered with commands provided by the external security manager, which is also responsible for propagating database changes to the other systems in the realm that run an instance of the KDC. Kerberos database propagation is not used with the SAF database.
  • NDBM - The security registry is maintained in HFS files in the /var/skrb/krb5kdc directory. The database is administered with the Kerberos administration commands. The KDC is responsible for propagating database changes to the other systems in the realm that run an instance of the KDC.
SKDC_FIPSLEVEL
Specifies the FIPS level to which the KDC conforms. The value in the envar file can be one of the following:
  • 0 - non-FIPS mode (default)
  • 1 - FIPS 140-2
  • 2 - SP800-131A with exception
  • 3 - SP800-131A without exception
Note: SKDC_FIPSLEVEL should match the fipslevel setting in the Kerberos configuration file used by the KDC (/etc/skrb/krb5.conf, or the file specified by the KRB5_CONFIG environment variable).
SKDC_KADMIN_PORT
Specifies the administration service port number. If this environment variable is not defined, the administration service port is obtained from the kerberos-adm entry in the TCP/IP services file. If that entry is not defined, the administration service port defaults to 749. The administration service uses only the TCP protocol.

SKDC_KPASSWD_PORT
Specifies the password change service port number. If this environment variable is not defined, the password change service port is obtained from the kpasswd entry in the TCP/IP services file. If that entry is not defined, the password change service port defaults to 464. The password change service uses both the UDP and TCP protocols.
SKDC_KPROP_INTERVAL
Specifies the database propagation interval in minutes; the default is 15. At the end of each propagation interval, the security server sends the current registry database to each secondary security server that uses the full replacement protocol. No propagation is done if the database has not changed since the last propagation. Secondary security servers that use the update protocol receive database updates immediately and do not wait for the end of a propagation interval.

SKDC_KPROP_PORT
Specifies the database propagation port number. If this environment variable is not defined, the database propagation port is obtained from the krb5_prop entry in the TCP/IP services file. If that entry is not defined, the database propagation service port defaults to 754. Database propagation uses only the TCP protocol.

SKDC_LOCAL_THREADS
Specifies the number of threads used for local requests that use the S/390® Program Call instruction to communicate with the security server. The default value is 10 and the minimum value is 2.
SKDC_LOGIN_AUDIT
Specifies the auditing level for login attempts (that is, the granting of a Kerberos initial ticket). The following values are allowed:
  • NONE - no auditing is done
  • FAILURE - only login attempts that fail because of an invalid password are audited
  • ALL - both successful and failed login attempts are audited
The audit level is set to FAILURE if the SKDC_LOGIN_AUDIT environment variable is not specified or is set to an incorrect value. An SMF type 80 record with event code 68 is written for each audit event. See z/OS Security Server RACF Macros and Interfaces for the format of the SMF records.
SKDC_NETWORK_POLL
Specifies the network interface poll interval in minutes; the default is 5. At the end of each poll interval, the security server queries the network configuration to detect new network interfaces or the reactivation of a failed network interface.

SKDC_NETWORK_THREADS
Specifies the number of threads used for remote requests that use TCP/IP to communicate with the security server. The default value is 10 and the minimum value is 2.

SKDC_PORT
Specifies the KDC port number. If this environment variable is not defined, the KDC port is obtained from the kerberos entry in the TCP/IP services file. If that entry is not defined, the KDC port defaults to 88. The KDC uses both the UDP and TCP protocols.
SKDC_PKINIT_REQUIRED
Specifies whether the public key authentication method (PKINIT) is required in the Authentication Service (AS) exchange. The valid values are:
  • 1 - required
  • 0 - not required (the default)
SKDC_PKINIT_KEYRING
Specifies the key store used for PKINIT. The value is one of the following: a key ring in the format <owner id>/<ring name>; a token in the format *TOKEN*/<token name>; or a key database specified by its full path name. For a key database, the stash file must also be specified with the SKDC_PKINIT_KEYRING_STASH variable.

SKDC_PKINIT_KEYRING_STASH
Specifies the full path name of the key database stash file that contains the password of the key database. This entry is required if the value of SKDC_PKINIT_KEYRING is a key database file.
SKDC_PKINIT_REQUIRE_EKU
Specifies whether the KDC requires the client certificate used for PKINIT to have the Extended Key Usage extension. The valid values are:
  • 1 - required
  • 0 - not required (the default)
SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING
Specifies whether revocation checking is performed during verification of the client certificate in PKINIT, and which checking methods to use. Multiple checking methods can be specified, separated by commas or blanks. The checks are performed in the order in which the methods are listed. If 'none' or any invalid value appears anywhere in the list, no revocation checking is done. The valid values are:
  • none (default) - No revocation checking is done.
  • ocsp - Revocation is checked by using the Authority Information Access (AIA) certificate extension to locate an OCSP responder that verifies the certificate.
  • crldp - Revocation is checked by using the http format URI value in the CRLDistributionPoints extension of the certificate.
  • ldap - Revocation is checked by retrieving the certificate revocation list (CRL) from an LDAP directory entry. The distinguished name of that entry is the CRL distribution point name from the CRLDistributionPoints extension of the certificate or, if the certificate has no CRLDistributionPoints extension, the issuer name on the certificate. The LDAP server location is specified by the SKDC_PKINIT_LDAP_SERVER variable; if that variable is not specified, SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING defaults to none.
Note:
  • Revocation cache values are not used.
  • If the certificate extensions provide revocation checking sources but those sources cannot be contacted, the status of the certificate is considered revoked or unknown. If the certificate extensions do not provide revocation checking sources, the check is skipped.

SKDC_PKINIT_LDAP_SERVER
Specifies the location of the LDAP server that holds the LDAP directory entry containing the certificate revocation list (CRL). The server is specified as hostname[:port-number]; port-number is assumed to be 389 if it is not specified. This variable is required when SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING specifies ldap.
SKDC_PKINIT_DH_MIN_BITS
Specifies the KDC policy for the minimum Diffie-Hellman key size (in bits) allowed on inbound AS requests that use PKINIT. A request that uses a DH key smaller than this value is rejected by the KDC, and the KDC returns a list of the supported sizes. The valid key sizes are 1024 and 2048; the value defaults to 2048 if it is not specified or if an unsupported value is specified.
SKDC_TKT_ENCTYPES
Specifies the encryption types used for ticket-granting tickets and for service tickets. The value is a comma-separated list of one or more encryption types, ordered from most preferred to least preferred. When generating a ticket, the KDC selects the first entry in the list that is available for the server named in the ticket. The KDC uses des-cbc-crc if this environment variable is not defined.

Refer to Security runtime configuration profile for a list of available encryption types.

The encryption types specified by SKDC_TKT_ENCTYPES are also used by the Kerberos administration server when it generates new keys for a principal and the administration request specifies no encryption types.
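The following Python script is an added example, not IBM code and not part of this reference. It parses a constructed envar file (the NAME=value-per-line syntax with '#' comments is an assumption of the example, not a statement about the real file format), works out the effective values this page documents (the FAILURE fallback for SKDC_LOGIN_AUDIT, the 2048-bit fallback for SKDC_PKINIT_DH_MIN_BITS, the SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING list rules including the 'none'/invalid-entry case and the missing SKDC_PKINIT_LDAP_SERVER case, and the most-preferred-first SKDC_TKT_ENCTYPES selection), and then flags settings that leave a KDC on the weaker documented defaults, such as des-cbc-crc tickets. The sample values, the case-insensitive matching and the audit rules themselves are the example's own assumptions.

```python
import re

# Defaults documented on this page for the settings this audit looks at.
DEFAULT_TKT_ENCTYPES = "des-cbc-crc"
DEFAULT_LOGIN_AUDIT = "FAILURE"
DEFAULT_DH_MIN_BITS = 2048
REVOCATION_METHODS = ("none", "ocsp", "crldp", "ldap")

# Constructed sample envar file (not a real configuration). The NAME=value
# line syntax with '#' comments is an assumption of this example.
SAMPLE_ENVAR = """\
# constructed sample: /etc/skrb/home/kdc/envar
SKDC_DATABASE=SAF
SKDC_LOGIN_AUDIT=ALL
SKDC_PKINIT_REQUIRED=1
SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING=ocsp, crldp ldap
SKDC_PKINIT_DH_MIN_BITS=1024
"""


def parse_envar(text):
    """Parse NAME=value lines into a dict; blank lines and '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value.strip()
    return env


def effective_login_audit(env):
    """FAILURE unless a valid level is set (case-insensitive matching is an assumption)."""
    value = env.get("SKDC_LOGIN_AUDIT", "").upper()
    return value if value in ("NONE", "FAILURE", "ALL") else DEFAULT_LOGIN_AUDIT


def effective_dh_min_bits(env):
    """Only 1024 and 2048 are valid; anything else falls back to 2048."""
    value = env.get("SKDC_PKINIT_DH_MIN_BITS", "")
    return int(value) if value in ("1024", "2048") else DEFAULT_DH_MIN_BITS


def effective_revocation_methods(env):
    """Return the ordered list of PKINIT revocation checks actually in effect.

    Rules from the page: methods may be separated by commas or blanks and are
    applied in the listed order; 'none' or any invalid entry anywhere in the
    list disables checking; 'ldap' without SKDC_PKINIT_LDAP_SERVER means the
    setting defaults to none. Lower-casing the entries is an assumption.
    """
    raw = env.get("SKDC_PKINIT_REQUIRE_REVOCATION_CHECKING", "none").lower()
    methods = [m for m in re.split(r"[,\s]+", raw) if m]
    if not methods or "none" in methods:
        return []
    if any(m not in REVOCATION_METHODS for m in methods):
        return []
    if "ldap" in methods and not env.get("SKDC_PKINIT_LDAP_SERVER"):
        return []
    return methods


def select_ticket_enctype(env, server_enctypes):
    """Pick the first SKDC_TKT_ENCTYPES entry the server supports, as the KDC does."""
    preferred = env.get("SKDC_TKT_ENCTYPES", DEFAULT_TKT_ENCTYPES)
    for enctype in (e.strip() for e in preferred.split(",")):
        if enctype and enctype in server_enctypes:
            return enctype
    return None  # no common enctype: the KDC cannot build the ticket


def audit(env):
    """Flag settings that weaken the KDC's security posture, per the documented defaults."""
    findings = []
    if "SKDC_TKT_ENCTYPES" not in env:
        findings.append("SKDC_TKT_ENCTYPES unset: tickets fall back to des-cbc-crc")
    if effective_login_audit(env) == "NONE":
        findings.append("SKDC_LOGIN_AUDIT=NONE: no SMF type 80 records for login attempts")
    if env.get("SKDC_PKINIT_REQUIRED") == "1" and not effective_revocation_methods(env):
        findings.append("PKINIT required but no certificate revocation checking is in effect")
    if effective_dh_min_bits(env) < 2048:
        findings.append("SKDC_PKINIT_DH_MIN_BITS=1024: 1024-bit DH accepted for PKINIT")
    if env.get("SKDC_FIPSLEVEL", "0") == "0":
        findings.append("SKDC_FIPSLEVEL=0: KDC runs in non-FIPS mode")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_envar(SAMPLE_ENVAR)):
        print("WARNING:", finding)
```

Run against the constructed sample, the audit reports four findings: the des-cbc-crc ticket default, the 1024-bit DH floor, non-FIPS mode, and a PKINIT deployment whose revocation list names ldap but sets no SKDC_PKINIT_LDAP_SERVER, which the page says collapses the whole setting to none. Port defaults are deliberately left out of the audit because the page says they come from the TCP/IP services file before the built-in fallbacks apply, so a static read of envar alone cannot determine them.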