VMS Considerations for Kerberos
As with other DCL commands, unquoted input to Kerberos commands is converted to uppercase by default. Accordingly, principal names should be enclosed in double quotes to preserve their case, as in the following example:
$ kinit "tingresxx"
If "tingresxx" had not been enclosed in double quotes, the KDC would have looked for the principal "TINGRESXX" instead of "tingresxx". Creating a Kerberos principal named "TINGRESXX" (all caps) does not help: the Ingres security mechanism fails the authentication because "TINGRESXX" does not match "tingresxx". The Ingres security mechanism is still in force as the default authentication mechanism regardless of whether Kerberos is configured.
If server-to-server authentication is desired (CBF, Security, Configure, user_mechanism), the VMS logical KRB$USER must be defined at the group level. By default, the SYS$MANAGER:KRB$SYMBOLS.COM script defines it only at the process level. Servers run as detached processes, which run without a CLI and cannot see logical names defined at the process level. If KRB$USER is defined only at the process level, security contexts are not accepted and the error "GSS-API error gss_init_sec_context: Credentials cache I/O operation failed XXX" appears in a GCS trace or the error log.
The following command file defines KRB$USER at the group level based on the process-level definition, runs ingstart, and de-assigns KRB$USER:
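$!
$! RINGSTART.COM - Run Ingstart with KRB$USER
$!
$! Read the process-level translation of KRB$USER
$ krb = F$TRNLNM("KRB$USER","LNM$PROCESS")
$! Define it in the group table so that detached server processes can translate it
$ define/group/executive/translation=concealed KRB$USER 'krb'
$ ingstart
$! Remove the group-level definition after ingstart returns
$ deassign/group/exec KRB$USER
$ exit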
Last modified date: 01/30/2023