Connection Manager for Legacy Systems.
Legacy KCML 6.00 & 6.20 systems can be configured to take advantage of the connection policy in the KCML 7 Connection Manager. For example
This can be achieved without upgrading the KCML installation; however, terminals will need to be upgraded to KClient 6.90 or 7 to take advantage of the new functionality. The KCML 7 Connection Manager & broker are only supported on AIX 5.3 ML11 (and later), Linux 2.6 & Solaris 10 operating systems.
First the kwebserv_704 & broker_704 executables are copied into the KCML directory, typically /usr/local/kcml. The files should be owned either by root or bin and should have 0755 permissions.
-rwxr-xr-x 1 root bin 1726868 2010-04-22 16:19 /usr/local/kcml/kwebserv_704
-rwxr-xr-x 1 root bin  426452 2010-04-22 16:19 /usr/local/kcml/broker_704
Early 6.20 Connection Manager installations would only add PAM configuration for the auth, account & password stages.
However, the KCML 7 Connection Manager also requires PAM configuration for session.
So a rule for session may need to be added to your system's PAM configuration.
This is usually achieved by copying the last password line and changing it to session.
For example, on RedHat 5 & CentOS 5:
Before
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
After
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
For other Linux distributions, please refer to Linux PAM configuration.
For AIX systems you will need to add a session entry to /etc/pam.conf. The following fragment shows the session entry for the ftp, kcc and OTHER PAM services.
#
# Session Management
#
ftp     session required /usr/lib/security/pam_aix
...
...
kcc     session required /usr/lib/security/pam_aix
OTHER   session required /usr/lib/security/pam_prohibit

Solaris systems that use the default PAM configuration should not require any changes, as the Connection Manager will authenticate using the other PAM service, which performs normal authentication against the local password database, i.e. /etc/passwd & /etc/shadow. However, if the system has been configured not to allow the other PAM service to authenticate, e.g. using pam_deny.so, then /etc/pam.conf will need session entries for the kcc PAM service.
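A check for the PAM requirement described above, as an added example that is not part of the original page or of KCML itself: the hypothetical function pam_missing_stages lists which of the auth, account, password and session stages have no rule for a service. The file to inspect is passed by the caller (this page does not name the Linux service file), and service names are matched case-insensitively as an assumption of this example.

```shell
#!/bin/sh
# Added example (not KCML code): report PAM stages that have no rule.
# Usage: pam_missing_stages FILE [SERVICE]
#   FILE alone   -> Linux /etc/pam.d/<service> layout (stage is field 1)
#   FILE SERVICE -> AIX/Solaris /etc/pam.conf layout
#                   (service is field 1, stage is field 2)
# Prints the missing stages, space separated; empty output means none.
pam_missing_stages() {
    file=$1 svc=${2:-}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v svc="$svc" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            if (svc == "") stage = $1
            else if (tolower($1) == tolower(svc)) stage = $2
            else next                       # rule belongs to another service
            sub(/^-/, "", stage)            # Linux-PAM allows a leading "-"
            seen[tolower(stage)] = 1
        }
        END {
            n = split("auth account password session", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }' "$file"
}

# When run as a script with arguments, check the given file directly.
if [ "$#" -gt 0 ]; then pam_missing_stages "$@"; fi
```

Debian-style @include lines are not followed, so a file built from them reports its stages as missing.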
The final stage is to change the name of the program that the internet super server executes.
Linux systems typically use the xinetd super-server.
The xinetd configuration for the Connection Manager is found in the /etc/xinetd.d/KCC file.
Change the pathname of the server & server_args attributes to use kwebserv_704.
For example:
# default: on
# description: KCML 7 Connection Manager
service KCC
{
    flags = REUSE NAMEINARGS
    socket_type = stream
    wait = no
    user = root
    env = LD_LIBRARY_PATH=/usr/local/kcml
    server = /usr/local/kcml/kwebserv_704
    server_args = /usr/local/kcml/kwebserv_704
    log_on_failure += USERID
    log_on_success =
    disable = no
    per_source = UNLIMITED
    instances = UNLIMITED
}
Then restart the xinetd daemon:
$ service xinetd restart
AIX & Solaris use the classic Unix inetd internet super-server. Change the Connection Manager's entry in /etc/inetd.conf to execute kwebserv_704:
KCC stream tcp nowait root /usr/local/kcml/kwebserv_704 /usr/local/kcml/kwebserv_704
Then refresh the inetd daemon. On AIX this is done with
$ refresh -s inetd
whilst on Solaris 10 this is achieved with
$ inetconv -f
$ svcadm restart inetd
See also:
System Requirements