KCML Configuration
KCML can retrieve configuration information from the kcml.conf file. This is located in the /etc/kcml directory on Unix systems, while on Windows systems it is located in $ALLUSERSPROFILE/CDK/KCML.
General format:
```ini
# Comment
[SECTION]
Key1=Value1
Key2=Value2
```
Section and key names are caseless; key values, however, may be case sensitive. Lines that begin with a # character are treated as comments and are ignored.
On Unix systems, kcml.conf is intended to provide a secure location for KCML configuration data, hence only system administrators are allowed to change its contents. The file permissions on kcml.conf and all directory components need to be secure; write access should only be granted to the root super-user. The file should have read access for group and other. This can be ensured by using the following commands after creating kcml.conf.
```sh
$ cd /etc
$ chown root kcml kcml/kcml.conf
$ chmod 755 kcml
$ chmod 644 kcml/kcml.conf
```
If the access permissions on kcml.conf, or any of the directory components, are not secure then the file is not loaded and an error is reported to syslog:
```
Insecure access permissions on /etc/kcml/kcml.conf
```
System administrators can control what user accounts are used by the Connection Manager to execute SOAP servers. This mandates the use of a named user account to execute the server. The original behaviour of executing SOAP servers using the root super-user account when no User ID was set is prohibited.
```ini
[SOAP]
ValidUser=fred
ValidUser=bert
ValidUser=kcc*
```
See : Connection Manager : SOAP Services for more information.
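An added example, not KCML's own parser, that reads the general format described earlier (caseless section and key names, # comments, repeated keys) and decides whether a username is covered by the [SOAP] ValidUser entries. The sample configuration is constructed, and treating the trailing * in kcc* as a shell-style glob via fnmatch(3) is an assumption about how KCML matches patterns.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <string.h>
#include <strings.h>

/* Constructed sample in the kcml.conf format: mixed-case section and key
 * names, a comment line, a repeated key and a ValidUser in the wrong section. */
static const char SAMPLE_CONF[] =
    "# Comment line\n"
    "[soap]\n"
    "validUser=fred\n"
    "ValidUser=kcc*\n"
    "[WebServ]\n"
    "ValidUser=mallory\n";

static void rtrim(char *s) {
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
}

/* Returns 1 if `user` matches any ValidUser entry in the [SOAP] section of the
 * configuration text `conf`, else 0. Section/key names compare caselessly;
 * values are matched case-sensitively, with "*" handled by fnmatch (assumption). */
int soap_user_allowed(const char *conf, const char *user) {
    char line[256];
    int in_soap = 0;
    const char *p = conf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;   /* clip over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        rtrim(line);
        if (line[0] == '\0' || line[0] == '#') continue;  /* blank or comment */
        if (line[0] == '[') {                              /* [SECTION] header */
            char *close = strchr(line, ']'); if (close) *close = '\0';
            in_soap = strcasecmp(line + 1, "SOAP") == 0;
            continue;
        }
        char *eq = strchr(line, '=');
        if (!in_soap || eq == NULL) continue;
        *eq = '\0';                                        /* split Key=Value */
        if (strcasecmp(line, "ValidUser") == 0 && fnmatch(eq + 1, user, 0) == 0)
            return 1;
    }
    return 0;
}
```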
Starting KCML 6.20.83 and 7.05, the maximum number of partitions, global library processes and KPrint licences can be configured in kcml.conf.
For example, to create a $PSTAT area that can store 4096 partitions/terminals, 32 global library processes and 512 KPrint licences:
```ini
[PSTAT]
MaxPartitions=4096
MaxGlobals=32
MaxKplic=512
```
See : $PSTAT Configuration for more information.
Applications may store the value of $LOGNAME in their databases. On old Unix systems these names are generally short, lower-cased initials being a common convention. Hence Fred Bloggs could have a Unix user name of fb:
```sh
$ grep Fred /etc/passwd
fb:x:510:500:Fred Bloggs:/home/fb:/bin/bash
```
However, if Active Directory (AD) is adopted, a different convention for user names may be chosen, e.g. surname followed by first initial. In this case our user would have an AD username of bloggsf. To allow legacy systems to use SSO, the Connection Manager can call a routine from a shared library that maps the Active Directory username (bloggsf) to the old Unix account name (fb).
```ini
[SSOMod]
module=usermap.so

[usermap.so]
UserMapFn=MapADUser
```
The shared library is supplied by the system administrator and defines one function. It should reside in /etc/kcml and have secure permissions, i.e. owned by root with write access only for the owner; group and other require only read and execute permission. In the above example the library usermap.so would define a function called MapADUser with the following C interface:
```c
extern unsigned int MapADUser(const char *ADuser, char *pUserOut, int nUserOut, char *pErr, int nErr);
```
Where
The function returns TRUE if the AD username was successfully mapped, otherwise it returns FALSE.
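An added example of a usermap.so implementing the interface above; it is not a KCML-supplied library. The mapping table is constructed (a real library would consult the site's own directory or database), caseless matching of the AD name is an assumption, and the function refuses to truncate an output name rather than risk mapping to the wrong account.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#ifndef TRUE
#define TRUE  1
#define FALSE 0
#endif

/* Constructed mapping table: AD username -> legacy Unix account name. */
static const struct { const char *ad; const char *unix_name; } USERMAP[] = {
    { "bloggsf", "fb" },
    { "smithj",  "js" },
};

/* Scratch buffers for stand-alone callers. */
static char g_user[16], g_err[128];

unsigned int MapADUser(const char *ADuser, char *pUserOut, int nUserOut,
                       char *pErr, int nErr)
{
    size_t i;
    if (ADuser == NULL || pUserOut == NULL || nUserOut <= 0) {
        if (pErr && nErr > 0) snprintf(pErr, (size_t)nErr, "MapADUser: bad arguments");
        return FALSE;
    }
    for (i = 0; i < sizeof USERMAP / sizeof USERMAP[0]; i++) {
        /* AD names are matched caselessly (assumption); Unix names are emitted as stored. */
        if (strcasecmp(USERMAP[i].ad, ADuser) != 0) continue;
        /* Never truncate: a clipped name could resolve to a different account. */
        if (strlen(USERMAP[i].unix_name) >= (size_t)nUserOut) {
            if (pErr && nErr > 0)
                snprintf(pErr, (size_t)nErr, "MapADUser: output buffer too small");
            return FALSE;
        }
        strcpy(pUserOut, USERMAP[i].unix_name);
        return TRUE;
    }
    if (pErr && nErr > 0)
        snprintf(pErr, (size_t)nErr, "MapADUser: no mapping for AD user '%s'", ADuser);
    return FALSE;
}
```

Building it as a shared object (for example `cc -shared -fPIC -o usermap.so usermap.c`, an assumption about the toolchain) and installing it under /etc/kcml with the permissions described above completes the setup.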
The KCML 7.17 Connection Manager can mandate the minimum SSL protocol to allow when KClient connects. However, this is only recommended if all client machines connecting to the server are running KClient 7.16 or later on Windows 7 or Windows Server 2008 R2 or later, as older versions of KClient and Windows may not support the encryption cipher that has been mandated.
```ini
# Use TLS/1.1 or better.
# Requires all client machines to be running KClient 7.16 on Windows 7 or Windows Server 2008 R2.
[SSL]
MinProtocol=TLSv1_1
CipherList=ALL:!ADH:!LOW:!EXP:!MD5:!RC4:!3DES:@STRENGTH
```
The values of the MinProtocol and CipherList keys are used to set the KCML_MIN_SSL_PROTOCOL and KCML_SSL_CIPHER_LIST environment variables, which are inherited by KCML processes. Hence secure sockets opened by OPEN # and any SOAP clients that connect via https:// will also use the same minimum encryption protocol and cipher list.
When using SSL, KCML historically required read access to the certificate. Session resumption in current versions of OpenSSL means this is no longer the case; however, old KClient versions do not support session resumption. As a workaround to support old clients when KCML does not have access to the certificate file, the SSLCertPassthrough setting can be used. This allows the Connection Manager to pass the certificate to KCML on startup.
```ini
[SSL]
SSLCertPassthrough=1
```
KCML reports the execution of SHELL commands to an audit system log. However, background processes may execute many SHELL commands, for example when delegating a task to another KCML process. This can produce a lot of messages that are of limited benefit, so the logging of these commands can be suppressed.
```ini
[syslog]
SuppressBGShellMsg=1
```
Note that interactive, foreground, KCML processes will always report SHELL commands to the audit log.
The Server: HTTP header that the Connection Manager, kwebserv, sends includes its name, version number, the name of the operating system and the platform architecture. From version 7.21 of the Connection Manager, the amount of information included in this header can be restricted, in a similar way to Apache's ServerTokens directive.
```ini
[WebServ]
ServerTokens=ProductOnly
```
Valid values of the ServerTokens key are:
| ServerToken | Example Server Header | Description |
|---|---|---|
| Full | Server: kwebserv/07.22.00.25178 (Linux-2.6-x64) | Full server info including version, operating system and platform. This is the default header |
| Min[imal] | Server: kwebserv/07.22.00.25178 | Name & full version of the server |
| Minor | Server: kwebserv/07.22 | Name, major & minor versions of the server |
| Major | Server: kwebserv/07 | Name & major version of the server |
| Prod[uctOnly] | Server: kwebserv | Name of the server |
An example kcml.conf:
```ini
# Defines a list of usernames, or patterns, who are allowed
# to run SOAP servers.
[SOAP]
ValidUser=fred
ValidUser=bert
ValidUser=kcc*

# Starting KCML 6.20.83 and 7.05, the maximum number of
# partitions, global library processes and KPrint licences
# can be configured in kcml.conf. For example, to create a
# $PSTAT area that can store 4096 partitions/terminals, 32
# global library processes and 512 KPrint licences
[PSTAT]
MaxPartitions=4096
MaxGlobals=32
MaxKplic=512

# Development flags add extra functionality for the
# convenience of developers but may make the systems less
# secure so should only be used on internal networks. As they
# are defined in /etc/kcml/kconf.xml they can only be turned
# on by someone with root access.
[Development]
AllowKcmlDir=1
BrowserLogDir=/tmp/browser_log
DisableSecurePath=1
SecurePath=/path/to/dir/kwebserv
AllowKcc=1

# Connection Manager settings for network encryption.
[SSL]
MinProtocol=TLSv1_1
CipherList=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
SSLCertPassthrough=1

# System log settings
[syslog]
SuppressBGShellMsg=1

# Connection Manager settings
[WebServ]
ServerTokens=ProductOnly

# Connection Manager settings for OAuth 2
[oauth2]
callback_port=4096
```