GSKit 7 on Solaris 10
By dkumar on Mar 27, 2007
Global Security Kit (GSKit) ships on the supplement CD that comes with WebSphere Application Server (WAS) ND V6.1. It is a C API that is internal to IBM and is not available as a separate entity. Not much separate documentation exists for this API. It is the crypto engine for many IBM software products, including the following:
- IBM Tivoli Access Manager
- IBM HTTP Server (IHS)
Why do we need GSKit for App/Web Server?
GSKit allows an application to be SSL enabled and lets you access SSL and TLS functions from your socket application program.
You will need GSKit in Application Server based deployment if you intend to do the following:
- SSL between client (browser) and IBM HTTP Server.
- SSL between the IBM HTTP Server plug-in and WebSphere Application Server.
- SSL between IBM HTTP Server and LDAP server.
However, when you install the HTTP Server or WAS, GSKit does not get installed with it. It is part of the web server plug-in install. In other cases you have to do the install manually. There is also no uninstaller for GSKit, as IBM provides only the installer.
During installation, GSKit performs the following activities, which require you to be the root user:
- Installation/registration of GSKit as Solaris packages.
- Soft links in /usr/bin, so your default executable search path has access to all the executables that are part of GSKit.
- Soft links in /usr/lib, so your default library search path has access to all the shared libraries of GSKit.
None of this would be needed if the software that requires access to the shared libraries or binaries handled its own requirements by modifying its LD_LIBRARY_PATH and PATH variables suitably. That does not seem to be the case here, so GSKit is made available to everybody on the system. As you already know, anything under /usr/bin is accessible to everyone on the system, and /usr/lib is included in the default library search path for everyone.

This poses a further restriction when you move to zones/containers: the links must be laid out before you proceed, so you must install in the global zone before doing the GSKit install in local zones. From local zones you do not have write permission on these two directories, and without write permission you cannot create the soft links. When you do the GSKit install in the global zone, the links are laid out for that particular version of GSKit in /usr/lib and /usr/bin. When you then install in local zones, all the soft links become valid, as they point to the right binaries in the local zone install. Another thing to note here is that you cannot change the location of the install.
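
A check you can run inside a zone to confirm that the soft links described above resolve, and that they do not point at group- or world-writable files. This is an added example, not part of the original post or of IBM's installer; the `gsk*` / `libgsk*` name patterns and the function name `audit_links` are assumptions.

```shell
#!/bin/sh
# Added example: audit GSKit soft links from inside a zone.
# Assumption: the links match gsk* / libgsk*; pass the patterns that fit your install.
# Usage: audit_links /usr/bin 'gsk*'; audit_links /usr/lib 'libgsk*'

# Prints "STATUS link -> target" for every matching symlink in DIR.
# Returns 0 if all links are fine, 1 if any is dangling or resolves to a
# group/world-writable file, 2 if no matching link exists at all.
audit_links() {
    dir=$1; shift
    found=0; bad=0
    for pat in "$@"; do
        for link in "$dir"/$pat; do
            [ -h "$link" ] || continue          # unmatched glob or not a symlink
            found=$((found + 1))
            target=$(ls -l "$link" | sed 's/.* -> //')
            if [ ! -e "$link" ]; then           # -e follows the link
                status=DANGLING; bad=$((bad + 1))
            else
                # Mode string of the file the link resolves to (-L follows it).
                mode=$(ls -ldL "$link" | cut -c1-10)
                case $mode in
                    ?????w????|????????w?)      # group-write or other-write bit set
                        status=WRITABLE; bad=$((bad + 1)) ;;
                    *)  status=OK ;;
                esac
            fi
            echo "$status $link -> $target"
        done
    done
    [ "$found" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}
```

A return of 2 in a local zone means the global zone install has not laid out the links yet; DANGLING lines mean the links exist but GSKit is not yet installed in that zone.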