HP UX Kerberos Data Security Software manual DES Versus 3DES Key Type Settings

Chapter 1: Overview, page 31

DES Versus 3DES Key Type Settings

In the processes outlined in the section “Authentication Process” on page 27, if the user principal and the service principal do not use the same key type, the process continues as described in this section.

The Kerberos server is the only trusted party: the client and the service each share a secret key only with the server, and neither the client nor the service accepts a message encrypted with the other's key.

The authenticator data that the service and client encrypt or decrypt is encrypted in session keys. The server sends the required session keys to the client and to the service in packets that are encrypted with their respective secret keys. The Kerberos server checks the key type settings of the user principal and the service principal and determines the most secure encryption type allowed for the session key. If both the user principal and the service principal have a 3DES key stored in the database, the session key that is returned is of type 3DES. If only one of them has a 3DES key and the other has a DES key, the session key that is returned is of type DES.

The server never returns a session key in the service ticket packet that uses stronger encryption than the session key included with a TGT packet. If a user principal has both 3DES and DES keys and uses the DES key to obtain a TGT, all service tickets obtained using this TGT contain DES session keys.

The krbtgt/<REALM NAME> principal is the ticket-granting principal. It is a reserved principal that is created automatically when you add a realm to the database. If you do not assign a key type to the krbtgt/<REALM NAME> principal, the default key issued by the Kerberos server uses the 3DES encryption type.
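The selection rules above (strongest type allowed by both principals, a service-ticket session key never stronger than the TGT session key, and a krbtgt principal that defaults to 3DES) can be modelled directly. The following is an added example written for this page, not HP's code; it assumes a two-level strength order DES < 3DES and a constructed principal database (the realm name EXAMPLE.COM and the principal names are invented). The rule for the TGT session key, the weaker of the key the user authenticated with and the krbtgt key, is an assumption that follows from the text's two statements about TGT session keys.

```python
"""Model of session key type selection between DES and 3DES principals.

Added example, not part of the HP-UX Kerberos manual. Assumes the strength
order DES < 3DES and a constructed principal database.
"""

# Assumed strength order used throughout this example.
STRENGTH = {"DES": 1, "3DES": 2}

# Constructed principal database: principal name -> set of long-term key types.
# krbtgt/<REALM> carries only a 3DES key, matching the manual's default when no
# key type is assigned to the ticket-granting principal.
DATABASE = {
    "krbtgt/EXAMPLE.COM": {"3DES"},
    "alice": {"3DES", "DES"},           # user with both key types
    "bob": {"DES"},                     # user with a DES key only
    "host/fs.example.com": {"3DES"},    # 3DES-only service
    "host/printer.example.com": {"DES"} # DES-only service
}


def weakest(*types):
    """Return the weakest of the given key types."""
    return min(types, key=lambda t: STRENGTH[t])


def strongest(types):
    """Return the strongest key type in a set of key types."""
    return max(types, key=lambda t: STRENGTH[t])


def negotiate(client_types, service_types):
    """Most secure type allowed by both sides: the weaker of each side's best.

    Both 3DES -> 3DES; one side with only DES -> DES, as the manual states.
    """
    return weakest(strongest(client_types), strongest(service_types))


def tgt_session_key(user, key_used, realm="EXAMPLE.COM", db=DATABASE):
    """Session key type in the TGT when `user` authenticates with `key_used`.

    Assumption (see lead-in): the TGT session key is the weaker of the key the
    user actually used and the krbtgt principal's strongest key.
    """
    if key_used not in db[user]:
        raise ValueError(f"{user} has no {key_used} key in the database")
    return negotiate({key_used}, db[f"krbtgt/{realm}"])


def service_session_key(user, service, tgt_type, db=DATABASE):
    """Service ticket session key type: best common type, capped by the TGT's."""
    return weakest(negotiate(db[user], db[service]), tgt_type)


def issue_tickets(user, key_used, services, realm="EXAMPLE.COM", db=DATABASE):
    """Obtain a TGT with `key_used`, then service tickets for each service."""
    tgt = tgt_session_key(user, key_used, realm, db)
    return {svc: service_session_key(user, svc, tgt, db) for svc in services}


def des_only_principals(db=DATABASE):
    """Principals holding no 3DES key; any one of them caps its sessions at DES."""
    return sorted(name for name, types in db.items() if "3DES" not in types)


if __name__ == "__main__":
    print(issue_tickets("alice", "3DES", ["host/fs.example.com",
                                          "host/printer.example.com"]))
    print(issue_tickets("alice", "DES", ["host/fs.example.com"]))
    print(des_only_principals())
```

The last function is the administrative check that matters in practice: because one DES-only principal on either side of an exchange (or a DES key used to obtain the TGT) drags the session key down to DES, listing the principals that still lack a 3DES key shows exactly where the weaker encryption type can still be negotiated.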

