HP UX Kerberos Data Security Software To Conﬁgure a propagation in a multi-realm environment

Page 241

Propagation

	Conﬁguring for Multi-realm Enterprises
	You can follow the standard propagation conﬁguration if you have
	conﬁgured a multi-realm environment that has only one realm for every
	Primary Security Server. In other words, you have multiple Primary
	Security Servers or if you want to propagate all realms from the Primary
	Server to each Secondary Server, follow the steps mentioned below.
	In the following steps, we assume you are familiar with the propagation
	setup procedure. Refer to, “Propagation Hierarchy” on page 209, for
	details.
	To Conﬁgure a propagation in a multi-realm environment
Step	1. Edit the Kerberos conﬁguration ﬁle, krb.conf, on the Primary Server to
	contain one entry for each Secondary Server that supports a given realm.
	If a Secondary Server supports more than one realm, you must add
	multiple entries to the ﬁle for that server, one for each supported realm.
	Be sure to also add one primary server entry for each realm that the
	primary server supports. Once all entries are added, save and close the
	ﬁle.
Step	2. Run the mkpropcf utility to create an initial version of the kpropd.ini
	ﬁle or registry key.
Step	3. You must edit the file/registry key to contain the correct information
	for your propagation design. For instance, if you want to propagate only
	certain realms to a selected secondary server, you must edit the
	entry/key for the parent of that server to indicate only the required
	realms. For more information on indicating only select realms to
	propagate, refer to the kpropd.ini manpage.
Step	4. Once you have conﬁgured the primary server’s kpropd.ini correctly,
	follow the propagation conﬁguration steps.
	Note that on each Kerberos Security Server, you need to only extract
	a host/key for the primary server’s default realm, not each realm that
	the secondary server supports. Even if the secondary server does not
	support the primary server’s default realm, you must still create a host/
	principal for the secondary server and extract the key to the secondary
	server’s key table ﬁle.

Chapter 7

241

Image 241

Contents Manufacturing Part Number T1417-90003 E0602 EditionLegal Notices Page Page Contents Administration Contents Contents Inter-realm Troubleshooting Glossary Index Contents Tables Tables Figures Figures Preface Audience Accessing the World Wide WebRelated Software Products Related DocumentationRelated Request for Comments RFCs Width ConventionsUsing This Manual Glossary Index Overview Chapter Overview How The Kerberos Server Works Conﬁguring and Administering the Kerberos Server on HP-UX Authentication Process Step Authentication ProcessTGT Authentication Process Authentication Process Must be assigned a key type or default keys issued by DES vs 3DES Key Type SettingsKrbtgt/REALM Name is the ticket-granting principal. This is Is added to the database. The krbtgt/REALM NAMEprincipalInstallation Installation Before Installing The Kerberos Server Hardware Requirements Software Requirements Installing The Kerberos Server With SD-UX Installing The Kerberos Server Chapter Migration Migration Policy Migration on Step-wise Procedure For Migration on Policy Migration Step-wise Procedure For Migration For version 2.0 of the Kerberos Server, as described in Step On successful completion the following message is displayed Step-wise Procedure For Migration Chapter Interoperability With Windows Interoperability With Windows Chapter Overview Understanding the Terminology Understanding the Terminology Table of Analogous Terms HP’s Kerberos Server Windows Table of Analogous TermsCase HP’s Kerberos Server and Windows 2000 InteroperabilityEstablishing Trust Between HP’s Kerberos Servers and Windows Single Realm Domain Authentication Inter-Realm Inter-Domain Authentication Database Considerations Special Considerations for InteroperabilityEncryption Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Conﬁguration Conﬁguration Security Server Files That Require Conﬁguration Conﬁguration Files For The Kerberos ServerFile Auto-Conﬁguration of the Security Server Auto-Conﬁguration of the Security Server Return to the main menu Editing the Conﬁguration Files Manual Conﬁguration Of The Kerberos ServerManual Conﬁguration Of The Kerberos Server Krb.conf Format Krb.confRealm Sample krb.conf File Reference Krb.realms Krb.realms Format Krb.realms Sample krb.realms Sample krb.realms Chapter Conﬁguring The Primary Server Creating The Principal Database After Installation To add an administrative principal using Add An Administrative PrincipalAdministrator Run Command-Line-Administrator,kadmin Create The host/fqdn principal And Extract Its Service Key Start the Kerberos daemons Deﬁne Secondary Server Network Locations Adminaclﬁle Password Policy FileSecurity Policies Starting the Security Server Summary Sbin/initd/krbsrv start Create the Principal Database Conﬁguring The Secondary Security ServersCopy the Kerberos Conﬁguration File Create a host/fqdn Principal and Extract Its Key Administration Administration Administering the Kerberos Database Kadmind Adminaclﬁle Assigning Administrative Permissions List prinicpal. This is redundant with i or Adding Entries to the adminaclﬁle Using Restricted Adminsitrator Creating Administrative AccountsHow the r/R Modiﬁers Work 100 Editing the Default File Password Policy FileDefault Password Policy Settings for the base group Password Policy setting Default102 Principals 104 Adding User Principals Adding New Service PrincipalsReserved Service Principals Chapter 107 Do not remove or modify this principal entry Removing User Principals Remove Special Privilege SettingsProtecting Secret Keys Removing Service Principals Administration Tools Kadmin Vs kadminlAdministration Tools Tool Name Tool Description Administrator Apply Standard Functionality of the AdministratorUsage of kadminlui Local Administrator kadminluiChapter 117 Principals Tab Principals TabChapter 119 General Tab Principal Information Window General Tab Principal Information windowChapter 121 To add a principal Adding Principals to the DatabaseTo simultaneously add multiple principals with Same settingsTo create an administrative principal Creating an Administrative PrincipalChapter 125 To search for a principal Finding a PrincipalSearch Criteria Chapter 127 128 To delete a user principal Deleting a PrincipalTo reload the default values for a principal Loading Default Values for a PrincipalRestoring Previously Saved Values for a Principal To restore previously saved values for a principalTo change ticket information Changing Ticket InformationChapter 133 Example Rules for Setting Maximum Ticket LifetimeExamples Rules for Setting Maximum Renew TimeTo change the password information Changing Password InformationPassword at their next logon A principal’s password. You must inform the principalPassword Tab Principal Information Window Password Tab Principal InformationWindow Chapter 139 Change Password Window Password Tab Change Password window Password tabChapter 141 To change a DES principal’s key type to 3DES Changing Key TypesChapter 143 To change principal attributes Changing Principal AttributesAttributes Tab Principal Information Window Attributes Tab Principal Information146 Chapter 147 148 Chapter 149 To delete a service principal Deleting a Service PrincipalTo securely extract principal keys to the service key Extracting Service Keys152 Extract Service Key Table Window Extract Service Key Table window154 To edit the default group Using Groups to Control SettingsGroup Information window Principal Group Information Window Default Principal Attributes Setting the Default Group Principal AttributesPrincipal Attributes To set administrative permissions Setting Administrative PermissionsAdministrative Permissions Administrative PermissionsChapter 161 162 Realms Tab Realms Tab10 Realm Information Window Realms Tab Realm Information window Realms tabTo add a realm Adding a RealmTo delete a realm Deleting a RealmRemote Administrator kadminui 168 Administration Manual Administration Using kadmin Chapter 171 Add Random Key Add a New PrincipalChange Password to a New Randomly Generated Password Specify New PasswordDelete a Principal Extract a Principal Modifying a Principal List the Attributes of a PrincipalNumber of Authentication failures fcnt To modify the principal admin, you need to do the followingAttributes Key Version Number AttributeAllow Renewable Attribute Allow Postdated AttributeAllow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication AttributeRequire Password Change Attribute Lock Principal Attribute Allow as Service AttributeFollowing Require Initial Authentication AttributeTgtbased Authentication Set As Password Change Service AttributePassword Expiration Attribute Maximum Ticket Lifetime Attribute Principal Expiration AttributeKey Type Attribute Maximum Renew Time AttributeSalt Type Attribute Chapter 189 Principal Database Utilities If you want to Use This Tool Principal Database UtilitiesCreating the Kerberos Database 192 Database Encryption Database Master Password Destroying the Kerberos Database Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key Chapter 199 Starting and Stopping Daemons Services Situation Daemons and ServicesSituations that require Starting and Stopping Daemons Master Password Maintenance TasksProtecting Security Server Secrets Host/fqdn@REALMSpecial Note on Backing up the Principal Database Backing Up Primary Server DataChapter 203 Removing Unused Space From the Database Chapter 205 206 Propagation 208 Propagation Relationships Propagation HierarchyExtracting a Key to the Service Key Table File Service Key Table v5srvtabMaintaining Secret Keys In The Key Table File Deleting Older Keys From the Service Key Table File Creating a New Service Key Table FilePropagation Tools If You Want To Use This Tool Propagation ToolsChapter 213 Kpropd Mkpropcf 216 Kpropd.ini Sections Defaultvalues sectionChapter 219 Secsrvname Section All servers contain the following entries Examples222 Prpadmin Setting Up Propagation Chapter 225 226 Chapter 227 228 Monitoring Propagation Critical Error MessagesMonitoring the Log File Monitoring for Old File Date and Large File Size Monitoring Propagation Queue FilesComparing the Database to its Copies Principal.ok Time Stamp Does Not UpdateAdministration Appears Normal Authentication Problems OccurAuthentication Tests Succeed Log Files Indicate ProblemsNumber of Principals Does Not Match KdbdumpRestarting Propagation Using the Simple Process Propagation Failure Restarting Propagation Using the Full Dump MethodConverting a Secondary Server to a Primary Server Cleaning the Temp Directory Restarting Services238 Number of Realms per Database Conﬁguring for Multi-realm EnterprisesPrimary Servers That Support Multiple Realms Adding More Realms to a Multi-realm Database Multiple Primary Servers That Support a Single RealmDatabase Propagation for Multi-realm Databases To Conﬁgure a propagation in a multi-realm environment 242 Inter-realm 244 One-way Trust Considering Trust RelationshipsTwo-way Trust Other Types Of Trust Hierarchical TrustChapter 247 248 Chapter 249 Conﬁguring Direct Trust Relationships Direct Trust Relationship Example Hierarchical Chain of Trust Hierarchical Inter-realm TrustHierarchical Inter-realm Example Hierarchical Inter-realm Conﬁguration 254 Chapter 255 256 Chapter 257 258 Troubleshooting 260 Chapter 261 Characterizing the Problem Chapter 263 Diagnostic Tools Diagnostic Tools SummaryError Messages Troubleshooting KerberosLogging Capabilities Unix Syslog File Services ChecklistTroubleshooting Techniques Table of Errors Messages Chapter 269 270 Forgotten Passwords General ErrorsLocking and Unlocking Accounts Clock Synchronization Decrypt integrity check failed Typical User Error MessagesPassword has expired while getting initial ticket Administrative Error MessagesService key not available while getting initial ticket ActionChapter 275 Reporting Problems to Your Hewlett-Packard Support Contact Chapter 277 278 Glossary Glossary Glossary 281 Ticket-granting-ticket Index Symbols284 285

Related manuals

Manual 327 pages 9.34 Kb

Manual 13 pages 9.67 Kb