HP-UX Kerberos Data Security Software manual
Contents
Kerberos Server Version
Administrator’s Guide
Warranty
U.S. Government License
Trademark Notices
Copyright Notices
1. Overview
2. Installing the Kerberos Server
3. Migrating to a Newer Version of the Kerberos Server
4. Interoperability with Windows
5. Configuring the Kerberos Server With C-Tree Backend
6. Configuring the Kerberos Server with LDAP
7. Configuring the Primary and Secondary Security Server
8. Administering the Kerberos Server
9. Propagating the Kerberos Server
10. Managing Multiple Realms
11. Troubleshooting
Tables
Figures
Intended Audience
What Is in This Document
• Glossary
• Index
Typographic Conventions
bold
bold fixed width
HP-UX Release Name and Release Identifier
Table
HP-UX 11i Releases
Release
Supported
Related Documentation
Accessing the World Wide Web
Related Request for Comments (RFCs)
HP Encourages Your Comments
1 Overview
Introduction
Kerberos
How the Kerberos Server Works
Authentication Process
Figure
Authentication Process
Step
IMPORTANT
DES Versus 3DES Key Type Settings
Introduction to LDAP
LDAP Advantages
Integrating Kerberos Server v3.1 with LDAP
NOTE
How is the Kerberos Principal Integrated into the LDAP Directory
Integrating a Kerberos Principal into the LDAP Directory
Installing the Kerberos Server
Prerequisites
System Requirements
Hardware Requirements
Software Requirements
Version Compatibility
Installing the Server
Mark For Install
Install (analysis)
Migrating to a Newer Version of the Kerberos Server
Migrating from Kerberos Server Version 1.0 to
Migrating from Kerberos Server Version 2.0 to Version
Migrating from Kerberos Server Version 3.0 to Version
Interoperability with Windows
Understanding the Terminology
Table of Analogous Terms
Kerberos Server
Windows
Kerberos Server and Windows 2000 Interoperability
Scenario
Establishing Trust Between Kerberos Server and Windows
Single Realm (Domain) Authentication
Interrealm (Interdomain) Authentication
Special Considerations for Interoperability
Database Considerations
Encryption Considerations
Postdated Tickets
Configuring the Kerberos Server With C-Tree Backend
Configuration Files for the Kerberos Server
Security Server Files That Require Configuration
Configuration File
Function
The krb.conf File
The krb.realms File
The krb.realms File Format
Wildcard Characters
Wildcard Character
Description
Autoconfiguring the Kerberos Server
Return
Configuring the Kerberos Server with C-Tree
Server with LDAP
Configuration Files for LDAP Integration
LDAP Configuration Files
File
The krb5_ldap.conf File
The krb5_ldap.conf File Format
krb5_ldap.conf File Format
File Format
Parameter
krb5_ldap.conf File Format (Continued)
The krb5_schema.conf File
The krb5_schema.conf File Format
The
The krb5_map.conf File
Planning Your LDAP Configuration
Before You Begin
Setting up Your LDAP Configuration
Autoconfiguring the Kerberos Server With LDAP Integration
Configuring the Kerberos Server with LDAP
Manually Configuring the Kerberos Server with LDAP
Editing the Configuration Files
Configuring the Primary and Secondary Security Server
Configuring the Primary Security Server
Create the Principal Database After Installation
Add an Administrative Principal
To add an Administrative Principal Using the HP Kerberos
Administrator
Use the Edit>Edit Administrative Permissions menu to assign ALL
Require Password Change
Create the host/<fqdn> Principal and Extracting the Service Key
Start the Kerberos Daemons
Define Secondary Security Server Network Locations
Security Policies
Password Policy File
The admin_acl_file
Starting the Security Server
Configuring the Secondary Security Servers with C-Tree
Creating the Principal Database
Copying the Kerberos Configuration File
Creating a host/<fqdn> Principal and Extracting the Key
kdb_stash
Using Indexes to Improve Database Performance
Administering the Kerberos Server
Administering the Kerberos Database
The kadmind Command
Configuration Files Required for kadmind
File Name
The admin_acl_file File
Assigning Administrative Permissions
Administrative Permission Settings
Administrator Field Name
ACL File
Character
Adding Entries to admin_acl_file
Principal Information window>Attribute tab
Creating Administrative Accounts
Using Restricted Administrator
How the r/R Modifiers Work
Password Policy File
Editing the Default File
Default Password Policy Settings for the Base Group
Password Policy Setting
Default Value
Principals
Adding User Principals
Adding New Service Principals
Reserved Service Principals
K/M@REALM:
default@REALM:
krbtgt/REALM@REALM:
kadmin/REALM@REALM:
kadmin/changepw@REALM:
kcpwd/REALM@REALM:
host/fqdn@REALM:
Removing User Principals
Removing Special Privilege Settings
Protecting a Secret Key
Removing Service Principals
The kadmin and kadminl Utilities
Administration Utilities
Name
HP Kerberos Administrator
Standard Functionality of the Administrator
Function of OK, Apply, and Cancel Buttons
Button Name
Action
Apply
Local Administrator – kadminl_ui
Using kadminl_ui
Principals Tab
Principals Tab Components
Component Name
Realm
Principals Tab Components (Continued)
List All
Search String
Search
List of Principals
General Tab (Principal Information Window)
Principal Information Window
Principal Information Window Components
Field Name
Principal
Principal Information Window Components (Continued)
LDAP DN
General Tab
Password Tab
Attributes Tab
General Tab Components (Continued)
Principal Expiration
Maximum Ticket Lifetime
Maximum Renew Time
Allow
Password Policy
Last Modified
Modified By
Adding Principals to the Database
Principal Information>Edit>Load Default values
Change Password Window
Adding Multiple Principals with Similar Settings
Creating an Administrative Principal
Require Preauthentication
Select Principal Information>Edit>Edit Administrative Permissions
Administrative Permissions Window
*All
Searching for a Principal
Search Criteria
Search Criteria (Continued)
Deleting a Principal
Loading Default Values for a Principal
Edit>Edit Default
Group
Edit>Load Default Values
Restoring Previously Saved Values for a Principal
Edit>Restore Values
Changing Ticket Information
Rules for Setting Maximum Ticket Lifetime
General>Maximum Ticket Lifetime
Rules for Setting Maximum Renew Time
Principal Information>General>Maximum Renew Time
Allow Renewable
window>Attributes
Information>General
Changing Password Information
Password Expiration Date
Principals
Password Tab (Principal Information Window)
Password Tab Components
Password Tab Components (Continued)
Password
Expiration/Date
Key Version
Number
Change Password Window (Password Tab)
Generate Random Key
Change Password Window Components
Components
Generate Random
Key
New Password
Verification
Changing a Key Type
Changing a DES-CRC or DES-MD5 Principal Key Type to 3DES
DES-CRC
DES-MD5
Changing Principal Attributes
Attributes Tab (Principal Information
LDAP Attributes Tab (Principal Information Window)
Deleting a Service Principal
Yes
Extracting Service Keys
Select Principal Information>Edit>Extract Service Key to display
8. Select the Generate New Random Key before Extracting option. HP
Extracting a Service Key Table
Extract Service Key Table Components
Component
Service Key
Table Type
Table Name
Using Groups to Control Settings
Editing the Default Group
Choose Principal Information>Edit, and select the Edit Defaults
Group Information Window (Principal Information Window)
Principal Attributes
Setting the Default Group Principal Attributes
Default Principal Attributes
Setting Administrative Permissions
Choose the Principal Information>Edit, and choose the Edit Administrative Permissions
Principal Information>Edit
Edit Administrative Permissions
Figure 8-11 Administrative Permissions Window
Add Principals
Modify
Inquire about
Permission for this principal in This Realm box>Inquire
about Principals attribute
Group Information Window Components (Continued)
Restricted
override the Principal Information>Edit>Edit Group Default
Edit Group
Defaults
Administrative
Information>Edit>Edit Administrative
Permissions>Administrative Permissions window
All
Realms Tab
Realms
Realms Tab
Realms Tab Components
List of Realms
Realm Information Window
Figure 8-13 Realm Information Window
Realm Information Window Components
Adding a Realm
Deleting a Realm
Remote Administrator – kadmin_ui
Logon Screen
Change Password Screen
Warning Message
Manual Administration Using kadmin
Adding a New Principal
Adding a Random Key
Specifying a New Password
Changing Password to a New Randomly Generated
Password
Deleting a Principal
Extracting a Principal
Listing the Attributes of a Principal
Modifying a Principal
Number of Authentication Failures (fcnt)
Key Version Number Attribute
Policy Name
Allow Postdated Attribute
Allow Renewable Attribute
Allow Forwardable Attribute
Allow Proxy Attribute
Allow Duplicate Session Key Attribute
Require Preauthentication Attribute
Require Password Change Attribute
Lock Principal Attribute
Allow As Service Attribute
Require Initial Authentication Attribute
In Principal Information>Edit>Edit Administrative Permissions
Require Initial Authentication Attribute Settings
Attributes Tab Check-Box
HP Kerberos
kadmin inq
Setting
Password Expiration Attribute
Principal Expiration Attribute
Maximum Ticket Lifetime Attribute
Maximum Renew Time Attribute
Key Type Attribute
Salt Type Attribute
Principal Database Utilities
Utility
Task
Kerberos Database Utilities
Database Encryption
Database Master Password
Destroying the Kerberos Database
yes
Dumping the Kerberos Database
Loading the Kerberos Database
Stashing the Master Key
Starting and Stopping Daemons
Starting and Stopping Daemons and Services
Situation
Daemons and Services
Maintenance Tasks
Protecting Security Server Secrets
host/fqdn@REALM
Master Password
Backing Up primary security server Data
Backing Up the Principal Database
Removing Unused Space from the Database
Propagating the Kerberos
10 Managing Multiple Realms
Considering a Trust Relationship
One-Way Trust
Two-Way Trust
Hierarchical Trust
Other Types of Trust
Configuring Direct Trust Relationships
Hierarchical Interrealm Trust
Hierarchical Chain of Trust
Hierarchical Interrealm Configuration
Figure 10-1 Hierarchical Interrealm Configuration
Configuring the Local Realm
Configuring the Intermediate Realm
Configuring the Target Realm
11 Troubleshooting
Characterizing a Problem
Diagnostic Tools Summary
Diagnostic Tools
Tool
Troubleshooting Kerberos
Error Messages
Logging Capabilities
UNIX Syslog File
Services Checklist
Troubleshooting Techniques
Troubleshooting Scenarios
Cause
Troubleshooting
Troubleshooting Scenarios (Continued)
Troubleshooting Scenarios for your LDAP-based Kerberos server
server (Continued)
General Errors
Forgotten Passwords
Locking and Unlocking Accounts
Administrator>Principal Information>Principals
Clock Synchronization
User Error Messages
Decrypt Integrity Check Failed
Explanation:
Action:
Password Has Already Been Used or Is Too Close to Current One
Administrative Error Messages
Password Has Expired While Getting Initial Ticket
Principal Information>Attributes
Service Key Not Available While Getting Initial Ticket
Reporting Problems to Your HP Support Contact
A Configuration Worksheet
Table A-1
Configuration Worksheet
Configuration Worksheet for LDAP database
Table A-2
Configuration Worksheet Explanation
Configuration Worksheet Explanation (Continued)
Sample krb.conf File
The services File
Sample krb.realms File
Glossary
A-B
kpropd.ini
krb.conf
krb.realms
mkpropcf
password.policy
v5srvtab
Ticket-granting ticket See TGT
v5srvtab
Symbols
Index