Configuring the Primary and Secondary Security Server

Configuring the Secondary Security Servers with C-Tree

You can now configure the secondary security servers. Assuming that you are setting up the primary security server so that you can easily switch the primary security server with one of the secondary security servers, you must perform each of the steps on the primary security server as well as on the secondary security server.

All secondary security servers require the following basic configuration tasks:

Creating the principal database.

Copying the Kerberos configuration files.

Creating a host/<fqdn> principal and extracting its key.

Creating the Principal Database

By default, the Kerberos security server uses DES3 to encrypt the principal database. If you are using DES encryption to secure your principal database, use the following command:

kdb_create -s -e enctype

where enctype is DES-CBC-CRC, DES-CBC-MD5, or DES3-CBC-MD5. You can also specify 1 for DES-CBC-CRC, 3 for DES-CBC-MD5, and 5 for DES3-CBC-MD5.

Copying the Kerberos Configuration File

Each secondary security server must have a copy of the Kerberos configuration files from the primary security server. The following is the default path and file name:

/opt/krb5/krb.conf

The following lists the default configuration files required on the secondary security server:

krb.conf

krb.realms
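The following shell check is an added example, not part of the original guide: it confirms that a secondary's krb.conf and krb.realms are byte-identical to copies staged from the primary, and reports any file that is missing or differs. It assumes both files sit in the same directory on each side; the function names, temporary directories and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the Kerberos configuration files on a secondary
# against reference copies taken from the primary.
# File names come from the guide; the directories are arguments
# (assumption: krb.realms sits beside krb.conf).

KRB_FILES="krb.conf krb.realms"

# check_krb_conf REFERENCE_DIR LOCAL_DIR
# Prints one status line per file and returns the number of files that
# are missing or differ (0 means the secondary matches the primary).
check_krb_conf() {
    ref_dir=$1
    local_dir=$2
    bad=0
    for f in $KRB_FILES; do
        if [ ! -f "$ref_dir/$f" ]; then
            echo "NOREF    $f (not in $ref_dir)"
            bad=$((bad + 1))
        elif [ ! -f "$local_dir/$f" ]; then
            echo "MISSING  $f (not in $local_dir)"
            bad=$((bad + 1))
        elif ! cmp -s "$ref_dir/$f" "$local_dir/$f"; then
            echo "DIFFERS  $f"
            bad=$((bad + 1))
        else
            echo "OK       $f"
        fi
    done
    return "$bad"
}

# Constructed demonstration: temporary directories stand in for the
# primary's staged files and for the secondary's /opt/krb5.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/primary" "$tmp/secondary"
    echo "constructed placeholder contents A" > "$tmp/primary/krb.conf"
    echo "constructed placeholder contents B" > "$tmp/primary/krb.realms"
    cp "$tmp/primary/krb.conf" "$tmp/secondary/krb.conf"  # krb.realms left out on purpose
    check_krb_conf "$tmp/primary" "$tmp/secondary"
    demo_rc=$?
    rm -rf "$tmp"
    return "$demo_rc"
}

demo || echo "secondary configuration is incomplete or differs from the primary"
```

On a real secondary, the second argument would be /opt/krb5 and the first a directory holding the files transferred from the primary.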
