Managing Multiple Realms

Considering a Trust Relationship

Hierarchical Trust

In interrealm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms. The chain relies on a hierarchical realm naming scheme.

For example, IT.BAMBI.COM and DEER.JUNGLE.COM are child realms of their respective parent realms, BAMBI.COM and JUNGLE.COM. If both child realms have two-way trust with the parent realm, and the two parent realms have a direct trust link, IT.BAMBI.COM and DEER.JUNGLE.COM can have hierarchical interrealm trust between them.

To support hierarchical trust in Kerberos servers, you must have a realm hierarchy, where each realm has a direct relationship with a parent and potentially several children.
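The chain of trust described above can be checked mechanically. The following Python sketch is an added example, not code from the HP Kerberos server: it models each trust direction as a pair of realms, walks the realm hierarchy by name, and lists the cross-realm `krbtgt` principals each hop relies on (the standard `krbtgt/TARGET@SOURCE` naming). The trust table, function names, and path search are assumptions made for illustration.

```python
# Added illustration: realm names are from the text; the trust table is constructed.

def two_way(a, b):
    """Both directions of a trust link between realms a and b."""
    return {(a, b), (b, a)}

# (a, b) means a key for krbtgt/b@a exists, so principals in a can reach b.
TRUSTS = (two_way("IT.BAMBI.COM", "BAMBI.COM")
          | two_way("DEER.JUNGLE.COM", "JUNGLE.COM")
          | two_way("BAMBI.COM", "JUNGLE.COM"))

def ancestors(realm):
    """The realm followed by each parent: A.B.COM -> [A.B.COM, B.COM, COM]."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

def trust_path(src, dst, trusts):
    """Return the chain of realms from src to dst, or None if the chain is broken.

    Climbs from src through its parents, crosses at a shared ancestor or a
    direct link, then descends to dst. Every hop must be in the trust table.
    """
    up, down = ancestors(src), ancestors(dst)
    for i, a in enumerate(up):
        # The hop from the previous realm up to this parent must be trusted.
        if i > 0 and (up[i - 1], a) not in trusts:
            break
        for j, b in enumerate(down):
            # Every hop descending from b to dst must be trusted as well.
            if any((down[k], down[k - 1]) not in trusts for k in range(j, 0, -1)):
                break
            if a == b:  # shared ancestor realm
                return up[:i + 1] + down[:j][::-1]
            if (a, b) in trusts:  # direct link between the two branches
                return up[:i + 1] + down[:j + 1][::-1]
    return None

def tgt_principals(path):
    """Cross-realm TGT principal used at each hop of the path."""
    return [f"krbtgt/{b}@{a}" for a, b in zip(path, path[1:])]

if __name__ == "__main__":
    path = trust_path("IT.BAMBI.COM", "DEER.JUNGLE.COM", TRUSTS)
    print(" -> ".join(path))
    for principal in tgt_principals(path):
        print(principal)
```

Removing any single pair from the table breaks the chain in that direction only, which is a quick way to see which links a one-way trust leaves unreachable.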

Other Types of Trust

You may choose to interoperate with other Kerberos implementations. HP Kerberos server, Microsoft Windows 2000, and MIT Kerberos servers provide Kerberos security solutions following the same IETF standard. HP Kerberos server can interoperate with these other solutions, which allows you to selectively deploy the platforms you choose to meet the needs of your company.

For more information on interoperability with Windows 2000, see Chapter 4, “Interoperability with Windows 2000,” on page 51.
