Propagation

Configuring for Multi-realm Enterprises

When you support multiple realms, there are additional configuration steps required for both the Security Servers and Clients. This section addresses the Server requirements.

Number of Realms per Database

A single Primary Security Server can support more than one realm. If you have a centralized administration group that controls the security needs for your enterprise, you can support all realms in one primary server.

Alternatively, if you have decentralized administration groups, you may need to support a single realm per Primary Server. This arrangement has different configuration requirements.

If you are only supporting one realm per Primary Server, you configure the server normally, and then create the required trust relationships, as described in “Configuring Direct Trust Relationships” on page 250.

If you are supporting more than one realm per Primary Server, there are additional configuration tasks that you must perform.

Primary Servers That Support Multiple Realms

If you choose to support more than one realm in a Primary Server’s database, then you must decide if all the Secondary Servers will support multiple realms. Alternatively, you can have different branches of Secondary Servers, one branch for each realm supported in the principal database.

Propagation can be configured to propagate only selected realms to a Secondary Server. This enables you to maximize the benefits of creating multiple security boundaries in your enterprise. In the event that an authentication server in one branch is compromised, database information about other branches is still secure.

Chapter 7

239

HP UX Kerberos Data Security Software manual Configuring for Multi-realm Enterprises, Number of Realms per Database