IBM SG24-5131-00 manual Configuring Kerberos Security with Hacmp Version

allow the clients to get service tickets to be used with other servers without the need to give them the password every time they request services.

So, given a user has a ticket-granting ticket, if a user requests a kerberized service, he has to get a service ticket for it. In order to get one, the kerberized command sends an encrypted message, containing the requested service name, the machine’s name, and a time-stamp to the Kerberos server. The Kerberos server decrypts the message, checks whether everything is in order, and if so, sends back a service ticket encrypted with the service’s private key, so that only the requested service can decrypt it. The client sends his request along with the just received ticket to the service provider, who in turn decrypts and checks authorization, and then, if it is in order, provides the requested service to the client.

9.2.1 Configuring Kerberos Security with HACMP Version 4.3

With HACMP Version 4.3 there is a handy script to do the kerberos setup for you, called cl_setup_kerberos. It sets up all the IP labels defined to the HACMP cluster together with the needed kerberos principals, so that remote kerberized commands will work.

On an SP the setup_authent command does the SP-related kerberos setup, which is based on the IP labels found in the SDR. Since the SDR does not allow multiple IP labels to be defined on the same interface, whereas HACMP needs to have multiple IP labels on one interface during IPAT, the kerberos setup for HACMP has to be redone, every time the setup_authent command is run explicitly or implicitly through the setup_server command.

You can either do that manually, or use the cl_setup_kerberos tool. To manually add the kerberos principals, use the kadmin command. Necessary principals for kerberized operation in enhanced security mode are the (remote) rcmd principals and the godm principals. As always, a kerberos principal consists of a name, godm for example, an IP label, like hadave1_stby and a realm, so that the principal in its full length would look like godm.hadave1_stby@ITSO.AUSTIN.IBM.COM.

Now after adding all the needed principals to the kerberos database, you must also add them to the /etc/krb-srvtab file on the nodes. To do that, you will have to extract them from the database and copy them out to the nodes, replacing their kerberos file.

Now you can extend root’s .klogin file and /etc/krb.realms file to reflect the new principals, and copy these files out to the node as well.

Special RS/6000 SP Topics 189