Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 8 Administering the Kerberos Server

Maintenance Tasks

Following are the maintenance tasks associated with the Kerberos server:

Protecting Security Server Secrets

The Kerberos server stores the following types of secrets:

  • host/fqdn@REALM service principal

  • Master password

It is crucial that these secrets not be compromised. Performing simple maintenance tasks and following password protection guidelines help prevent security breaches.

host/fqdn@REALM

The host/fqdn@REALM service principal is required for database propagation. When you change this key, you must generate a new key, extract it to the server's service key table file, and delete the old key. See "Maintaining Secret Keys in the Key Table File" for more information on performing these tasks.

NOTE: During key generation and extraction of the host/fqdn@REALM principal, the current service tickets become invalid; because service tickets are created at each application logon, application users are not affected by the update.

Master Password

You must enter the master password when installing a Kerberos server and when using the principal database utilities. You must select a strong password and make sure that it is kept safe from intruders. See “Database Master Password”, for more information on selecting and protecting the master password.

Backing Up Primary Security Server Data

Save the copied information to a CD or tape — whatever your preferred archive method is.

Be aware that primary security server files contain sensitive information; therefore, do not copy files unless you intend to properly secure the backup copies.

Be sure to make backup copies of the following:

  • admin_acl_file

  • password.policy (password.pol)

  • Principal database files

  • krb.conf

Certain files contain extremely sensitive information, and HP recommends that you do not make backup copies of the following files:

  • .k5.REALM — Instead, recreate this file by using the kdb_stash utility. You must know the master password and specify the correct encryption type to run this utility.

  • v5srvtab — Instead, recreate this file by re-extracting the key for any service principal contained in the file, typically the host/fqdn@REALM principal for the primary security server.

Backing Up the Principal Database

If you have a server architecture that uses a second level of propagation servers, you can back up your principal database with minimal effect on application users. See Chapter 9 “Propagating the Kerberos Server”.

NOTE: If you do not use secondary security servers as propagation servers, you can temporarily halt propagation to one of the secondary security servers acting as an authentication server, provided you have a properly configured redundant server.

To back up your principal database, complete the following steps:

  1. Stop the services and daemons by running the following command as a root user:

     # /sbin/init.d/krbsrv stop

  2. Copy the principal.dat, principal.idx, and principal.ok files from one of the propagation servers to your desired destination, for example, CD-ROM or tape. The files are located at /opt/krb5.

  3. Restart the services and daemons by running the following command as a root user:

     # /opt/krb5/sbin/kpropd

     All the new principal database information recorded on the primary security server during your database backup is copied to each secondary security server when propagation resumes.
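The following script is an added example (not part of the HP guide) that carries out the backup procedure above and enforces the exclusion list from "Backing Up Primary Security Server Data": it stops the daemons, archives the listed files with root-only permissions, restarts the daemons, and refuses to hand back an archive that contains the stash file or the service key table. It assumes that all listed files live under KRB5_DIR (defaulting to /opt/krb5; the page only gives that path for the principal database files) and that STOP_CMD and RESTART_CMD match the commands on this page.

```shell
#!/bin/sh
# Added example: back up the Kerberos server files this page lists while
# keeping the stash file (.k5.REALM) and service key table (v5srvtab) out
# of the archive. Assumptions not stated on the page: every listed file
# lives under KRB5_DIR, and STOP_CMD/RESTART_CMD match the site's setup.
KRB5_DIR=${KRB5_DIR:-/opt/krb5}
STOP_CMD=${STOP_CMD:-"/sbin/init.d/krbsrv stop"}
RESTART_CMD=${RESTART_CMD:-/opt/krb5/sbin/kpropd}

# Files the page says to archive (password.policy may be named password.pol).
BACKUP_FILES="admin_acl_file password.policy password.pol principal.dat principal.idx principal.ok krb.conf"

# archive_leaks_secrets ARCHIVE: succeed (0) if the tar contains a stash
# file or key table, i.e. something the page says never to back up.
archive_leaks_secrets() {
    tar tf "$1" | grep -E '(^|/)(\.k5\.[^/]+|v5srvtab)$' >/dev/null
}

# krb_backup DEST_DIR: stop the daemons, archive the files with root-only
# permissions, restart the daemons, and print the archive path.
krb_backup() {
    dest=$1
    archive="$dest/krb5-backup-$(date +%Y%m%d%H%M%S).tar"
    mkdir -p "$dest" || return 1
    $STOP_CMD || return 1
    list=""
    for f in $BACKUP_FILES; do
        if [ -f "$KRB5_DIR/$f" ]; then list="$list $f"; fi
    done
    rc=1
    if [ -n "$list" ]; then
        # umask in a subshell so the archive is created mode 0600
        (umask 077 && cd "$KRB5_DIR" && tar cf "$archive" $list) && rc=0
    fi
    $RESTART_CMD || rc=1          # always bring the daemons back
    [ $rc -eq 0 ] || return 1
    # Refuse to hand back an archive that somehow picked up a secret.
    if archive_leaks_secrets "$archive"; then
        rm -f "$archive"
        return 1
    fi
    echo "$archive"
}
```

Run it as root with the destination directory as the only argument, for example `krb_backup /var/backups/krb5`, then move the printed archive to your offline medium.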

© 2007 Hewlett-Packard Development Company, L.P.