Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 9 Propagating the Kerberos Server > Configuring Multirealm Enterprises
When you support multiple realms, additional configuration steps are required for both the security servers and the clients. This section discusses the server requirements.

A single primary security server can support more than one realm. If you have a centralized administration group that controls the security needs of your enterprise, you can support all the realms on one primary security server. Alternatively, if you have distributed administration groups, you may need to support a single realm on each primary security server. This arrangement has different configuration requirements. If you are supporting only one realm per primary security server, configure the server normally and create the required trust relationships, as described in “Configuring Direct Trust Relationships”. You must perform additional configuration tasks if you are supporting more than one realm per primary security server.

If you choose to support more than one realm in the database of a primary security server, you must decide whether all the secondary security servers also support multiple realms. Alternatively, you can have different branches of secondary security servers: one branch for each realm supported in the principal database. You can configure propagation to propagate only selected realms to a secondary security server. With this propagation configuration, you can maximize the benefits of creating multiple security boundaries in your enterprise: if an authentication server in one branch is compromised, database information about the other branches is still secure.

You must have one primary security server for each realm if you have distributed administrative groups in which each group maintains its own realm information. You cannot propagate changes from one primary security server to another; you can only propagate changes from a primary security server to a secondary security server. Therefore, when you have multiple primary security servers, each supporting only a single database, you do not need to change your propagation configuration from the single-realm scheme. Before adding realms to a database, complete the following steps:

In the next section, HP assumes that you have not yet configured propagation before you start adding realms. To add realms to the database, you can authenticate from a client using the administrative principal account and run the remote administrator, kadmin_ui, or you can log on to the primary security server and run the local administrator, kadminl_ui. When you are running the administrator, add the additional realms using the Realms tab. For more information on creating realms, see “Realms Tab”.

After adding all the realms to the database, you must decide which secondary security servers support multiple realms. If you plan to support more than one realm in a single principal database on a primary security server and to propagate only selected realms to certain secondary security servers, you must perform additional steps when you configure propagation. HP assumes that you are familiar with the propagation setup procedure as specified in “Propagation Hierarchy”.

You can follow the standard propagation configuration if you have configured a multirealm environment that has only one realm for every primary security server. In other words, if you have multiple primary security servers, or if you want to propagate all realms from the primary security server to each secondary security server, complete the following steps:
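The security-boundary argument above (propagating only selected realms to each branch of secondaries limits what a compromised server exposes) can be made concrete with a small model. The following Python is an added example, not code from the HP Kerberos Server product and not its propagation configuration format: it treats the principal database as a plain dictionary, the propagation tree as nested objects, and computes which realms' principal data would be present on any given server. Server and realm names, and the assumption that a secondary may in turn feed further secondaries, are constructed for the illustration.

```python
"""
Constructed model (not HP's kadmin/propagation code or config format) of
selective realm propagation from a primary security server down a tree of
secondary security servers. It shows the property the guide describes:
a secondary that only receives selected realms never holds, and so cannot
leak, the principals of realms outside its branch.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityServer:
    name: str                                       # hypothetical host label
    realms_served: frozenset                        # realms this server may hold
    database: dict = field(default_factory=dict)    # realm -> {principal: record}
    children: list = field(default_factory=list)    # secondaries fed by this server


def propagate(src: SecurityServer) -> None:
    """Push the source database down the tree, keeping only the realms each
    secondary is configured to serve. Propagation flows one way, from a server
    to the secondaries below it; primaries never receive from one another.
    (That a secondary feeds further secondaries is an assumption of this model.)"""
    for child in src.children:
        child.database = {
            realm: dict(principals)
            for realm, principals in src.database.items()
            if realm in child.realms_served
        }
        propagate(child)


def exposed_realms(tree_root: SecurityServer, compromised: str) -> frozenset:
    """Realms whose principal data sits on the named server, i.e. what someone
    holding that server's database copy would obtain."""
    stack = [tree_root]
    while stack:
        node = stack.pop()
        if node.name == compromised:
            return frozenset(r for r, p in node.database.items() if p)
        stack.extend(node.children)
    raise KeyError(compromised)


def build_example() -> SecurityServer:
    """Constructed topology: one primary holding two realms, one branch of
    secondaries per realm, plus one secondary configured for every realm so the
    difference in exposure is visible side by side."""
    primary = SecurityServer("primary", frozenset({"A.EXAMPLE", "B.EXAMPLE"}))
    primary.database = {                          # constructed sample principals
        "A.EXAMPLE": {"alice@A.EXAMPLE": "key-a1", "svc/host@A.EXAMPLE": "key-a2"},
        "B.EXAMPLE": {"bob@B.EXAMPLE": "key-b1"},
    }
    branch_a = SecurityServer("sec-a1", frozenset({"A.EXAMPLE"}))
    branch_a.children.append(SecurityServer("sec-a2", frozenset({"A.EXAMPLE"})))
    branch_b = SecurityServer("sec-b1", frozenset({"B.EXAMPLE"}))
    # A secondary that receives all realms has no boundary benefit: losing it
    # means losing both realms' principal data.
    all_realms = SecurityServer("sec-all", frozenset({"A.EXAMPLE", "B.EXAMPLE"}))
    primary.children.extend([branch_a, branch_b, all_realms])
    propagate(primary)
    return primary


if __name__ == "__main__":
    root = build_example()
    for server in ("sec-a1", "sec-a2", "sec-b1", "sec-all"):
        print(server, "holds", sorted(exposed_realms(root, server)))
```

Running the module prints, for each secondary, the realms it actually holds after propagation; the per-realm branches hold one realm each, while the server configured for all realms holds both. When planning a real deployment, the decision the guide asks for (which secondaries support multiple realms) is exactly the `realms_served` assignment in this model.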