Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 10 Managing Multiple Realms

Considering a Trust Relationship
You can establish a multiple realm environment within your enterprise. Whatever the reason for doing so, if principals in one realm need access to secured services supported in a different realm, you must establish a trust relationship between the realms. When two distinct realms share secret keys, the two realms are said to trust each other. With that trust in place, principals can securely access services in their native realm as well as those in the trusted foreign realm.

Interrealm authentication builds on the secure authentication between users and the security server within a single realm. The shared interrealm key between trusted servers provides the extra link that creates a chain of trust, allowing a principal in one realm to authenticate to a service in a trusted foreign realm. To establish a trust relationship, the administrators of both realms must have an agreement.

You can configure your Kerberos servers for interrealm authentication based on one-way trust, two-way trust, or hierarchical trust.

In interrealm authentication, one-way trust authenticates principals in a realm (Q) to the services in another realm (S), but prevents principals in realm S from accessing services in realm Q. In simple terms, if Harry trusts Sally with his secrets, but Sally does not trust Harry with her secrets, Harry and Sally have a one-way trust relationship between them.

In interrealm authentication, two-way trust authenticates principals in a realm (Q) to the services in another realm (S), and principals in realm S to the services in realm Q. In simpler terms, if Harry trusts Sally with his secrets, and Sally trusts Harry with her secrets, Harry and Sally have a two-way trust relationship between them.

In interrealm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms. The chain relies on a hierarchical realm naming scheme. For example, IT.BAMBI.COM and DEER.JUNGLE.COM are child realms of their respective parent realms, BAMBI.COM and JUNGLE.COM. If both child realms have two-way trust with their parent realm, and the two parent realms have a direct trust link, IT.BAMBI.COM and DEER.JUNGLE.COM can have hierarchical interrealm trust between them. To support hierarchical trust in Kerberos servers, you must have a realm hierarchy, where each realm has a direct relationship with a parent and potentially several children.

You may choose to interoperate with other Kerberos implementations. HP Kerberos server, Microsoft Windows 2000, and MIT Kerberos servers provide Kerberos security solutions following the same IETF standard. HP Kerberos server can interoperate with these other solutions, which allows you to selectively deploy the platforms you choose to meet the needs of your company. For more information on interoperability with Windows 2000, see Chapter 4 "Interoperability with Windows 2000".
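The following trust-chain checker is an added example and is not part of HP's guide or the HP Kerberos server software. It models each shared interrealm key as a directed link (Q, S) meaning "principals in Q may authenticate to services in S", derives a realm's parent from the hierarchical naming scheme, and searches for a chain of such links between two realms. It also lists the cross-realm ticket-granting principals (krbtgt/S@Q, the naming used by RFC 4120 and MIT Kerberos) that both KDCs on each hop must hold with the same key; whether HP's server uses exactly that principal naming is an assumption here, as is the constructed trust configuration (the realms Q.EXAMPLE and S.EXAMPLE are invented; the BAMBI.COM and JUNGLE.COM realms come from the text above).

```python
"""Interrealm trust-chain checker (added example, not HP's code).

A trust link (Q, S) means: principals in realm Q can authenticate to
services in realm S.  In standard Kerberos (RFC 4120 / MIT conventions)
such a link exists when both KDCs hold the cross-realm principal
krbtgt/S@Q with the same key.  Two-way trust is a link in each direction.
"""
from collections import deque


def parent_realm(realm):
    """Parent of a hierarchically named realm (IT.BAMBI.COM -> BAMBI.COM).

    Assumption for this example: a two-label name such as BAMBI.COM is a
    top-level realm, so it has no parent and None is returned.
    """
    labels = realm.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def two_way(q, s):
    """Two-way trust between q and s is a one-way link in each direction."""
    return [(q, s), (s, q)]


def hierarchical_links(child_realms):
    """Two-way child<->parent links, as the hierarchy example requires."""
    links = []
    for child in child_realms:
        parent = parent_realm(child)
        if parent is not None:
            links.extend(two_way(child, parent))
    return links


def trust_chain(links, client_realm, service_realm):
    """Shortest chain of realms from client_realm to service_realm that
    follows configured links in their trusted direction only.

    Returns the list of realms on the chain, or None if no chain exists
    (for example the reverse direction of a one-way trust).
    """
    if client_realm == service_realm:
        return [client_realm]
    outgoing = {}
    for q, s in links:
        outgoing.setdefault(q, []).append(s)
    prev = {client_realm: None}          # breadth-first search parents
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        for nxt in outgoing.get(realm, []):
            if nxt in prev:
                continue
            prev[nxt] = realm
            if nxt == service_realm:
                chain = [nxt]
                while prev[chain[-1]] is not None:
                    chain.append(prev[chain[-1]])
                return chain[::-1]
            queue.append(nxt)
    return None


def cross_realm_principals(chain):
    """krbtgt principals that must share a key on each hop of the chain."""
    return ["krbtgt/%s@%s" % (s, q) for q, s in zip(chain, chain[1:])]


# Constructed trust configuration for the realms discussed above.
LINKS = (
    [("Q.EXAMPLE", "S.EXAMPLE")]                       # one-way: Q -> S only
    + hierarchical_links(["IT.BAMBI.COM", "DEER.JUNGLE.COM"])
    + two_way("BAMBI.COM", "JUNGLE.COM")               # direct parent link
)

if __name__ == "__main__":
    cases = [("Q.EXAMPLE", "S.EXAMPLE"),
             ("S.EXAMPLE", "Q.EXAMPLE"),
             ("IT.BAMBI.COM", "DEER.JUNGLE.COM")]
    for client, service in cases:
        chain = trust_chain(LINKS, client, service)
        if chain is None:
            print("%s -> %s: no trust chain" % (client, service))
        else:
            print("%s -> %s: %s" % (client, service, " -> ".join(chain)))
            for p in cross_realm_principals(chain):
                print("    needs shared key for", p)
```

Running the script shows that the one-way link lets Q.EXAMPLE principals reach S.EXAMPLE services but not the reverse, and that the hierarchical configuration yields the chain IT.BAMBI.COM, BAMBI.COM, JUNGLE.COM, DEER.JUNGLE.COM. The principal list for that chain is the checklist an administrator of each realm would confirm against the KDC database when debugging a failed cross-realm request: a missing or mismatched key on any single hop breaks the whole chain.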