Installing and Administering Internet Services: HP 9000 Networking > Chapter 3 Secure Internet Services

Configuration Requirements of the Secure Environment

The main purpose of this chapter is to provide information required specifically for the Secure Internet Services. However, because the Secure Internet Services can only be used successfully in a correctly configured secure environment, this section also discusses some general requirements of that environment.

For specific configuration information, refer to your KDC (security server) provider's and your security client provider's documentation.

For configurations that include any HP nodes (HP DCE Security Server, HP DCE client, HP Kerberos Client), see Using HP DCE 9000 Security with Kerberos Applications, available in PostScript and ASCII form in the directory /opt/dce/newconfig/RelNotes/ in the files krbWhitePaper.ps and krbWhitePaper.text.

Requirements on the KDC

  1. The KDC (Security Server) software should be running.

  2. User accounts should be created, as necessary.

  3. User and service (host and optionally ftp) principals should exist in the KDC database.

Requirements on the Security Clients

  1. The following service entry for the KDC port must exist in the /etc/services file or in the NIS services map.

    kerberos5 88/udp kdc

  2. The security client software should be installed.

    The Kerberos commands kinit, klist and kdestroy should all exist.

    For HP DCE and HP Kerberos clients the HP DCE file set, DCE-Core.DCE-CORE-RUN, must be configured.

  3. A configuration file called /krb5/krb.conf must exist.

    This file specifies the default realm or cell name and also maps realm or cell names to KDCs. Suggested ownership and permissions for this file are owner root, group sys, mode -r--r--r--.

    For HP DCE Clients this file is automatically created when the client is configured into the HP DCE cell. Additional entries can be added manually.

  4. A realms file called /krb5/krb.realms must exist.

    This file is used to associate host names with realm or cell names. Suggested ownership and permissions for this file are owner root, group sys, mode -r--r--r--.

  5. A keytab file called /krb5/v5srvtab must exist.

    This file must be owned by root, and only root may have read and write permission on it.

    This keytab file must contain the service principal names and their associated secret keys. The application server uses the key found in its keytab file to decrypt the service ticket sent to it by the application client.

    HP Kerberos Security Clients

    • For HP Kerberos security clients, the service principal's secret key must first be created on the KDC, even though it is ultimately required to be in a file on the security client. On an HP DCE Security Server use the dcecp command. On a non-HP Kerberos V5 KDC use the appropriate command.

      The keytab then needs to be securely copied to the target client node. This can be difficult if you have no secure means of copying the file over the network. Removable media (for example, a floppy disk) may be necessary to ensure proper security.

    HP DCE Security Clients

    • For HP DCE security clients, the keytab file can be created and edited on the client itself using the dcecp keytab commands. Because the file is created on the client, the problem of securely copying the keytab information from the KDC does not arise.

  6. A $HOME/.k5login file should exist in each login user's home directory.

    This file must be owned by the login user, and only the login user can have write permission.

    This file lists the user principals and their associated realm or cell names that have access permission to the login user's account. The user principals are for the user that originally performed the kinit or dce_login command. The term "login user" refers to the user whose account is being accessed on the remote host. This is not necessarily the same user who originally issued the kinit or dce_login command.

    Assume amy has already issued the kinit command. In this example, amy enters the following:

    $ rlogin hostA -l robert

    In this example, robert is the login user, and amy must have an entry in Robert's $HOME/.k5login file on the application server (hostA).

    Alternatively, the client can use an authorization name database file called /krb5/aname. An entry in this file will authorize a user principal name to the specified login name. A tool for the administration of an aname file is not provided by DCE.

    For the Secure Internet Services, login is allowed even without an entry in the login user's $HOME/.k5login file or the aname database, provided that the login user's name matches the name in the user principal, and that the Kerberos realm of the client matches the default realm of the application server.

  7. The login user must have an entry in the /etc/passwd file on the application server.
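The following Python script is an added example, not part of the HP documentation or the HP DCE product: it encodes the $HOME/.k5login authorization rule from item 6 (explicit entry, or same user name plus matching default realm) and the file's ownership and write-permission requirement, using a constructed .k5login for robert on hostA and constructed realm names.

```python
import os
import stat
import tempfile

# Constructed sample: Robert's $HOME/.k5login on hostA, one principal per line.
ROBERT_K5LOGIN = """\
amy@EXAMPLE.REALM
carol@OTHER.REALM
"""

def parse_k5login(text):
    """Principals listed in a .k5login file, one user@REALM per line; blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def login_allowed(principal, login_user, k5login, default_realm):
    """The page's rule: an explicit .k5login entry grants access; otherwise access
    is granted only when the principal's user name equals the login user and the
    principal's realm equals the application server's default realm."""
    if principal in k5login:
        return True
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return False  # no realm in the principal: nothing to match the default realm against
    return name == login_user and realm == default_realm

def k5login_file_ok(path, login_uid=None):
    """Ownership/permission requirement for .k5login: owned by the login user
    (defaults to the current uid) and writable by nobody else."""
    if login_uid is None:
        login_uid = os.getuid()
    st = os.stat(path)
    others_can_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == login_uid and not others_can_write

def write_sample_k5login(mode):
    """Constructed helper: create an empty .k5login in a temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), ".k5login")
    open(path, "w").close()
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    entries = parse_k5login(ROBERT_K5LOGIN)
    # amy ran kinit, then 'rlogin hostA -l robert': allowed via Robert's .k5login
    print(login_allowed("amy@EXAMPLE.REALM", "robert", entries, "EXAMPLE.REALM"))
    # robert as himself from the default realm needs no entry; a foreign realm does
    print(login_allowed("robert@EXAMPLE.REALM", "robert", set(), "EXAMPLE.REALM"))
    print(login_allowed("robert@OTHER.REALM", "robert", set(), "EXAMPLE.REALM"))
    print(k5login_file_ok(write_sample_k5login(0o644)), k5login_file_ok(write_sample_k5login(0o666)))
```

A group- or world-writable .k5login fails the check even when owned by the login user, which is the failure mode the ownership requirement exists to prevent.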

© 1996 Hewlett-Packard Development Company, L.P.