Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: HP 9000 Networking > Chapter 7 Propagation

Configuring for Multi-realm Enterprises
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

When you support multiple realms, there are additional configuration steps required for both the Security Servers and Clients. This section addresses the Server requirements.

Number of Realms per Database

A single Primary Security Server can support more than one realm. If you have a centralized administration group that controls the security needs for your enterprise, you can support all realms in one primary server.Alternatively, if you have decentralized administration groups, you may need to support a single realm per Primary Server. This arrangement has different configuration requirements.

If you are only supporting one realm per Primary Server, you configure the server normally, and then create the required trust relationships, as described in “Configuring Direct Trust Relationships”. If you are supporting more than one realm per Primary Server, there are additional configuration tasks that you must perform.

Primary Servers That Support Multiple Realms

If you choose to support more than one realm in a Primary Server's database, then you must decide if all the Secondary Servers will support multiple realms. Alternatively, you can have different branches of Secondary Servers, one branch for each realm supported in the principal database.

Propagation can be configured to propagate only selected realms to a Secondary Server. This enables you to maximize the benefits of creating multiple security boundaries in your enterprise. In the event that a authentication server in one branch is compromised, database information about other branches are still secure.

Multiple Primary Servers That Support A Single Realm

You must have one Primary Server for each realm, if you have a de-centralized administrative groups where each group maintains its own realm information.

You cannot propagate changes from one Primary Server to another. You can only propagate changes from a Primary Server to a Secondary Server. Therefore, when you have multiple Primary Servers supporting only a single database, you are not required to change your propagation configuration from the single realm scheme.

Adding More Realms to a Multi-realm Database

Before you can begin adding realms to a database, you must have the basic infrastructure completed. This means you must:

  • Install the Primary Security Server and create the database.

  • Install each Secondary Server and create their respective databases.

  • Create the first administrative principal, and to this principal assign permissions for all realms.

In the following section, we assume that you have not yet configured propagation before you start adding realms.

To add realms to the database, you can authenticate from a client using the administrative principal account and run the Remote Administrator, kadmin_ui, or you can log on to the Primary Security Server and run the Local Administrator, kadminl_ui.

Once you are running Administrator, add additional realms using the Realms tab. For more information on creating realms, refer to“Realms Tab”.

Once all realms are added to the database, you must decide on the Secondary Servers that will support the multiple realms.

Database Propagation for Multi-realm Databases

If you plan to support more than one realm in a single principal database on a Primary Security Server and you plan to propagate only selected realms to certain Secondary Security Servers, you must perform additional steps when you configure propagation.

You can follow the standard propagation configuration if you have configured a multi-realm environment that has only one realm for every Primary Security Server. In other words, you have multiple Primary Security Servers or if you want to propagate all realms from the Primary Server to each Secondary Server, follow the steps mentioned below.

In the following steps, we assume you are familiar with the propagation setup procedure. Refer to, “Propagation Hierarchy”, for details.

To Configure a propagation in a multi-realm environment

  1. Edit the Kerberos configuration file, krb.conf, on the Primary Server to contain one entry for each Secondary Server that supports a given realm. If a Secondary Server supports more than one realm, you must add multiple entries to the file for that server, one for each supported realm. Be sure to also add one primary server entry for each realm that the primary server supports. Once all entries are added, save and close the file.

  2. Run the mkpropcf utility to create an initial version of the kpropd.ini file or registry key.

  3. You must edit the file/registry key to contain the correct information for your propagation design. For instance, if you want to propagate only certain realms to a selected secondary server, you must edit the entry/key for the parent of that server to indicate only the required realms. For more information on indicating only select realms to propagate, refer to the kpropd.ini manpage.

  4. Once you have configured the primary server's kpropd.ini correctly, follow the propagation configuration steps.

    Note that on each Kerberos Security Server, you need to only extract a host/key for the primary server's default realm, not each realm that the secondary server supports. Even if the secondary server does not support the primary server's default realm, you must still create a host/ principal for the secondary server and extract the key to the secondary server's key table file.



Monitoring Propagation
  		 


Chapter 8 Inter-realm  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2002 Hewlett-Packard Development Company, L.P.