Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: HP 9000 Networking > Chapter 8 Inter-realm

Considering Trust Relationships

You may establish a multiple-realm environment within your enterprise. Whatever the reason for doing so, if principals in one realm need access to secured services supported in a different realm, you must establish a trust relationship between the realms.

When two distinct realms share secret keys, the two realms are said to trust one another. With that trust in place, principals can securely access services in their native realm as well as those in the trusted foreign realm.

Inter-realm authentication builds on secure authentication between users and the Security Server within a single realm. The inter-realm key shared between trusted servers provides the extra link that creates a chain of trust, allowing a principal in one realm to authenticate to a service in a trusted foreign realm. To establish a trust relationship, the administrators of both realms must agree to it beforehand.

You can configure your Kerberos Servers for inter-realm authentication based on either:

  • one-way trust

  • two-way trust

  • hierarchical trust

One-way Trust

In inter-realm authentication, one-way trust authenticates principals in Realm Q to the services in Realm S, but prevents principals in Realm S from accessing services in Realm Q.

In simple terms, if Harry trusts Sally with his secrets, but Sally does not trust Harry with her secrets, Harry and Sally have a one-way trust relationship between them.

Two-way Trust

In inter-realm authentication, two-way trust authenticates principals in Realm Q to the services in Realm S, and principals in Realm S to the services in Realm Q.

In simple terms, if Harry trusts Sally with his secrets, and Sally trusts Harry with her secrets, Harry and Sally have a two-way trust relationship between them.

Hierarchical Trust

In inter-realm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms. The chain relies on a hierarchical realm naming scheme.

For example, IT.BAMBI.COM and DEER.JUNGLE.COM are child realms of their respective parent realms, BAMBI.COM and JUNGLE.COM. If both child realms have two-way trust with the parent realm, and the two parent realms have a direct trust link, then IT.BAMBI.COM and DEER.JUNGLE.COM can have hierarchical inter-realm trust between them.

To support hierarchical trust in Kerberos Servers, you must have a realm hierarchy, where each realm has a direct relationship with a parent and potentially several children.
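
The three trust types above can be modelled as directed links between realms, which makes it easy to check which principals a given trust configuration actually lets in. The Python sketch below is an added example, not part of the HP documentation or the Kerberos Server product; the function names and the link representation are assumptions, and the realm names are the ones used in the example above.

```python
from collections import deque

def two_way(a, b):
    """Two-way trust: a one-way trust in each direction."""
    return {(a, b), (b, a)}

def trust_path(client_realm, service_realm, links):
    """Shortest chain of realms from client_realm to service_realm, or None.

    links holds (q, s) pairs meaning: principals in realm q can be
    authenticated to services in realm s (one-way trust, Q to S).
    """
    graph = {}
    for q, s in links:
        graph.setdefault(q, []).append(s)
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in sorted(graph.get(path[-1], [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposed_to(service_realm, links):
    """Realms whose principals can reach services in service_realm."""
    realms = {r for link in links for r in link}
    return {r for r in realms
            if r != service_realm and trust_path(r, service_realm, links)}

# Constructed topology: the hierarchical example from the text.
HIERARCHY = (two_way("IT.BAMBI.COM", "BAMBI.COM")
             | two_way("BAMBI.COM", "JUNGLE.COM")
             | two_way("JUNGLE.COM", "DEER.JUNGLE.COM"))

# Variant (assumption): the parent link is one-way, so BAMBI.COM principals
# reach JUNGLE.COM services but not the other way round.
ONE_WAY_PARENTS = HIERARCHY - {("JUNGLE.COM", "BAMBI.COM")}

if __name__ == "__main__":
    for name, links in (("two-way", HIERARCHY), ("one-way", ONE_WAY_PARENTS)):
        print(name, trust_path("IT.BAMBI.COM", "DEER.JUNGLE.COM", links))
        print(name, trust_path("DEER.JUNGLE.COM", "IT.BAMBI.COM", links))
        print(name, sorted(exposed_to("IT.BAMBI.COM", links)))
```

Running `exposed_to` for a realm before and after adding a trust link shows how far the new link extends access through the chain, not just to the directly linked realm.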

Other Types Of Trust

You may choose to interoperate with other Kerberos implementations. HP's Kerberos Server, Microsoft Windows 2000, and MIT Kerberos Servers provide Kerberos security solutions following the same IETF standard. HP's Kerberos Server can interoperate with these other solutions, which allows you to selectively deploy the platforms you choose to meet the needs of your company.

Information on interoperability with Windows 2000 is provided in Chapter 4 “Interoperability With Windows 2000”.

© 2002 Hewlett-Packard Development Company, L.P.