The main purpose of this chapter is to provide the information required specifically for the Secure Internet Services. However, since successful use of the Secure Internet Services requires a correctly configured secure environment, this section also discusses some general requirements of the secure environment. For specific configuration information, refer to your KDC (security server) provider's and security client provider's documentation. For configurations that include any HP nodes (HP DCE Security Service, HP DCE client, HP P/SS, HP P/SS client, and HP Kerberos client), see Using HP DCE 9000 Security with Kerberos Applications, available in PostScript and ASCII form in the directory /opt/dce/newconfig/RelNotes/ in the files krbWhitePaper.ps and krbWhitePaper.text. For information about P/SS, see Appendix C ("Using Praesidium/Security Service with Kerberos Applications") in Planning and Configuring Praesidium/Security Service.

File Requirements
Beginning with HP-UX 11.0, some of the configuration-related files are reformatted and/or renamed for Kerberos Version 5 Release 1.0 (V5-1.0). However, because of the way DCE implements kinit, klist, and kdestroy, those commands still use the Kerberos Version 5 Beta 4 (V5 Beta 4) format of those configuration-related files. So, to use the new Secure Internet Services mechanism, you must have a combination of those files configured in the secure environment.

The Secure Internet Services before HP-UX 11.0 use the following files for configuration:

- A configuration file named /krb5/krb.conf. This file specifies the default realm, cell, or domain name and also maps realm, cell, or domain names to KDCs. Suggested ownership and permissions for this file are root, sys, -r--r--r--. This file is automatically created when the client is configured into the HP DCE cell (for HP DCE clients) or the HP P/SS domain (for HP P/SS clients). Additional entries can be added manually.

- A realms file named /krb5/krb.realms. This file is used to associate host names with realm or cell names. Suggested ownership and permissions for this file are root, sys, -r--r--r--.

- A keytab file named /krb5/v5srvtab. This file must be owned by root, and only root can have read and write permissions. This keytab file must contain the service principal names and their associated secret keys. The application server uses the key found in its keytab file to decrypt the service ticket sent to it by the application client. How the keytab file is populated depends on the type of security client, as follows:

  HP Kerberos security clients: For HP Kerberos security clients, even though the service principal's secret key is required to be in a file on the security client, it must first be created on the KDC. On an HP DCE Security Service or P/SS, use the dcecp command. On a non-HP Kerberos V5 KDC, use the appropriate command. The keytab then needs to be securely copied to the target client node. This can be somewhat difficult if you have no secure means to copy the file over the network. Removable media (for example, a floppy disk) might be necessary to ensure proper security.

  HP DCE security clients and HP P/SS security clients: For HP DCE and P/SS security clients, the keytab file can be created and edited on the client itself, using dcecp keytab commands. This is very useful in that the problem of securely copying the keytab file information from the KDC is no longer an issue, since the file is created on the client.
Beginning with HP-UX 11.0

For the Secure Internet Services beginning with HP-UX 11.0, the configuration, realms, and keytab files described above are different, as follows:

- The configuration file and realms file are combined into one configuration file with a new format. The new configuration file is named /etc/krb5.conf. The /etc/krb5.conf file specifies (1) defaults for the realm and for Kerberos applications, (2) mappings of host names onto Kerberos realms, and (3) the location of KDCs for the Kerberos realms.

  For HP DCE clients, the /etc/krb5.conf file must be created and maintained manually.

  For HP P/SS clients, the /etc/krb5.conf file is created automatically, but it must be maintained manually. Also, to ensure that the file is created correctly, the patch PHSS_7877 must have been installed before the P/SS client is configured.

  If you were using the pre-HP-UX 11.0 Secure Internet Services, and so the configuration and realms files were previously configured, you can use a migration tool to combine the two files into the one file used by HP-UX 11.0. See “Migrating Version 5 Beta 4 Files to Version 5 Release 1.0” for instructions on how to use the tool.

  Note that, because the kinit, klist, and kdestroy commands still require the V5 Beta 4 /krb5/krb.conf and /krb5/krb.realms files, you must still keep these files in the secure environment's configuration, and their configuration information must match that of the V5-1.0 file. If you make any changes to the V5-1.0 file (/etc/krb5.conf), you must also manually make the same changes to both of the V5 Beta 4 files.

  To ensure interoperability between V5 Beta 4 and V5-1.0, the checksum and encryption types must be synchronized. So, you need to ensure that the [libdefaults] section of the /etc/krb5.conf file is correct, as follows:

  If using an HP DCE KDC, the following entries must be in the [libdefaults] section of the /etc/krb5.conf file:

      kdc_req_checksum_type = 2
      ccache_type = 2

  If using a non-HP DCE V5 Beta 4 KDC, the following entries must be in the [libdefaults] section of the /etc/krb5.conf file:

      checksum_type = 1
      default_tgs_enctypes = des-cbc-crc
      default_tkt_enctypes = des-cbc-crc
      ccache_type = 2

  If the above entries need to be added to or changed in the configuration file, you must make the additions or changes manually (use the text editor of your choice).

- The keytab file is named /etc/krb5.keytab. Note that, when an HP DCE or HP P/SS cell is configured, the keytab file is created automatically, but it is given the V5 Beta 4 name (/krb5/v5srvtab). So, to ensure that applications will be able to run, you must create a link from the V5-1.0 keytab file (/etc/krb5.keytab) to the V5 Beta 4 file (/krb5/v5srvtab), by issuing this command:

      ln -s /krb5/v5srvtab /etc/krb5.keytab
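As an added check (example code, not from the HP manual), the following POSIX shell function reads only the [libdefaults] section of a krb5.conf and reports which of the entries required above are missing or differ for the chosen KDC type; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the HP manual: verify that the [libdefaults]
# section of a V5-1.0 /etc/krb5.conf carries the entries this chapter requires
# for interoperability with the V5 Beta 4 components, for either KDC type.
# Usage: check_libdefaults <krb5.conf path> <dce|beta4>
# Prints each missing or mismatched entry; returns 0 only if all are present.
check_libdefaults() {
    conf=$1
    case $2 in
        dce)   required="kdc_req_checksum_type=2 ccache_type=2" ;;
        beta4) required="checksum_type=1 default_tgs_enctypes=des-cbc-crc default_tkt_enctypes=des-cbc-crc ccache_type=2" ;;
        *)     echo "unknown KDC type: $2 (use dce or beta4)" >&2; return 2 ;;
    esac
    # Keep only the [libdefaults] section, with blanks stripped so that
    # "key = value" and "key=value" compare alike; other sections are ignored.
    section=$(awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && NF  { gsub(/[ \t]/, ""); print }' "$conf")
    rc=0
    for entry in $required; do
        key=${entry%%=*}
        want=${entry#*=}
        # Last assignment of the key wins, as in the file itself.
        got=$(printf '%s\n' "$section" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "missing:  $key = $want"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "mismatch: $key = $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample file for the demonstration (not a real host's configuration).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_req_checksum_type = 2
    ccache_type = 2
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
echo "checking against an HP DCE KDC:";       check_libdefaults "$demo" dce   && echo "ok"
echo "checking against a non-HP Beta 4 KDC:"; check_libdefaults "$demo" beta4 || echo "needs attention"
rm -f "$demo"
```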
KDC Requirements

The general KDC configuration requirements of the secure environment are the following:

- The KDC (security server) software must be running.
- User accounts must be created, as necessary.
- User and service (host and optionally ftp) principals must exist in the KDC database.
Security Client Requirements

The general configuration requirements for each security client are as follows:

- The following port must exist in the /etc/services file or in the NIS or NIS+ services database:

- The security client software must be installed:

  - The Kerberos commands kinit, klist, and kdestroy must all exist.
  - For HP DCE and HP Kerberos clients, the HP DCE file set (DCE-Core.DCE-CORE-RUN) must be configured.
  - For HP P/SS clients, the HP DCE file set (DCE-Core.DCE-CORE-RUN) and the HP P/SS file set (DESS-Core.DESS-CORE-RUN) must be configured.

- The V5 Beta 4 configuration file, realms file, and keytab file must exist, and the V5-1.0 configuration file and keytab file must exist, as explained in “Beginning with HP-UX 11.0”.

- A $HOME/.k5login file must exist in each login user's home directory. This file must be owned by the login user, and only the login user can have write permission. This file lists the user principals and their associated realm or cell names that have access permission to the login user's account. The user principals are for the user that originally performed the kinit, dce_login, or dess_login command. The term "login user" refers to the user whose account is being accessed on the remote host. This is not necessarily the same user who originally issued the kinit, dce_login, or dess_login command.

  Assume amy has already issued the kinit command. In this example, amy enters the following:

  In this example, robert is the login user, and amy must have an entry in Robert's $HOME/.k5login file on the application server (hostA).

  Alternatively, the client can use an authorization name database file called /krb5/aname. An entry in this file authorizes a user principal name to the specified login name. A tool for the administration of an aname file is not provided by DCE or P/SS.

  For the Secure Internet Services, login is allowed even without entries in the login user's $HOME/.k5login file or the aname database, provided that the login user's name matches the user principal's user name, and that the Kerberos realm of the client matches the default realm of the application server.

- The login user must have an entry in the /etc/passwd file on the application server.
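The $HOME/.k5login rules above, worked through as an added shell example that is not part of the original manual: it assumes one user@REALM entry per line, does not consult the /krb5/aname database, and lets the current user stand in for the login user robert of the text.

```shell
#!/bin/sh
# Added example, not part of the HP manual: decide whether a client principal
# may log in to a given account on the application server, following the
# $HOME/.k5login rules this section states. Assumptions: each .k5login line
# holds one "user@REALM" entry, and the /krb5/aname database is not in use.
# Usage: k5login_check <user@REALM> <login user> <.k5login path> <server default realm>
k5login_check() {
    principal=$1; login_user=$2; k5login=$3; default_realm=$4
    user=${principal%@*}
    realm=${principal#*@}
    if [ -f "$k5login" ]; then
        # Owner and mode come from ls -ld (portable to HP-UX); the file must
        # belong to the login user and be writable by that user only.
        set -- $(ls -ld "$k5login")
        mode=$1; owner=$3
        if [ "$owner" != "$login_user" ]; then
            echo "deny: $k5login is owned by $owner, not by $login_user"; return 1
        fi
        case $mode in
            ?????w*|????????w*)
                echo "deny: $k5login is writable by group or others ($mode)"; return 1 ;;
        esac
        # Exact, fixed-string, whole-line match of the principal.
        if grep -qxF "$principal" "$k5login"; then
            echo "allow: $principal is listed in $k5login"; return 0
        fi
    fi
    # No usable entry: allowed only when the user names match and the
    # client's realm is the application server's default realm.
    if [ "$user" = "$login_user" ] && [ "$realm" = "$default_realm" ]; then
        echo "allow: $principal matches login user $login_user in the default realm"; return 0
    fi
    echo "deny: no .k5login entry for $principal in $login_user's account"; return 1
}

# Demonstration with a constructed .k5login owned by the current user, who
# stands in for the login user robert; amy is the user who ran kinit.
me=$(id -un)
demo=$(mktemp)
printf 'amy@EXAMPLE.COM\n' > "$demo"
chmod 644 "$demo"
k5login_check amy@EXAMPLE.COM "$me" "$demo" EXAMPLE.COM || true
k5login_check bob@EXAMPLE.COM "$me" "$demo" EXAMPLE.COM || true
chmod 666 "$demo"   # now group- and world-writable: the file is rejected
k5login_check amy@EXAMPLE.COM "$me" "$demo" EXAMPLE.COM || true
rm -f "$demo"
```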