Plan a Kerberos server

Plan for a Kerberos server based on your operating system.

A Kerberos server or key distribution center (KDC) maintains a database of principals and their associated passwords. It is composed of the authentication server and the ticket-granting server. When a principal logs into a Kerberos network, the authentication server validates the principal and sends them a ticket-granting ticket. When planning to use Kerberos authentication you need to decide what system you want to configure as a Kerberos server.
Note: The network authentication service information focuses on Kerberos servers that run in either i5/OS™ PASE or Windows® 2000 Server. Most scenarios and examples assume that a Windows 2000 server has been configured as the Kerberos server unless explicitly stated otherwise. If you are using another operating system or a third-party application for Kerberos authentication, see the corresponding documentation.
The following list provides details on Kerberos server support on three key operating systems:
Microsoft® Windows 2000 and Windows Server 2003
Both the Microsoft Windows 2000 and Windows Server 2003 operating systems support Kerberos authentication as their default security mechanism. When administrators add users and services through Microsoft Windows Active Directory, they are in effect creating Kerberos principals for those users and services. If you have a Windows 2000 or 2003 server in your network, you have a Kerberos server built into that operating system. For information about how Kerberos authentication is used on Microsoft Windows servers, see Microsoft Windows Help.
AIX® and i5/OS PASE
Both AIX and i5/OS PASE support a Kerberos server that is administered through the kadmin command. Administrators need to enter the PASE environment (by entering call QP2TERM) to configure and manage the PASE Kerberos server. i5/OS PASE support for a Kerberos server is new for V5R3. i5/OS PASE provides a run-time environment for AIX applications, such as a Kerberos server. The following documentation can help you configure and manage a Kerberos server in AIX.
  • IBM® Network Authentication Service AIX, Linux®, and Solaris Administrator's and User's Guide.
  • IBM Network Authentication Service AIX, Linux, and Solaris Application Development Reference.
    Note: You can find this documentation on the AIX 5L™ Expansion Pack and Bonus Pack CD.
z/OS®
Security Server Network Authentication Service for z/OS is the IBM z/OS program based on Kerberos Version 5. Network Authentication Service for z/OS provides Kerberos security services without requiring that you purchase or use a middleware program, and it supports a native Kerberos server. See z/OS Security Server Network Authentication Service Administration for details on configuring and managing a z/OS Kerberos server.

No matter which operating system provides the Kerberos server, you need to determine the server ports for the Kerberos server, secure access to the Kerberos server, and ensure that the clocks of the clients and the Kerberos server are synchronized.

Determining server ports
Network authentication service uses port 88 as the default for the Kerberos server. However, other ports can be specified in the configuration files of the Kerberos server, so verify the port number in the Kerberos configuration files located on the Kerberos server, and make sure that any firewall between the clients and the Kerberos server permits traffic to that port (Kerberos uses both UDP and TCP).
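As an added example (not code from this page or from the network authentication service itself), the following Python script reads the [libdefaults] and [realms] sections of a krb5.conf-style file and reports the host and port of each KDC, filling in port 88 where an entry gives none, together with the configured clock skew. The sample configuration, realm names and host names are constructed for this example. The i5/OS PASE and AIX Kerberos servers use the krb5.conf format; a Windows Active Directory KDC has no such file, and there you verify the port on the domain controller instead.

```python
"""Extract KDC endpoints and the maximum clock skew from a krb5.conf-style file.

Added example; not code from the IBM page or from IBM's network
authentication service. Handles the subset of the krb5.conf profile
format needed for planning: [libdefaults] key = value lines, and
REALM = { ... } blocks in [realms] whose keys may repeat (several kdc lines).
"""
import re

DEFAULT_KDC_PORT = 88      # the default Kerberos server port
DEFAULT_CLOCKSKEW = 300    # default maximum clock skew, in seconds

# Constructed sample configuration; the realm and host names are assumptions.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYCO.COM
    clockskew = 300

[realms]
    MYCO.COM = {
        kdc = kdc1.myco.com
        kdc = kdc2.myco.com:8888    # a KDC on a non-default port
        admin_server = kdc1.myco.com:749
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example:88
    }
"""


def parse_krb5_conf(text):
    """Return (libdefaults dict, realms dict) parsed from krb5.conf text."""
    libdefaults = {}
    realms = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                  # new [section]
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"^([\w.\-]+)\s*=\s*\{$", line)
            if m:                              # start of a REALM = { block
                realm = m.group(1)
                realms.setdefault(realm, {})
                continue
            if line == "}":                    # end of the realm block
                realm = None
                continue
            if realm and "=" in line:          # keys inside a realm may repeat
                key, value = (s.strip() for s in line.split("=", 1))
                realms[realm].setdefault(key, []).append(value)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            libdefaults[key] = value
    return libdefaults, realms


def kdc_endpoints(realms, realm):
    """(host, port) for every kdc entry of a realm; port defaults to 88.

    Entries are split on the last ':' so 'host' and 'host:port' both work;
    bracketed IPv6 literals are not handled by this simplified version.
    """
    endpoints = []
    for entry in realms.get(realm, {}).get("kdc", []):
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            endpoints.append((host, int(port)))
        else:
            endpoints.append((entry, DEFAULT_KDC_PORT))
    return endpoints


def max_clock_skew(libdefaults):
    """Configured clockskew in seconds, or the 300-second default."""
    return int(libdefaults.get("clockskew", DEFAULT_CLOCKSKEW))


if __name__ == "__main__":
    defaults, realms = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm_name in realms:
        for host, port in kdc_endpoints(realms, realm_name):
            print(f"{realm_name}: KDC {host} port {port}")
    print(f"maximum clock skew: {max_clock_skew(defaults)} s")
```

Point the script at the real configuration file on the Kerberos server rather than the embedded sample, and compare every reported port with what the clients are configured to use; a client that assumes port 88 against a KDC moved to another port fails before any credentials are exchanged.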
Securing access to the Kerberos server
The Kerberos server should be located on a secure, dedicated system, to help ensure that the database of principals and passwords is not compromised. Users should have limited access to the Kerberos server. If the system on which the Kerberos server resides is also used for some other purpose, such as a Web server or an FTP server, someone might take advantage of security flaws in those applications and gain access to the database stored on the Kerberos server. For a Kerberos server in Microsoft Windows Active Directory, you can optionally configure a password server that principals can use to manage and update their own passwords stored on the Kerberos server. If you have configured a Kerberos server in i5/OS PASE and you are unable to dedicate the iSeries™ to Kerberos authentication, you should ensure that only your administrator has access to the Kerberos configuration.
Synchronizing system times
Kerberos authentication requires that system times are synchronized. Kerberos rejects any authentication request from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket and authenticator carries the time at which it was issued, an attacker cannot simply resend a captured ticket at a later time to authenticate to the network. The iSeries system also rejects tickets from a Kerberos server if its own clock is not within the maximum clock skew set during network authentication service configuration. The default value for the maximum clock skew is 300 seconds (five minutes). Network authentication service configuration sets the maximum clock skew to this default; you can change the value if necessary, but raising it above 300 seconds is not recommended, because a larger skew widens the window in which a captured ticket or authenticator remains usable. See Synchronize system times for details on how to work with system times.
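The following Python example, added here and not taken from the IBM page or from any Kerberos implementation, shows how the clock skew check and a replay cache work together in a Kerberos service: the timestamp in the client's authenticator is compared with the server's own clock (rejected with KRB_AP_ERR_SKEW when the difference exceeds the maximum clock skew), and authenticators already accepted inside that window are remembered so that a duplicate is rejected with KRB_AP_ERR_REPEAT. The principals, timestamps and event sequence are constructed; the cache is keyed only on client principal and timestamp, a simplification of what real implementations store.

```python
"""Clock-skew check plus replay cache for Kerberos authenticators.

Added example; not code from the IBM page or from any Kerberos product.
Timestamps are Unix seconds. A Kerberos V5 service (RFC 4120) rejects an
authenticator whose timestamp lies outside the maximum clock skew and keeps
a replay cache of authenticators it accepted inside that window; the skew
check alone would let a captured authenticator be replayed for up to
max_skew seconds, which is what the cache closes.
"""

MAX_CLOCK_SKEW = 300   # seconds; the default discussed above

KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"      # clock skew too great
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"  # request is a replay


class ReplayCache:
    """Accept or reject authenticators for one service."""

    def __init__(self, max_skew=MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self.seen = {}   # (client principal, ctime, cusec) -> server time first seen

    def check(self, client, ctime, cusec, now):
        """Return (accepted, reason) for one authenticator.

        client: client principal name from the authenticator
        ctime, cusec: the client's timestamp (seconds, microseconds)
        now: this server's current clock
        """
        # 1. Clock-skew test: the client's clock must be within max_skew
        #    of the server's clock, in either direction.
        if abs(now - ctime) > self.max_skew:
            return False, KRB_AP_ERR_SKEW
        # 2. Expire cache entries that can no longer pass the skew test;
        #    keeping them longer only costs memory.
        expired = [key for key in self.seen if now - key[1] > self.max_skew]
        for key in expired:
            del self.seen[key]
        # 3. Replay test: the same client and timestamp already accepted.
        key = (client, ctime, cusec)
        if key in self.seen:
            return False, KRB_AP_ERR_REPEAT
        self.seen[key] = now
        return True, "OK"


def run_scenario(max_skew=MAX_CLOCK_SKEW):
    """Constructed sequence of authenticators as seen by one service.

    Returns the reason string for each event, in order.
    """
    cache = ReplayCache(max_skew)
    t0 = 1_700_000_000   # arbitrary base time for the constructed events
    events = [
        # (client,          ctime,    cusec, server clock)
        ("alice@MYCO.COM",  t0,       0,     t0 + 1),    # fresh authenticator
        ("alice@MYCO.COM",  t0,       0,     t0 + 120),  # replayed two minutes later
        ("bob@MYCO.COM",    t0 + 600, 0,     t0 + 130),  # client clock ten minutes fast
        ("alice@MYCO.COM",  t0,       0,     t0 + 400),  # replayed after the window closed
    ]
    return [cache.check(c, ts, us, now)[1] for c, ts, us, now in events]


if __name__ == "__main__":
    for skew in (MAX_CLOCK_SKEW, 900):
        print(f"max clock skew {skew} s: {run_scenario(skew)}")
```

With the default 300-second skew, run_scenario() returns OK for the fresh authenticator, KRB_AP_ERR_REPEAT for the replay two minutes later, and KRB_AP_ERR_SKEW both for the client whose clock is ten minutes fast and for the replay after the window has closed. With the skew raised to 900 seconds the badly skewed client is accepted and the late replay is now caught only by the cache, which is why the skew should stay at the default and the clocks should be synchronized instead.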
Table 1. Example planning work sheet for Kerberos server. This planning work sheet provides an example of how an administrator planned the Kerberos server for a network.

Question: On which operating system do you plan to configure your Kerberos server?
  • Windows 2000 Server
  • Windows Server 2003
  • AIX Server
  • i5/OS PASE (V5R3 or later)
  • zSeries®
Answer: i5/OS Portable Application Solutions Environment (PASE)

Question: What is the fully qualified domain name for the Kerberos server?
Answer: iseriesa.myco.com

Question: Are times between the PCs and systems that connect to the Kerberos server synchronized? What is the maximum clock skew?
Answer: Yes, 300 seconds

Question: Should I install the Network Authentication Enablement (5722-NAE) product?
Answer: Yes, if you plan to configure a Kerberos server in i5/OS PASE on a V5R4 system. In V5R4, the network authentication server ships as a separate product, Network Authentication Enablement (5722-NAE). If you are using i5/OS V5R3, you need to install Cryptographic Access Provider (5722-AC3) instead to configure a Kerberos server in i5/OS PASE.