<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan a Kerberos server" />
<meta name="abstract" content="Plan for a Kerberos server based on your operating system." />
<meta name="description" content="Plan for a Kerberos server based on your operating system." />
<meta name="DC.Relation" scheme="URI" content="rzakhplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhprealm.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpkdc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan a Kerberos server</title>
</head>
<body id="rzakhpkdc"><a name="rzakhpkdc"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan a Kerberos server</h1>
<div><p>Plan for a Kerberos server based on your operating system.</p>
<div class="p">A Kerberos server or key distribution center (KDC) maintains a database of principals and their associated passwords. It is composed of the authentication server and the ticket-granting server. When a principal logs into a Kerberos network, the authentication server validates the principal and sends them a ticket-granting ticket. When planning to use Kerberos authentication, you need to decide which system you want to configure as a Kerberos server. <div class="note"><span class="notetitle">Note:</span> The network authentication service information focuses on Kerberos servers that run in either i5/OS™ PASE or Windows<sup>®</sup> 2000 server. Most scenarios and examples assume that a Windows 2000 server has been configured as a Kerberos server, unless explicitly mentioned otherwise. If you are using any other operating system or third-party application for Kerberos authentication, see the corresponding documentation.</div>
The following list provides details on Kerberos server support on three key operating systems:</div>
<div class="p"><dl class="dlexpand"><dt class="dltermexpand">Microsoft<sup>®</sup> Windows 2000 and Windows Server 2003</dt>
<dd>Both the Microsoft Windows 2000 and Windows Server 2003 operating systems support Kerberos authentication as their default security mechanism. When administrators add users and services through Microsoft Windows Active Directory, they are in effect creating Kerberos principals for those users and services. If you have a Windows 2000 or 2003 server in your network, you have a Kerberos server built into that operating system. For information on how Kerberos authentication is used on Microsoft Windows servers, see <a href="http://www.microsoft.com/windows2000/en/server/help/" target="_blank">Microsoft Windows Help</a><img src="www.gif" alt="Link outside the Information center" />.</dd>
<dt class="dltermexpand">AIX<sup>®</sup> and i5/OS PASE</dt>
<dd>Both AIX and i5/OS PASE support a Kerberos server through the kadmin command. Administrators need to enter the PASE environment (by entering <tt>call QP2TERM</tt>) to configure and manage the PASE Kerberos server. i5/OS PASE support for a Kerberos server is new for V5R3. i5/OS PASE provides a run-time environment for AIX applications, such as a Kerberos server. The following documentation can help you configure and manage a Kerberos server in AIX.<ul><li><cite>IBM<sup>®</sup> Network Authentication Service AIX, Linux<sup>®</sup>, and Solaris Administrator's and User's Guide</cite>.</li>
<li><cite>IBM Network Authentication Service AIX, Linux, and Solaris Application Development Reference</cite>.<div class="note"><span class="notetitle">Note:</span> You can find this documentation on the <a href="http://www-1.ibm.com/servers/aix/products/bonuspack/aix5l/details.html" target="_blank">AIX 5L™ Expansion Pack and Bonus Pack</a> CD. <img src="www.gif" alt="Link outside the Information center" /></div>
</li>
</ul>
</dd>
<dt class="dltermexpand">z/OS<sup>®</sup></dt>
<dd>Security Server Network Authentication Service for z/OS is the IBM z/OS program based on Kerberos Version 5. Network Authentication Service for z/OS provides Kerberos security services without requiring that you purchase or use a middleware program. These services include support for a native Kerberos server. See <a href="http://publibz.boulder.ibm.com/epubs/pdf/euvb3a20.pdf" target="_blank">z/OS Security Server Network Authentication Service Administration</a> <img src="www.gif" alt="Link outside the Information center" /> for details on configuring and managing a z/OS Kerberos server.</dd>
</dl>
</div>
<p>No matter which operating system provides the Kerberos server, you need to determine the server ports for the Kerberos server, secure access to the Kerberos server, and ensure that the times on clients and the Kerberos server are synchronized.</p>
<div class="p"><dl><dt class="dlterm">Determining server ports</dt>
<dd>Network authentication service uses port 88 as the default for the Kerberos server. However, other ports can be specified in the configuration files of the Kerberos server. You should verify the port number in the Kerberos configuration files located on the Kerberos server.</dd>
<dt class="dlterm">Securing access to the Kerberos server</dt>
<dd>The Kerberos server should be located on a secure, dedicated system, to help ensure that the database of principals and passwords is not compromised. Users should have limited access to the Kerberos server. If the system on which the Kerberos server resides is also used for some other purpose, such as a Web server or an FTP server, someone might take advantage of security flaws within these applications and gain access to the database stored on the Kerberos server. For a Kerberos server in Microsoft Windows Active Directory, you can optionally configure a password server that principals can use to manage and update their own passwords stored on the Kerberos server. If you have configured a Kerberos server in i5/OS PASE and you are unable to dedicate the iSeries™ to Kerberos authentication, you should ensure that only your administrator has access to the Kerberos configuration.</dd>
<dt class="dlterm">Synchronizing system times</dt>
<dd>Kerberos authentication requires that system times are synchronized. Kerberos will reject any authentication request from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket is embedded with the time it was sent to a principal, hackers cannot resend the same ticket at a later time to attempt to be authenticated to the network. The iSeries system will also reject tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value for the maximum clock skew is 300 seconds (five minutes). During network authentication service configuration the maximum clock skew is set to this default; however, if necessary you can change this value. It is not recommended to raise the value over 300 seconds. See <a href="rzakhsync.htm">Synchronize system times</a> for details on how to work with system times.</dd>
</dl>
</div>
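<p>As an added example (not IBM's code), the following Python script applies the two planning checks above to a constructed krb5.conf-style fragment: it confirms the KDC port against the default of 88, flags a maximum clock skew above the recommended 300 seconds, and models the KDC-side skew rule that rejects a request whose timestamp is too far off. The MIT-style configuration syntax, the realm MYCO.COM, and the host are assumptions.</p>

```python
# Constructed krb5.conf-style fragment (MIT/IBM NAS syntax assumed; realm and host are hypothetical)
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = MYCO.COM
    clockskew = 300
[realms]
    MYCO.COM = {
        kdc = iseriesa.myco.com:88
    }
"""
DEFAULT_KDC_PORT = 88        # default Kerberos server port named on the page
MAX_RECOMMENDED_SKEW = 300   # seconds; the page advises not raising the skew above this

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}, with realm blocks nested one level deep."""
    config, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = config.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):              # e.g. "MYCO.COM = {" opens a realm block
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return config

def kdc_endpoint(config, realm):
    host, _, port = config["realms"][realm]["kdc"].partition(":")  # port may be omitted
    return host, (int(port) if port else DEFAULT_KDC_PORT)

def review_config(config, realm):
    """Planning checks from the page: note a non-default KDC port and a clockskew above 300 s."""
    findings = []
    host, port = kdc_endpoint(config, realm)
    if port != DEFAULT_KDC_PORT:
        findings.append(f"KDC {host} uses non-default port {port}; verify it on the server")
    skew = int(config.get("libdefaults", {}).get("clockskew", MAX_RECOMMENDED_SKEW))
    if skew > MAX_RECOMMENDED_SKEW:
        findings.append(f"clockskew {skew}s exceeds the recommended {MAX_RECOMMENDED_SKEW}s")
    return findings

def within_clock_skew(kdc_time, client_time, max_skew=MAX_RECOMMENDED_SKEW):
    """KDC-side rule (times as epoch seconds): reject when the client clock is off by more than max_skew."""
    return abs(kdc_time - client_time) <= max_skew
```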
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Example planning work sheet for Kerberos server. This planning work sheet provides an example of how an administrator planned the Kerberos server for a network</caption><thead align="left"><tr><th valign="top" id="d0e214">Questions</th>
<th valign="top" id="d0e216">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e214 ">On which operating system do you plan to configure your Kerberos server?<ul><li>Windows 2000 Server</li>
<li>Windows Server 2003</li>
<li>AIX Server</li>
<li>i5/OS PASE (V5R3 or later)</li>
<li>zSeries<sup>®</sup></li>
</ul>
</td>
<td valign="top" headers="d0e216 ">i5/OS Portable Application Solutions Environment (PASE)</td>
</tr>
<tr><td valign="top" headers="d0e214 ">What is the fully qualified domain name for the Kerberos server?</td>
<td valign="top" headers="d0e216 ">iseriesa.myco.com</td>
</tr>
<tr><td valign="top" headers="d0e214 ">Are times between the PCs and systems that connect to the Kerberos server synchronized? What is the maximum clock skew?</td>
<td valign="top" headers="d0e216 ">Yes, 300 seconds</td>
</tr>
<tr><td valign="top" headers="d0e214 "><p><img src="./delta.gif" alt="Start of change" />Should I install the Network Authentication Enablement (5722-NAE) product?<img src="./deltaend.gif" alt="End of change" /></p>
</td>
<td valign="top" headers="d0e216 ">Yes, if you plan to configure a Kerberos server in i5/OS PASE on a V5R4 system. In V5R4, the network authentication server ships as a separate product, <dfn class="term">Network Authentication Enablement</dfn> (5722-NAE). <p><img src="./delta.gif" alt="Start of change" />If you are using i5/OS V5R3, you need to install Cryptographic Access Provider (5722-AC3) instead to configure a Kerberos server in i5/OS PASE.<img src="./deltaend.gif" alt="End of change" /></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhplan.htm" title="Before implementing network authentication service or a Kerberos solution on your network it is essential to complete the necessary planning tasks.">Plan network authentication service</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhprealm.htm" title="Understanding your enterprise can help you plan for realms in your environment.">Plan realms</a></div>
</div>
</div>
</body>
</html>