IBM SG24-5131-00 User Manual (page 189 of 240)

Special RS/6000 SP Topics
allow the clients to get service tickets to be used with other servers without the need to give them the password every time they request services.

So, once a user holds a ticket-granting ticket and requests a kerberized service, he first has to get a service ticket for it. To obtain one, the kerberized command sends an encrypted message containing the requested service name, the machine's name, and a time-stamp to the Kerberos server. The Kerberos server decrypts the message, checks whether everything is in order, and if so sends back a service ticket encrypted with the service's private key, so that only the requested service can decrypt it. The client sends his request along with the just-received ticket to the service provider, which in turn decrypts it and checks authorization, and then, if everything is in order, provides the requested service to the client.
9.2.1  Configuring Kerberos Security with HACMP Version 4.3
With HACMP Version 4.3 there is a handy script to do the Kerberos setup for you, called cl_setup_kerberos. It sets up all the IP labels defined to the HACMP cluster together with the needed Kerberos principals, so that remote kerberized commands will work.
On an SP the setup_authent command does the SP-related Kerberos setup, which is based on the IP labels found in the SDR. Since the SDR does not allow multiple IP labels to be defined on the same interface, whereas HACMP needs to have multiple IP labels on one interface during IPAT, the Kerberos setup for HACMP has to be redone every time the setup_authent command is run, either explicitly or implicitly through the setup_server command.
You can either do that manually, or use the cl_setup_kerberos tool. To manually add the Kerberos principals, use the kadmin command. The principals necessary for kerberized operation in enhanced security mode are the (remote) rcmd principals and the godm principals. As always, a Kerberos principal consists of a name (godm, for example), an IP label as the instance (like hadave1_stby), and a realm, so that the principal in its full length would look like godm.hadave1_stby@ITSO.AUSTIN.IBM.COM.
After adding all the needed principals to the Kerberos database, you must also add them to the /etc/krb-srvtab file on the nodes. To do that, you have to extract them from the database and copy them out to the nodes, replacing their existing srvtab file.

Then extend root's .klogin file and the /etc/krb.realms file to reflect the new principals, and copy these files out to the nodes as well.
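As an added example (not from the redbook), the following Python script builds the set of principals an HACMP cluster needs from its IP labels, using the name.IP-label@realm form described above, and reports which required principals a node's srvtab is still missing after a setup_authent rerun. The cluster labels and the per-node srvtab listings are constructed sample data, and the script assumes every node needs the principals for every cluster IP label.

```python
"""Work out which Kerberos principals an HACMP cluster needs and which ones
each node still lacks. Added example: labels and srvtab listings are constructed."""
import re

REALM = "ITSO.AUSTIN.IBM.COM"       # realm used in the page's example principal
SERVICES = ("rcmd", "godm")         # service principals needed for each IP label

# Constructed sample: every IP label defined to the HACMP cluster, including the
# boot and standby labels the SDR cannot hold alongside the service label.
CLUSTER_LABELS = ["hadave1", "hadave1_boot", "hadave1_stby",
                  "hadave2", "hadave2_boot", "hadave2_stby"]

# Constructed sample: principals present in /etc/krb-srvtab on each node after
# setup_authent ran again and rebuilt the file from the SDR labels only.
NODE_SRVTABS = {
    "hadave1": ["rcmd.hadave1@ITSO.AUSTIN.IBM.COM", "godm.hadave1@ITSO.AUSTIN.IBM.COM"],
    "hadave2": ["rcmd.hadave2@ITSO.AUSTIN.IBM.COM", "godm.hadave2@ITSO.AUSTIN.IBM.COM",
                "godm.hadave2_stby@ITSO.AUSTIN.IBM.COM"],
}

# name.instance@REALM, as in godm.hadave1_stby@ITSO.AUSTIN.IBM.COM
PRINCIPAL_RE = re.compile(r"^([^.@\s]+)\.([^@\s]+)@([^@\s]+)$")

def parse_principal(text):
    """Split a full principal into (name, instance, realm); reject malformed input."""
    m = PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a name.instance@REALM principal: {text!r}")
    return m.groups()

def required_principals(labels, services=SERVICES, realm=REALM):
    """The full set HACMP needs: one principal per service per IP label."""
    return {f"{svc}.{lbl}@{realm}" for lbl in labels for svc in services}

def missing_principals(labels, present, services=SERVICES, realm=REALM):
    """Required principals absent from `present` (e.g. a node's srvtab listing)."""
    have = {"%s.%s@%s" % parse_principal(p) for p in present}
    return sorted(required_principals(labels, services, realm) - have)

def audit_cluster(labels, node_srvtabs):
    """Map each node to the principals its srvtab still needs (assumption: every
    node must hold the principals for all cluster labels, since IPAT may move them)."""
    return {node: missing_principals(labels, present)
            for node, present in node_srvtabs.items()}

if __name__ == "__main__":
    for node, gaps in audit_cluster(CLUSTER_LABELS, NODE_SRVTABS).items():
        print(node, "missing:", ", ".join(gaps) or "nothing")
```

Run it after every setup_authent or setup_server pass to see which principals have to be re-extracted and copied out before kerberized HACMP commands will work again.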