Kerberos authentication made easy on OpenVMS



Author: Srinivasa Rao Yarlagadda, yarlagadda-srinivasa.rao@hp.com
Co-Author: Rupesh Shantamurty, rupeshs@hp.com
OpenVMS Technical Journal V18

Table of contents
Overview
What is Kerberos?
How Kerberos works
Principal name
Realm
The Kerberos database
Tickets
Ticket-granting service
KDC
Authenticating OpenVMS users with Kerberos
Kerberos authentication with Active Directory
Kerberized Telnet and SSH
Secure automatic logins on OpenVMS
Summary
For more information

Figure 1: Kerberos Protocol (diagram: client, key distribution center containing the authentication service and the ticket granting service, and application server; 1. Authentication request, 2. TGT, 3. Service request, 4. TGS ticket with session key, 5. Actual communication using TGS ticket)

Overview

Single sign-on capabilities on OpenVMS are an integral part of integrating OpenVMS into a hybrid computing environment consisting of various other platforms such as Windows, Linux, or UNIX. This article provides an introduction to the Kerberos protocol and to the important concepts and features of Kerberos authentication on OpenVMS. It includes detailed information about Kerberos-based single sign-on operations and the automated authentication process using Kerberized applications such as Kerberized telnet on OpenVMS. Once enabled, this opens up several possibilities for seamless, secure authentication among the various platforms in an enterprise environment.

What is Kerberos?

Kerberos is a network authentication protocol developed by MIT (Massachusetts Institute of Technology). It provides authenticated access for users and services on a computer network. The name Kerberos comes from Greek mythology: Kerberos is the three-headed dog that guarded the gates of Hades (the underworld). The three heads involved in the protocol are the client, the server, and a trusted third party that performs secure verification of users and services.

The Kerberos protocol uses strong cryptography, so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity. Kerberos uses secret-key cryptography, which lets entities communicating over networks prove their identity to each other while preventing eavesdropping or replay attacks. It also provides data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using encryption standards such as the Advanced Encryption Standard (AES).

Kerberos is based on the concept of a trusted third party that performs secure verification of users and services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC). Kerberos is used to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism. The ticket can then be embedded in virtually any other network protocol, thereby confirming the identity of the principals involved to the processes implementing that protocol.

How Kerberos works

Instead of the client sending a password to the application server, Kerberos requests a ticket from a trusted third party called the KDC. The ticket and the encrypted request are then sent to the application server. The following are commonly used Kerberos terms and their definitions.

Principal name

A principal is a unique identity to which Kerberos can assign tickets. It is analogous to an OpenVMS user. The Kerberos database, which performs a function similar to the SYSUAF.DAT file on OpenVMS, stores information about principals. By convention, a principal name is divided into three parts:

1. The primary: for a user, the user name; for a system, the word host.
2. The instance: an optional string that qualifies the primary.
3. The realm: generally, the DNS domain name in uppercase letters.

Realm

The administrative domain that encompasses Kerberos clients and servers is called a realm. Each Kerberos realm has at least one Kerberos server, zero or more Kerberos slave servers, and any number of clients. The master Kerberos database for that site or administrative domain is stored on the Kerberos server. Slave servers have read-only copies of the database that are periodically propagated from the master server.

The Kerberos database

The Kerberos database contains all of the realm's Kerberos principals, their passwords, and other administrative information about each principal.

Tickets

Kerberos tickets are known as credentials, and are a set of electronic information used to verify the client's identity. Kerberos tickets can be stored in a file, or they may exist only in memory. The first ticket you obtain is a generic ticket-granting ticket (TGT), which is granted upon your initial login to the Kerberos realm. The TGT allows you to obtain additional tickets that give you permission for specific services.

Ticket-granting service

Once authenticated, a principal will be granted a TGT and a ticket session key, which give the principal the right to use the ticket. This combination of the ticket and its associated key is known as your credentials. A principal's credentials are stored in a credentials cache, which is often just a file in the principal's local directory tree.

KDC

The ticket-granting service (TGS) and the authentication server are usually collectively known as the Key Distribution Center (KDC). Each KDC contains its own copy of the Kerberos database. The master KDC contains the primary copy of the database, which it propagates at regular intervals to the slave KDCs. All database changes are made on the master KDC. Slave KDCs provide ticket-granting services only, with no database administration. This allows clients to continue to obtain tickets when the master KDC is unavailable.
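The five steps of Figure 1 and the ticket, TGS and KDC definitions above, worked through as an added example that is not part of the article and not OpenVMS or MIT Kerberos code. Real Kerberos uses AES encryption types and ASN.1 messages; this model replaces the cipher with an encrypt-then-MAC stand-in built from HMAC-SHA256 so it runs on the Python standard library alone, and the realm EXAMPLE.COM, the principal names and the passwords are all constructed. What it shows is the part the prose only states: the TGT is readable only by the TGS, a service ticket only by that service, the client never sees a long-term key other than its own, and each consumer checks the authenticator against the ticket and rejects replays.

```python
"""Toy model of the Kerberos AS (1-2), TGS (3-4) and AP (5) exchanges.
Constructed example; the cipher is an HMAC-SHA256 keystream with an HMAC tag,
a stand-in for the AES encryption types real Kerberos uses."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"        # constructed realm
TGS = "krbtgt/" + REALM      # the ticket-granting service's own principal
LIFETIME = 8 * 3600          # ticket lifetime in seconds
CLOCK_SKEW = 300             # maximum accepted authenticator age in seconds


def string_to_key(password, principal):
    """Long-term key from a password, salted with the principal name (simplified
    form of the Kerberos AES string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)


def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload; plays the role of Kerberos EncryptedData."""
    nonce, plain = os.urandom(16), json.dumps(payload).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError means wrong key or tampering."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


def check_authenticator(ticket, authenticator, now):
    """Checks every ticket consumer (TGS or application server) performs: ticket
    unexpired, authenticator readable with the ticket's session key, same client
    name in both, timestamp within the clock skew. Returns the client name."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["session_key"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock skew")
    return ticket["client"]


class KDC:
    """Authentication service and ticket-granting service over one Kerberos database."""
    def __init__(self, passwords):
        self.db = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.db[TGS] = os.urandom(32)        # TGS key: never leaves the KDC

    def _issue(self, client, service, now):
        """Ticket sealed with the service's key, carrying a fresh session key."""
        skey = os.urandom(32)
        return skey, seal(self.db[service], {"client": client, "service": service,
                                             "session_key": skey.hex(), "expires": now + LIFETIME})

    def as_exchange(self, client):
        """Steps 1-2: TGT plus a part sealed with the client's long-term key."""
        now = time.time()
        skey, tgt = self._issue(client, TGS, now)
        return tgt, seal(self.db[client], {"session_key": skey.hex(), "expires": now + LIFETIME})

    def tgs_exchange(self, tgt, authenticator, service):
        """Steps 3-4: the TGT is opened with the TGS key, which the client never holds."""
        now = time.time()
        t = unseal(self.db[TGS], tgt)
        client = check_authenticator(t, authenticator, now)
        skey, ticket = self._issue(client, service, now)
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": skey.hex()})


class Client:
    def __init__(self, principal, password):
        self.principal, self.key = principal, string_to_key(password, principal)
        self.cache = {}                      # credentials cache: service -> (ticket, session key)

    def kinit(self, kdc):
        tgt, enc = kdc.as_exchange(self.principal)
        part = unseal(self.key, enc)         # a wrong password fails here (no pre-auth modelled)
        self.cache[TGS] = (tgt, bytes.fromhex(part["session_key"]))

    def _authenticator(self, skey):
        return seal(skey, {"client": self.principal, "timestamp": time.time()})

    def get_service_ticket(self, kdc, service):
        tgt, skey = self.cache[TGS]
        ticket, enc = kdc.tgs_exchange(tgt, self._authenticator(skey), service)
        self.cache[service] = (ticket, bytes.fromhex(unseal(skey, enc)["session_key"]))

    def ap_request(self, service):
        """Step 5: the service ticket plus a fresh authenticator."""
        ticket, skey = self.cache[service]
        return ticket, self._authenticator(skey)


class Service:
    """Application server holding its own long-term key (the keytab entry)."""
    def __init__(self, principal, key):
        self.principal, self.key, self.replay_cache = principal, key, set()

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if t["service"] != self.principal:
            raise ValueError("ticket issued for a different service")
        client = check_authenticator(t, authenticator, time.time())
        if authenticator in self.replay_cache:   # same authenticator presented twice
            raise ValueError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return client


def demo(password="correct horse"):
    """Whole flow for constructed user smith against host node1; returns the name
    the application server accepted (raises ValueError for a wrong password)."""
    host = "host/node1.example.com"
    kdc = KDC({"smith": "correct horse", host: "keytab-secret"})
    node1 = Service(host, string_to_key("keytab-secret", host))
    user = Client("smith", password)
    user.kinit(kdc)
    user.get_service_ticket(kdc, host)
    return node1.accept(*user.ap_request(host))
```

Running `demo()` returns `"smith"`; `demo("wrong")` raises at `kinit`, because the AS reply is sealed with the key derived from the real password. Presenting the same ticket and authenticator to `Service.accept` twice is rejected by the replay cache, which is the check the article's "preventing eavesdropping or replay attacks" relies on.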

Authenticating OpenVMS users with Kerberos

The Kerberos Authentication and Credential Management (ACME) Agent on OpenVMS provides login authentication of OpenVMS users via a Kerberos principal name and password. This agent is provided as part of the Kerberos Version 3.2 release. After you install and configure Kerberos Version 3.2 on OpenVMS, perform the following steps to configure and start the Kerberos ACME agent.

1. Install ACME Login. See the file SYS$HELP:ACME_DEV_README.TXT for information about installation and setup.

2. Install the Kerberos persona extension by entering the following commands:

   $ MCR SYSMAN
   SYSMAN> SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT
   %SYSMAN-I-IMGADDED, added image KRB$ACME_KRB_PERSONA_EXT for product KERBEROS
   $ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM

3. Reboot the system. This is required one time only, after you have installed the Kerberos persona extension.

4. To start the Kerberos ACME agent automatically, edit the file SYS$MANAGER:ACME$START.COM to uncomment the following line:

   $! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME

5. Edit the file SYSTARTUP_VMS.COM to include the following command after all dependent software is started:

   $ SET SERVER ACME/RESTART

6. Create an OpenVMS account with the EXTAUTH flag set.

7. Create a Kerberos principal name that exactly matches (including case) the OpenVMS account name created in step 6. Passwords do not need to match. For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal.

8. SET HOST or Telnet to the system on which you installed the ACME Agent and the Kerberos persona extension in steps 1 and 2. Enter one of the following commands:

   $ TELNET NODE1
   or
   $ SET HOST NODE1

9. Enter the username and password. For example:

   Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3
   Username: ACMEUSER
   Password: ****
   Logon Message from ACME_KRB_DOI ACME Agent ***

10. Kerberos login: the ticket cache file is stored in the user's default directory.

The Kerberos ACME agent on OpenVMS provides functionality similar to that of the pam_krb5 utility on UNIX systems.
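Step 7 is where ACME logins most often fail silently: the principal's name has to match the EXTAUTH account exactly, including case. Below is an added example, not OpenVMS or ACME agent code, that parses principal names into the primary/instance/realm parts defined above and reports which principals would not map to an account before anyone tries a login. It assumes the agent compares the primary component only and that principals must belong to the one realm the system is configured for (both assumptions, not stated in the article); every account name, principal and realm in it is constructed.

```python
"""Audit Kerberos principal names against OpenVMS EXTAUTH accounts.
Added example; assumes matching on the primary component and a single
configured realm. All names are constructed."""
from typing import Iterable, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance...]@REALM', honouring backslash escapes so an
    escaped '/' or '@' stays inside its component."""
    components, current, realm_started = [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":                      # escaped character: take the next one literally
            current.append(next(chars, ""))
        elif ch in "/@" and not realm_started:
            components.append("".join(current))
            current = []
            realm_started = ch == "@"
        else:
            current.append(ch)
    realm = "".join(current)
    if not realm_started or not realm or not components[0]:
        raise ValueError(f"malformed principal name: {name!r}")
    instance = "/".join(components[1:]) or None   # extra components kept as the instance
    return Principal(components[0], instance, realm)


def map_to_account(principal: str, accounts: Iterable[str], realm: str) -> str:
    """Status of one principal against the accounts that carry EXTAUTH:
    'ok', 'wrong-realm', 'case-mismatch' or 'no-account'."""
    p = parse_principal(principal)
    accounts = list(accounts)
    if p.realm != realm:
        return "wrong-realm"
    if p.primary in accounts:               # exact, case-sensitive match as step 7 requires
        return "ok"
    if p.primary.upper() in (a.upper() for a in accounts):
        return "case-mismatch"              # same letters, wrong case: the login will not map
    return "no-account"


def audit(principals, accounts, realm):
    """Every principal with its status; anything other than 'ok' needs fixing."""
    return {p: map_to_account(p, accounts, realm) for p in principals}


# Constructed sample: SYSUAF accounts with the EXTAUTH flag, and the principals
# an administrator created in the realm.
EXTAUTH_ACCOUNTS = ["ACMEUSER", "BACKUP"]
SAMPLE_PRINCIPALS = [
    "ACMEUSER@EXAMPLE.COM",       # matches exactly
    "acmeuser@EXAMPLE.COM",       # lower case: would not map to ACMEUSER
    "BACKUP@OTHER.REALM",         # realm the system is not configured for
    "SMITH@EXAMPLE.COM",          # no OpenVMS account at all
    r"ODD\/NAME@EXAMPLE.COM",     # escaped slash stays in the primary
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PRINCIPALS, EXTAUTH_ACCOUNTS, "EXAMPLE.COM").items():
        print(f"{name:30} {status}")
```

Feeding the audit the real EXTAUTH account list (for example from a SYSUAF listing) and the principal list from the KDC gives a quick pre-login check; a "case-mismatch" entry is the one the article's step 7 warns about.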

Figure 2: Kerberos authentication on OpenVMS (diagram: Telnet, Authentication and Credential Management (ACME) with the ACME server, VMS ACME and Kerberos ACME agents, and the KDC)

Kerberos authentication with Active Directory

Kerberos is an integral part of a Windows Active Directory domain. The domain controllers (DCs) are Kerberos Key Distribution Centers, and the client systems use the Kerberos protocol to authenticate users with the domain controller servers. Using the Kerberos ACME agent on OpenVMS, users can be authenticated against Active Directory domains. This enables the integration of OpenVMS into an existing enterprise where a Kerberos framework exists.

Kerberized Telnet and SSH

OpenVMS offers Kerberos authentication for telnet and SSH applications. Once you have a valid Kerberos ticket (obtained manually with kinit, or via a login through the Kerberos ACME agent), these applications can use the ticket as an authentication token; once authenticated, access is granted without the need for a password. Configuration steps for Kerberized telnet and SSH applications are explained in the Kerberos documentation.

Secure automatic logins on OpenVMS

Using Kerberized telnet and SSH applications, users can log in securely without entering a password. The following are some of the use cases of having this solution on OpenVMS:

1. Network backup administrators can use it for automated backups in a secure manner.
2. Secure authentication to various platforms (HP-UX, Linux, and Windows) from OpenVMS.
3. Integration of OpenVMS into the existing enterprise-wide single sign-on framework.
4. Administrators can automate remote testing and secure patch/kit installation procedures.

Summary

Adding Kerberos to a network can increase the overall security available to the users and administrators of that network. Integrating OpenVMS into an existing Kerberos framework previously required a lot of custom-made solutions to be developed. The Kerberos ACME agent on OpenVMS provides the basic authentication infrastructure so that OpenVMS can be integrated into, and extend, an enterprise-wide single sign-on framework.

For more information

Kerberos for HP OpenVMS Documentation: http://h71000.www7.hp.com/openvms/products/kerberos/

Smoothly integrate OpenVMS into your Kerberos framework and enhance your single sign-on experience; visit: www.hp.com/go/openvms

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Windows is a U.S. registered trademark of Microsoft Corporation. UNIX is a registered trademark of The Open Group. 4AA4-0526ENW, Created April 2012