Special RS/6000 SP Topics
allow the clients to get service tickets to be used with other servers without
the need to give them the password every time they request services.
So, once a user has a ticket-granting ticket and requests a kerberized
service, he has to get a service ticket for it. To get one, the kerberized
command sends an encrypted message containing the requested service
name, the machine’s name, and a time-stamp to the Kerberos server. The
Kerberos server decrypts the message, checks whether everything is in
order, and if so, sends back a service ticket encrypted with the service’s
private key, so that only the requested service can decrypt it. The client sends
his request along with the just-received ticket to the service provider, who in
turn decrypts it and checks authorization, and then, if everything is in order,
provides the requested service to the client.
9.2.1 Configuring Kerberos Security with HACMP Version 4.3
With HACMP Version 4.3 there is a handy script to do the kerberos setup for
you, called cl_setup_kerberos. It sets up all the IP labels defined to the
HACMP cluster together with the needed kerberos principals, so that remote
kerberized commands will work.
On an SP the setup_authent command does the SP-related kerberos setup,
which is based on the IP labels found in the SDR. Since the SDR does not
allow multiple IP labels to be defined on the same interface, whereas HACMP
needs to have multiple IP labels on one interface during IPAT, the kerberos
setup for HACMP has to be redone every time the setup_authent command is
run, whether explicitly or implicitly through the setup_server command.
You can either do that manually, or use the cl_setup_kerberos tool. To
manually add the kerberos principals, use the kadmin command. Necessary
principals for kerberized operation in enhanced security mode are the
(remote) rcmd principals and the godm principals. As always, a kerberos
principal consists of a name, godm for example, an IP label, like
hadave1_stby, and a realm, so that the principal in its full length would look
like [email protected].
Now after adding all the needed principals to the kerberos database, you
must also add them to the /etc/krb-srvtab file on the nodes. To do that, you
will have to extract them from the database and copy them out to the nodes,
replacing their kerberos file.
Now you can extend root’s .klogin file and /etc/krb.realms file to reflect the
new principals, and copy these files out to the node as well.
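As an added example (not taken from the IBM guide), the following POSIX shell check lists which rcmd and godm principals are missing from a .klogin file for a given set of IP labels, which is the state to verify after setup_authent has been rerun. The realm EXAMPLE.REALM, the label hadave1_svc and the sample file contents are constructed, and the check assumes one principal per line in the name.label@REALM form described above.

```shell
#!/bin/sh
# Added example: audit a .klogin file for the principals that HACMP
# enhanced security mode needs (rcmd and godm, one pair per IP label).

# Print the expected principals, one per line, as name.label@REALM.
expected_principals() {
    realm=$1; shift
    for label in "$@"; do
        for name in rcmd godm; do
            printf '%s.%s@%s\n' "$name" "$label" "$realm"
        done
    done
}

# Print every expected principal that has no exactly matching line in the
# given file. Arguments: file, realm, then the cluster's IP labels.
missing_from_klogin() {
    klogin=$1; shift
    expected_principals "$@" | while IFS= read -r principal; do
        # -x: whole-line match; -F: fixed string, so the dot in a
        # principal is not treated as a regex wildcard.
        grep -qxF -- "$principal" "$klogin" || printf '%s\n' "$principal"
    done
}

# Constructed sample: a root .klogin in which the godm principal for the
# standby label was lost, as after an unrepaired setup_authent run.
demo() {
    sample="${TMPDIR:-/tmp}/klogin.sample.$$"
    cat > "$sample" <<'EOF'
root.admin@EXAMPLE.REALM
rcmd.hadave1_svc@EXAMPLE.REALM
godm.hadave1_svc@EXAMPLE.REALM
rcmd.hadave1_stby@EXAMPLE.REALM
EOF
    missing_from_klogin "$sample" EXAMPLE.REALM hadave1_svc hadave1_stby
    rm -f "$sample"
}

demo
```

An empty result means every label has both principals listed; any line printed is a principal that still has to be added before remote kerberized commands will work for that label.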
Summary of Contents for AIX HACMP SG24-5131-00