HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration
Installing and Configuring Kerberos on OpenVMS Version 8.2 or Higher
Kerberos Version 3.0 is automatically installed during the
installation of OpenVMS Version 8.3, or during an upgrade from a
previous version of OpenVMS to Version 8.3.

Configure HP TCP/IP Services for OpenVMS to Change Hostname Definition to Fully
Qualified Domain Name
Before configuring or starting Kerberos, check the HP TCP/IP
Services for OpenVMS Local Host Database to determine whether your
hostname definition is the short name (for example, node1) or the
Fully Qualified Domain Name (FQDN) (for example, node1.hp.com). Example 2-1 contains a log of such a change.

Example 2-1 Changing Hostname Definition from Short Name to Fully Qualified Domain Name

$ TCPIP SHOW HOST/LOCAL NODE1

     LOCAL database

Host address    Host name

1.2.3.4         node1

$ @SYS$STARTUP:TCPIP$CONFIG

    TCP/IP Network Configuration Procedure

    This procedure helps you define the parameters required to run
    HP TCP/IP Services for OpenVMS on this system.

    Checking TCP/IP Services for OpenVMS configuration database files.

    HP TCP/IP Services for OpenVMS Configuration Menu

    Configuration options:

        1 - Core environment
        2 - Client components
        3 - Server components
        4 - Optional components
        5 - Shutdown HP TCP/IP Services for OpenVMS
        6 - Startup HP TCP/IP Services for OpenVMS
        7 - Run tests
        A - Configure options 1 - 4
        [E] - Exit configuration procedure

    Enter configuration option: 1

    HP TCP/IP Services for OpenVMS Core Environment Configuration Menu

    Configuration options:

        1 - Domain
        2 - Interfaces
        3 - Routing
        4 - BIND Resolver
        5 - Time Zone
        A - Configure options 1 - 5
        [E] - Exit menu

    Enter configuration option: 2

    HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

    Hostname Details: Configured=node1, Active=node1

    Configuration options:

        1 - WE0 Menu (EWA0: TwistedPair 1000mbps)
        2 - 1.2.3.4/21 node1 Configured,Active
        3 - IE0 Menu (EIA0: TwistedPair 100mbps)
        I - Information about your configuration
        [E] - Exit menu

    Enter configuration option: 2

    HP TCP/IP Services for OpenVMS Address Configuration Menu

    WE0 1.2.3.4/21 node1 Configured,Active WE0

    Configuration options:

        1 - Change address
        2 - Set “node1” as the default hostname
        3 - Delete from configuration database
        4 - Remove from live system
        5 - Add standby aliases to configuration database (for failSAFE IP)
        [E] - Exit menu

    Enter configuration option: 1

    IPv4 Address may be entered with CIDR bits suffix.
    E.g. For a 16-bit netmask enter 10.0.1.1/16

    Enter IPv4 Address [1.2.3.4/21]:
    Enter hostname [node1]: node1.hp.com

    Requested configuration:

        Address  : 1.2.3.4/21
        Netmask  : 255.255.248.0 (CIDR bits: 21)
        Hostname : node1.hp.com

    * Is this correct [YES]:

    “node1” is currently associated with address “1.2.3.4”.
    Continuing will associate “node1.hp.com” with “1.2.3.4”.

    * Continue [NO]: YES
    Deleted host node1 from host database
    Added hostname node1.hp.com (1.2.3.4) to host database
    * Update the address in the configuration database [NO]: YES
    Updated address WE0:1.2.3.4 in configuration database
    * Update the active address [NO]: YES
    WE0: delete active inet address node1.hp.com
    Updated active address to be WE0:1.2.3.4

    HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

    Hostname Details: Configured=node1, Active=node1

    Configuration options:

        1 - WE0 Menu (EWA0: TwistedPair 1000mbps)
        2 - 1.2.3.4/21 node1.hp.com Configured,Active
        3 - IE0 Menu (EIA0: TwistedPair 100mbps)
        I - Information about your configuration
        [E] - Exit menu

    Enter configuration option: E

    HP TCP/IP Services for OpenVMS Core Environment Configuration Menu

    Configuration options:

        1 - Domain
        2 - Interfaces
        3 - Routing
        4 - BIND Resolver
        5 - Time Zone
        A - Configure options 1 - 5
        [E] - Exit menu

    Enter configuration option: E

    HP TCP/IP Services for OpenVMS Configuration Menu

    Configuration options:

        1 - Core environment
        2 - Client components
        3 - Server components
        4 - Optional components
        5 - Shutdown HP TCP/IP Services for OpenVMS
        6 - Startup HP TCP/IP Services for OpenVMS
        7 - Run tests
        A - Configure options 1 - 4
        [E] - Exit configuration procedure

    Enter configuration option: E

$ TCPIP SHOW HOST/LOCAL NODE1

     LOCAL database

Host address    Host name

1.2.3.4         node1.hp.com

Configuring Kerberos for OpenVMS on OpenVMS 8.2 or Higher
If you have not previously configured an earlier version of
Kerberos on your system, you must run the configuration program
before starting Kerberos.

NOTE: If you are reconfiguring Kerberos on a system on which
Kerberos was previously configured, you must enter the kdestroy command
before you run the configuration command procedure SYS$STARTUP:KRB$CONFIGURE.COM.
The kdestroy command is defined in KRB$SYMBOLS.COM.

After you have a valid configuration, start Kerberos with
the following command:

$ @SYS$STARTUP:KRB$STARTUP.COM

Example 2-2 shows a configuration log.

Example 2-2 Kerberos Configuration Log on OpenVMS

$ @SYS$STARTUP:KRB$CONFIGURE

    Kerberos V3.0 for OpenVMS Configuration Menu

    Configuration options:

        1 - Setup Client configuration
        2 - Edit Client configuration
        3 - Setup Server configuration
        4 - Edit Server configuration
        5 - Shutdown Servers
        6 - Startup Servers
        E - Exit configuration procedure

    Enter Option: 1

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

    Press Return to continue ...

    Kerberos V3.0 for OpenVMS Configuration Menu

    Configuration options:

        1 - Setup Client configuration
        2 - Edit Client configuration
        3 - Setup Server configuration
        4 - Edit Server configuration
        5 - Shutdown Servers
        6 - Startup Servers
        E - Exit configuration procedure

    Enter Option: 3

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

    The type of roles the KDC can perform are:

        NO_KDC     -- where the KDC will not be run
        SINGLE_KDC -- where the KDC is the only one in the realm
        MASTER_KDC -- where the KDC is the master of 1 or more other KDCs
        SLAVE_KDC  -- where the KDC is slave to another KDC

    What will be the KDC’s role on this node [ SINGLE_KDC ]:
    Create the OpenVMS Kerberos 5 database [ Y ]:

    Creating OpenVMS Kerberos 5 database ...

    Initializing database ‘krb$root:[krb5kdc]principal’ for realm ‘SYSTEM.ABC.XYZ.COM’,
    master key name ‘K/M@SYSTEM.ABC.XYZ.COM’
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    Priority: info No dictionary file specified, continuing without one.

    Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:

    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Enter password for principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM”:
    Re-enter password for principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM”:
    Principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM” created.
    Priority: info No dictionary file specified, continuing without one.
    WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM; defaulting to no policy

    Create OpenVMS Kerberos 5 principals [ Y ]: N

    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Priority: info No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
    Priority: info No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    Press Return to continue ...

    Kerberos V3.0 for OpenVMS Configuration Menu

    Configuration options:

        1 - Setup Client configuration
        2 - Edit Client configuration
        3 - Setup Server configuration
        4 - Edit Server configuration
        5 - Shutdown Servers
        6 - Startup Servers
        E - Exit configuration procedure

    Enter Option: 6

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000060
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000061

    Press Return to continue ...

    Kerberos V3.0 for OpenVMS Configuration Menu

    Configuration options:

        1 - Setup Client configuration
        2 - Edit Client configuration
        3 - Setup Server configuration
        4 - Edit Server configuration
        5 - Shutdown Servers
        6 - Startup Servers
        E - Exit configuration procedure

    Enter Option: E
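
An added example, not part of the HP manual: a small Python audit of a configuration log like Example 2-2 that picks out the lines a reviewer would follow up on (keytab keys using DES or Triple DES, an administrator principal created with no policy, and no dictionary file). The function name, finding labels and the excerpted sample lines are constructed for illustration.

```python
import re

# Constructed sample: lines excerpted from the Example 2-2 configuration log.
SAMPLE_LOG = """\
Priority: info No dictionary file specified, continuing without one.
WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM; defaulting to no policy
KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
"""

# Shape of the keytab and policy messages as they appear in the log above.
KEYTAB_RE = re.compile(
    r"Entry for principal (?P<principal>\S+) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<etype>.+?) added to keytab (?P<keytab>\S+?)\.?$")
POLICY_RE = re.compile(r"no policy specified for (?P<principal>[^;\s]+);")

# Legacy enctypes, keyed by the names the log prints. Kerberos use of DES is
# deprecated by RFC 6649 and of Triple DES by RFC 8429.
LEGACY = {
    "DES cbc mode with CRC-32": "single DES",
    "Triple DES cbc mode with HMAC/sha1": "3DES",
}

def audit_log(text):
    """Return a sorted list of (kind, subject, detail) findings (hypothetical labels)."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        m = KEYTAB_RE.search(line)
        if m and m["etype"] in LEGACY:
            findings.add(("legacy-enctype", m["principal"], LEGACY[m["etype"]]))
        m = POLICY_RE.search(line)
        if m:
            findings.add(("no-policy", m["principal"], "no password policy attached"))
        if "No dictionary file specified" in line:
            findings.add(("no-dictionary", "kadmin", "no word list for password checks"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject, detail in audit_log(SAMPLE_LOG):
        print(f"{kind:15} {subject:34} {detail}")
```

Save the output of KRB$CONFIGURE to a file and pass its contents to `audit_log` to review a real run.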