Installing and Administering Internet Services

Chapter 11 343
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
To summarize:

• The user obtains a TGT from the AS portion of the KDC when the user first
  issues the kinit, dce_login, or dess_login command to the KDC.

• When the user invokes a Secure Internet Service, the client requests
  a service ticket from the TGS portion of the KDC. It obtains this
  service ticket by presenting the TGT and other credentials to the TGS
  portion of the KDC.

• The client sends the service ticket and other credentials received from
  the TGS to the application server. This authenticates the application
  client to the application server. This authentication replaces the
  non-secure authentication method of sending a password, in a
  readable form, to the application server.
Related Terms and Concepts
Some of the terms and concepts you might find helpful in understanding
the secure environment are briefly discussed in the paragraphs below.
Kerberos Utilities
The following utilities must exist on all security clients (HP provides
these utilities on HP clients):

• kinit: This command obtains and caches a TGT for the user. For
  more information, refer to the kinit(1) man page.

• klist: This command displays the list of tickets in the user's
  credentials cache file. For more information, refer to the klist(1)
  man page.

• kdestroy: This command destroys the user's accumulated
  credentials. For more information, refer to the kdestroy(1) man
  page.
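The three-step exchange summarized at the start of this section (AS issues the TGT, TGS issues the service ticket, the client presents the ticket to the application server) and the three cache utilities just listed can be seen working together in the following toy model. It is an added illustration written for this page, not HP-UX code or the real Kerberos implementation: the "seal" routine is a constructed hash-based stand-in for the Kerberos encryption types, the realm, user, password and ftp service name are made up, and the lifetime and clock-skew values are assumptions. What it does show is the property the text describes: the user's password never travels, each ticket is readable only by the service it names, and a wrong password or an altered ticket is rejected by the integrity check rather than by a password comparison on the server.

```python
# Toy model of the Kerberos V5 exchanges summarized above (AS issues a TGT, TGS issues a
# service ticket, the client presents it to the application server) plus a kinit/klist/
# kdestroy cache. Added illustration, not HP-UX code; "seal" is a constructed stand-in.
import hashlib, hmac, json, os, time

REALM = "MYREALM.COM"   # realm name from the text; uppercase by convention

def string_to_key(password, salt):
    # Long-term key from a password; the password itself never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor(key, nonce, data):
    # Toy stream cipher: XOR with a SHA-256 keystream (illustration only, not real crypto).
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # Encrypt-then-MAC a small JSON object under `key`.
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key, blob):
    # The MAC is checked first: a wrong key or an altered ticket fails closed.
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(_xor(key, body[:16], body[16:]))

def verify_presentation(service_key, ticket_blob, auth_blob):
    # What any server (the TGS or an application server) does with ticket + authenticator.
    ticket = unseal(service_key, ticket_blob)               # only the named service can read it
    auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)  # proves the client holds the session key
    now = time.time()
    if not ticket["start"] <= now <= ticket["end"]:
        raise ValueError("ticket expired or not yet valid")
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > 300:  # 300 s skew: assumption
        raise ValueError("authenticator does not match the ticket or is stale")
    return ticket

class KDC:
    # Realm principal database plus the AS and TGS portions of the KDC.
    def __init__(self, realm, user_passwords, service_names):
        self.realm, self.tgs = realm, f"krbtgt/{realm}@{realm}"
        self.keys = {f"{u}@{realm}": string_to_key(p, realm + u) for u, p in user_passwords.items()}
        # service keys; in practice each server holds its own copy in a keytab
        self.keys.update({s: os.urandom(32) for s in [self.tgs] + [f"{n}@{realm}" for n in service_names]})

    def _issue(self, client, service):
        session, now = os.urandom(32), int(time.time())
        ticket = {"client": client, "service": service, "key": session.hex(),
                  "start": now, "end": now + 8 * 3600}   # 8 h lifetime: assumption
        return seal(self.keys[service], ticket), session

    def as_exchange(self, client):
        # AS-REP: a TGT plus its session key, the latter readable only with the user's key.
        ticket, session = self._issue(client, self.tgs)
        return ticket, seal(self.keys[client], {"key": session.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REP: validate TGT + authenticator, then issue a ticket for the requested service.
        tgt_contents = verify_presentation(self.keys[self.tgs], tgt, authenticator)
        ticket, session = self._issue(tgt_contents["client"], service)
        return ticket, seal(bytes.fromhex(tgt_contents["key"]), {"key": session.hex()})

class Client:
    def __init__(self, kdc, principal):
        self.kdc, self.principal = kdc, principal
        self.cache = {}   # credentials cache: service principal -> (ticket, session key)

    def kinit(self, password):  # obtain and cache a TGT; a wrong password raises ValueError
        tgt, enc = self.kdc.as_exchange(self.principal)
        key = string_to_key(password, self.kdc.realm + self.principal.split("@")[0])
        self.cache[self.kdc.tgs] = (tgt, bytes.fromhex(unseal(key, enc)["key"]))

    def klist(self):            # service principals of the cached tickets
        return sorted(self.cache)

    def kdestroy(self):         # discard all accumulated credentials
        self.cache.clear()

    def authenticator(self, session_key):
        return seal(session_key, {"client": self.principal, "time": time.time()})

    def get_service_ticket(self, service):  # TGS exchange, driven by the cached TGT
        tgt, tgt_key = self.cache[self.kdc.tgs]
        ticket, enc = self.kdc.tgs_exchange(tgt, self.authenticator(tgt_key), service)
        self.cache[service] = (ticket, bytes.fromhex(unseal(tgt_key, enc)["key"]))

def demo():
    # Constructed realm with one user and one ftp service (all names made up).
    kdc = KDC(REALM, {"david": "correct horse"}, ["ftp/host1.mydomain.com"])
    david, ftp = Client(kdc, f"david@{REALM}"), f"ftp/host1.mydomain.com@{REALM}"
    david.kinit("correct horse")
    david.get_service_ticket(ftp)
    ticket, key = david.cache[ftp]                       # what the client sends to the server
    accepted = verify_presentation(kdc.keys[ftp], ticket, david.authenticator(key))["client"]
    listed = david.klist()
    david.kdestroy()
    return accepted, listed, david.klist()
```

Running demo() returns the principal the application server accepted, the klist view holding both the krbtgt and ftp tickets, and the empty view after kdestroy. The application server here is just a call to verify_presentation with the service's own key: it never sees a password and never contacts the KDC, which is the point of the ticket-based design.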
Realms/Cells
A realm defines an administrative boundary, and has a unique name. It
consists of the KDC and all the security clients (application servers and
application clients) registered to that KDC. By convention, Kerberos uses
uppercase realm names, which appear as suffixes in principal names
(david@MYREALM.COM).