Installing and Administering Internet Services

344 Chapter 11
Secure Internet Services
Overview of the Secure Environment and the Kerberos V5 Protocol
When the HP DCE Security Service is used as the KDC, the term cell is
used in place of realm. A cell is roughly equivalent to a realm. An HP DCE cell name must
be lowercase. It appears as a prefix with a leading “/.../” in a principal
name (/.../my_kdc_cell.com/david).
Domains
A P/SS domain defines an administrative structure and is equivalent to
a Kerberos realm and an HP DCE cell. Like an HP DCE cell, its name
must be lowercase. It appears as a prefix and has a leading “/.../” in a
principal name (/.../my_domain/david).
Cross-Realm Authentication
Cross-realm authentication occurs when a client from one realm wishes
to access a server from a different realm. Since each KDC administers
tickets for a specific realm, cross-realm operation requires using
inter-realm keys with the KDC. Cross-realm authentication is also
referred to as inter-realm authentication.
Currently it is not possible to set up heterogeneous cross-realm
authentication between an HP DCE or P/SS KDC and a Kerberos V5
KDC. Cross-realm authentication is available between realms hosted by
KDCs of the same type. In other words, for cross-realm configurations
with the Secure Internet Services, all the KDCs must be HP DCE
Security Services, all the KDCs must be HP P/SSs, or all the KDCs must
be Kerberos V5 KDCs.
Principals
Principals are uniquely named network entities, including users and
services. Principal names contain the cell to which they belong, and each
principal has a unique key associated with it. All principals that
participate in Kerberos V5 authentication and authorization are
required to be included in the KDC’s database. The KDC database does
not distinguish between types of principal names. However, it is useful to
describe two kinds of principal names: user principal names and service
principal names.
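The following Python is an added example, not part of the HP manual or of any HP tool: it parses a principal name in each of the three forms the sections above describe (a Kerberos V5 name@REALM name, an HP DCE /.../cell/name name and a P/SS /.../domain/name name), enforces the rule that an HP DCE cell name or P/SS domain name must be lowercase, and applies the cross-realm rule that authentication between two realms, cells or domains is only possible when both are hosted by KDCs of the same type. The KDC-type enum, the Principal dataclass, the realm name EXAMPLE.COM and the uppercase-realm convention note are assumptions of the example; the manual shows only the /.../cell/name and /.../domain/name forms.

```python
import re
from dataclasses import dataclass
from enum import Enum


class KdcType(Enum):
    """The three KDC types the manual distinguishes (names are the example's own)."""
    KERBEROS_V5 = "Kerberos V5 KDC"
    HP_DCE = "HP DCE Security Service"
    HP_PSS = "HP P/SS"


@dataclass(frozen=True)
class Principal:
    name: str        # user ID or service name, e.g. "david"
    authority: str   # realm (Kerberos V5), cell (HP DCE) or domain (P/SS)
    kdc_type: KdcType


# Kerberos V5 form: name@REALM. Realm names are case-sensitive; uppercase is
# the usual convention but the example does not enforce it. The name part may
# contain "/" (service/host@REALM), so only "@" is excluded from it.
_KRB5_FORM = re.compile(r"^(?P<name>[^@]+)@(?P<realm>[^@]+)$")

# HP DCE cell and P/SS domain form: the leading "/.../" prefix, then the cell
# or domain name, then the rest of the principal name (which may itself
# contain "/" components, so everything after the second "/" is the name).
_DCE_FORM = re.compile(r"^/\.\.\./(?P<authority>[^/]+)/(?P<name>.+)$")


def parse_principal(text: str, kdc_type: KdcType) -> Principal:
    """Parse a principal name in the form used by the given KDC type.

    Raises ValueError when the text does not have the expected shape, or when
    an HP DCE cell / P/SS domain name is not lowercase (the manual's rule).
    """
    if kdc_type is KdcType.KERBEROS_V5:
        m = _KRB5_FORM.match(text)
        if not m:
            raise ValueError(f"not a Kerberos V5 principal name (name@REALM): {text!r}")
        return Principal(m.group("name"), m.group("realm"), kdc_type)

    m = _DCE_FORM.match(text)
    if not m:
        raise ValueError(f"expected /.../<cell-or-domain>/<name>: {text!r}")
    authority = m.group("authority")
    if authority != authority.lower():
        raise ValueError(f"cell/domain name must be lowercase: {authority!r}")
    return Principal(m.group("name"), authority, kdc_type)


def is_valid_principal(text: str, kdc_type: KdcType) -> bool:
    """Boolean wrapper around parse_principal for callers that only want a check."""
    try:
        parse_principal(text, kdc_type)
        return True
    except ValueError:
        return False


def can_authenticate(client: Principal, server: Principal) -> bool:
    """Apply the manual's cross-realm rule.

    Client and server in the same realm/cell/domain need no cross-realm
    operation. Otherwise cross-realm authentication requires that both sides'
    KDCs are of the same type: heterogeneous HP DCE / P/SS / Kerberos V5
    cross-realm setups are not supported.
    """
    if client.kdc_type is server.kdc_type and client.authority == server.authority:
        return True
    return client.kdc_type is server.kdc_type


if __name__ == "__main__":
    # Constructed sample names, modelled on the manual's /.../my_kdc_cell.com/david.
    dce_user = parse_principal("/.../my_kdc_cell.com/david", KdcType.HP_DCE)
    dce_svc = parse_principal("/.../other_cell.com/hosts/srv1/self", KdcType.HP_DCE)
    krb_svc = parse_principal("ftp/srv1.example.com@EXAMPLE.COM", KdcType.KERBEROS_V5)
    print("DCE cell -> DCE cell:", can_authenticate(dce_user, dce_svc))   # True
    print("DCE cell -> Kerberos V5 realm:", can_authenticate(dce_user, krb_svc))  # False
```

The lowercase check is deliberately applied to the cell or domain name only, since the manual places that requirement on the cell/domain and says nothing about the user ID part; a deployment that also needs host- or service-style names under a cell is covered because everything after the cell component is kept as the name.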
User Principal Names. A user principal name is associated with a
specific user of the Secure Internet Services. User principal names
consist of a user ID and a realm, cell, or domain name. All users must
have one or more user principal names in the KDC’s database. Some
examples of user principal names are the following: