Installing and Administering Internet Services

354 Chapter 11
Secure Internet Services
Configuration and Kerberos Version Interoperability Requirements
This file is automatically created when the client is configured into the HP DCE cell (for HP DCE clients) or the HP P/SS domain (for HP P/SS clients). Additional entries can be added manually.
A realms file named /krb5/krb.realms.
This file is used to associate host names with realm or cell names. Suggested ownership and permissions for this file are root, sys, -r--r--r--.
A keytab file named /krb5/v5srvtab.
This file must be owned by root, and only root may have read and write permission on it.
This keytab file must contain the service principal names and their associated secret keys. The application server uses the key found in its keytab file to decrypt the service ticket sent to it by the application client, as follows:
HP Kerberos security clients
For HP Kerberos security clients, the service principal's secret key must first be created on the KDC, even though it is also required to be in a file on the security client. On an HP DCE Security Service or P/SS, use the dcecp command. On a non-HP Kerberos V5 KDC, use the appropriate command.

The keytab then needs to be securely copied to the target client node. This can be difficult if you have no secure means of copying the file over the network; removable media (for example, a floppy disk) might be necessary to ensure proper security.
HP DCE security clients and HP P/SS security clients
For HP DCE and P/SS security clients, the keytab file can be created and edited on the client itself, using the dcecp keytab commands. This avoids the problem of securely copying the keytab information from the KDC, since the file is created on the client.
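The ownership and permission requirements given above (keytab owned by root with no group or other access; realms file suggested root, sys, -r--r--r--) can be audited with the following script. This is an added example, not part of the HP manual; it uses the file paths stated above and assumes a 'sys' group exists on the host (the group check is skipped if it does not).

```python
import grp
import os
import stat

# Paths given in the manual section above.
KEYTAB_PATH = "/krb5/v5srvtab"     # must be root-owned; only root may read or write it
REALMS_PATH = "/krb5/krb.realms"   # suggested ownership root, sys and mode -r--r--r-- (0444)


def audit_file(path, expected_uid=0, expected_gid=None,
               forbidden_bits=stat.S_IRWXG | stat.S_IRWXO, expected_mode=None):
    """Return a list of findings for path; an empty list means it complies.
    forbidden_bits: permission bits that must all be clear (default: any group/other access).
    expected_mode:  if given, the exact permission bits required.
    """
    try:
        st = os.lstat(path)  # lstat so a symlink planted at the path is reported, not followed
    except FileNotFoundError:
        return ["%s: file does not exist" % path]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("%s: not a regular file" % path)
    if st.st_uid != expected_uid:
        findings.append("%s: owner uid %d, expected %d" % (path, st.st_uid, expected_uid))
    if expected_gid is not None and st.st_gid != expected_gid:
        findings.append("%s: group gid %d, expected %d" % (path, st.st_gid, expected_gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden_bits:
        findings.append("%s: mode %04o grants group/other access" % (path, mode))
    if expected_mode is not None and mode != expected_mode:
        findings.append("%s: mode %04o, expected %04o" % (path, mode, expected_mode))
    return findings


def audit_keytab(path=KEYTAB_PATH, expected_uid=0):
    """Keytab rule: owned by root, no group or other permission bits at all."""
    return audit_file(path, expected_uid=expected_uid)


def audit_realms(path=REALMS_PATH, expected_uid=0, expected_gid=None):
    """Realms rule: world-readable is intended, so require exactly 0444 instead."""
    return audit_file(path, expected_uid, expected_gid, forbidden_bits=0, expected_mode=0o444)


if __name__ == "__main__":
    try:
        sys_gid = grp.getgrnam("sys").gr_gid  # assumption: a 'sys' group exists on this host
    except KeyError:
        sys_gid = None                        # no such group: skip the group check
    for finding in audit_keytab() + audit_realms(expected_gid=sys_gid):
        print(finding)
```

Run it as root on the client after installing the keytab; no output means both files meet the stated requirements.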
Beginning with HP-UX 11.0
For the Secure Internet Services beginning with HP-UX 11.0, the configuration, realms, and keytab files described above are different, as follows: