Installing and Administering Internet Services

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1 Networking Software

351

352

353

354

355

356

357

358

359

360

Chapter 11 355

Secure Internet Services

Conﬁguration and Kerberos Version Interoperability Requirements

• The conﬁguration ﬁle and realms ﬁle are combined into one

conﬁguration ﬁle with a new format. The new conﬁguration ﬁle is

named /etc/krb5.conf.

The /etc/krb5.conf ﬁle speciﬁes (1) defaults for the realm and for

Kerberos applications, (2) mappings of host names onto Kerberos

realms, and (3) the location of KDCs for the Kerberos realms.

For HP DCE clients, the /etc/krb5.conf ﬁle must be created and

maintained manually.

For HP P/SS clients, the /etc/krb5.conf ﬁle is created

automatically but it must be maintained manually. Also, to ensure

that the ﬁle is created correctly, the patch PHSS_7877 must have

been installed before the P/SS client is conﬁgured.

If you were using the pre-HP-UX 11.0 Secure Internet Services, and

so the conﬁguration and realms ﬁles were previously conﬁgured, you

can use a migration tool to combine the two ﬁles into the one ﬁle used

by HP-UX 11.0. See “Migrating Version 5 Beta 4 Files to Version 5

Release 1.0” on page 361 for instructions on how to use the tool.

Note that, because the kinit, klist, and kdestroy commands still

require the V5 Beta 4 /krb5/krb.conf and /krb5/krb.realms

ﬁles, you must still keep these ﬁles in the secure environment’s

conﬁguration, and their conﬁguration information must match that of

the V5-1.0 ﬁle. If you make any changes to the V5-1.0 ﬁle

(/etc/krb5.conf), you must also manually make the same changes

to both of the V5 Beta 4 ﬁles.

• To ensure interoperability between V5 Beta 4 and V5-1.0, the

checksum and encryption types must be synchronized. So, you need to

ensure that the[libdefaults] section of the /etc/krb5.conf ﬁle

is correct, as follows:

• If using an HP DCE KDC, the following entries must be in

the[libdefaults] section of the /etc/krb5.conf ﬁle:

kdc_req_checksum_type = 2

ccache_type = 2

• If using a non-HP DCE V5 Beta 4 KDC, the following entries must

be in the[libdefaults] section of the /etc/krb5.conf ﬁle:

checksum_type = 1

default_tgs_enctypes = des-cbc-crc

default_tkt_enctypes = des-cbc-crc

ccache_type = 2