Security Guide : 10. Configuring Vector to Use Kerberos : Kerberos Configuration in the Enterprise
 
Kerberos Configuration in the Enterprise
Before using Kerberos with Vector, Kerberos should be appropriately configured in your enterprise.
A primary component of Kerberos is the Key Distribution Center (KDC). The KDC is a server process that performs the core authentication. The protocol works by passing encrypted tickets from the KDC to client processes or to intermediate agents known as “service principals.” For the sake of simplicity, assume that a single KDC performs all Kerberos authentication.
If the enterprise contains only one DBMS Server, one option is to run the KDC on the same machine as the DBMS Server.
Where resources permit, it is preferable to install the KDC on a network node separate from the Vector installation. Security restrictions can then be imposed on the Kerberos node that would not be possible if the KDC shared a machine with a DBMS Server.
This arrangement demonstrates why Kerberos is sometimes referred to as “distributed authentication”: the KDC performs authentication for all Vector nodes in the enterprise even though it resides on a separate network node.
Note: This example assumes that all Vector nodes use Kerberos for authentication, but this is not a requirement; some nodes may continue to use INGRES authentication.
Kerberos Configuration Files--Configure Kerberos for Vector
Here are examples of Kerberos configuration files. These examples assume that the KDC resides on the node foo.xyz.com and that the Kerberos realm (domain) is named MYDOMAIN.XYZ.COM.
The krb5.conf file may look like this:
[libdefaults]
    default_realm = MYDOMAIN.XYZ.COM

[realms]
    MYDOMAIN.XYZ.COM = {
        kdc = foo.xyz.com
        admin_server = foo.xyz.com
    }

[domain_realm]
    .xyz.com = MYDOMAIN.XYZ.COM
    xyz.com = MYDOMAIN.XYZ.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
The kdc.conf file may look like this:
[kdcdefaults]
    kdc_ports = 88
 
[realms]
    MYDOMAIN.XYZ.COM = {
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
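As an added example (not part of the Vector guide), the following Python checker parses the MIT profile format used by both files above and reports two things a practitioner would want flagged before rolling out: realm names in default_realm or [domain_realm] that have no matching [realms] stanza, and DES-family encryption types, which current MIT Kerberos releases have removed or deprecated. The two sample files are constructed for the example; the realm-name mismatch and the enctype list mirror the kind of settings shown in this section.

```python
# Constructed krb5.conf: [realms] names SSF.XYZ.COM but default_realm/[domain_realm] say MYDOMAIN.XYZ.COM.
KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.XYZ.COM
[realms]
    SSF.XYZ.COM = {
        kdc = foo.xyz.com
    }
[domain_realm]
    .xyz.com = MYDOMAIN.XYZ.COM
"""
# Constructed kdc.conf that still lists DES-family encryption types.
KDC_CONF = """
[realms]
    MYDOMAIN.XYZ.COM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
"""
# Single DES was removed in MIT krb5 1.18; triple DES and RC4 have been deprecated since 1.19.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-hmac-sha1", "arcfour-hmac"}

def parse_profile(text):
    """Parse the MIT profile format (comments and blanks skipped) into nested dicts."""
    conf, section, sub = {}, None, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None                                # end of a realm sub-block
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                sub = conf[section].setdefault(key, {})
            elif sub is not None:
                sub[key] = value
            else:
                conf[section][key] = value
    return conf

def audit(conf):
    """Return findings: realm references that do not resolve, and deprecated enctypes."""
    realms = conf.get("realms", {})
    refs = {"default_realm": conf.get("libdefaults", {}).get("default_realm"), **conf.get("domain_realm", {})}
    findings = [f"{k} -> undefined realm {r}" for k, r in refs.items() if r and r not in realms]
    for name, params in realms.items():
        etypes = {e.split(":")[0] for e in params.get("supported_enctypes", "").split()}
        etypes.add(params.get("master_key_type", ""))
        findings += [f"realm {name}: deprecated enctype {e}" for e in sorted(etypes & DEPRECATED_ENCTYPES)]
    return findings
```

Running audit(parse_profile(...)) on the two samples reports the unresolved realm references in the first file and the two DES-family enctypes in the second; a file whose realm names agree and whose enctypes are AES-only returns an empty list.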