Appendix C
Kerberos Key Distribution Center Example Setup
The Kerberos Key Distribution Center (KDC) can be set up on the
same machine as the system under test or on a remote machine, as
long as the system under test is networked to it.
C.1 Setup
The following is an example of the setup process for a Sun
Microsystems machine running the Solaris platform, version 2.8.
Note - If your network already has a KDC, skip to To Add Kerberos Principals for JCK Testing.
The setup process consists of the following tasks:
C.1.1 Obtaining the Kerberos Software
You can obtain the Kerberos software on CD-ROM or by download
from Sun as well as from other vendors.
C.1.1.1 Kerberos Software on CD-ROM
You can order the software CD-ROM for the Solaris platform,
version 2.8, from Sun Microsystems, Inc. with this title and part
number:
Solaris 8 Admin Pack CD-ROM January 2000, Revision A, Part #704-7142-10
C.1.1.2 Kerberos Software by Download
You can download the software for free from the following web
site:
http://www.sun.com/bigadmin/content/adminPack/index.html
You do not need a sign-on account to download the Kerberos
software from this site.
After you log in and agree to the license agreement, you are
presented with multiple options from the download list. Choose the
following option:
Download Software CD Image, Solaris/Intel, Solaris/SPARC,
Windows/Intel (80.20 MB)
C.1.1.3 Kerberos Software From Other Vendors
You can also use comparable products from other software vendors
and distributors. However, Sun has not installed or tested these
products. If you are unable to set up the KDC and run security
tests using products from other software vendors and distributors,
obtain the Kerberos software from Sun either on CD-ROM or by
download.
C.1.2 Installing Kerberos Software on a Solaris Platform
The following is an example of the installation process for a
Sun Microsystems machine running the Solaris platform, version 2.8.
If your network already has a KDC, skip to C.1.3 Adding Kerberos
Principals for JCK Testing.
Caution - The KDC machine's clock must be set within five
minutes of the test machine clock.
To Install Kerberos Software on a Solaris Platform
- In the directory where you have saved the downloaded binary,
unzip the Solaris_8_Admin_Pack.zip file and run the
installation script as follows:
% unzip Solaris_8_Admin_Pack.zip
% chmod +x installer
% installer
This requires the root password of your machine. The
installation script brings up the wizard to guide you through the
installation.
Note - The following figures illustrate the basic steps
required to set up an example Kerberos realm called PLOP, on a
machine called plop.sfbay.sun.com, in an example network
domain name jlaps.sfbay.sun.com.
- Click Next at the bottom of the Welcome dialog, Figure C-1.
Figure C-1 Welcome Screen - Solaris 8 Admin Pack
- For this installation, choose Custom Install on the Select
Type of Install dialog box, Figure C-2.
Figure C-2 Select Type of Install
- Click Next to continue.
- For this installation, choose Sun Enterprise Authentication
Mechanism on the Product Selection dialog box, Figure C-3.
Figure C-3 Product Selection
Note - Additional products can be installed, but the Sun
Enterprise Authentication Mechanism is the minimum installation
required to set up a KDC.
- Click Next to continue.
- For this installation, choose SEAM Master KDC on the
Component Selection dialog box, Figure C-4.
Figure C-4 Component Selection
- Click Next to continue.
- Configure the site for the KDC by using the buttons and text
fields on the Site Configuration dialog box, Figure C-5.
Note - You might want to consult your system
administrator before completing the Site Configuration screen.
Figure C-5 Site Configuration
The following Site Configuration settings are required for JCK
testing:
- Realm Name - The Kerberos realm of the configured machine (such
as TESTING, EXAMPLE, or JCK).
- Master KDC - The fully qualified name of the host or master KDC.
In this example, Master KDC is plop.sfbay.sun.com and the name of
the machine is plop.
- Slave KDC - Not required.
- DNS Domain Name of Realm - The domain name of the configured
machine.
- URL for Online Help - URL for the online help page. Use the
default value.
- Ticket Lifetime in Hours - The maximum life of the ticket before
it must be renewed. Use the default value of 8 hours.
- Ticket Renewal Limit in Days - The maximum number of days that a
ticket can be renewed. Use the default value of 7 days.
- Click the Exit button after the site configuration settings
are completed.
- Reboot your machine.
C.1.3 Adding Kerberos Principals for JCK Testing
Note - For current detailed information regarding
Kerberos, including Sun Enterprise Authentication Mechanism Guide
(SEAM), open web page http://docs.sun.com and search for the
keyword kerberos. A list of documents is displayed that
you can refer to for current information.
To Add Kerberos Principals for JCK Testing
- Verify the krb5.conf file is installed.
See Example C-1 for an example of the
krb5.conf file.
- Verify the kdc.conf file is installed.
See Example C-2 for an example of the
kdc.conf file.
- Create the KDC Database using kdb5_util.
- Enter the following command:
% /usr/krb5/sbin/kdb5_util create -r PLOP -s
The system displays the following:
Initializing database '/var/krb5/principal' for realm 'PLOP'
master key name 'PLOP@PLOP'
Enter KDC database master key: <type the key>
- At the prompt, enter KDC database master key.
The system displays the following:
Re-enter KDC database master key to verify: <type it again>
- At the prompt, re-enter the KDC database master key.
- Create Kerberos principals using kadmin.local.
- Enter the following command:
% /usr/krb5/sbin/kadmin.local
- At the kadmin.local: prompt, add the first principal with the
ank (addprinc) command:
kadmin.local: ank user1
The system displays the following:
Enter password for principal user1@PLOP: <type the password>
- At the prompt, enter the password for principal
user1@PLOP.
- Record the password for later use.
- At the prompt, re-enter the password for principal
user1@PLOP.
The system displays the following:
Principal "user1@PLOP" created.
- Add the second principal in the same way:
kadmin.local: ank user2
Enter password for principal user2@PLOP: <type the password>
- At the prompt, enter the password for principal
user2@PLOP.
The system displays the following:
Re-enter password for principal user2@PLOP: <type it again>
- At the prompt, re-enter the password for principal
user2@PLOP.
The system displays the following:
Principal "user2@PLOP" created.
Example C-1 Sample krb5.conf File
% cat /etc/krb5/krb5.conf
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)krb5.conf 1.10 98/11/11 SMI"
[libdefaults]
default_realm = PLOP
[realms]
PLOP = {
kdc = plop.sfbay.sun.com
kdc = plop.sfbay.sun.com
admin_server = plop.sfbay.sun.com
}
[domain_realm]
.jlaps.sfbay.sun.com = PLOP
...
Example C-2 Sample kdc.conf File
% cat /etc/krb5/kdc.conf
[kdcdefaults]
kdc_ports = 88,750
[realms]
PLOP = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /var/krb5/kadm5.keytab
acl_file = /var/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
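The following POSIX shell script is an added example, not part of the JCK appendix or of SEAM. Before running the security tests, it checks that the generated krb5.conf and kdc.conf carry the Site Configuration values required above (realm name, master KDC, 8-hour ticket lifetime, 7-day renewal limit) and that two clock readings satisfy the five-minute skew caution; the two config files it writes are constructed copies of Examples C-1 and C-2, and the temporary directory, function names and epoch values are assumptions.

```shell
# Added example (not from the JCK appendix): check a generated krb5.conf and
# kdc.conf against the Site Configuration values the appendix requires.
# The sample files below are constructed copies of Examples C-1 and C-2.
TMPD=${TMPDIR:-/tmp}/krb5check.$$
mkdir -p "$TMPD"
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
default_realm = PLOP
[realms]
PLOP = {
kdc = plop.sfbay.sun.com
admin_server = plop.sfbay.sun.com
}
[domain_realm]
.jlaps.sfbay.sun.com = PLOP
EOF
cat > "$TMPD/kdc.conf" <<'EOF'
[kdcdefaults]
kdc_ports = 88,750
[realms]
PLOP = {
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
EOF

# conf_get FILE KEY: value of the first "KEY = value" line in FILE
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_kdc_setup KRB5CONF KDCCONF REALM MASTERKDC: 0 when the realm, master KDC,
# 8-hour ticket lifetime and 7-day renewal limit all match; names the first mismatch
check_kdc_setup() {
    krb5=$1; kdc=$2; realm=$3; master=$4
    [ "$(conf_get "$krb5" default_realm)" = "$realm" ] || { echo "default_realm is not $realm"; return 1; }
    grep -q "^[[:space:]]*$realm[[:space:]]*= *{" "$krb5" || { echo "no [realms] entry for $realm"; return 1; }
    [ "$(conf_get "$krb5" kdc)" = "$master" ] || { echo "kdc is not $master"; return 1; }
    [ "$(conf_get "$krb5" admin_server)" = "$master" ] || { echo "admin_server is not $master"; return 1; }
    grep -q "^[[:space:]]*$realm[[:space:]]*= *{" "$kdc" || { echo "no kdc.conf entry for $realm"; return 1; }
    [ "$(conf_get "$kdc" max_life)" = "8h 0m 0s" ] || { echo "max_life is not 8h"; return 1; }
    [ "$(conf_get "$kdc" max_renewable_life)" = "7d 0h 0m 0s" ] || { echo "max_renewable_life is not 7d"; return 1; }
}

# clock_skew_ok KDC_EPOCH CLIENT_EPOCH: 0 when the clocks are within five minutes
clock_skew_ok() {
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}
```

Run it on the real files with `check_kdc_setup /etc/krb5/krb5.conf /etc/krb5/kdc.conf PLOP plop.sfbay.sun.com`, and feed `clock_skew_ok` the epoch seconds reported by `date` on the KDC and on the test machine.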