HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Installing and Configuring Kerberos on OpenVMS Version 8.2 or Higher

Kerberos Version 3.0 is automatically installed during the installation of OpenVMS Version 8.3, or during an upgrade from a previous version of OpenVMS to Version 8.3.

Configure HP TCP/IP Services for OpenVMS to Change Hostname Definition to Fully Qualified Domain Name

Before configuring or starting Kerberos, check the HP TCP/IP Services for OpenVMS Local Host Database to determine whether your hostname definition is the short name (for example, node1) or the Fully Qualified Domain Name (FQDN) (for example, node1.hp.com).

NOTE: If your hostname definition is the short name, you must run TCPIP$CONFIG to change the definition to the fully qualified name. If your hostname definition is the FQDN, continue to “Configuring Kerberos for OpenVMS on OpenVMS 8.2 or Higher”.

Example 2-1 contains a log of such a change.

Example 2-1 Changing Hostname Definition from Short Name to Fully Qualified Domain Name

$ TCPIP SHOW HOST/LOCAL NODE1

LOCAL database

Host address Host name

1.2.3.4 node1

$ @SYS$STARTUP:TCPIP$CONFIG

TCP/IP Network Configuration Procedure

This procedure helps you define the parameters required
to run HP TCP/IP Services for OpenVMS on this system.

Checking TCP/IP Services for OpenVMS configuration database files.

HP TCP/IP Services for OpenVMS Configuration Menu

Configuration options:

1 - Core environment
2 - Client components
3 - Server components
4 - Optional components

5 - Shutdown HP TCP/IP Services for OpenVMS
6 - Startup HP TCP/IP Services for OpenVMS
7 - Run tests

A - Configure options 1 - 4
[E] - Exit configuration procedure

Enter configuration option: 1

HP TCP/IP Services for OpenVMS Core Environment Configuration Menu

Configuration options:

1 - Domain
2 - Interfaces
3 - Routing
4 - BIND Resolver
5 - Time Zone

A - Configure options 1 - 5
[E] - Exit menu

Enter configuration option: 2

HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

Hostname Details: Configured=node1, Active=node1

Configuration options:

1 - WE0 Menu (EWA0: TwistedPair 1000mbps)
2 - 1.2.3.4/21 node1 Configured,Active

3 - IE0 Menu (EIA0: TwistedPair 100mbps)

I - Information about your configuration

[E] - Exit menu

Enter configuration option: 2

HP TCP/IP Services for OpenVMS Address Configuration Menu

WE0 1.2.3.4/21 node1 Configured,Active WE0

Configuration options:

1 - Change address
2 - Set “node1” as the default hostname
3 - Delete from configuration database
4 - Remove from live system
5 - Add standby aliases to configuration database (for failSAFE IP)

[E] - Exit menu

Enter configuration option: 1

IPv4 Address may be entered with CIDR bits suffix.
E.g. For a 16-bit netmask enter 10.0.1.1/16

Enter IPv4 Address [1.2.3.4/21]:
Enter hostname [node1]: node1.hp.com

Requested configuration:

Address : 1.2.3.4/21
Netmask : 255.255.248.0 (CIDR bits: 21)
Hostname : node1.hp.com

* Is this correct [YES]:

“node1” is currently associated with address “1.2.3.4”.
Continuing will associate “node1.hp.com” with “1.2.3.4”.

* Continue [NO]: YES
Deleted host node1 from host database
Added hostname node1.hp.com (1.2.3.4) to host database
* Update the address in the configuration database [NO]: YES
Updated address WE0:1.2.3.4 in configuration database
* Update the active address [NO]: YES
WE0: delete active inet address node1.hp.com
Updated active address to be WE0:1.2.3.4

HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

Hostname Details: Configured=node1, Active=node1

Configuration options:

1 - WE0 Menu (EWA0: TwistedPair 1000mbps)
2 - 1.2.3.4/21 node1.hp.com Configured,Active

3 - IE0 Menu (EIA0: TwistedPair 100mbps)

I - Information about your configuration

[E] - Exit menu

Enter configuration option: E

HP TCP/IP Services for OpenVMS Core Environment Configuration Menu

Configuration options:

1 - Domain
2 - Interfaces
3 - Routing
4 - BIND Resolver
5 - Time Zone

A - Configure options 1 - 5
[E] - Exit menu

Enter configuration option: E

HP TCP/IP Services for OpenVMS Configuration Menu

Configuration options:

1 - Core environment
2 - Client components
3 - Server components
4 - Optional components

5 - Shutdown HP TCP/IP Services for OpenVMS
6 - Startup HP TCP/IP Services for OpenVMS
7 - Run tests

A - Configure options 1 - 4
[E] - Exit configuration procedure

Enter configuration option: E

$ TCPIP SHOW HOST/LOCAL NODE1

LOCAL database

Host address Host name

1.2.3.4 node1.hp.com
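
The check described above can be run over captured TCPIP SHOW HOST/LOCAL output, for instance when reviewing several nodes before configuring Kerberos. This Python sketch is an added example, not part of the HP documentation; the function names are hypothetical and the comma-separated alias layout in the third sample is an assumption.

```python
import re

# Output captured from Example 2-1 above, before and after TCPIP$CONFIG.
BEFORE = "LOCAL database\n\nHost address Host name\n\n1.2.3.4 node1\n"
AFTER = "LOCAL database\n\nHost address Host name\n\n1.2.3.4 node1.hp.com\n"
# Constructed sample; the comma-separated alias layout is an assumption.
ALIASED = "LOCAL database\n\nHost address Host name\n\n1.2.3.4 node1, node1.hp.com\n"

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_local_hosts(text):
    """Return [(address, [primary, alias, ...])] from SHOW HOST/LOCAL output."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or not IPV4.match(fields[0]):
            continue  # banner, column header or blank line
        names = [n.strip().rstrip(".").lower()
                 for n in fields[1].split(",") if n.strip()]
        entries.append((fields[0], names))
    return entries


def is_fqdn(name):
    """True when the name has at least two non-empty labels (node1.hp.com)."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels)


def hostname_definition(text, host):
    """Classify host as 'fqdn', 'short', 'fqdn-alias-only' or 'missing'."""
    host = host.lower()
    for _addr, names in parse_local_hosts(text):
        if not any(n == host or n.split(".")[0] == host for n in names):
            continue
        if is_fqdn(names[0]):
            return "fqdn"  # ready for the Kerberos configuration step
        if any(is_fqdn(n) for n in names[1:]):
            return "fqdn-alias-only"  # primary name is still the short name
        return "short"  # run TCPIP$CONFIG first, as in Example 2-1
    return "missing"


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, hostname_definition(sample, "NODE1"))
```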

Configuring Kerberos for OpenVMS on OpenVMS 8.2 or Higher

If you have not previously configured an earlier version of Kerberos on your system, you must run the configuration program before starting Kerberos.

NOTE: If you are reconfiguring Kerberos on a system on which Kerberos was previously configured, you must enter the kdestroy command before you run the configuration command procedure SYS$STARTUP:KRB$CONFIGURE.COM. The kdestroy command is defined in KRB$SYMBOLS.COM.

After you have a valid configuration, start Kerberos with the following command:

$ @SYS$STARTUP:KRB$STARTUP.COM

Example 2-2 shows a configuration log.

Example 2-2 Kerberos Configuration Log on OpenVMS

  $ @SYS$STARTUP:KRB$CONFIGURE
      Kerberos V3.0 for OpenVMS Configuration Menu

Configuration options:

1 - Setup Client configuration
2 - Edit Client configuration

3 - Setup Server configuration
4 - Edit Server configuration

5 - Shutdown Servers
6 - Startup Servers

E - Exit configuration procedure

Enter Option: 1

Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:

Press Return to continue ...

Kerberos V3.0 for OpenVMS Configuration Menu

Configuration options:

1 - Setup Client configuration
2 - Edit Client configuration

3 - Setup Server configuration
4 - Edit Server configuration

5 - Shutdown Servers
6 - Startup Servers

E - Exit configuration procedure

Enter Option: 3

Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
What is the OpenVMS Kerberos 5 default domain [ abc.xyz.com ]:
What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.ABC.XYZ.COM ]:
The type of roles the KDC can perform are:
NO_KDC -- where the KDC will not be run
SINGLE_KDC -- where the KDC is the only one in the realm
MASTER_KDC -- where the KDC is the master of 1 or more other KDCs
SLAVE_KDC -- where the KDC is slave to another KDC
What will be the KDC’s role on this node [ SINGLE_KDC ]:
Create the OpenVMS Kerberos 5 database [ Y ]:

Creating OpenVMS Kerberos 5 database ...
Initializing database ‘krb$root:[krb5kdc]principal’ for realm
‘SYSTEM.ABC.XYZ.COM’,
master key name ‘K/M@SYSTEM.ABC.XYZ.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter KDC database master key:
Re-enter KDC database master key to verify:
Priority: info
No dictionary file specified, continuing without one.

Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.

Enter password for principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM”:
Re-enter password for principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM”:
Principal “SYSTEM/admin@SYSTEM.ABC.XYZ.COM” created.
Priority: info
No dictionary file specified, continuing without one.
WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM; defaulting to no policy
Create OpenVMS Kerberos 5 principals [ Y ]: N
Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
Priority: info
No dictionary file specified, continuing without one.
KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

Authenticating as principal SYSTEM/admin@SYSTEM.ABC.XYZ.COM with password.
Priority: info
No dictionary file specified, continuing without one.
KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
Press Return to continue ...

Kerberos V3.0 for OpenVMS Configuration Menu

Configuration options:

1 - Setup Client configuration
2 - Edit Client configuration

3 - Setup Server configuration
4 - Edit Server configuration

5 - Shutdown Servers
6 - Startup Servers

E - Exit configuration procedure

Enter Option: 6

Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...

Starting OpenVMS Kerberos server KRB$KRB5KDC ...
%RUN-S-PROC_ID, identification of created process is 00000060
Starting OpenVMS Kerberos server KRB$KADMIND ...
%RUN-S-PROC_ID, identification of created process is 00000061

Press Return to continue ...

Kerberos V3.0 for OpenVMS Configuration Menu

Configuration options:

1 - Setup Client configuration
2 - Edit Client configuration

3 - Setup Server configuration
4 - Edit Server configuration

5 - Shutdown Servers
6 - Startup Servers

E - Exit configuration procedure

Enter Option: E
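
A configuration log like Example 2-2 is worth reviewing after setup: it records which encryption types were written to the admin keytab and which principals were created without a policy. The following Python sketch is an added example, not part of the HP documentation; it parses lines copied from the log above, and the function name and the mapping of the log's encryption type text to the RFCs that deprecate those types for Kerberos are supplied here.

```python
import re

# Lines copied from Example 2-2 above, wrapped exactly as the log wraps them.
LOG = """\
WARNING: no policy specified for SYSTEM/admin@SYSTEM.ABC.XYZ.COM; defaulting to no policy
KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
"""

ENTRY = re.compile(r"Entry for principal (\S+) with kvno (\d+), encryption type "
                   r"(.+?) added to keytab (\S+?)\.(?=\s|$)")
NO_POLICY = re.compile(r"WARNING: no policy specified for (\S+);")

# Encryption type text as printed in the log -> RFC that deprecates it.
DEPRECATED = {
    "DES cbc mode with CRC-32": "RFC 6649",
    "Triple DES cbc mode with HMAC/sha1": "RFC 8429",
}


def review_config_log(text):
    """Return [(principal, finding)] for keytab and policy lines in the log."""
    flat = " ".join(text.split())  # undo the terminal line wrapping
    findings = []
    for principal, kvno, etype, keytab in ENTRY.findall(flat):
        rfc = DEPRECATED.get(etype)
        if rfc:
            findings.append(
                (principal, f"kvno {kvno} key uses {etype} ({rfc}) in {keytab}"))
    for principal in NO_POLICY.findall(flat):
        findings.append((principal, "created without a password policy"))
    return findings


if __name__ == "__main__":
    for principal, finding in review_config_log(LOG):
        print(f"{principal}: {finding}")
```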