HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 2 Installation and Configuration

Configuring and Starting the Kerberos ACME Agent


HP OpenVMS Version 8.3 includes support for an Advanced Developer's Kit containing a Kerberos ACME agent. The Kerberos ACME agent is an addition to the existing Kerberos authentication provided by the Kerberos utilities. The Kerberos ACME agent provides functionality similar to the pam_krb5 module on UNIX systems that use Kerberos.

To use Kerberos with previous versions of OpenVMS, you needed to log in twice: once to log in to OpenVMS itself, and once to obtain Kerberos credentials. The two logins used separate names (an OpenVMS username and a Kerberos principal) and separate passwords.

With the Kerberos ACME agent, you obtain your Kerberos credentials as part of the OpenVMS login process. For accounts set up this way, the user's authentication is processed against the Kerberos KDC database instead of against the OpenVMS User Authorization File (UAF).

After you install and configure Kerberos Version 3.0, perform the following steps to configure and start the Kerberos ACME agent.

  1. Install ACME Login from a privileged account. In OpenVMS Version 8.3, ACME Login is provided in an Advanced Developer's Kit. See the file SYS$HELP:ACME_DEV_README.TXT for information about installation and setup.

  2. Install the Kerberos persona extension by entering the following commands:

     $ MCR SYSMAN
     SYSMAN> SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT
     %SYSMAN-I-IMGADDED, added image KRB$ACME_KRB_PERSONA_EXT for product KERBEROS
     SYSMAN> EXIT
     $ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM
  3. Reboot the system. This is required one time only, after you have installed the Kerberos persona extension.

  4. To start the Kerberos ACME agent automatically, edit the file SYS$MANAGER:ACME$START.COM and uncomment the following line (remove the "!" so that the line reads $ @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME):

     $! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME
  5. Edit the file SYSTARTUP_VMS.COM to include the following command after all dependent software is started:

       $ SET SERVER ACME/RESTART
  6. Create an OpenVMS account with the EXTAUTH flag set (for example, with the AUTHORIZE qualifier /FLAGS=EXTAUTH). Logins to an account with this flag are authenticated by the Kerberos KDC, not by the password stored in the UAF.

  7. Create a Kerberos principal name that exactly matches (including case) the OpenVMS account name created in step 6. The Kerberos password and the UAF password do not need to match, because only the Kerberos password is used for the login. For the Kerberos configuration, you can use either DCL or UNIX-style commands to create the principal.

    The first example below shows the DCL commands. The second example shows the UNIX-style commands. Both styles of commands are entered on an OpenVMS system.

    DCL:

    $ KERBEROS/ADMIN
    KerberosAdmin> login "SYSTEM/admin"
    Enter password:
    Authenticating as principal SYSTEM/admin with password.
    KerberosAdmin> list principal
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KerberosAdmin> create principal "ACMEUSER"
    Authenticating as principal SYSTEM/admin with password.
    WARNING: no policy specified for ACMEUSER@NODE1.HP.COM; defaulting to
    no policy
    Enter password for principal "ACMEUSER@NODE1.HP.COM":
    Re-enter password for principal "ACMEUSER@NODE1.HP.COM":
    Principal "ACMEUSER@NODE1.HP.COM" created.
    KerberosAdmin> list principal
    Authenticating as principal SYSTEM/admin with password.
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    ACMEUSER@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

    UNIX:

    $ kinit "SYSTEM/admin"
    Password for SYSTEM/admin@NODE1.HP.COM:
    $ kadmin
    Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
    Enter password:
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM
    KADMIN: addprinc "ACMEUSER"
    WARNING: no policy specified for ACMEUSER@NODE1.HP.COM; defaulting to no policy
    Enter password for principal "ACMEUSER@NODE1.HP.COM":
    Re-enter password for principal "ACMEUSER@NODE1.HP.COM":
    Principal "ACMEUSER@NODE1.HP.COM" created.
    KADMIN: listprincs
    K/M@NODE1.HP.COM
    SYSTEM/admin@NODE1.HP.COM
    ACMEUSER@NODE1.HP.COM
    kadmin/admin@NODE1.HP.COM
    kadmin/changepw@NODE1.HP.COM
    kadmin/node1@NODE1.HP.COM
    kadmin/history@NODE1.HP.COM
    krbtgt/NODE1.HP.COM@NODE1.HP.COM

    In both sessions the principal name is quoted so that its case is preserved; the "no policy specified" warning means no Kerberos password policy applies to the new principal unless you assign one.
  8. SET HOST or Telnet to the system on which you installed the ACME Agent and the Kerberos persona extension in steps 1 and 2. Enter one of the following commands:

    $ TELNET NODE1

    or

    $ SET HOST NODE1

  9. Enter the username and password. You must enclose the username in quotes, because the login prompt otherwise converts it to uppercase and the Kerberos principal name must match the account name exactly, including case. For example:

     Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

     Username: "ACMEUSER"
     Password:

     **** Logon Message from ACME_KRB_DOI ACME Agent ***

    The logon message indicates that you successfully obtained your Kerberos credentials as part of the OpenVMS login process.
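The procedure above collected into one DCL command procedure, added here as an example; it is not part of the HP Kerberos or ACME Login kits. The file name KRB$ACME_SETUP_EXAMPLE.COM, the account name ACMEUSER, and the UIC and home directory are assumptions for the example. Step 1 (the ACME Login kit) and step 7 (principal creation in KERBEROS/ADMIN) remain interactive and are done as shown on this page; the procedure is split into a PRE part (before the one-time reboot) and a POST part (after it).

```dcl
$! KRB$ACME_SETUP_EXAMPLE.COM (hypothetical name): the steps above as one DCL
$! command procedure. Added example; not part of the HP Kerberos or ACME kits.
$! Usage:  @KRB$ACME_SETUP_EXAMPLE PRE    (before the one-time reboot: step 2)
$!         @KRB$ACME_SETUP_EXAMPLE POST   (after the reboot: steps 4 to 6 and checks)
$! Step 1 (ACME Login ADK install) and step 7 (principal creation) are done
$! interactively as shown on this page. Run from a privileged account.
$ SET NOON
$ user = "ACMEUSER"                    ! must equal the Kerberos principal, case included
$ uic  = "[200,201]"                   ! assumed values for this example
$ home = "SYS$SYSDEVICE:[ACMEUSER]"
$ IF P1 .EQS. "" THEN P1 = "POST"
$ GOTO 'P1'
$!
$PRE:
$! Step 2: register the persona extension as a system-loadable image,
$! then reboot (step 3) before running the POST part.
$ MCR SYSMAN SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT
$ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM
$ WRITE SYS$OUTPUT "Persona extension registered; reboot, then run this procedure with POST."
$ EXIT
$!
$POST:
$! Steps 4 and 5 are one-line edits: remove the "!" in front of
$! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME in SYS$MANAGER:ACME$START.COM, and add
$! SET SERVER ACME/RESTART to SYSTARTUP_VMS.COM after dependent software starts.
$! Make those edits first, then restart the ACME server now so the agent is
$! loaded without another reboot, and confirm it is listed.
$ SET SERVER ACME/RESTART
$ SHOW SERVER ACME
$!
$! The login prompt uppercases an unquoted username, while the match against the
$! principal name is case-sensitive. Warn if the chosen name can only be entered quoted.
$ IF F$EDIT(user, "UPCASE") .NES. user THEN -
     WRITE SYS$OUTPUT "Note: ''user' has lowercase letters; it must be typed in quotes at Username:"
$!
$! Step 6: create the EXTAUTH account. Its logins are authenticated by the KDC,
$! not by the UAF password, so give the UAF an unrelated password rather than a
$! predictable one; it only matters if the EXTAUTH flag is ever cleared.
$ SET TERMINAL/NOECHO
$ READ/PROMPT="UAF password for ''user' (not used for Kerberos logins): " SYS$COMMAND uafpw
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT ""
$ CREATE/DIRECTORY 'home' /OWNER_UIC='uic'
$ SET DEFAULT SYS$SYSTEM
$ MCR AUTHORIZE ADD 'user' /FLAGS=EXTAUTH /UIC='uic' /OWNER="Kerberos ACME user" -
      /DEVICE=SYS$SYSDEVICE /DIRECTORY=[ACMEUSER] /PASSWORD='uafpw'
$ uafpw = ""
$!
$! Check the record: the Flags line of the SHOW output must include ExtAuth.
$ MCR AUTHORIZE SHOW 'user'
$!
$! Step 7 next: in KERBEROS/ADMIN, create principal "ACMEUSER" (quoted, so the
$! case matches the UAF name). Then log in as "ACMEUSER" (steps 8 and 9) and run
$! KERBEROS/LIST (the DCL form of klist) in that session; the ticket cache should
$! hold the krbtgt for the realm, obtained by the login itself.
$ EXIT
```

The UAF password prompt is deliberately separate from the Kerberos password entered in KERBEROS/ADMIN: the two are independent, and nothing in the Kerberos login path reads the UAF one.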