Connector Guides › Connectors Guide › Connecting to Endpoints › Kerberos Connector › Kerberos Installation and Deployment › Keytab and Cross-realm Paths Setup › How to Set Up the CA IAM CS Host to be a Member of the Target Realm

How to Set Up the CA IAM CS Host to be a Member of the Target Realm

The following section shows an example you how you can set up the host for use with CA IAM CS where the host will be a member of the target realm.

Note: This scenario is only applicable where CA IAM CS is on a Solaris computer that is not a member of the realm and you want to make it a member of the realm. If your CA IAM CS is on Windows or Linux, configure the connector to use SSH instead.

1. Ensure that the SSH server is a member of the realm.
2. Copy the file /etc/krb5/krb5.conf from the key distribution center to the CA IAM CS host. Ensure that:
   • The default_realm entry in the libdefaults section points to the target realm.
   • The KDC entry in the appropriate realm relation in the realms section points to the target KDC.
   • The domain_realm section has the correct mapping of the CA IAM CS host to the target realm.
3. Modify the logging and appdefaults sections in the /etc/krb5/krb5.conf file as required.
4. On the KDC, create a host principal for the CA IAM CS host and give it a random key. For example, use the following command in kadmin to create a new host principal:

   add_principal -randkey host/jcs_host.ca.com
   

5. Set up authentication to use one of the following:
   • CA IAM CS host principal
   • CA IAM CS host principal and a custom keytab
   • A principal other than CA IAM CS host principal and the default keytab
   • A principal other than CA IAM CS host principal and a custom keytab
   • Principal and password authentication

Note: For information on using the host for other Kerberos-related purposes, such as hosting other Kerberos applications or services, see the relevant sections on kadmin, ktutil and krb5.conf in the Solaris 10 System Administration Guide: Security Services.