KDC Configuration on UNIX Example
The following procedure shows how to configure a Kerberos realm on a UNIX KDC host to support SiteMinder Kerberos authentication.
- Install MIT Kerberos, if necessary.
- Use the kdb5_util command to create the Kerberos database and an optional stash file. The stash file is used to authenticate the KDC to itself automatically before starting the kadmind and krb5kdc daemons as part of the host auto-boot sequence.
Both the stash file and the keytab file are potential points of entry for a break-in. If you install a stash file, it must be readable only by root, must not be backed up, and must exist only on the KDC local disk. If you do not want a stash file, run kdb5_util without the -s option.
This example generates the following five database files in the directory specified in the kdc.conf file:
- Two Kerberos database files: principal.db and principal.ok
- One Kerberos administrative database file: principal.kadm5
- One administrative database lock file: principal.kadm5.lock
- One stash file: .k5stash
```
[root@rhasmit init.d]# kdb5_util create -r EXAMPLE.COM -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
```
- Create a user principal (testkrb).
- Create a user principal (for example, testwakrb), a host principal (host/win2k3iis6.example.com@EXAMPLE.COM), and a service principal (HTTP/win2k3iis6.example.com@EXAMPLE.COM) for the web server host. The password used to create the host principal must be the same as the password specified when running the ksetup utility on the web server host.
- Create a user principal (testpskrb), a host principal (host/win2kps.example.com@EXAMPLE.COM), and a service principal (smps/win2kps.example.com@EXAMPLE.COM) for the Policy Server host. The password used to create the host principal must be the same as the password specified when running the ksetup utility on the Policy Server host.
- Create a keytab file for the web server service principal as follows:
```
ktadd -k /tmp/win2k3iis6.keytab HTTP/win2k3iis6.example.com
```
- Create a keytab file for the Policy Server service principal as follows:
```
ktadd -k /tmp/win2kps.keytab smps/win2kps.example.com
```
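The steps above, after the database has been created with kdb5_util, are all kadmin commands. The script below is an added example and is not part of the SiteMinder guide: it emits the kadmin.local batch for the principals and keytabs named in the procedure (realm, hostnames and keytab paths are the page's own) and audits a stash file or keytab against the rule that such files must be readable only by root. The -randkey flag on the service principals, the audit function's uid parameter and the use of GNU stat (Linux, as on the RHEL KDC in the transcript) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the SiteMinder guide: emit the kadmin.local commands for the
# principals and keytabs in the procedure above, and audit stash/keytab files against the
# "readable only by root" rule. Realm, hostnames and keytab paths are the page's own;
# -randkey on service principals and the audit's uid parameter are this example's
# choices. The audit uses GNU stat (Linux), as on the RHEL KDC in the transcript.
REALM=EXAMPLE.COM

# Commands for one SiteMinder host: user principal, host principal (kadmin prompts for its
# password, which must match the one given to ksetup on that host) and service principal.
# The service key is random and exists only in the KDC database and the keytab.
#   $1 user principal   $2 host FQDN   $3 service name (HTTP or smps)   $4 keytab path
principal_batch() {
    printf 'addprinc %s@%s\n' "$1" "$REALM"
    printf 'addprinc host/%s@%s\n' "$2" "$REALM"
    printf 'addprinc -randkey %s/%s@%s\n' "$3" "$2" "$REALM"
    printf 'ktadd -k %s %s/%s@%s\n' "$4" "$3" "$2" "$REALM"
}

# The whole procedure after kdb5_util create: the KDC test user, the IIS web server
# (HTTP service) and the Policy Server (smps service).
full_batch() {
    printf 'addprinc testkrb@%s\n' "$REALM"
    principal_batch testwakrb win2k3iis6.example.com HTTP /tmp/win2k3iis6.keytab
    principal_batch testpskrb win2kps.example.com smps /tmp/win2kps.keytab
}

# Audit one stash file or keytab: regular file, owned by uid $2 (default 0 = root), no
# group/other permission bits. Prints each finding; returns 1 if there is any.
audit_secret_file() {
    f=$1; want_uid=${2:-0}; bad=0
    if [ ! -f "$f" ]; then echo "$f: missing or not a regular file"; return 1; fi
    uid=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")
    if [ "$uid" -ne "$want_uid" ]; then echo "$f: owned by uid $uid, expected $want_uid"; bad=1; fi
    case $mode in
        *00|0) ;;                   # group and other have no access bits
        *) echo "$f: mode $mode grants group/other access"; bad=1 ;;
    esac
    return $bad
}

# Usage: sh kdc_principals.sh              prints the kadmin.local batch
#        sh kdc_principals.sh FILE...      audits the given stash file / keytabs
if [ $# -eq 0 ]; then
    full_batch
else
    rc=0
    for f in "$@"; do audit_secret_file "$f" || rc=1; done
    exit $rc
fi
```

Paste the printed lines at the kadmin.local prompt on the KDC; addprinc asks for the user and host passwords interactively. After the keytabs are written, running the script with `/var/kerberos/krb5kdc/.k5stash /tmp/win2k3iis6.keytab /tmp/win2kps.keytab` as arguments reports any file that is group- or world-readable or not owned by root before the keytabs are moved to their hosts.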
The Kerberos realm is now configured for SiteMinder on a UNIX host.