Kerberos Configuration at the Policy Server on UNIX Example
The following procedure shows how to configure a Policy Server on a UNIX host to support SiteMinder Kerberos authentication.
- Create a UNIX user, for example sol8psuser, with the same password as the service account created for the Policy Server host (sol8ps) in Active Directory.
- Join the host to the test.com domain and log in to the host as sol8psuser.
- Install and configure SiteMinder Policy Server.
- Install and configure policy store directory services.
- Add a Host Configuration Object referencing the Solaris Policy Server.
- Add an Agent Configuration Object and add the following three new parameters:

| Parameter | Value |
| --- | --- |
| KCCExt | .kcc |
| HttpServicePrincipal | The web server principal name. Example: HTTP/win2k3iis6.test.com@TEST.COM |
| SmpsServicePrincipal | The Policy Server principal name. Example: smps/win2kps.test.com@TEST.COM |

The SmpsServicePrincipal value is the principal the agent requests a service ticket for, so it must be the Policy Server principal whose key is stored in the Policy Server keytab. The rest of this example uses smps/sol8ps.test.com@TEST.COM for the Solaris Policy Server.
- Create a user directory.
- Create a new user, for example testkrb, in the user directory.
- Configure a new Authentication Scheme using the SiteMinder Admin UI:
- Create the scheme using the custom template.
- Specify the SiteMinder Kerberos Authentication Scheme library.
- In the Parameter field, enter the following three values in this order, separated by semicolons:
- The server name and target: the URL of the Kerberos credentials collector (the creds.kcc resource, matching the KCCExt value) on the web agent host.
- The Policy Server's principal name in the Windows 2003 Kerberos realm.
- The mapping between the user's principal and an LDAP search filter; %{UID} is replaced with the user part of the authenticated principal.
Sample Parameter field:
http://sol8sunone.test.com/siteminderagent/Kerberos/creds.kcc;smps/sol8ps.test.com@TEST.COM;(uid=%{UID})
- Configure a policy domain.
- Add a realm to protect a resource using the Authentication Scheme.
- Add Rules and Policies to allow access for the user, testkrb.
- Create a Kerberos configuration file (called krb5.ini in this example) under /etc/krb5. The file name must match what the KRB5_CONFIG environment variable names when the Policy Server starts; in this example that is /etc/krb5/krb5.conf.
- In the [realms] section, point the Windows 2003 Kerberos realm (domain) at the Windows 2003 domain controller as its KDC.
- Set default_keytab_name to the keytab file that holds the Policy Server principal's credentials exported from the Windows 2003 KDC.
The following is a sample configuration file. The single-DES encryption types (des-cbc-md5) shown here reflect the Windows 2003-era defaults; DES is cryptographically weak and is disabled by default in current Kerberos libraries, so use the encryption types that your KDC actually issued for the keytab (AES where the domain supports it):
[libdefaults]
ticket_lifetime = 24000
default_realm=TEST.COM
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
proxiable = true
[realms]
TEST.COM = {
kdc = winkdc.test.com:88
admin_server = winkdc.test.com:749
default_domain = test.com
}
[domain_realm]
.test.com=TEST.COM
test.com=TEST.COM
- Use the ktutil program to merge the keytab files (sol8ps_smps.keytab and sol8ps_host.keytab), which contain the host principal and the service principal for the Policy Server host, into the /etc/krb5.keytab file. Because wkt appends to an existing keytab, the two passes leave both principals in one file:
ktutil: rkt sol8ps_host.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
ktutil: rkt sol8ps_smps.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
- Verify the created krb5.keytab as follows:
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/sol8ps.test.com@TEST.COM
3 smps/sol8ps.test.com@TEST.COM
- Deploy the Windows 2003 KDC keytab file containing the host and Policy Server principal credentials to a secure location on the Policy Server. The keytab holds the long-term keys of those principals, so make it readable only by the user the Policy Server runs as (for example, owned by sol8psuser with mode 0600).
- Verify that the following environment variable is set, and points at the configuration file created above, before starting the Policy Server:
KRB5_CONFIG=/etc/krb5/krb5.conf
The Policy Server on a UNIX host is configured for Kerberos authentication.
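The following POSIX shell script is an added example, not CA/SiteMinder tooling. It checks the pieces configured in the procedure above before the Policy Server is started: that the merged keytab holds both the host/ and smps/ principals for the Policy Server host, that the principal in the authentication scheme's Parameter field is one of them, that the keytab is not readable by other users, that the configuration file does not still permit single-DES, and that KRB5_CONFIG is set. The host, realm, keytab path and configuration path default to the names used on this page; the SMPS_KRB_LIVE switch and the embedded SAMPLE_LISTING (a constructed copy of the klist -k output shown above) are the script's own, and the live run assumes an MIT-style klist that accepts a keytab path after -k.

```shell
#!/bin/sh
# Pre-flight checks for the Policy Server Kerberos setup described on this page.
# Added example, not CA/SiteMinder code. Defaults below are the example names from
# the page; SMPS_KRB_LIVE and SAMPLE_LISTING are this script's own additions.

REALM=${REALM:-TEST.COM}
PS_HOST=${PS_HOST:-sol8ps.test.com}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
KRB5_CONF=${KRB5_CONFIG:-/etc/krb5/krb5.conf}

# Constructed sample of "klist -k" output, shaped like the listing on this page,
# so the parsing functions can be exercised without a real keytab.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sol8ps.test.com@TEST.COM
   3 smps/sol8ps.test.com@TEST.COM'

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text printed by "klist -k". Succeed if PRINCIPAL is an entry.
# Entry lines start with a numeric KVNO, which is how the header lines are skipped.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# missing_principals LISTING
# Print each of the two principals the keytab must hold that is absent from LISTING.
# Succeed only when both host/ and smps/ entries for the Policy Server host exist.
missing_principals() {
    rc=0
    for p in "host/$PS_HOST@$REALM" "smps/$PS_HOST@$REALM"; do
        if ! keytab_has_principal "$1" "$p"; then
            echo "missing: $p"
            rc=1
        fi
    done
    return $rc
}

# scheme_principal PARAM
# The scheme Parameter field is "creds-URL;principal;filter" (three ';' fields).
# Print the principal (second field); fail unless exactly three fields are present.
scheme_principal() {
    n=$(printf '%s\n' "$1" | awk -F';' '{ print NF }')
    [ "$n" -eq 3 ] || return 1
    printf '%s\n' "$1" | cut -d';' -f2
}

# scheme_matches_keytab PARAM LISTING
# Succeed if the principal named in the scheme parameter has a key in the keytab.
scheme_matches_keytab() {
    p=$(scheme_principal "$1") || return 1
    keytab_has_principal "$2" "$p"
}

# conf_allows_des CONF_TEXT
# Succeed if a default_tkt_enctypes or default_tgs_enctypes line names a single-DES
# type (des-*). Those types are weak and disabled in current Kerberos builds.
conf_allows_des() {
    printf '%s\n' "$1" | grep -E \
        '^[[:space:]]*default_(tkt|tgs)_enctypes[[:space:]]*=.*des-' >/dev/null
}

# keytab_mode_ok FILE
# Succeed only if FILE has no group or other permission bits (for example 0600),
# because a keytab holds the long-term keys of every principal in it.
keytab_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_live_checks: run all checks against the real keytab and krb5.conf on this host.
run_live_checks() {
    listing=$(klist -k "$KEYTAB") || return 1
    missing_principals "$listing" || echo "keytab $KEYTAB is incomplete"
    keytab_mode_ok "$KEYTAB" || echo "warning: $KEYTAB is readable by group or others"
    conf_allows_des "$(cat "$KRB5_CONF")" && echo "warning: $KRB5_CONF still permits DES"
    [ "${KRB5_CONFIG:-}" = "$KRB5_CONF" ] || echo "warning: KRB5_CONFIG is not set to $KRB5_CONF"
}

# Only touch the live system when explicitly asked: SMPS_KRB_LIVE=1 sh thisscript.sh
if [ "${SMPS_KRB_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as the Policy Server user with SMPS_KRB_LIVE=1 after the ktutil merge and before starting the Policy Server; a missing principal or a world-readable keytab is reported on stdout, and the DES warning tells you the configuration file still needs the encryption types changed to match what the KDC issued.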