HP OpenVMS Version 8.3 includes support for an Advanced Developer's
Kit containing a Kerberos ACME agent. The Kerberos ACME agent is
an addition to the existing Kerberos authentication provided by
the Kerberos utilities. The Kerberos ACME agent provides functionality
similar to the pam_krb5 PAM module on UNIX systems
that use Kerberos.
To use Kerberos with previous versions of OpenVMS, you needed
to log in twice: once to log in to OpenVMS itself, and once to
obtain Kerberos credentials. The two logins used separate principal
(user) names and separate passwords.
With the Kerberos ACME agent, you obtain your Kerberos
credentials as part of the OpenVMS login process. The password you
enter at the OpenVMS login prompt is validated against the Kerberos
KDC database instead of against the password stored in the OpenVMS
User Authorization File (UAF).
After you install and configure Kerberos Version 3.0, perform
the following steps to configure and start the Kerberos ACME agent.
1. Install ACME Login from a privileged account. In OpenVMS Version
   8.3, ACME Login is provided in an Advanced Developer's Kit. See
   the file SYS$HELP:ACME_DEV_README.TXT for information about installation
   and setup.

2. Install the Kerberos persona extension by entering the following commands:

   $ MCR SYSMAN
   SYSMAN> SYS_LOADABLE ADD/LOG KERBEROS KRB$ACME_KRB_PERSONA_EXT
   %SYSMAN-I-IMGADDED, added image KRB$ACME_KRB_PERSONA_EXT for product KERBEROS
   SYSMAN> EXIT
   $ @SYS$UPDATE:VMS$SYSTEM_IMAGES.COM

3. Reboot the system. This is required one time only, after you have
   installed the Kerberos persona extension.
4. To start the Kerberos ACME agent automatically, edit the file
   SYS$MANAGER:ACME$START.COM and uncomment the following line by
   removing the exclamation point after the dollar sign:

   $! @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME

5. Edit the file SYS$MANAGER:SYSTARTUP_VMS.COM to include the following
   command after all dependent software (for example, the network and
   Kerberos software) is started:

   $ SET SERVER ACME/RESTART
6. Create an OpenVMS account with the EXTAUTH flag set.

7. Create a Kerberos principal name that exactly matches (including case)
   the OpenVMS account name created in step 6. Passwords do not need
   to match. For the Kerberos configuration, you can use either DCL
   or UNIX-style commands to create the principal.
   The first example below shows the DCL commands. The second example shows
   the UNIX-style commands. Both styles of commands are entered on
   an OpenVMS system. Use straight double quotation marks in the commands,
   as shown; the quotes preserve the case of the principal name.

   DCL:

   $ KERBEROS/ADMIN
   KerberosAdmin> login "SYSTEM/admin"
   Enter password:
   Authenticating as principal SYSTEM/admin with password.
   KerberosAdmin> list principal
   K/M@NODE1.HP.COM
   SYSTEM/admin@NODE1.HP.COM
   kadmin/admin@NODE1.HP.COM
   kadmin/changepw@NODE1.HP.COM
   kadmin/node1@NODE1.HP.COM
   kadmin/history@NODE1.HP.COM
   krbtgt/NODE1.HP.COM@NODE1.HP.COM
   KerberosAdmin> create principal "ACMEUSER"
   Authenticating as principal SYSTEM/admin with password.
   WARNING: no policy specified for ACMEUSER@NODE1.HP.COM; defaulting to no policy
   Enter password for principal "ACMEUSER@NODE1.HP.COM":
   Re-enter password for principal "ACMEUSER@NODE1.HP.COM":
   Principal "ACMEUSER@NODE1.HP.COM" created.
   KerberosAdmin> list principal
   Authenticating as principal SYSTEM/admin with password.
   K/M@NODE1.HP.COM
   SYSTEM/admin@NODE1.HP.COM
   ACMEUSER@NODE1.HP.COM
   kadmin/admin@NODE1.HP.COM
   kadmin/changepw@NODE1.HP.COM
   kadmin/node1@NODE1.HP.COM
   kadmin/history@NODE1.HP.COM
   krbtgt/NODE1.HP.COM@NODE1.HP.COM

   UNIX:

   $ kinit "SYSTEM/admin"
   Password for SYSTEM/admin@NODE1.HP.COM:
   $ kadmin
   Authenticating as principal SYSTEM/admin@NODE1.HP.COM with password.
   Enter password:
   KADMIN: listprincs
   K/M@NODE1.HP.COM
   SYSTEM/admin@NODE1.HP.COM
   kadmin/admin@NODE1.HP.COM
   kadmin/changepw@NODE1.HP.COM
   kadmin/node1@NODE1.HP.COM
   kadmin/history@NODE1.HP.COM
   krbtgt/NODE1.HP.COM@NODE1.HP.COM
   KADMIN: addprinc "ACMEUSER"
   WARNING: no policy specified for ACMEUSER@NODE1.HP.COM; defaulting to no policy
   Enter password for principal "ACMEUSER@NODE1.HP.COM":
   Re-enter password for principal "ACMEUSER@NODE1.HP.COM":
   Principal "ACMEUSER@NODE1.HP.COM" created.
   KADMIN: listprincs
   K/M@NODE1.HP.COM
   SYSTEM/admin@NODE1.HP.COM
   ACMEUSER@NODE1.HP.COM
   kadmin/admin@NODE1.HP.COM
   kadmin/changepw@NODE1.HP.COM
   kadmin/node1@NODE1.HP.COM
   kadmin/history@NODE1.HP.COM
   krbtgt/NODE1.HP.COM@NODE1.HP.COM

   In both listings, the second "list principal"/"listprincs" output shows
   the new ACMEUSER@NODE1.HP.COM principal alongside the KDC's own
   service principals.
8. SET HOST or Telnet to the system on which you installed the ACME agent
   and the Kerberos persona extension in steps 1 and 2. Note that a
   SET HOST (DECnet) session and a standard Telnet session both carry the
   password you type to the remote system unencrypted, so perform this
   test on a trusted network or from the system console. Enter one
   of the following commands:

   or
9. Enter the username and the password of the Kerberos principal. You must
   enclose the username in quotation marks so that the case of the
   username is preserved. For example:

   Welcome to OpenVMS (TM) Alpha Operating System, Version 8.3

   Username: "ACMEUSER"
   Password: ****

   Logon Message from ACME_KRB_DOI ACME Agent ***
The logon message indicates that you successfully obtained
your Kerberos credentials as part of the OpenVMS login process.
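The following DCL command procedure is an added example, not part of the HP documentation or of the Kerberos kit. It performs step 6 (an OpenVMS account with the EXTAUTH flag) from a privileged account and then checks that steps 4 and 5 are in place, so that the Kerberos principal created in step 7 has an account to map to. The file name KRB_ACME_ACCOUNT.COM, the default UIC [200,1], the login device and directory, the owner text, and the "ExtAuth" wording on the AUTHORIZE SHOW Flags line are assumptions; the password argument is assumed to contain only letters and digits because it is substituted into a DCL command line.

```dcl
$! KRB_ACME_ACCOUNT.COM  (hypothetical name; added example, not HP's procedure)
$! Step 6: create an OpenVMS account flagged for external authentication,
$! then verify the EXTAUTH flag and the ACME startup configuration (steps 4, 5).
$!   P1 = username. AUTHORIZE stores it in upper case, and the page requires
$!        the Kerberos principal (step 7) to match it exactly, including case.
$!   P2 = initial UAF password. The page states that the Kerberos KDC, not the
$!        UAF, authenticates the login; still give the record a strong value.
$!   P3 = UIC, optional; [200,1] is an assumed default for this example.
$ ON ERROR THEN GOTO FAIL
$ IF P1 .EQS. "" .OR. P2 .EQS. ""
$ THEN
$     WRITE SYS$OUTPUT "Usage: @KRB_ACME_ACCOUNT username initial-password [uic]"
$     EXIT 44                         ! SS$_ABORT
$ ENDIF
$ IF P3 .EQS. "" THEN P3 = "[200,1]"
$!
$! Login directory owned by the account's UIC (device and path are assumptions).
$ IF F$SEARCH("SYS$SYSDEVICE:[000000]''P1'.DIR") .EQS. "" THEN -
      CREATE/DIRECTORY SYS$SYSDEVICE:['P1'] /OWNER_UIC='P3'
$!
$! Step 6: UAF record with the EXTAUTH flag. "MCR AUTHORIZE command" runs a
$! single AUTHORIZE command from DCL, so nothing is typed at the UAF> prompt.
$ MCR AUTHORIZE ADD 'P1' /UIC='P3' /PASSWORD='P2' /FLAGS=(EXTAUTH) -
      /DEVICE=SYS$SYSDEVICE /DIRECTORY=['P1'] /OWNER="Kerberos ACME user"
$!
$! Verify the flag really took: SHOW prints it on the Flags line (SEARCH is
$! case-insensitive by default, so "EXTAUTH" matches "ExtAuth").
$ PIPE MCR AUTHORIZE SHOW 'P1' | SEARCH SYS$INPUT "EXTAUTH" /NOOUTPUT
$ IF $SEVERITY .NE. 1
$ THEN
$     WRITE SYS$OUTPUT "EXTAUTH flag is not set on ''P1'"
$     GOTO FAIL
$ ENDIF
$!
$! Step 4 check: the agent startup line must be present without the "!"
$! ("$ @SYS$STARTUP:..." rather than "$! @SYS$STARTUP:...").
$ SEARCH SYS$MANAGER:ACME$START.COM "$ @SYS$STARTUP:KRB$STARTUP_KERBEROS_ACME" /NOOUTPUT
$ IF $SEVERITY .NE. 1 THEN WRITE SYS$OUTPUT -
      "Warning: KRB$STARTUP_KERBEROS_ACME is still commented out in ACME$START.COM"
$!
$! Step 5 check: list the agents the ACME server has loaded after its restart.
$ SHOW SERVER ACME /FULL
$ WRITE SYS$OUTPUT "Account ''P1' is ready; create principal ''P1' in the KDC (step 7)."
$ EXIT 1
$ FAIL:
$ WRITE SYS$OUTPUT "Account setup failed; see the messages above."
$ EXIT 44
```

Run it from a privileged account, for example @KRB_ACME_ACCOUNT ACMEUSER Xk92qwerty; the username is upper-cased by AUTHORIZE, so the principal created in step 7 must be written ACMEUSER, exactly as in the examples above. The Kerberos principal itself is deliberately left to the interactive KERBEROS/ADMIN or kadmin session shown on the page, because the KDC password prompts should not be answered from a command file that would then hold the password on disk.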