Administration Guide
Before proceeding, you should be familiar with the terms in the following
list. Some terms apply mostly to Kerberos V4 and others also apply to
DCE and Kerberos V5. Some terms, however, might be defined differently
in DCE documentation. For a complete understanding of DCE terminology,
see the appropriate DCE publication; see "Suggested reading for using DCE" for references.
- Access control: The process of limiting access to system resources only to authorized principals.
- ACL: Access Control List. A list that defines who has permission to access certain services; that is, for whom a server may perform certain tasks. This is usually a list of principals with the type of access assigned to each.
- AFS: A distributed file system that uses Kerberos V4 authentication and includes authentication services that can be used by an SP system.
- authentication: The process of validating the identity of either a user of a service or the service itself; the process of a principal proving the authenticity of its identity.
- authentication database: A set of files containing the names and authentication information of all principals within a realm. An authentication realm has one primary database and may have multiple secondary databases. Secondary databases are backup copies of the primary database and may be provided to improve performance or availability.
- authenticator: An authentication protocol string created each time authentication occurs and sent with the ticket to the server. It contains a time-stamp encrypted in the session key that can reliably show that the authentication request actually came from the client identified in the ticket.
- authorization: (1) The process of obtaining permission to access resources or perform tasks. In SP security services, authorization is based on the principal identifier. (2) The granting of access rights to a principal.
- cell: An independently administered collection of file server and client machines running DCE or AFS. An AFS cell is equivalent to a Kerberos V4 realm.
- client: The user of the shared services of a server. This term can refer to a program (a process requesting a service) or to the person who invoked it. For authentication purposes it is a principal identifier registered in the authentication database.
- credentials: A protocol message, or part thereof, containing a ticket and an authenticator supplied by a client and used by a server to verify the client's identity. The message can contain additional information used by the server to verify its identity to the client.
- Data Encryption Standard (DES): The secret-key (also known as "private-key") encryption algorithm that is used by Kerberos V4.
- DCE: The Distributed Computing Environment designed and developed through the Open Group. AIX DCE is an implementation of DCE for IBM pSeries and RS/6000 systems.
- discretionary access control: A means of restricting access to objects based on the identity of the principal.
- domain: A collection of systems over which an administrator exercises control.
- identification: The process of stating the identity of a principal. No proof of authenticity of the identity is implied.
- instance: A qualifier for a principal name. For services, an instance represents a particular occurrence of the server. For users, an instance allows a single user to assume additional (or alternate) roles with different authority.
- Kerberos: A service for authenticating users in a distributed environment by providing mutual authentication of two principals using a trusted third party.
- Kerberos V4: Version 4 of the Kerberos authentication service from the Massachusetts Institute of Technology (MIT). The use of some implementation of Kerberos V4 is required in pre-PSSP 3.2 nodes for authentication within some SP administrative services. An SP implementation of Kerberos V4 is provided with PSSP.
- Kerberos V5: Version 5 of the Kerberos authentication method from MIT. Kerberos V5 is not protocol-compatible with earlier versions of Kerberos. Kerberos V5 is used as the basis of distributed service authentication within DCE.
- key: A value used to encrypt protocol strings used for authentication. The private keys of principals are stored in the authentication database. Session keys are contained (encrypted) in tickets and other protocol strings.
- key management: The process of periodically changing the key associated with the DCE principal of a server in order to prevent the key from expiring and thereby disabling the server.
- Kerberos V4 master key: The key derived from the Kerberos V4 master password supplied initially by the administrator when the primary SP authentication server is created. This key is saved in the /.k file, which the Kerberos V4 daemons read instead of prompting for a password. It can also be read by certain database utility commands for the same purpose.
- Kerberos V4 master password: The password the administrator supplies when initializing the primary authentication server.
- mutual authentication: The process of two principals proving their identities to each other.
- object: An entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are files, jobs, queues, nodes, services, and users.
- per-node key management: The process of providing key management on each node in an SP system.
- principal: An entity whose identifier and key are maintained in the authentication database. A principal can represent a user, an instance of a service, or an instance of trusted client code whose identity is to be authenticated.
- realm: A domain which shares an authentication database and servers. There is a single name-space for principal name/instance pairs within a realm. A realm is also a logical collection of clients and servers registered in the database.
- security policy: The set of rules, established by an organization's management, that determines how a system manages, protects, and distributes sensitive information and access to its resources.
- server: A functional unit (usually a daemon program and child processes) running on a particular host that provides shared services to users over a network; a process providing a service.
- service: The name of a principal whose identity is assumed by a server for purposes of authentication. Multiple servers can use the same service name.
- server key file: (Also referred to as a srvtab.) A file containing the names and private keys of the local instances of services. It is accessible only to processes that run under the UID of the user owning the server daemons. On an SP system, all services run as root.
- session key: A temporary key supplied by an authentication server to clients and servers that is used to encrypt parts of authentication protocol messages. Its lifetime is the same as that of the ticket with which it is created.
- trusted service: A service which is responsible for enforcing some part of the security policy of the system.
- ticket: An encrypted protocol message used to pass the identity of a user from a client to a server. Tickets are created by the Kerberos V4 authentication server and cached in disk files on the client's system.
- ticket-granting-ticket: The initial ticket obtained by a user. It is used by client programs to obtain additional tickets for authentication with application services.