- If you do not want the DCE primary server to run on the control
workstation, it must be running on, and reachable from, some other system.
- Install the DCE security client, directory client, and RPC (and the
servers, if desired) on the control workstation. You must ensure that
DCE is properly configured and running on the control workstation before
further configuration of DCE in the system.
- To indicate that DCE security should be installed and configured on the
nodes, issue:
spsetauth -p partition1 -i dce k4
The preceding example assumes that Kerberos V4 was the current
setting.
- To define DCE host names for the control workstation and for all of the
nodes, issue:
create_dcehostname
If create_dcehostname was run previously, it is not necessary to
run it again unless new nodes were added to the system.
- To update the SDR with DCE Master Security and CDS Server host names,
issue:
setupdce -u -s master_security_server_host -d cds_primary_server_host
- To configure the "admin" portion of the nodes' DCE clients, issue:
setupdce
You will be prompted for the cell administrator's password. You do not
need to be root to run this command. Optionally, use the -c and -l flags
to specify the cell administrator ID and the LAN profile ID, or accept
the defaults.
Notes:
- You can stop at this point in the configuration if you only want to
install and configure DCE clients on the nodes without enabling the SP system
to use DCE services. The DCE clients will be installed the next time
the nodes are rebooted. To enable DCE usage, continue with the remaining
steps.
- To run this command from a workstation outside the SP, set the SP_NAME
environment variable on that workstation to point to the SDR of the SP
system being configured. The value must be a resolvable address. For
example:
export SP_NAME=spcws.abc.com
- To configure SP Trusted Services to use DCE authentication,
issue:
config_spsec -v
Notes:
- You must be logged in as the cell administrator to perform this
task.
- To run this command from a workstation outside the SP, set the SP_NAME
environment variable to point to the SDR you want to access. Refer to
the config_spsec command in PSSP: Command and Technical
Reference for a description of the -r (remote) flag.
- To create SP Trusted Services keyfiles and keytab objects,
issue:
create_keyfiles -v
- Note:
- You must be root with default DCE credentials to perform this task.
- To select DCE as an authorization method for AIX remote commands,
issue:
spsetauth -p partition1 -d dce k4
This step generates the necessary authorization files for each selected
method and removes files or entries that are not needed. The -d flag sets
the complete list of methods rather than adding to it, so when adding dce
you must list it together with every method that is currently set: if k4
was previously set, it must be given again here, as in the example.
- Note:
- To enable DCE for authenticated remote commands, but not for SP Trusted
Services, you can skip steps involving SP Trusted Services (Step 10 and Step 14) and continue to Step 11.
- To start the Key Management daemon on the control workstation,
issue:
/usr/lpp/ssp/bin/spnkeyman_start
- All affected nodes must be shut down. Use the
cshutdown command (without the -r flag because the nodes
should not be rebooted at this time).
- To create and authorize a DCE SP administrative principal, follow
the instructions in Step 22.3: Create SP administrative principals. You should obtain credentials for the DCE SP
administrative principal before performing the next step.
- To enable authentication methods for AIX remote commands,
issue:
chauthpar -c -p partition1 k5 k4
- To enable authentication methods for SP Trusted Services,
issue:
chauthpts -c -p partition1 dce compat
- Reboot all affected nodes. Before doing so, see Note (NT1).
- Run updauthfiles on all nodes in system partitions not
changed during the transition to DCE. Issue:
export SP_NAME=partition_name
dsh -av /usr/lpp/ssp/bin/updauthfiles
Your system is now configured and enabled to use DCE as an authentication
method.
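The method switch-over steps above (spsetauth -d, spnkeyman_start, cshutdown, chauthpar, chauthpts, reboot) are easy to get wrong in two ways: running a later step after an earlier one has failed, and passing an incomplete method list, which silently drops a method that was previously set. The following POSIX sh runbook, added here as an example and not part of the PSSP documentation, runs those steps in the documented order, stops at the first failure, and builds the method list so that existing methods are kept. The PSSP commands and flags are the ones shown in the procedure; run_step, merge_methods, require_sp_name, enable_dce_auth and the DRY_RUN and REMOTE variables are this script's own conventions. config_spsec (cell administrator) and create_keyfiles (root with default DCE credentials) need different credentials and are assumed to have been run already; the node-selection flags for cshutdown are site-specific and are not supplied here.

```shell
#!/bin/sh
# Added example; not part of the PSSP documentation. Runbook for the DCE
# method switch-over steps. Run as root on the control workstation.
set -u

DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1: print each command instead of executing it
REMOTE=${REMOTE:-0}     # REMOTE=1: running from a workstation outside the SP

# run_step DESCRIPTION COMMAND [ARGS...]: log, run, and stop on the first
# non-zero exit so no later step runs against a half-switched partition.
run_step() {
    desc=$1; shift
    echo "## $desc"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@" || { echo "FAILED (rc=$?): $*" >&2; exit 1; }
}

# merge_methods CURRENT NEW...: spsetauth -i/-d, chauthpar -c and chauthpts -c
# take the complete method list, not an increment, so a method left out is
# dropped. Prints NEW followed by every method in CURRENT that is not already
# listed (merge_methods "k4" dce -> "dce k4").
merge_methods() {
    current=$1; shift
    result=$*
    for m in $current; do
        case " $result " in
            *" $m "*) ;;                          # already present
            *) result="${result:+$result }$m" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Outside the SP, every SDR-touching command needs SP_NAME set to a
# resolvable name for the SP system being configured.
require_sp_name() {
    [ -n "${SP_NAME:-}" ] || { echo "SP_NAME is not set" >&2; return 1; }
}

# enable_dce_auth PARTITION CURRENT_AUTHZ REMOTE_AUTH TS_AUTH
#   PARTITION      system partition name, e.g. partition1
#   CURRENT_AUTHZ  methods spsetauth currently has, e.g. "k4"
#   REMOTE_AUTH    chauthpar list, e.g. "k5 k4"
#   TS_AUTH        chauthpts list, e.g. "dce compat"
enable_dce_auth() {
    partition=$1; current_authz=$2; remote_auth=$3; ts_auth=$4
    if [ "$REMOTE" = 1 ]; then
        require_sp_name || return 1
    fi
    authz=$(merge_methods "$current_authz" dce)

    run_step "select DCE as an authorization method for AIX remote commands" \
        spsetauth -p "$partition" -d $authz
    run_step "start the Key Management daemon on the control workstation" \
        /usr/lpp/ssp/bin/spnkeyman_start
    # No -r: the nodes stay down until the methods below have been changed.
    run_step "shut down all affected nodes" cshutdown
    run_step "enable authentication methods for AIX remote commands" \
        chauthpar -c -p "$partition" $remote_auth
    run_step "enable authentication methods for SP Trusted Services" \
        chauthpts -c -p "$partition" $ts_auth
    echo "## now reboot all affected nodes (see Note (NT1) first)"
}

# Usage, e.g.:  DRY_RUN=1 ./dce_enable.sh partition1 k4 "k5 k4" "dce compat"
if [ $# -eq 4 ]; then
    enable_dce_auth "$1" "$2" "$3" "$4"
fi
```

Run it once with DRY_RUN=1 to see the exact command lines before the nodes are taken down; the printed spsetauth line should carry every method that was set before (k4 in the example) alongside dce.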