Planning Volume 2, Control Workstation and Software Environment
Use each checklist that applies to an authentication method that you plan
to enable.
The following summarizes what you need to do from the SP point of view (for
DCE-specific tasks, see the DCE publications):
- Obtain the product to install. See the book IBM DCE Version
3.1 for AIX: Quick Beginnings, which describes DCE and
explains how to plan for, install, and configure the product.
- Plan the cell.
- Plan the master and replica servers.
- Ensure the SP control workstation and nodes have connectivity.
- Plan which security services to install on the control workstation and
nodes.
- Plan if you need to exclude any SP network interfaces.
- Plan which authentication methods to enable in each SP system partition
for root user execution of remote commands.
- Plan which authentication methods to enable in each SP system partition
for the SP trusted services.
- Considering the granularity of access control you require and the existing
names in your DCE database, plan any partition-specific or other DCE group and
principal names for which you might want to override the SP default
names.
- Ensure authorizations are established in the DCE database in order to be
able to install PSSP with DCE security services.
- Ensure the DCE servers are completely installed and functional before
installing PSSP.
Decide what authentication realms your network will have.
For each realm:
- Decide on the name of the realm.
- Determine the administrative principal you will use for installing the SP
authentication on the control workstation and other pSeries or RS/6000
workstations. Either this administrative user or another that you define
later must be assigned UID 0 in order to perform SP installation tasks that
require both root privileges and Kerberos administrative authority.
- Decide which system is the primary server.
  - If it will be an SP authentication server:
    - Make sure no other Kerberos system is installed.
  - Otherwise, it must be an existing (primary) Kerberos server:
    - Make sure the authentication server is installed and running.
    - Make sure the kshell service (rsh/rcp daemon) is available.
    - Make sure that network interfaces and name resolution are set up to
allow it to access the primary server.
- Decide which systems will be secondary servers.
- Make sure that network interfaces and name resolution are set up to allow
it to access the primary server and the SP system.
If there will be any secondary servers:
- Decide how you will order the entries in the /etc/krb.conf
configuration file.
- Decide how often you want to automatically propagate the authentication
database from the primary server to the secondaries.
- For each secondary server:
  - Make sure no other Kerberos system is installed.
  - Make sure that network interfaces and name resolution are set up to
allow it to access the primary server.
- Identify any other pSeries or RS/6000 systems that will be clients.
If any other pSeries or RS/6000 systems will be clients:
- Decide how you will order the entries in the /etc/krb.conf
configuration file.
- Make sure that network interfaces and name resolution are set up to allow
it to access the primary server and the SP system.
If you choose to use AFS authentication servers with your SP system, take
into account the following unique considerations:
- Any pSeries or RS/6000 workstation on which you are installing the SP
authentication support, including the control workstation, must have already
been set up as either an AFS client system or as an AFS server.
- If the AFS configuration files, CellServDB and ThisCell,
are installed in a directory other than /usr/vice/etc, or if the
kas program is not installed in /usr/afsws/etc or
/usr/afs/etc, you must create symbolic links at the directory level
so the SP setup_authent program can find these files.
- You must have a user defined with the AFS admin attribute that
can be used during SP authentication setup and installation. This user
will also be the default user defined with administrative authority in the
System Monitor's access control list file. You can add other
administrators later.
- In order for users to use the authentication service on the SP nodes, you
must also install AFS client services on those systems. See the
instructions for AFS client customization of the SP nodes in the sample file
afsclient.cust in the PSSP: Administration
Guide.
- The authentication server (kaserver) in AFS 3.4 for AIX
4.1 accepts Kerberos V4 protocol requests using the well-defined
udp port assigned to the kerberos service. AIX
4.1 assigns the Kerberos V5 port number 88 to work with DCE.
PSSP authentication services, which are based on Kerberos V4, use a default
port number of 750. The PSSP commands use the service name kerberos4 to
avoid this conflict with the Kerberos V5 service name. For PSSP
authentication commands to communicate with an AFS 3.4
kaserver on AIX 4.1, you must do one of the following:
  - Stop the kaserver, redefine the udp port number for the
kerberos service to 750 on the AFS Authentication server system, then
restart the kaserver.
  - Add a statement to /etc/services that defines the udp
port for the kerberos4 service as 88 on the SP control workstation
and on any other independent workstation that will be a client system for PSSP
authenticated services.
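The following script is an added example and is not part of the PSSP manual or the PSSP product. It reads /etc/services-style text, extracts the udp port bound to the kerberos and kerberos4 service names, and reports whether the kerberos4 entry on a client workstation names the port the AFS 3.4 kaserver actually listens on (88, the Kerberos V5 port, as the paragraph above states). The two sample files, the function names and the "kaserver listens on 88" assumption are constructed for the example; check the real /etc/services on each workstation and on the AFS server.

```shell
#!/bin/sh
# Added example, not from the PSSP manual. The sample /etc/services lines
# below are constructed for illustration; real files will differ.

# Print the udp port number bound to service NAME ($1) in services-file
# text read from stdin. Comment lines and tcp entries are ignored; only the
# first matching udp entry is reported.
svc_udp_port() {
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        $1 == name && $2 ~ /^[0-9]+\/udp$/ { sub(/\/udp$/, "", $2); print $2; exit }
    '
}

# Return 0 when the kerberos4 entry in the services text on stdin names the
# port the AFS kaserver listens on ($1), 1 otherwise (no entry, or a
# different port, so PSSP V4 requests would go to the wrong port).
kerberos4_matches_kaserver() {
    want="$1"
    got=$(svc_udp_port kerberos4)
    printf 'kaserver listens on %s, kerberos4/udp is %s\n' "$want" "${got:-unset}"
    [ "${got:-}" = "$want" ]
}

# Constructed sample: a client workstation's /etc/services before the fix.
# kerberos4 still resolves to the PSSP default of 750.
services_before() {
    cat <<'EOF'
# Network services, Internet style (constructed sample)
kerberos        88/udp      kerberos5 krb5   # Kerberos V5, used by DCE
kerberos        88/tcp      kerberos5 krb5
kerberos4       750/udp     kerberos-iv kdc  # PSSP Kerberos V4 default
EOF
}

# Constructed sample: the same file after adding the kerberos4 = 88/udp
# statement described in the second bullet of the checklist.
services_after() {
    cat <<'EOF'
# Network services, Internet style (constructed sample)
kerberos        88/udp      kerberos5 krb5   # Kerberos V5, used by DCE
kerberos        88/tcp      kerberos5 krb5
kerberos4       88/udp      kerberos-iv kdc  # PSSP Kerberos V4 -> AFS 3.4 kaserver
EOF
}

# Wrappers that return the check result for each sample; the kaserver port
# (88) is the assumption stated in the lead-in, taken from the text above.
check_before() { services_before | kerberos4_matches_kaserver 88; }
check_after()  { services_after  | kerberos4_matches_kaserver 88; }

check_before || echo "mismatch: PSSP V4 requests would be sent to the wrong port"
check_after  && echo "ok: kerberos4 resolves to the kaserver port"
```

To run the check against a live workstation, pipe the real file in (`kerberos4_matches_kaserver 88 < /etc/services`), substituting the port the kaserver was left on if the first option (moving the kerberos service to 750 on the AFS server) was chosen instead.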