ITEM: L6214L

DCE: How to extend certificate life time



Question:

The customer has AIX 3.2.5 and DCE 1.2 installed.

He has an application that he wants to run 24x7. But the ticket
expires after 8 hours. He tried modifying the parameters but it didn't
make a difference. 

Response:

NOTE: Please refer to the AIX DCE 1.2 Release Notes (SC23-2434-01)
"Notes on ticket lifetimes" page 25.

A summary of the Release Notes:

The lifetime of a TGT is the MINIMUM of the following:

 - Registry Properties: 
     default certificate lifetime
 - Registry Authentication policy:
     maximum certificate lifetime
     maximum renewable lifetime
 - DCE principal - the account of the principal logging in
     maximum certificate lifetime
 - krbtgt/cellname - the account of the Ticket Granting Service
     maximum certificate lifetime

A workaround for this problem is to increase the "Max Certificate Lifetime"
value of the Authentication Policy (which applies to the entire DCE cell) and
to raise the Registry Properties "Default Certificate Lifetime" as well.
New DCE accounts usually inherit the default certificate lifetime unless a
maximum lifetime is specified when the account is created, so the default
is normally the value that limits a new account's tickets.

How to increase the maximum certificate lifetime for the DCE cell
(Authentication Policy):
(This example changes the max certificate lifetime from 1 day to 2 days)

# dce_login cell_admin
# rgy_edit
rgy_edit=> authpolicy

  Authentication Policy:
    Max certificate lifetime:                 1d
    Max renewable lifetime:                   4w
Do you wish to make changes [y/n]? (n) y
Enter maximum certificate lifetime in hours or 'forever': (1d) 2d
Enter maximum certificate-renewable lifetime in hours or 'forever': (4w)
rgy_edit=> quit
#

How to change the default certificate lifetime for the DCE cell:
(This example changes it from 10 hours to 36 hours)

# dce_login cell_admin
# rgy_edit

rgy_edit=> properties
  Properties:
    Properties for Registry at:               /.../dcecell1
    Registry is NOT read-only
    Certificates to this server may be generated at any site.
    Encrypted passwords are hidden
    Unix IDs ARE embedded in PGO UUIDs
    Low UID for principal creation:           100
    Low UID for group creation:               100
    Low UID for org creation:                 100
    Maximum possible UID:                     32767
    Minimum certificate lifetime              5m
    Default certificate lifetime              10h
Do you wish to make changes [y/n]? (n) y

Stamp registry read-only [y/n]? (n)
Should encrypted passwords be hidden [y/n]? (y)
Lower bound on principal unix id for automatic UID assignment: (100)
Lower bound on group     unix id for automatic UID assignment: (100)
Lower bound on org       unix id for automatic UID assignment: (100)
Maximum allowable unix id: (32767)
Minimum certificate lifetime (minutes): (5m)
Default certificate lifetime (hours): (10h) 36h
rgy_edit=> quit

This can also be done from SMIT.
 (SMIT allows you to change both the maximum certificate lifetime and the
default certificate lifetime from one SMIT menu. This example changes
the maximum certificate lifetime from 1 day to 2 days and the default
certificate lifetime from 10 hours to 36 hours.)

# dce_login cell_admin
# smitty
  select Communications Applications and Services
  select DCE (Distributed Computing Environment)
  select DCE Security & Users Administration
  select Registry Policies and Properties
  select Authenticated Policies and Properties

                     Authenticated Policies and Properties

Type or select values in entry fields.
Press Enter AFTER making all desired changes.
  
                                                        [Entry Fields]
  MINIMUM ticket lifetime (in minutes)               [5m]
  DEFAULT ticket lifetime (in hours)                 [36h]
  MAXIMUM ticket lifetime (in hours)                 [2d]
  Maximum RENEWABLE ticket lifetime (in hours)       [4w]
  

How to change the Max certificate lifetime for a DCE account:

(Press the Enter key at each prompt to keep its current value, up to the
fields that need to be changed.)

# dce_login cell_admin
# rgy_edit
rgy_edit=> domain account
rgy_edit=> change

Change Account=> Enter account id [pname]: ivan
Enter account group [gname]: <Enter>
Enter account organization [oname]: <Enter>
Enter new misc info: <Enter>
Enter new home directory: <Enter>
Enter new shell: <Enter>
Password valid [y/n]? <Enter>
Enter new expiration date [yy/mm/dd or 'none']: <Enter>
Allow account to be server principal [y/n]? <Enter>
Allow account to be client principal [y/n]? <Enter>
Account valid for login [y/n]? <Enter>
Allow account to obtain post-dated certificates [y/n]? <Enter>
Allow account to obtain forwardable certificates [y/n]? <Enter>
Allow certificates to this account to be issued via TGT auth [y/n]? <Enter>
Allow account to obtain renewable certificates [y/n]? <Enter>
Allow account to obtain proxiable certificates [y/n]? <Enter>
Allow account to obtain duplicate session keys [y/n]? <Enter>
Good since date [yy/mm/dd or 'now']: <Enter>

This is the part that changes the ticket lifetime for a DCE account
(this example sets it to 24 hours):

Create/Change auth policy for this acct [y/n]? (n) y
Enter maximum certificate lifetime in hours or 'forever': 24h
Enter maximum certificate-renewable lifetime in hours or 'forever': 5w
Change account "ivan encina_user_ugrp none" [y/n/g/q]? y
Change Account=> Enter account id [pname]: 
rgy_edit=> 

This can also be done using SMIT:

# dce_login cell_admin
# smitty
  select Communications Applications and Services
  select DCE (Distributed Computing Environment)
  select DCE Security & Users Administration
  select accounts
  select Change / Show Characteristics of an Account

                  Change / Show Characteristics of an Account

Type or select a value for the entry field.
Press Enter AFTER making all desired changes.
  
                                                        [Entry Fields]
  ACCOUNT name                                       [ivan]               +
  
  
(Either type the account name or press the F4 key to select it from a list.)

                  Change / Show Characteristics of an Account

Type or select values in entry fields.
Press Enter AFTER making all desired changes.
  
[TOP]                                                   [Entry Fields]        
  Principal account is for                            ivan
  GROUP associated with this account                  none
  ORGANIZATION associated with this account           none
  New PRINCIPAL account is for                       [ivan]                   +
  LOGIN user?                                         yes                     +
  New GROUP associated with this account             [none]                   +
  New ORGANIZATION associated with this account      [none]                   +
  HOME directory                                     [/]
  Initial PROGRAM                                    []
  ACCOUNT information                                []
  Require user to CHANGE PASSWORD on next login?      no                      +
  Allow account to be a SERVER principal?             yes                     +
  Allow account to be a CLIENT principal?             yes                     +
  Maximum ticket LIFETIME                            [24h]
  Maximum ticket RENEWABLE lifetime                  [4w]                      
  EXPIRATION date ([YY]YY/MM/DD.hh:mm)               [none]                    
  GOOD SINCE date ([YY]YY/MM/DD.hh:mm)               [1994/07/26.12:04]
[BOTTOM]

NOTE: the relevant fields are:

 Maximum ticket LIFETIME                (same as "maximum certificate lifetime"
                                        from rgy_edit)          
 Maximum ticket RENEWABLE lifetime      (same as "maximum certificate-renewable
                                        lifetime" from rgy_edit)

In this example, the account "ivan" had its maximum ticket lifetime set to "24h"
(24 hours) and its maximum ticket renewable lifetime set to "5w" (5 weeks). If a
number is entered without a qualifier (h=hour, d=day, w=week), it is interpreted
as hours.

In the examples shown above, the cell maximum (Authentication Policy) is 2 days,
but the registry default is 36 hours. Since the TGT lifetime is the minimum of
the values listed earlier, any account whose certificate lifetime is left at the
default, or set higher than it, gets a ticket lifetime of 36 hours.

For the ivan account, the certificate lifetime will be 24 hours, because the
maximum certificate lifetime set on the account (24h) is lower than the
registry default.

The only other certificate lifetime that could affect the lifetime for
an account is that of the cell Ticket Granting Service (krbtgt/cellname
account). It is set to the default value for the registry. 



Support Line: DCE: How to extend certificate life time ITEM: L6214L
Dated: November 1994 Category: N/A