Sun Microsystems, Inc.
spacer |
black dot
8.  Configuring SEAM (Tasks) Administering the Kerberos Database How to Set Up Parallel Propagation Example--Setting Up Parallel Propagation  Previous   Contents   Next 

Administering the Stash File

The stash file contains the master key for the Kerberos database, which is automatically created when you create a Kerberos database. If the stash file gets corrupted, you can use the stash command of the kdb5_util utility to replace the corrupted file. The only time you should need to remove a stash file is after removing the Kerberos database with the destroy command of kdb5_util. Because the stash file isn't automatically removed with the database, you have to remove it to finish the cleanup.

How to Remove a Stash File

  1. Become superuser on the KDC that contains the stash file.

  2. Remove the stash file.

    # rm stash-file

    In this example, stash-file is the path to the stash file. By default, the stash file is located at /var/krb5/.k5.realm.

If you need to re-create the stash file, you can use the -f option of the kdb5_util command.

Increasing Security

Follow these steps to increase security on SEAM application servers and on KDC servers.

How to Restrict Access to KDC Servers

Both master KDC servers and slave KDC servers have copies of the KDC database stored locally. Restricting access to these servers so that the databases are secure is important to the overall security of the SEAM installation.

  1. Disable remote services in the /etc/inetd.conf file.

    To provide a secure KDC server, all nonessential network services should be disabled by commenting out the entry that starts the service in the /etc/inetd.conf file. In most circumstances, the only services that would need to run would be time and krdb5_kprop. In addition, any services that use loopback tli (ticlts, ticotsord, and ticots) can be left enabled. After you edit the file, it should look similar to the following (to shorten the example many comments have been removed):

    kdc1 # cat /etc/inetd.conf
    #ident  "@(#)inetd.conf 1.33    98/06/02 SMI"   /* SVr4.0 1.5   */
    #name     dgram   udp     wait    root    /usr/sbin/in.tnamed     in.tnamed
    #shell    stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
    #login    stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
    #exec     stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
    #comsat   dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
    #talk     dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
    #uucp     stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
    #finger   stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
    # Time service is used for clock synchronization.
    time      stream  tcp     nowait  root    internal
    time      dgram   udp     wait    root    internal
    100234/1  tli rpc/ticotsord wait  root    /usr/lib/gss/gssd     gssd 
    #dtspc    stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
    #100068/2-5 dgram rpc/udp wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
    100134/1 tli rpc/ticotsord wait   root    /usr/lib/ktkt_warnd kwarnd
    krb5_prop stream  tcp     nowait  root    /usr/lib/krb5/kpropd  kpropd

    Reboot the KDC server after the changes are made.

  2. Restrict access to the hardware that supports the KDC.

    In order to restrict physical access, make sure that the KDC server and its monitor are located in a secure facility. Users should not be able to access this server in any way.

  3. Store KDC database backups on local disks or on the KDC slaves.

    Make tape backups of your KDC only if the tapes are stored securely. Follow the same practice for copies of keytab files. It would be best to store these files on a local file system that is not shared to other systems. The storage file system can be on either the master KDC server or any of the slave KDCs.

  Previous   Contents   Next