HP Integrity rx2800 System Management Homepage User Guide - Page 52




Timestamps are used in Kerberos to avoid replay attacks. The clock skew among machines cannot exceed a specific limit (five minutes by default in both MIT Kerberos and Active Directory).
2. The TGS decrypts the authenticator and returns the client-to-server ticket and a client/server session key to the client. The client then sends two messages to the service:
• The client-to-server ticket received from the TGS
• A new authenticator, made up of the client's ID and the current timestamp, encrypted with the client/server session key
3. The service decrypts the client-to-server ticket with its own secret key, recovers the session key, and sends the client a message with the received timestamp (plus one in Kerberos 4; Kerberos 5 returns the timestamp unchanged), confirming its true identity. This message is encrypted with the client/server session key.
4. The client decrypts the message and checks the timestamp. If it is correct, requests may be issued to the service and it sends responses back as expected.
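The exchange in steps 2 to 4, simulated with both sides' messages, as an added example that is not HP's code or any Kerberos library's code. seal() and unseal() are a toy encrypt-then-MAC built from HMAC-SHA256 standing in for Kerberos's real encryption types; the realm EXAMPLE.COM, the principal alice, the eight-hour ticket lifetime and the timestamps are constructed. The service side performs the two checks the timestamps exist for: it rejects an authenticator whose timestamp lies outside the clock-skew window (the failure a user sees as the Sign In page) and, within that window, rejects an authenticator it has already accepted.

```python
"""Kerberos AP exchange (steps 2-4 above), simulated with both sides' messages.

Added example, not HP SMH or Kerberos library code. seal()/unseal() are a toy
encrypt-then-MAC built from HMAC-SHA256 standing in for Kerberos's real
encryption types; the realm, principal and timestamps are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os

CLOCK_SKEW_LIMIT = 300   # seconds; the default in both MIT Kerberos and Active Directory


class KerberosError(Exception):
    """Raised by the service; the message is the matching KRB_AP_ERR_* name."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption: XOR with an HMAC keystream, then an HMAC tag."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise KerberosError("KRB_AP_ERR_BAD_INTEGRITY")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def tgs_issue_ticket(service_key: bytes, client: str, now: int) -> tuple[bytes, bytes]:
    """TGS (end of step 2): a client-to-server ticket only the service can open, plus the session key."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "session_key": session_key.hex(),
                                "endtime": now + 8 * 3600})   # constructed ticket lifetime
    return ticket, session_key


def client_build_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Client (step 2): client ID plus its current time, under the client/server session key."""
    return seal(session_key, {"client": client, "ctime": now})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: int, replay_cache: set) -> tuple[bytes, bytes]:
    """Service (step 3): validate ticket and authenticator, return (AP-REP, session key)."""
    ticket_body = unseal(service_key, ticket)            # only the service's own key opens the ticket
    session_key = bytes.fromhex(ticket_body["session_key"])
    if now > ticket_body["endtime"]:
        raise KerberosError("KRB_AP_ERR_TKT_EXPIRED")
    auth = unseal(session_key, authenticator)            # proves the sender holds the session key
    if auth["client"] != ticket_body["client"]:
        raise KerberosError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["ctime"]) > CLOCK_SKEW_LIMIT:      # the clock-skew failure the page describes
        raise KerberosError("KRB_AP_ERR_SKEW")
    if (auth["client"], auth["ctime"]) in replay_cache:  # same authenticator replayed inside the window
        raise KerberosError("KRB_AP_ERR_REPEAT")
    replay_cache.add((auth["client"], auth["ctime"]))
    # Kerberos 5 echoes the client's timestamp; Kerberos 4 returned it plus one.
    return seal(session_key, {"ctime": auth["ctime"]}), session_key


def client_verify_ap_rep(session_key: bytes, ap_rep: bytes, sent_ctime: int) -> bool:
    """Client (step 4): the reply must carry the timestamp from our own authenticator."""
    return unseal(session_key, ap_rep)["ctime"] == sent_ctime


def run_exchange(client_clock_offset: int = 0, replay: bool = False) -> str:
    """Drive one exchange; return "OK" or the KRB_AP_ERR_* name the service raised."""
    service_key = os.urandom(32)      # the service's long-term key (its keytab entry)
    service_now = 1_245_948_909       # constructed: 2009-06-25 16:55:09 UTC, the date in the page's log line
    client_now = service_now + client_clock_offset
    replay_cache: set = set()
    ticket, session_key = tgs_issue_ticket(service_key, "alice@EXAMPLE.COM", service_now)
    authenticator = client_build_authenticator(session_key, "alice@EXAMPLE.COM", client_now)
    try:
        ap_rep, _ = service_accept(service_key, ticket, authenticator, service_now, replay_cache)
        if replay:   # an attacker resends the captured ticket/authenticator pair one second later
            service_accept(service_key, ticket, authenticator, service_now + 1, replay_cache)
    except KerberosError as err:
        return str(err)
    return "OK" if client_verify_ap_rep(session_key, ap_rep, client_now) else "AP_REP_MISMATCH"


if __name__ == "__main__":
    print(run_exchange(), run_exchange(client_clock_offset=-600), run_exchange(replay=True))
```

run_exchange(client_clock_offset=-600) returns KRB_AP_ERR_SKEW, the condition that sends an SMH user back to the Sign In page; run_exchange(replay=True) shows why the timestamp alone is not enough: inside the skew window the service must also remember the authenticators it has already accepted.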
HP SMH Kerberos Authentication
HP SMH provides Kerberos Single Sign-On (SSO), allowing users in a Kerberos realm to log in without entering a user name and password in the Sign In page. If an allowed user accesses HP SMH and has valid Kerberos credentials, the Home page appears inside HP SMH.
Kerberos authentication is done using the special URL /proxy/Kerberos in HP SMH. When that URL is accessed, SMH looks for Kerberos credentials in the request and performs user authentication. If the user does not have valid Kerberos credentials, or if an error occurs during the authentication process, the Sign In page appears, showing an error message. For example, if the clock skew among the machines involved in authentication is too large, you receive an error message and are taken to the Sign In page.
Kerberos authentication does not work in the following local access situations:
• Accessing HP SMH from the machine where the KDC (AD) is installed
• Accessing HP SMH from the machine where HP SMH is installed
When an authentication error occurs, the system administrator should check the SMH HTTP server error log to obtain more information about the error.
For example, when the clock skew among the machines is too large, the following log message is written:
[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested is not supported\r\n(-2146893054)
The number in parentheses is the SSPI status code printed as a signed 32-bit decimal: -2146893054 is 0x80090302, SEC_E_UNSUPPORTED_FUNCTION.
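A small triage script for the check recommended above, pulling mod_spnego failures out of the SMH HTTP server error log, as an added example that is not HP's code. The log lines are constructed: the first is the page's own message with the [client ...] bracket restored as Apache writes it, the other two are made up (one SSPI clock-skew failure, one unrelated error). The SSPI code is the Windows HRESULT printed as a signed 32-bit decimal; the script recovers the hex value and names it from a hand-picked subset of the SEC_E_* codes, reporting anything outside that subset as UNKNOWN.

```python
"""Triage mod_spnego failures in the SMH HTTP server error log (added example, not HP code)."""
import re

# Constructed sample: line 1 is the page's message with the [client ...] bracket restored;
# the other two lines are made up to show a skew failure and an unrelated error.
SAMPLE_LOG = [
    r"[Thu Jun 25 16:55:09 2009] [error] [client 2001:db8:c18:1:b8ca:fcdf:d49d:b5c6] "
    r"mod_spnego: Kerberos SSO (QueryContextAttributes) failed; SSPI: The function requested "
    r"is not supported\r\n(-2146893054)",
    r"[Thu Jun 25 17:02:41 2009] [error] [client 192.0.2.17] mod_spnego: Kerberos SSO "
    r"(AcceptSecurityContext) failed; SSPI: The clocks on the client and server machines "
    r"are skewed.\r\n(-2146893020)",
    r"[Thu Jun 25 17:05:00 2009] [error] [client 192.0.2.18] File does not exist: /hypothetical/path/favicon.ico",
]

# Apache 2.2-style error-log line: [date] [level] [client address] message
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# mod_spnego's failure text: the SSPI call that failed, Windows's message, then the
# HRESULT printed as a signed decimal in parentheses.
SSPI_RE = re.compile(
    r"mod_spnego: Kerberos SSO \((?P<call>\w+)\) failed; SSPI: (?P<text>.*?)\((?P<code>-?\d+)\)"
)

# Hand-picked subset of Windows SSPI status codes (winerror.h); anything else is "UNKNOWN".
SEC_E_NAMES = {
    0x80090302: "SEC_E_UNSUPPORTED_FUNCTION",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090324: "SEC_E_TIME_SKEW",
}


def hresult_from_sspi(code: int) -> int:
    """SSPI logs the HRESULT as a signed 32-bit integer; recover the unsigned value."""
    return code & 0xFFFFFFFF


def parse_sspi_failures(lines):
    """Return one dict per mod_spnego SSPI failure; all other lines are ignored."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SSPI_RE.search(m["msg"])
        if not s:
            continue
        hr = hresult_from_sspi(int(s["code"]))
        failures.append({
            "date": m["date"],
            "client": m["client"],
            "call": s["call"],
            "hresult": f"0x{hr:08X}",
            "name": SEC_E_NAMES.get(hr, "UNKNOWN"),
            # the log writes the CRLF Windows appends to its message as a literal \r\n
            "text": s["text"].replace("\\r\\n", "").strip(),
        })
    return failures


if __name__ == "__main__":
    for f in parse_sspi_failures(SAMPLE_LOG):
        print(f"{f['date']}  {f['client']:<40} {f['call']:<22} {f['hresult']} {f['name']}: {f['text']}")
```

Grouping the output by client address and SEC_E_ name separates a fleet-wide cause (every client failing with SEC_E_TIME_SKEW points at NTP on the SMH host) from a single misconfigured workstation.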
The following levels of user authorization are available:
• Administrator: Users with Administrator access can view all information provided through HP SMH. The appropriate default user group, Administrators for Windows operating systems and root for HP-UX and Linux, always has administrative access.
• Operator: Users with Operator access can view and set most information provided through HP SMH. Some web applications limit access to the most critical information to administrators only.
• User: Users with User access can view most information provided through HP SMH. Some web applications restrict viewing of critical information from individuals with User access.
To enable or disable Kerberos and add groups to the allowed Kerberos group list, complete the following steps for each level of access. Kerberos support is provided on a per-user basis.
Kerberos Administrator
To add a Kerberos Administrator:
1. Select Settings from the menu.
2. In the System Management Homepage box, click the Security link.
3. Click the Kerberos Authorization link.
4. In the Kerberos Configuration area, select the box beside Enable Kerberos Support.
52
The Settings Page