HP-UX 11i June 2002 Release Notes
Security
HP-UX Kerberos Server
Chapter 13, page 235
HP-UX Kerberos Server (new for September 2001)
HP announces a new security product available on the application CD distributed in
September 2001. The HP-UX Kerberos Server (T1417AA) provides key distribution
facilities to implement the Kerberos authentication protocol in network-distributed
enterprises. It is designed to provide strong authentication for client/server applications
by using secret-key cryptography. A client can prove its identity to a server (and vice
versa) across an insecure network connection. After a client and server have used
Kerberos to prove their identity, they can also encrypt all of their communications to
assure privacy and data integrity as they go about their business.
Single sign-on: Using the Kerberos protocol, users have the foundation for secure single sign-on to
applications and resources. The server stores user profile data. Clients initially authenticate with a
password, which the server converts into an authorization ticket. That ticket is then used to obtain
service tickets, which every Kerberized application and service uses to authenticate the user and
grant access. In this way, a single sign-on provides credentials that automatically grant access to
multiple applications and services wherever they reside on the network.
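The two exchanges described above, modelled end to end as an added example (this is not HP's code or part of the original release note). The realm EXAMPLE.COM, the principals, the passwords and the timestamps are constructed sample values, and the cipher is a toy SHA-256 keystream with an HMAC tag standing in for the product's DES so that the flow runs offline with the standard library. It shows the password being turned into a ticket-granting ticket once, that ticket being traded for a service ticket without the password, a wrong password failing at the client, and an expired ticket being refused by the KDC.

```python
"""Toy Kerberos single sign-on flow: AS exchange, TGS exchange, service check."""
import hashlib
import hmac
import json
import os
import secrets


def derive_key(password: str, salt: str) -> bytes:
    """String-to-key: the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (constructed stand-in for DES): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plain = json.dumps(fields).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, "sha256").digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`: a wrong password or a forged ticket."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise PermissionError("integrity check failed")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """Authentication service plus ticket-granting service for one realm."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys: dict[str, bytes] = {}        # principal -> long-term key (user profile store)
        self.tgs_key = secrets.token_bytes(32)  # only the KDC can open ticket-granting tickets

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)

    def as_exchange(self, client: str, now: int, lifetime: int = 8 * 3600):
        """AS exchange: a TGT sealed for the TGS, plus the session key sealed under the client's key."""
        session, expires = secrets.token_bytes(32).hex(), now + lifetime
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": expires})
        return tgt, seal(self.keys[client], {"key": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS exchange: a valid TGT and a fresh authenticator buy a service ticket, no password."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(t["key"])
        auth = unseal(session, authenticator)  # proves the caller holds the session key
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise PermissionError("authenticator rejected")
        svc_key = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "expires": t["expires"]})
        return ticket, seal(session, {"key": svc_key, "service": service})


class Client:
    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.tgt = self.session = None

    def login(self, password: str, now: int) -> None:
        """One password entry; afterwards only the TGT and session key are kept."""
        tgt, enc_part = self.kdc.as_exchange(self.name, now)
        part = unseal(derive_key(password, self.kdc.realm + self.name), enc_part)  # fails if wrong
        self.tgt, self.session = tgt, bytes.fromhex(part["key"])

    def service_ticket(self, service: str, now: int):
        """Returns the ticket for the service and an authenticator proving who presents it."""
        authenticator = seal(self.session, {"client": self.name, "time": now})
        ticket, enc_part = self.kdc.tgs_exchange(self.tgt, authenticator, service, now)
        svc_key = bytes.fromhex(unseal(self.session, enc_part)["key"])
        return ticket, seal(svc_key, {"client": self.name, "time": now})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """What a Kerberized service checks: ticket under its own key, unexpired, fresh authenticator."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except PermissionError:
        return False
    return a["client"] == t["client"] and now <= t["expires"] and abs(now - a["time"]) <= 300


def demo() -> dict:
    """Constructed realm, principals and passwords; returns the outcome of each check."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal("host/fileserver", "service-secret")
    fileserver_key = derive_key("service-secret", "EXAMPLE.COM" + "host/fileserver")
    now = 1_000_000
    alice = Client("alice", kdc)
    alice.login("correct horse battery", now)
    ticket, auth = alice.service_ticket("host/fileserver", now + 60)
    try:                                   # wrong password: the AS reply cannot be opened
        Client("alice", kdc).login("wrong password", now)
        wrong_password_rejected = False
    except PermissionError:
        wrong_password_rejected = True
    try:                                   # nine hours later the 8-hour TGT is refused by the KDC
        alice.service_ticket("host/fileserver", now + 9 * 3600)
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    return {"ok": service_accepts(fileserver_key, ticket, auth, now + 61),
            "wrong_password_rejected": wrong_password_rejected,
            "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where each secret lives: the password is used once, at the client, to open the AS reply; the KDC never sees it, and every later request is authorised by the TGT and its session key. The real product sealed tickets with DES, as the closing paragraph of this section notes; DES was later deprecated for Kerberos by RFC 6649, which is why the stand-in here is a modern keyed construction rather than an imitation of the original cipher.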
Cross-realm authentication: The server provides an authentication service and acts as a key
distribution center (KDC). As an implementation of MIT Kerberos 5 version 1.2.2, it supports
cross-realm authentication. One use is to work with Windows clients that obtain Windows 2000
Kerberos credentials; these are then used to authenticate the user to the HP-UX Kerberos server,
which in turn creates credentials for HP-UX applications and services, all with a single sign-on.
GSSAPI support: For development, HP-UX Kerberos provides the Generic Security Service Application
Program Interface (GSSAPI). The GSSAPI is a standard programming interface that is independent of
the authentication mechanism and is supported on HP-UX 11.0 and 11i. This gives application
developers the flexibility to use alternative authentication technologies, including Kerberos.
Together, the implementation of the Kerberos protocol, the Kerberos server, the Kerberos client, PAM
Kerberos, and the Kerberized applications provide an infrastructure of DES encryption and single
sign-on convenience for users in a network-distributed computing environment.