In order to start a z/OS NFS server with Kerberos authentication
features, a Kerberos Key Distribution Center must be ready before
the z/OS NFS server starts. This section lists the basic steps involved
in setting up the z/OS KDC which will be compatible with the z/OS
NFS server environment. For more advanced configurations and detailed
explanations of the setup steps and the reasoning behind, please
refer to z/OS Integrated Security Services Network Authentication Service Administration.
For KDC setups on other platforms, consult your vendor-specific
documentation.
These steps assume that Resource Access Control Facility (RACF®)
is available in the system. If you have a different but equivalent
external security manager, please refer to the documentation of the
product for instructions.
- Copy the SKRBKDC started task procedure from EUVF.SEUVFSAM to
SYS1.PROCLIB. The SYS1.PROCLIB(SKRBKDC) should look like the following:
//*********************************************************************
//*
//* Procedure for starting the Kerberos SKRBKDC started task
//* Specify PARMS='-kdc' to enable the Kerberos KDC services.
//* Specify PARMS='-nokdc' to disable the Kerberos KDC services.
//*
//*********************************************************************
//SKRBKDC PROC REGSIZE=256M,OUTCLASS='A',PARMS='-kdc'
//*--------------------------------------------------------------------
//GO EXEC PGM=EUVFSKDC,REGION=&REGSIZE,TIME=1440,
// PARM=('ENVAR("LANG=En_US.IBM-1047"),TERM(DUMP) / &PARMS X
// 1>DD:STDOUT 2>DD:STDERR')
//STDOUT DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
// FREE=END,SPIN=UNALLOC
//STDERR DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
// FREE=END,SPIN=UNALLOC
//SYSOUT DD SYSOUT=&OUTCLASS,
// FREE=END,SPIN=UNALLOC
//CEEDUMP DD SYSOUT=&OUTCLASS,
// FREE=END,SPIN=UNALLOC
- Copy the sample Kerberos configuration file in z/OS® UNIX from
/usr/lpp/skrb/examples/krb5.conf to /etc/skrb/krb5.conf. The permission
bits of this file should allow only the administrator to modify it
and everyone else to read it (for example, mode 644).
Note: If the z/OS NFS server will be supporting NFS clients on multiple
platforms, IBM recommends using only the des-cbc-crc encryption type for
compatibility, as shown in the copy that follows. Be aware that des-cbc-crc
is single DES, which RFC 6649 deprecates and which current Kerberos
implementations disable by default; enable it only for the clients that
cannot use anything stronger.
;---------------------------------------------------------------------;
; Sample Kerberos configuration file                                  ;
;                                                                     ;
; Copy this file to /etc/skrb/krb5.conf and then tailor it for        ;
; your Kerberos configuration                                         ;
;                                                                     ;
; Do not enable DES3 encryption unless all of the systems in the      ;
; realm have DES3 support. In order to use DES3 encryption for        ;
; tickets, you must set the SKDC_TKT_ENCTYPES environment variable    ;
; in /etc/skrb/home/kdc/envar.                                        ;
;---------------------------------------------------------------------;
[libdefaults]
  default_realm = KRB390.IBM.COM
  kdc_default_options = 0x40000010
  use_dns_lookup = 0
  ; Default encryption types if DES3 is not supported
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
[realms]
  KRB390.IBM.COM = {
    kdc = dcesec4.krb390.ibm.com:88
    kpasswd_server = dcesec4.krb390.ibm.com:464
    admin_server = dcesec4.krb390.ibm.com:749
  }
  KRB2000.IBM.COM = {
    kdc = sstone1.krb2000.ibm.com:88
    admin_server = sstone1.krb2000.ibm.com:749
  }
[domain_realm]
  .krb390.ibm.com = KRB390.IBM.COM
  .krb2000.ibm.com = KRB2000.IBM.COM
- Copy the environment variable definitions from
/usr/lpp/skrb/examples/skrbkdc.envar to /etc/skrb/home/kdc/envar.
Depending on which type of KDC is being set up, set the environment
variable SKDC_DATABASE to SAF or NDBM (the default is SAF, a SAF
registry KDC). The file permissions should allow only the administrator
to read and update it (for example, mode 600).
- Add /usr/lpp/skrb/bin to the search path in the z/OS UNIX user's
.profile, for example PATH=/usr/lpp/skrb/bin:$PATH, and export PATH.
- Issue the following RACF commands (entering each command on a
single line). If needed, consult z/OS Integrated Security Services Network Authentication Service Administration for
explanations.
RDEFINE FACILITY IRR.RUSERMAP UACC(read)
SETROPTS RACLIST(FACILITY) REFRESH
AU skrbkdc DFLTGRP(sys1) NOPASSWORD OMVS(UID(0) PROGRAM('/bin/sh') HOME('/etc/skrb/home/kdc'))
RDEFINE REALM KERBDFLT KERB(KERBNAME(KRB390.IBM.COM) PASSWORD(password) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400))
Note: KERBNAME(KRB390.IBM.COM)
should be changed to match your Kerberos Realm.
- For a SAF registry KDC, continue with the following steps. For an NDBM
registry KDC, skip to the NDBM registry steps below.
- Issue the following RACF commands, entering each command on a
single line:
SETROPTS CLASSACT(appl) RACLIST(appl)
RDEFINE APPL SKRBKDC UACC(read)
SETROPTS CLASSACT(ptktdata) RACLIST(ptktdata)
RDEFINE PTKTDATA SKRBKDC UACC(none) SSIGNON(keymasked(3734343237343131))
SETROPTS RACLIST(appl ptktdata) REFRESH
SETROPTS GENERIC(started)
RDEFINE STARTED SKRBKDC.** STDATA(user(skrbkdc))
RDEFINE STARTED SKRBWTR.** STDATA(user(skrbkdc))
SETROPTS RACLIST(started) REFRESH
AU KADMIN DFLTGRP(sys1) PASSWORD(password) KERB(KERBNAME(kadmin/admin))
ALU KADMIN PASSWORD(password) NOEXPIRED
PASSWORD KADMIN NOINTERVAL
AU CHANGEPW DFLTGRP(sys1) PASSWORD(password) KERB(kerbname(kadmin/changepw))
ALU CHANGEPW PASSWORD(password) NOEXPIRED
PASSWORD CHANGEPW NOINTERVAL
- For a multiple-realm environment, create the cross-realm
ticket-granting (krbtgt) principals with RACF commands:
RDEFINE REALM /.../KRB390.IBM.COM/KRBTGT/KRB2000.IBM.COM KERB(PASSWORD(password))
RDEFINE REALM /.../KRB2000.IBM.COM/KRBTGT/KRB390.IBM.COM KERB(PASSWORD(password))
Note: KRB390.IBM.COM is the local realm; change it to match the realm of
your KDC. KRB2000.IBM.COM is the remote realm; change it to match the name
of the remote realm. The passwords must match the ones defined for the
same cross-realm principals on the remote realm's KDC, or cross-realm
authentication will fail.
- Add Kerberos segments to existing user definitions. These Kerberos
segments serve as the Kerberos principals in the Kerberos database.
To add a RACF user ID, issue a RACF command, for example:
AU (userid1) OWNER (IBMUSER) OMVS(UID(101))
To define a Kerberos segment for this user definition, issue the RACF command:
ALTUSER userid1 PASSWORD(password) NOEXPIRED KERB(KERBNAME(user1))
- Start the skrbkdc task.
- Continue with creating the NFS principal (below) to complete the KDC setup.
- For NDBM registry type KDC, follow these steps.
- To create the initial registry database files, issue the z/OS UNIX command:
kdb5_ndbm create
The IBMUSER and IBMUSER/admin principals are now created with the
initial password IBMUSER. Change this password as soon as the KDC is
running; it is a documented default and therefore known to anyone.
- Copy sample KDC configuration file from /usr/lpp/skrb/examples/
kdc.conf to /etc/skrb/home/kdc/kdc.conf and set the values inside
as needed or leave them to default values.
- Copy the sample administration access control file from /usr/lpp/skrb/examples/kadm5.acl
to /etc/skrb/home/kdc/kadm5.acl . The administrator can choose to
customize it or leave it as default.
- Start the skrbkdc task.
- Create the NFS principal for the z/OS NFS server using the kadmin
interface in z/OS UNIX. To enter the kadmin interface, issue the z/OS
UNIX command:
kadmin -p IBMUSER/admin -w IBMUSER
The -w option places the administrator password on the command line,
where it is visible in the shell history and the process list; omit it
and enter the password at the prompt instead. To create the NFS
principal, enter:
kadmin> addprinc nfs/host.domain
where host.domain is the fully qualified host name of the z/OS NFS server.
- For a multiple-realm environment, create the cross-realm
ticket-granting (krbtgt) principals in the kadmin interface:
kadmin> addprinc -e des-cbc-crc:normal krbtgt/KRB390.IBM.COM@KRB2000.IBM.COM
kadmin> addprinc -e des-cbc-crc:normal krbtgt/KRB2000.IBM.COM@KRB390.IBM.COM
Note: The -e des-cbc-crc:normal option should be used in order to
support various UNIX platforms. The passwords specified for these two
principals should be the same, and must match the keys defined for the
same principals on the remote realm's KDC.
- Add Kerberos principals into the Kerberos database through the
kadmin interface:
kadmin> addprinc user1
kadmin> addprinc user2
- See Configuring a secure z/OS NFS server and Configuring a secure z/OS NFS client.
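Before starting the skrbkdc task, it is worth checking that the files the steps above produce are consistent with each other and carry the permissions the steps call for. The script below is an added example written for this page; it is not part of the z/OS NFS server or the Network Authentication Service product. It assumes the paths used in the steps (/etc/skrb/krb5.conf and /etc/skrb/home/kdc/envar), parses the krb5.conf stanzas with awk, flags single-DES enctypes, validates SKDC_DATABASE, and inspects the mode column of ls -ld. Because it cannot see a live system, it writes constructed copies of the two files, modelled on the samples above, into a temporary directory and checks those.

```shell
#!/bin/sh
# Added sanity checks for /etc/skrb/krb5.conf and /etc/skrb/home/kdc/envar.
# Example code for this page, not IBM's; the sample files are constructed.

# krb5_get SECTION KEY FILE: value of KEY in [SECTION]; ';' lines are comments.
krb5_get() {
  awk -v sect="[$1]" -v key="$2" '
    /^[ \t]*;/ { next }
    /^[ \t]*\[/ { insect = ($1 == sect); next }
    insect && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$3"
}

# krb5_realm_get REALM KEY FILE: value of KEY inside "REALM = { ... }" in [realms].
krb5_realm_get() {
  awk -v realm="$1" -v key="$2" '
    /^[ \t]*;/ { next }
    /^[ \t]*\[/ { inrealms = ($1 == "[realms]"); inblock = 0; next }
    inrealms && $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
    inblock && $1 == "}" { inblock = 0; next }
    inblock && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$3"
}

# weak_enctypes LIST: print the single-DES enctypes in a comma- or
# space-separated list; status 0 if any were found.
weak_enctypes() {
  found=1
  for e in $(printf '%s\n' "$1" | tr ',' ' '); do
    case "$e" in
      des-cbc-crc|des-cbc-md5|des-cbc-md4) echo "$e"; found=0 ;;
    esac
  done
  return $found
}

# check_krb5_conf FILE: 0 when default_realm has a [realms] block with a kdc
# entry and a [domain_realm] mapping; WARN lines for single-DES enctypes.
check_krb5_conf() {
  f=$1; rc=0
  realm=$(krb5_get libdefaults default_realm "$f")
  [ -n "$realm" ] || { echo "ERROR: no default_realm in $f"; return 1; }
  kdc=$(krb5_realm_get "$realm" kdc "$f")
  [ -n "$kdc" ] || { echo "ERROR: no kdc for $realm in [realms]"; rc=1; }
  mapped=$(awk -v realm="$realm" '
    /^[ \t]*;/ { next }
    /^[ \t]*\[/ { insect = ($1 == "[domain_realm]"); next }
    insect && $2 == "=" && $3 == realm { print $1; exit }
  ' "$f")
  [ -n "$mapped" ] || { echo "ERROR: no [domain_realm] entry maps to $realm"; rc=1; }
  for key in default_tkt_enctypes default_tgs_enctypes; do
    for w in $(weak_enctypes "$(krb5_get libdefaults "$key" "$f")"); do
      echo "WARN: $key uses single-DES enctype $w (compatibility only)"
    done
  done
  return $rc
}

# check_envar FILE: SKDC_DATABASE must be SAF or NDBM (SAF when unset).
check_envar() {
  db=$(sed -n 's/^[ \t]*SKDC_DATABASE=[ \t]*//p' "$1" | tail -n 1)
  db=${db:-SAF}
  case "$db" in
    SAF|NDBM) echo "$db"; return 0 ;;
    *) echo "ERROR: SKDC_DATABASE=$db is not SAF or NDBM"; return 1 ;;
  esac
}

# perm_string FILE: the ten-character mode column of ls -ld, e.g. -rw-r--r--.
perm_string() { ls -ld "$1" | cut -c1-10; }

# check_perms CONF ENVAR: krb5.conf must not be group/other writable; envar
# must be neither readable nor writable by group/other.
check_perms() {
  rc=0
  case "$(perm_string "$1")" in
    ?????w????|????????w?) echo "ERROR: $1 is group/other writable"; rc=1 ;;
  esac
  case "$(perm_string "$2")" in
    ????r?????|?????w????|???????r??|????????w?)
      echo "ERROR: $2 is readable or writable by group/other"; rc=1 ;;
  esac
  return $rc
}

# make_sample DIR: constructed krb5.conf and envar modelled on the samples above.
make_sample() {
  d=$1; mkdir -p "$d"
  cat > "$d/krb5.conf" <<'EOF'
; constructed sample, modelled on /usr/lpp/skrb/examples/krb5.conf
[libdefaults]
  default_realm = KRB390.IBM.COM
  use_dns_lookup = 0
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
[realms]
  KRB390.IBM.COM = {
    kdc = dcesec4.krb390.ibm.com:88
    admin_server = dcesec4.krb390.ibm.com:749
  }
[domain_realm]
  .krb390.ibm.com = KRB390.IBM.COM
EOF
  printf 'SKDC_DATABASE=SAF\n' > "$d/envar"
  chmod 644 "$d/krb5.conf"; chmod 600 "$d/envar"
}

# Demonstration on the constructed files; on a real system call the check
# functions with /etc/skrb/krb5.conf and /etc/skrb/home/kdc/envar instead.
demo_dir=${TMPDIR:-/tmp}/skrb-check.$$
make_sample "$demo_dir"
check_krb5_conf "$demo_dir/krb5.conf"
check_envar "$demo_dir/envar"
check_perms "$demo_dir/krb5.conf" "$demo_dir/envar"
rm -r "$demo_dir"
```

On the constructed sample the structural checks pass and the script reports a WARN line for each of the two des-cbc-crc settings, which is the expected outcome for the compatibility configuration shown above; an ERROR line means the KDC should not be started until the file is corrected.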