Kerberos Security Features

ClearPath Kerberos Security enables MCP environment users and application programs to participate in a Kerberos authentication domain. Kerberos is configured through the Kerberos module of Security Center. Kerberos Security provides MCP support for the following:

  • A secured network log-on process that does not send passwords in clear text over the network.

  • MCP participation in a single network log-on over multiple types of terminal transfer protocols within the authentication domain.

  • A front end (GSS-API) that enables user-written applications and system software to call Kerberos Security for end-user authentication, data integrity checks, and data encryption.

    Data or message encryption is available only with a special run-time key. Distribution of this run-time key is subject to U.S. export regulations.

  • User administration, including managing principals, the Kerberos Security Key Table, and configuration files, and performing other administrative tasks.

  • External users

    Terminal users transferring from a Kerberos-capable source to an MCP environment with Kerberos Security enabled are authenticated by means of Kerberos Security and automatically logged on to MARC. MARC does not prompt for a usercode and password, as it usually does without Kerberos Security. A password is not sent in the Kerberos protocol.

Principal ID

On a server running Kerberos Security, each user has a principal ID. A principal ID is made up of two components: a principal name and a realm name. A principal name must be unique within a realm, which means the principal ID must be unique within a Kerberos authentication domain. For MCP users, the principal name component of the principal ID can be the same as the user's usercode.

On ClearPath MCP servers, the principal ID is mapped to a usercode and therefore has the same access rights associated with that usercode. When using Kerberos authentication, a user must have both of the following items:

  • A principal ID defined in the Kerberos database

  • A mapping from this principal ID to a usercode defined in the USERDATAFILE
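The two conditions above can be modeled as a fail-closed lookup plus an audit of the mapping table. This is an added example, not Unisys code: the sets and dictionaries are constructed stand-ins for the Kerberos database and the USERDATAFILE mappings (not their real formats), the function names are hypothetical, and principal IDs are written in the conventional Kerberos text form name@REALM.

```python
from collections import defaultdict


def split_principal(principal_id):
    """Split 'name@REALM' into (name, realm). Assumes no escaped '@' in the name."""
    name, sep, realm = principal_id.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal ID: {principal_id!r}")
    return name, realm


def resolve_usercode(principal_id, kerberos_db, mapping):
    """Return the mapped usercode only when BOTH conditions hold, else None."""
    split_principal(principal_id)        # reject malformed IDs before any lookup
    if principal_id not in kerberos_db:  # condition 1: principal is defined
        return None
    # condition 2: a mapping exists. Comparison is exact, because Kerberos
    # realm names are case-sensitive.
    return mapping.get(principal_id)


def audit(kerberos_db, mapping):
    """Report mapping gaps and usercodes reachable from several principals."""
    by_usercode = defaultdict(list)
    for pid, usercode in mapping.items():
        by_usercode[usercode].append(pid)
    return {
        # defined principals that cannot log on: no usercode mapping
        "unmapped": sorted(p for p in kerberos_db if p not in mapping),
        # mappings left behind for principals that are not defined
        "orphaned": sorted(p for p in mapping if p not in kerberos_db),
        # each listed principal inherits this usercode's access rights
        "shared": {u: sorted(ps) for u, ps in by_usercode.items() if len(ps) > 1},
    }


# Constructed sample data (hypothetical principals and usercodes).
KERBEROS_DB = {"alice@EXAMPLE.COM", "alice@LAB.EXAMPLE.COM",
               "bob@EXAMPLE.COM", "carol@EXAMPLE.COM"}
USERCODE_MAP = {"alice@EXAMPLE.COM": "ALICE", "alice@LAB.EXAMPLE.COM": "ALICE",
                "bob@EXAMPLE.COM": "BOB", "dave@EXAMPLE.COM": "DAVE"}

if __name__ == "__main__":
    for pid in sorted(KERBEROS_DB | set(USERCODE_MAP)):
        print(pid, "->", resolve_usercode(pid, KERBEROS_DB, USERCODE_MAP))
    print(audit(KERBEROS_DB, USERCODE_MAP))
```

Because the principal inherits the access rights of its usercode, the "shared" entries are the ones to review first: the same principal name in a different realm is a different principal ID.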

For information about how to establish a usercode mapping to a Kerberos identity, refer to the System Software Utilities Operations Reference Manual.

For detailed information about the principal ID, Kerberos concepts, and the installation, configuration, and administration of Kerberos Security, refer to the Kerberos Security Configuration and Administration Guide.