Enabling the Public Key Authentication Protocol

By default, the public key login authentication is disabled. To enable it and to configure it for users, follow these steps:

1. Make sure the public key software is installed on the master DCE Security server and on the replica servers. Public key software is available for DCE Versions 1.2.2 and later.

2. Initialize the cell's public key environment. If the cell is migrating from DCE 1.1 to DCE 1.2.2, follow steps a and b. Otherwise, follow step b.

a. Enable the public key on the master:

dcecp> registry modify -version secd.dce.1.2.2
dcecp>

The master will propagate the version information to each replica that has the public key software installed. Any replica that does not have the public key software installed will be shut down automatically.

b. As the cell_admin, request that an initial key-pair (public and private keys) be generated for the account of the local cell's krbtgt principal:

dcecp> account modify krbtgt/cell-name -pkgenprivkey value \
> -mypwd pwd
dcecp>

The registry will generate a key-pair and store it. The public key portion of the pair will be stored in the DCEPKAuthentication ERA attached to the krbtgt principal for the cell. The private key portion will be stored in the registry under the existing password-protection encryption.

Note that you can also use this command to modify an existing key-pair of the local cell's krbtgt principal.

3. On the cell administrator workstation, configure the user's public key account:

dcecp> account create name -group none \
> -organization none \
> -mypwd cell-admin-password \
> -password user-password \
> -pkmechanism file \
> -pkkeycipherusage {{generatekey default} {newpassphrase string}} \
> -pksignatureusage {{generatekey default} {newpassphrase string}}

The command does the following to the public key account:

· Indicates that the private key information should be stored in a file.

· Randomly generates a new public key-pair, which has an attached new password phrase that you supply for encryption purposes. The public key portion of the key-pair is stored in the ERA, and the private key portion is stored in a file.

· Randomly generates a new signature key-pair, which has an attached new password phrase that you supply. Again, the public key portion is stored in the ERA, and the private key is stored in a file.

4. Move the public key mechanism file from the cell administrator workstation to the user's workstation and change the ownership to the user. Provide the new password phrase to the user, but strongly encourage the user to change the password phrase so no one else knows it. To change a password phrase, the user can invoke the dcecp account modify command.
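The following dcecp script is an added example and is not part of the DCE documentation. It applies step 3 to several users in one run: dcecp is a Tcl interpreter, so ordinary Tcl control flow (foreach, catch, puts) can be combined with the account create command and options shown above. It assumes the script is run as cell_admin with dcecp, that the options behave exactly as in step 3, and that the account names, initial passwords and passphrases in the list are constructed placeholders to be replaced before use. Where the private key file is written is not stated on this page, so the script does not touch it; moving that file to the user's workstation (step 4) remains a separate step.

```tcl
# Added example, not from the DCE documentation: create public key accounts
# for several users with one dcecp script (run as cell_admin).
# Assumptions: the account create options are exactly those documented in
# step 3; every value below is a constructed placeholder.

# Cell administrator password, supplied at run time in practice rather than
# stored in the script (placeholder value).
set cell_admin_pwd "<cell-admin-password>"

# Constructed list: {account-name initial-password cipher-phrase signature-phrase}.
# Each user gets a distinct initial passphrase for each key-pair and is
# expected to change both with "account modify" after receiving the key file.
set new_users {
    {alice tmp-alice-pw init-alice-cipher init-alice-sig}
    {bob   tmp-bob-pw   init-bob-cipher   init-bob-sig}
}

foreach entry $new_users {
    set name          [lindex $entry 0]
    set user_pwd      [lindex $entry 1]
    set cipher_phrase [lindex $entry 2]
    set sig_phrase    [lindex $entry 3]

    # Build the nested option lists with "list" so that phrases containing
    # spaces or braces are still passed as a single element.
    set cipher_usage [list [list generatekey default] [list newpassphrase $cipher_phrase]]
    set sig_usage    [list [list generatekey default] [list newpassphrase $sig_phrase]]

    # "catch" turns a failed account create into a reported error for this
    # user instead of aborting the whole batch.
    set rc [catch {
        account create $name -group none \
            -organization none \
            -mypwd $cell_admin_pwd \
            -password $user_pwd \
            -pkmechanism file \
            -pkkeycipherusage $cipher_usage \
            -pksignatureusage $sig_usage
    } result]

    if {$rc != 0} {
        puts stderr "account create failed for $name: $result"
        continue
    }
    puts "created public key account for $name (key material stored in a file; hand it over per step 4)"
}
```

Run it with dcecp and the script file as its argument. Keeping the cell administrator password out of the script body, and clearing the initial passphrases from the list once the users have changed them, avoids leaving the secrets that step 4 tells you to hand over sitting in a readable file.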

By default, only the cell administrator can create or modify a public key account. However, a cell administrator can modify the ACL managers for the public key ERAs, thereby allowing users to change their own key-pairs. To modify the ACL managers:

dcecp> xattrschema modify /.:/sec/xattrschema/DCEPKAuthentication \
> -aclmgr {principal {query r} {update u} {test r} {delete m}}
dcecp> xattrschema modify /.:/sec/xattrschema/DCEPKKeyEncipherment \
> -aclmgr {principal {query r} {update u} {test r} {delete m}}