Key Distribution Center Configuration

Use this window to view the Key Distribution Center (KDC) servers that are used by this HMC for Kerberos remote authentication, and to add KDC servers to or remove KDC servers from this HMC.

To use Kerberos remote authentication for this HMC, complete the following tasks from this window.

  • Optionally, import a service-key file into the HMC. The service-key file contains the host principal that identifies the HMC to the KDC server. Service-key files are also known as keytabs.
  • To add a new KDC server to this HMC, click Actions, choose Add KDC Server, and enter the realm and the host name or IP address of the KDC server.
  • To remove a KDC server from this HMC, select the KDC server that you want to remove in the KDC Servers table, click Actions, and choose Remove KDC Server.
  • To import a service-key file into this HMC, click Actions and choose Import Service Key. After importing a service-key file into the HMC, you must reboot the HMC for the change to take effect.
  • To delete a service-key file from this HMC, click Actions and choose Remove Service Key. You must reboot the HMC after deleting a service-key file from the HMC.

    KDC Servers
    This table lists the Key Distribution Center (KDC) servers that are currently used by this HMC. To remove a KDC server from this HMC, select the KDC server that you want to remove in this table, click Actions, and choose Remove KDC Server.

    This table contains the following information for each KDC server:

    IP Address or Hostname
    This is the host name or IP address for each KDC server.
    Realm
    This is the Kerberos realm that is currently used for each KDC server.
    Default realm
    Specify the default Kerberos realm that you want to use for this HMC. Unless you specify a different realm when you add the KDC server to this HMC, this realm is associated with all Key Distribution Center (KDC) servers that are added to this HMC. A Kerberos realm is an administrative domain, site, or logical network that uses Kerberos remote authentication. Each realm uses a master Kerberos database that contains information about the users and services for that realm. A realm might also have one or more slave servers, which store read-only copies of the master Kerberos database for that realm. By convention, a realm name is the same as the domain name associated with that realm, except that the realm name uses uppercase letters instead of lowercase letters. (For example, MIT.EDU is a valid realm name.) The realm name must be the same as the domain name if you import a service-key file into the HMC.
    Ticket lifetime
    Specify the number of seconds for which a ticket issued by the Key Distribution Center (KDC) server will be valid. The default ticket lifetime is 24000 seconds (6 hours and 40 minutes).
    Clock skew
    Specify the maximum number of seconds that the HMC time is allowed to differ from the Key Distribution Center (KDC) server time for a successful authentication. This allows users to authenticate successfully even when the HMC time and the KDC server time differ slightly.

    The default clock skew is 120 seconds.
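The following added example is not HMC code; it models the rules on this page (default realm assignment when a KDC server is added without an explicit realm, the uppercase realm-name convention, the requirement that the realm match the domain once a service key is imported, the ticket lifetime window, and the clock-skew tolerance) as a small checker an administrator could run against planned settings before entering them. The class and function names, and the sample host names, are assumptions made for the example.

```python
"""Checker for HMC Kerberos (KDC) settings, modelled on the rules described on this page.

Added example, not HMC code. Times are Unix epoch seconds so the checks need nothing
beyond the standard library.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_TICKET_LIFETIME = 24000   # seconds (6 hours 40 minutes), the HMC default
DEFAULT_CLOCK_SKEW = 120          # seconds, the HMC default


@dataclass
class KdcServer:
    host: str    # host name or IP address of the KDC server
    realm: str   # Kerberos realm associated with this server


@dataclass
class KerberosConfig:
    default_realm: str
    kdc_servers: List[KdcServer] = field(default_factory=list)
    ticket_lifetime: int = DEFAULT_TICKET_LIFETIME
    clock_skew: int = DEFAULT_CLOCK_SKEW
    service_key_imported: bool = False


def add_kdc_server(cfg: KerberosConfig, host: str, realm: Optional[str] = None) -> KdcServer:
    """Add a KDC server; without an explicit realm it takes the HMC default realm."""
    srv = KdcServer(host=host, realm=realm if realm is not None else cfg.default_realm)
    cfg.kdc_servers.append(srv)
    return srv


def expected_realm(domain: str) -> str:
    """By convention the realm name is the domain name in uppercase."""
    return domain.upper()


def check_realm_naming(cfg: KerberosConfig, hmc_domain: str) -> List[str]:
    """Return warnings for realm names that break the conventions on this page."""
    problems = []
    for srv in cfg.kdc_servers:
        if srv.realm != srv.realm.upper():
            problems.append(f"{srv.host}: realm '{srv.realm}' is not uppercase")
    # With a service key imported, the realm must equal the (uppercase) domain name.
    if cfg.service_key_imported and cfg.default_realm != expected_realm(hmc_domain):
        problems.append(f"service key imported but default realm '{cfg.default_realm}' "
                        f"does not match domain '{hmc_domain}'")
    return problems


def within_clock_skew(cfg: KerberosConfig, hmc_time: float, kdc_time: float) -> bool:
    """True if HMC and KDC clocks differ by no more than the configured skew."""
    return abs(hmc_time - kdc_time) <= cfg.clock_skew


def ticket_valid(cfg: KerberosConfig, issued_at: float, now: float) -> bool:
    """True while a ticket issued at `issued_at` is still inside its lifetime."""
    return issued_at <= now < issued_at + cfg.ticket_lifetime


def format_lifetime(seconds: int) -> str:
    """Render a lifetime in seconds as 'H hours and M minutes' for display."""
    hours, rem = divmod(seconds, 3600)
    minutes = rem // 60
    return f"{hours} hours and {minutes} minutes"


if __name__ == "__main__":
    # Constructed sample configuration for demonstration.
    cfg = KerberosConfig(default_realm="EXAMPLE.COM", service_key_imported=True)
    add_kdc_server(cfg, "kdc1.example.com")                          # inherits EXAMPLE.COM
    add_kdc_server(cfg, "kdc2.example.com", realm="lab.example.com")  # lowercase: flagged
    for p in check_realm_naming(cfg, "example.com"):
        print("warning:", p)
    print("default ticket lifetime:", format_lifetime(cfg.ticket_lifetime))
    print("90 s of skew accepted:", within_clock_skew(cfg, 1_700_000_000, 1_700_000_090))
```

The clock-skew check is symmetric, so it flags the HMC running ahead of the KDC just as it flags it running behind; a persistent failure here points at time synchronization rather than at credentials.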