informix培训与指导课程23_Informix_Security【管理培训资料】.ppt

* * * * See chapter 4 in IBM Informix Security Guide for more information on how to setup SSO for Informix. * * * During conversion from older server to 11.10 SETSESSIONAUTH privilege is granted to DBA For backward compatibility. * Kerberos is one of the key Single Sign-On solutions on the market. It is based on an open standard. Kerberos is essentially a secure network authentication protocol that employs a system of shared secret keys and is able to provide robust security against impersonation and reply attacks. With Kerberos, passwords are never flown on the wire, and the server and client may authenticate one another (referred to as mutual authentication). However, the solution relies upon a trusted third entity called the Key Distribution Centre (KDC), which has access to all keys. Another strong incentive for using Kerberos is that it provides a central repository for user IDs (or principals), thus centralizing and simplifying principal or identity management. In the existing Informix server, traditional authentication and PAM are the only two way to authenticate the clients. However, with SSO we are providing a third way for authentication. The general picture for single sign-on is that the client signs on to their local machine once, obtaining the TGT. In general, that ticket can be used by any kerberized application on their machine to connect to any kerberized service which will authorize them to do so (authorization is different from authentication!). However, unless the ticket is forwardable, the TGT is only usable for direct connections to the kerberized services; it is not possible to send it to a kerberized service and have the kerberized service forward it to other kerberized services that it in turn needs to use. The Generic Security Services Application Programming Interface (GSSAPI) is a generic API RFC 2743 for client server communication specifically used for authentication. Kerberos is an Internet Engineering Task Force (IETF) standard R