Page tree

Contents

You can upload keytab files that contain a single GSS-TSIG key or multiple GSS-TSIG keys on a single NIOS appliance. For each member in the Grid, you can upload up to 256 GSS-TSIG keys in a single keytab file. Trust relationships between AD domains and AD forests are not required. You can upload GSS-TSIG keys through Grid Manager or the Infoblox API.
Note that only superusers can manage all GSS-TSIG keys globally on a given member through Grid Manager or the Infoblox API. Using this feature, superusers can determine the keys that belong to a particular member. You can assign multiple GSS-TSIG keys to a member and all these keys are saved in the Grid. The uploaded keys will be available in the member DNS, Grid DNS, member DHCP or Grid DHCP properties. NIOS supports the following GSS-TSIG encryption types:

  • des-cbc-crc
  • des-cbc-md5
  • arcfour-hmac-md5
  • aes128-cts-hmac-sha1-96
  • aes256-cts-hmac-sha1-96

NIOS displays a warning message in Grid Manager and in the syslog if you upload a key that does not belong to the GSS-TSIG encryption types. For more information, see Logging Messages.

Limitations when Using Multiple GSS-TSIG keys

  • You can assign SPNs belonging to different domains to a DNS member, but you cannot assign SPNs belonging to different domains to a DHCP member, although two DHCP members can update the same DNS member.
  • You must ensure that the domains assigned to a DNS member are unique.
  • The GSS-TSIG domain for a remote forward or remote reverse zone is single-valued. For example, if DHCP clients ABC and XYZ from Grid 1 want to send DDNS updates to Grid 2, either client ABC or XYZ will succeed.

Scheduled Upgrade

A scheduled upgrade with one or more keys in the keytab files that you have uploaded will operate the same as prior to upgrade. NIOS will parse and extract keys from the uploaded keytab file. NIOS automatically assigns these keys to the DNS member, DHCP member, Grid DHCP or Grid DNS to which the keytab file was uploaded before the upgrade. You can assign these keys to Grid members after the upgrade is complete.
NIOS does not display an error message if the keys do not have an SPN with the DNS prefix, but it will record a warning message in the syslog.

Admin Permissions for Configuring GSS-TSIG keys

You can assign a key to a Grid member only if you have read permission for the kerberos key and read/write permission for the member. You can upload keys only if you have read/write permissions for kerberos keys. To remove a key that is assigned to a member, you must have read/write permission for the respective member.
Note that in the Administration -> Administrators -> Permissions tab, NIOS displays All Kerberos Keys and Kerberos Key in the Resource and Resource Type columns respectively for DHCP Admin and DNS Admin roles with default read/write permissions.

Enabling GSS-TSIG Authentication for DHCP

You can enable GSS-TSIG authentication at the Grid or member level and associate it with one or more keys of the same SPN or realm. When you enable GSS-TSIG authentication, make sure that you upload the keytab file from the Kerberos account for the Infoblox DHCP server. You can import keytab files with multiple keys to the Grid or to individual members. You can assign the uploaded keys to member DHCP or Grid DHCP. The appliance displays a warning message if you assign a GSS-TSIG key with service class "DNS" in its SPN to a DHCP member. For more information about GSS-TSIG keys, see Configuring GSS-TSIG keys.
The appliance displays an error message in the following cases:

  • if you assign keys of different realms to a DHCP member or Grid DHCP.
  • when you try to enable GSS-TSIG without a valid key.

The AD domain controller stores the keytab file in the directory in which you generated the keytab file. You can copy this file to a management system that connects to the NIOS appliance or launch the NIOS Grid Manager on the AD domain controller and import the keytab file to the NIOS appliance.
To enable GSS-TSIG authentication for DHCP and import keytab files:

  1. Grid: From the Data Management tab, select the DHCP tab, expand the Toolbar and click Grid DHCP Properties
    Member: From the Data Management tab, select the DHCP tab and click the Members tab -> member check box -> Edit icon. To override an inherited property, click Override next to it and complete the appropriate fields.
    Standalone DHCP: From the Data Management tab, select the DHCP tab, expand the Toolbar and click System DHCP Properties.
  2. In the IPv4 DDNS -> Basic tab or the IPv6 DDNS -> Basic tab of the editor, complete the following:
    • DDNS Updates: Select Enable DDNS Updates to enable the DHCP servers in the Grid to send DDNS updates.
    • DDNS Domain Name: Specify the domain name of the network that the appliance uses to update DNS. For IPv4 clients, you can specify this at the network, network template, range, and range template levels. For IPv6 clients, you can specify this at the Grid, member, network, shared network, and network template levels.
    • DDNS Update TTL: You can set the TTL used for A record and PTR records updated by the DHCP server. The default is shown as zero. If you do not enter a value here, the appliance by default sets the TTL to half of the DHCP lease time with a maximum of 3600 seconds. For example, a lease time of 1800 seconds results in a TTL of 900 seconds, and a lease time of 86400 seconds results in a TTL of 3600 seconds.
    • DDNS Update Method: Select the method used by the DHCP server to send DDNS updates. You can select either Interim or Standard from the drop-down list. The default is Interim. When you select Interim, TXT record will be created for DDNS updates and when you select Standard, DHCID record will be created for DDNS updates. But in the IPv4 DDNS -> Advanced tab or the IPv6 DDNS -> Advanced tab, if you have selected No TXT Record mode for the DHCP server to use when handling DNS updates, then TXT record or DHCID record is not created for DDNS updates.
      If you change the DDNS update method from Interim to Standard or vice versa, then the DHCP server changes the DHCID type used from TXT record to DHCID record or vice versa as the leases are renewed.
      This is supported for clients that acquire both IPv4 and IPv6 leases. Infoblox recommends you to configure different DDNS update method for IPV4 leases and IPv6 leases, Interim for IPv4 lease and Standard for IPv6 lease.
    • GSS-TSIG: Complete the following:
      • Enable GSS-TSIG Updates: Select this to enable the DHCP server to send GSS-TSIG authenticated DDNS updates.
      • Manage Keytab Files: To upload a keytab file, click Manage GSS-TSIG keys. In the Manage GSS-TSIG Keys dialog box, click the Add icon. In the Upload dialog box, click Select, navigate to the keytab file, select it, and then click Upload. You can also delete individual keys. For more information about managing GSS-TSIG keys, see Managing GSS-TSIG keys 9.
      • Domain Controller: Enter the resolvable host name or IP address of the AD domain controller that hosts the KDC for the domain.
      • Principal: The principal member of the key. For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update does not require the server class 'DHCP.' You can either specify an FQDN or an IP address for the <host> of an SPN.
      • GSS-TSIGKey: Select the name of the GSS-TSIG key from the drop-down list that you want the Grid to use. This is only available if you have uploaded a keytab file. Click the arrow beside the Add icon to either assign keys or upload and assign keys. You can either select AssignKeys or Upload&AssignKeys from the drop-down list.
        • Assign Keys: Select Assign Keys to select a GSS-TSIG key from the GSS-TSIG Key Selector. Click Principal, which is displayed as a hyperlink, to select it. For more information about the GSS_TSIG Key Selector, see Selecting Keys in the GSS-TSIG Key Selector .
        • Upload&Assign Keys: Select Upload&Assign Keys to upload and assign keys. In the Upload dialog box, select the file and navigate to the file you want to upload. Click Upload. The appliance assigns the keys contained in the selected keytab file.
      • The following are displayed in the table:
        • Version: The version of the key.
        • Encryption type: The encryption type of the key.
        • Last update: The timestamp when the key was uploaded.
    • Zones this member can update securely: Click Display to list the external zones to which the Grid member can send secured DDNS updates.
    • Lease Renewal Update: Select Update DNS on DHCP Lease Renewal to enable the DHCP server to update DNS when a DHCP lease is renewed.

     3. Save the configuration and click Restart if it appears at the top of the screen.

Deleting GSS-TSIG keys associated with DHCP Objects

You can delete individual keys if it is not in use by the Grid or any member. To delete a key that is assigned to a member, you must have Read/Write permission for the member. To delete individual keys:

  1. Grid: From the Data Management tab, select the DHCP tab, expand the Toolbar and click Grid DHCP Properties
    Member: From the Data Management tab, select the DHCP tab and click the Members tab -> member check box -> Edit icon.
    Standalone DHCP: From the Data Management tab, select the DHCP tab, expand the Toolbar and click System DHCP Properties.
  2. In the IPv4 DDNS tab or the IPv6 DDNS -> Basic tab of the editor, select keys from the list under GSS-TSIG Keys and click the Delete icon to delete keys.

Enabling GSS-TSIG Authentication for DNS

For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have 'DNS' in its service class. You can upload a keytab file to the Grid with multiple keys in which each key has an SPN in this format:  DNS/<host>@<realm> . You can associate a DNS member or a Grid DNS with one or more keys of the same SPN or realm or of different SPN or realms. You can assign the uploaded keys to member DNS or Grid DNS, but NIOS displays an error when you try to enable GSS-TSIG without a valid key if the assigned key does not have the service class 'DNS' in its SPN.
To enable GSS-TSIG authentication for DNS and import keytab files:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon. To override an inherited property, click Override next to it and complete the appropriate fields.
    Standalone DNS: From the Data Management tab, select the DNS tab, expand the Toolbar and click System DNS Properties.
  2. In the GSS-TSIG -> Basic tab of the editor, complete the following:
    • GSS-TSIG: Select Enable GSS-TSIG authentication of clients to accept GSS-TSIG signed DDNS updates from clients that belong to different AD domains in which each domain has an unique GSS-TSIG key.
    • Manage Keytab Files: To upload a keytab file, click Manage GSS-TSIG keys. In the Manage GSS-TSIG Keys dialog box, click the Add icon. In the Upload dialog box, click Select, navigate to the keytab file, select it, and then click Upload. You can also delete individual keys. For more information, see Managing GSS-TSIG keys.
    • GSS-TSIG Keys: Click the arrow beside the Add icon to either assign keys or upload and assign keys. You can either select Assign Keys or Upload&Assign Keys from the drop-down list.
      • Assign Keys: Select Assign Keys to select a GSS-TSIG key from the GSS-TSIG Key Selector. Click Principal, which is displayed as a hyperlink, to select it. For more information about the GSS_TSIG Key Selector, see Selecting Keys in the GSS-TSIG Key Selector.
      • Upload&Assign Keys: Select Upload&Assign Keys to upload and assign keys. In the Upload dialog box, select the file and navigate to the file you want to upload. Click Upload. The appliance assigns keys in the uploaded file.
        The following are displayed:
      • Principal: The principal member of the key. For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have DNS in its service class. It is of the following form:
               DNS/<host>@<realm>

You can either specify an FQDN or an IP address for the <host> of an SPN.

      • Domain: The domain name assigned to the DNS member.
      • Version: The version of the key.
      • Encryptiontype: The encryption type of the key.
      • Lastupdate: The timestamp when the key was uploaded.

     3. Save the configuration.

NIOS sorts the data in the table based on the last updated timestamp, by default. Note that sometimes GSS-TSIG updates might stop working after you restart the DNS service because the appliance discards the GSS-TSIG keys, when you restart the DNS service. If this happens, wait several minutes until the Microsoft server performs another handshake using the new key.

Deleting GSS-TSIG keys associated with the DNS Objects

You can delete individual keys if it is not in use by the Grid or any member. To delete a key that is assigned to a member, you must have Read/Write permission for the member. To delete individual keys:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
    Standalone DNS: From the Data Management tab, select the DNS tab, expand the Toolbar and click System DNS Properties.
  2. In the GSS-TSIG -> Basic tab of the editor, select keys from the list under GSS-TSIG Keys.
  3. Click the Delete icon to delete.

Logging Messages

The appliance saves the audit log entries for insert and delete operations. If you upload keys with encryption types other than the ones that NIOS supports, the appliance displays a warning message in Grid Manager and in the syslog and also it displays the encryption type as *other* in Grid Manager and in the syslog. For more information about the syslog, see Using a Syslog Server.

The appliance generates an audit log when you upload a key, assign the key to a member, remove the key associated with a member or delete a key. The audit log entries are based on each key that you have uploaded. For example, NIOS saves the following in the audit log when you upload a key:

2014-02-14 18:17:30.531Z \[admin\]: imported DNS Kerberos key for

principal='DNS/infoblox.localdomain@abc.com', version=5, enctype=des-cbc-crc

For more information about audit logs, see Using the Audit Log. You can search Kerberos keys using the realm (domain), principal name or an encryption type.

The appliance generates a comment in the option section of the DNS configuration file for each Kerberos principal that is associated with the Grid member. These comments are for information only and it indicates the principals, their versions and encryption types that are used by the appliance.

Managing GSS-TSIG keys

You can upload a keytab file that contains one or multiple GSS-TSIG keys and delete multiple keys through the
Manage GSS-TSIG Keys wizard. To manage multiple GSS-TSIG keys, complete the following:

  1. From the Grid tab, select the Grid Manager tab -> Members tab, expand the Toolbar and click Manage GSS-TSIG Keys.
  2. In the Manage GSS-TSIG Keys wizard, the following are displayed:
    • Principal: The principal name that is mapped to the keytab file.
    • Domain: The name of the domain that is mapped to the keytab file.
    • Version: The version of the keytab file.
    • In use: Indicates whether the keytab file is in use or not.
    • Members: The members associated with the keytab file. Click the hyperlink and the Members dialog box is displayed. It displays the list of members that are associated with the keytab file.
    • Encryption type: The encryption type of the key.
    • Last update: The timestamp when the key was last uploaded.
  3. Click the Upload Keytab File icon to upload a new keytab file. In the Upload dialog box, click Select and navigate to the keytab file. Click Upload to upload the file.

To delete a GSS-TSIG key, select the appropriate key and click the Delete icon.

Selecting Keys in the GSS-TSIG Key Selector

NIOS displays the keys that you have uploaded using the keytab files. You can choose a filter and an operator to view specific keys that you have uploaded. The GSS-TSIG Key Selector wizard is displayed only when you select Assign Keys in the Properties editor. For more information about how to assign keys to DNS and DHCP objects, see Enabling GSS-TSIG Authentication for DNS and Enabling GSS-TSIG Authentication for DHCP respectively.
To select a key from the GSS-TSIG Key Selector, complete the following:

  1. Click Show Filter to filter the values:
    • Select a value from the drop-down list to filter your values: Domain, Encryption type, In use, Last update, Principal, and Version.
    • Select one of these operators from the drop-down list: equals, does not equal, begins with, and does not begin with.
    • Enter the value that you want to search in the text box.
      Click Hide Filter to hide the filter. Alternatively, you can enter a value in the text box for Find and click Go to search specific keys from the keytab files.

     2. The following details are displayed in the table:

    • Principal: The principal name that is mapped to the keytab file. Click Principal to assign the key to the DNS or DHCP object.
    • Domain: The name of the domain that is mapped to the keytab file.
    • Version: The version of the keytab file.
    • Inuse: Indicates whether the keytab file is in use or not.
    • Members: The members associated with the keytab file.
    • Encryptiontype: The encryption type of the key.
    • Lastupdate: The timestamp when the key was last uploaded.


  • No labels

This page has no comments.