...

NIOS displays a warning message in Grid Manager and in the syslog if you upload a key that does not belong to the GSS-TSIG encryption types. For more information, see Logging Messages.

Limitations when Using Multiple GSS-TSIG keys

...

A scheduled upgrade with one or more keys in the keytab files that you have uploaded will operate the same as prior to upgrade. NIOS will parse and extract keys from the uploaded keytab file. NIOS automatically assigns these keys to the DNS member, DHCP member, Grid DHCP or Grid DNS to which the keytab file was uploaded before the upgrade. You can assign these keys to Grid members after the upgrade is complete.
NIOS does not display an error message if the keys do not have an SPN with the DNS prefix, but it will record a warning message in the syslog.
NIOS 8.1 NIOS Administrator Guide (Rev. A), page 985
Configuring DDNS Updates

Admin Permissions for Configuring GSS-TSIG keys

You can assign a key to a Grid member only if you have read permission for the kerberos key and read/write permission for the member. You can upload keys only if you have read/write permissions for kerberos keys. To remove a key that is assigned to a member, you must have read/write permission for the respective member.
Note that in the Administration -> Administrators -> Permissions tab, NIOS displays All Kerberos Keys and Kerberos Key in the Resource and Resource Type columns respectively for DHCP Admin and DNS Admin roles with default read/write permissions.

Enabling GSS-TSIG Authentication for DHCP

You can enable GSS-TSIG authentication at the Grid or member level and associate it with one or more keys of the same SPN or realm. When you enable GSS-TSIG authentication, make sure that you upload the keytab file from the Kerberos account for the Infoblox DHCP server. You can import keytab files with multiple keys to the Grid or to individual members. You can assign the uploaded keys to member DHCP or Grid DHCP. The appliance displays a warning message if you assign a GSS-TSIG key with service class "DNS" in its SPN to a DHCP member. For more information about GSS-TSIG keys, see Configuring GSS-TSIG keys.
The appliance displays an error message in the following cases:

...

  1. Grid: From the Data Management tab, select the DHCP tab, expand the Toolbar and click Grid DHCP Properties. 
    Member: From the Data Management tab, select the DHCP tab and click the Members tab -> member check box -> Edit icon. To override an inherited property, click Override next to it and complete the appropriate fields.
    Standalone DHCP: From the Data Management tab, select the DHCP tab, expand the Toolbar and click System DHCP Properties.
  2. In the IPv4 DDNS -> Basic tab or the IPv6 DDNS -> Basic tab of the editor, complete the following:
    • DDNS Updates: Select Enable DDNS Updates to enable the DHCP servers in the Grid to send DDNS updates.
    • DDNS Domain Name: Specify the domain name of the network that the appliance uses to update DNS. For IPv4 clients, you can specify this at the network, network template, range, and range template levels. For IPv6 clients, you can specify this at the Grid, member, network, shared network, and network template levels.
    • DDNS Update TTL: You can set the TTL used for A record and PTR records updated by the DHCP server. The default is shown as zero. If you do not enter a value here, the appliance by default sets the TTL to half of the DHCP lease time with a maximum of 3600 seconds. For example, a lease time of 1800 seconds results in a TTL of 900 seconds, and a lease time of 86400 seconds results in a TTL of 3600 seconds.
    • DDNS Update Method: Select the method used by the DHCP server to send DDNS updates. You can select either Interim or Standard from the drop-down list. The default is Interim. When you select Interim, a TXT record is created for DDNS updates; when you select Standard, a DHCID record is created for DDNS updates. However, if you have selected the No TXT Record mode in the IPv4 DDNS -> Advanced tab or the IPv6 DDNS -> Advanced tab for the DHCP server to use when handling DNS updates, then neither a TXT record nor a DHCID record is created for DDNS updates.
      If you change the DDNS update method from Interim to Standard or vice versa, the DHCP server changes the DHCID type used from TXT record to DHCID record (or vice versa) as the leases are renewed.
      This is supported for clients that acquire both IPv4 and IPv6 leases. Infoblox recommends that you configure different DDNS update methods for IPv4 leases and IPv6 leases: Interim for IPv4 leases and Standard for IPv6 leases.
    • GSS-TSIG: Complete the following:

...

      • Enable GSS-TSIG Updates: Select this to enable the DHCP server to send GSS-TSIG authenticated DDNS updates.
      • Manage Keytab Files: To upload a keytab file, click Manage GSS-TSIG keys. In the Manage GSS-TSIG Keys dialog box, click the Add icon. In the Upload dialog box, click Select, navigate to the keytab file, select it, and then click Upload. You can also delete individual keys. For more information about managing GSS-TSIG keys, see Managing GSS-TSIG keys.
      • Domain Controller: Enter the resolvable host name or IP address of the AD domain controller that hosts the KDC for the domain.
      • Principal: The principal member of the key. For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update does not require the service class 'DHCP'. You can specify either an FQDN or an IP address for the <host> of an SPN.
      • GSS-TSIG Key: Select the name of the GSS-TSIG key from the drop-down list that you want the Grid to use. This is only available if you have uploaded a keytab file. Click the arrow beside the Add icon to either assign keys or upload and assign keys. You can select either Assign Keys or Upload&Assign Keys from the drop-down list.
        • Assign Keys: Select Assign Keys to select a GSS-TSIG key from the GSS-TSIG Key Selector. Click Principal, which is displayed as a hyperlink, to select it. For more information about the GSS-TSIG Key Selector, see Selecting Keys in the GSS-TSIG Key Selector.
        • Upload&Assign Keys: Select Upload&Assign Keys to upload and assign keys. In the Upload dialog box, select the file and navigate to the file you want to upload. Click Upload. The appliance assigns the keys contained in the selected keytab file.
      • The following are displayed in the table:
        • Version: The version of the key.
        • Encryption type: The encryption type of the key.
        • Last update: The timestamp when the key was uploaded.
    • Zones this member can update securely: Click Display to list the external zones to which the Grid member can send secured DDNS updates.
    • Lease Renewal Update: Select Update DNS on DHCP Lease Renewal to enable the DHCP server to update DNS when a DHCP lease is renewed.

  3. Save the configuration and click Restart if it appears at the top of the screen.

Deleting GSS-TSIG keys associated with DHCP Objects

...

  1. Grid: From the Data Management tab, select the DHCP tab, expand the Toolbar and click Grid DHCP Properties. 
    Member: From the Data Management tab, select the DHCP tab and click the Members tab -> member check box -> Edit icon.
    Standalone DHCP: From the Data Management tab, select the DHCP tab, expand the Toolbar and click System DHCP Properties.
  2. In the IPv4 DDNS -> Basic tab or the IPv6 DDNS -> Basic tab of the editor, select keys from the list under GSS-TSIG Keys and click the Delete icon to delete keys.

...

For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have 'DNS' in its service class. You can upload a keytab file to the Grid with multiple keys in which each key has an SPN in this format: DNS/<host>@<realm>. You can associate a DNS member or a Grid DNS with one or more keys of the same SPN or realm, or of different SPNs or realms. You can assign the uploaded keys to member DNS or Grid DNS, but NIOS displays an error when you try to enable GSS-TSIG without a valid key, that is, if the assigned key does not have the service class 'DNS' in its SPN.
To enable GSS-TSIG authentication for DNS and import keytab files:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon. To override an inherited property, click Override next to it and complete the appropriate fields.
    Standalone DNS: From the Data Management tab, select the DNS tab, expand the Toolbar and click System DNS Properties.
  2. In the GSS-TSIG -> Basic tab of the editor, complete the following:
    • GSS-TSIG: Select Enable GSS-TSIG authentication of clients to accept GSS-TSIG signed DDNS updates from clients that belong to different AD domains, where each domain has a unique GSS-TSIG key.
    • Manage Keytab Files: To upload a keytab file, click Manage GSS-TSIG keys. In the Manage GSS-TSIG Keys dialog box, click the Add icon. In the Upload dialog box, click Select, navigate to the keytab file, select it, and then click Upload. You can also delete individual keys. For more information, see Managing GSS-TSIG keys.
    • GSS-TSIG Keys: Click the arrow beside the Add icon to either assign keys or upload and assign keys. You can select either Assign Keys or Upload&Assign Keys from the drop-down list.
      • Assign Keys: Select Assign Keys to select a GSS-TSIG key from the GSS-TSIG Key Selector. Click Principal, which is displayed as a hyperlink, to select it. For more information about the GSS-TSIG Key Selector, see Selecting Keys in the GSS-TSIG Key Selector.
      • Upload&Assign Keys: Select Upload&Assign Keys to upload and assign keys. In the Upload dialog box, select the file and navigate to the file you want to upload. Click Upload. The appliance assigns the keys in the uploaded file.
      The following are displayed:
      • Principal: The principal member of the key. For GSS-TSIG based DDNS updates, the SPN of the key used to carry out the update must have DNS in its service class. It is of the following form:

...


You can either specify an FQDN or an IP address for the <host> of an SPN.

      • Domain: The domain name assigned to the DNS member.
      • Version: The version of the key.
      • Encryption type: The encryption type of the key.
      • Last update: The timestamp when the key was uploaded.

  3. Save the configuration.

By default, NIOS sorts the data in the table based on the last updated timestamp. Note that GSS-TSIG updates might sometimes stop working after you restart the DNS service, because the appliance discards the GSS-TSIG keys when the DNS service restarts. If this happens, wait several minutes until the Microsoft server performs another handshake using the new key.

Deleting GSS-TSIG keys associated with the DNS Objects

...

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
    Standalone DNS: From the Data Management tab, select the DNS tab, expand the Toolbar and click System DNS Properties.
  2. In the GSS-TSIG -> Basic tab of the editor, select keys from the list under GSS-TSIG Keys.
  3. Click the Delete icon to delete.

...

Logging Messages

...

The appliance saves the audit log entries for insert and delete operations. If you upload keys with encryption types other than the ones that NIOS supports, the appliance displays a warning message in Grid Manager and in the syslog, and it displays the encryption type as *other* in Grid Manager and in the syslog. For more information about the syslog, see Using a Syslog Server.

The appliance generates an audit log entry when you upload a key, assign the key to a member, remove the key associated with a member, or delete a key. The audit log entries are based on each key that you have uploaded. For example, NIOS saves the following in the audit log when you upload a key:

    2014-02-14 18:17:30.531Z [admin]: imported DNS Kerberos key for principal='DNS/infoblox.localdomain@abc.com', version=5, enctype=des-cbc-crc

For more information about audit logs, see Using the Audit Log. You can search Kerberos keys using the realm (domain), principal name, or an encryption type.

The appliance generates a comment in the options section of the DNS configuration file for each Kerberos principal that is associated with the Grid member. These comments are for information only; they indicate the principals, their versions, and the encryption types that are used by the appliance.
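The following added example (not code from the NIOS guide or from Infoblox) shows how an administrator could review the key-import audit entries in the format shown above: it parses each entry, applies the SPN service-class rules from Enabling GSS-TSIG Authentication for DNS and for DHCP, and flags deprecated Kerberos encryption types such as the des-cbc-crc shown in the guide's example. The sample log lines, the DHCP entry format, and the weak-enctype list are assumptions constructed for illustration.

```python
import re

# Constructed sample audit-log entries in the format the guide shows for a key import.
# Only the first line mirrors the guide's example; the other two are made up (assumed format).
SAMPLE_AUDIT_LOG = """\
2014-02-14 18:17:30.531Z [admin]: imported DNS Kerberos key for principal='DNS/infoblox.localdomain@abc.com', version=5, enctype=des-cbc-crc
2014-02-14 18:18:02.004Z [admin]: imported DHCP Kerberos key for principal='DHCP/dhcp1.example.test@EXAMPLE.TEST', version=2, enctype=aes256-cts-hmac-sha1-96
2014-02-14 18:19:11.777Z [admin]: imported DNS Kerberos key for principal='host/ns1.example.test@EXAMPLE.TEST', version=3, enctype=arcfour-hmac
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<user>[^\]]+)\]: imported (?P<target>DNS|DHCP) Kerberos key for "
    r"principal='(?P<principal>[^']+)', version=(?P<version>\d+), enctype=(?P<enctype>\S+)$"
)
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

# Single-DES and RC4 enctypes are deprecated for Kerberos (RFC 6649, RFC 8429); list is an assumption.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}


def check_key(target: str, principal: str, enctype: str) -> list:
    """Return the warnings a reviewer would raise for one imported key."""
    warnings = []
    m = SPN_RE.match(principal)
    if not m:
        warnings.append("SPN is not of the form service/<host>@<realm>")
    else:
        service = m.group("service").upper()
        # A DNS member's key needs service class 'DNS'; a 'DNS' key on a DHCP member draws a warning.
        if target == "DNS" and service != "DNS":
            warnings.append("DNS member key lacks service class 'DNS' in its SPN")
        if target == "DHCP" and service == "DNS":
            warnings.append("key with service class 'DNS' assigned to a DHCP member")
    if enctype.lower() in WEAK_ENCTYPES:
        warnings.append(f"deprecated encryption type {enctype}")
    return warnings


def audit_keys(log_text: str) -> dict:
    """Map each principal in 'imported ... Kerberos key' audit entries to its warnings."""
    findings = {}
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            findings[m["principal"]] = check_key(m["target"], m["principal"], m["enctype"])
    return findings


if __name__ == "__main__":
    for principal, warnings in audit_keys(SAMPLE_AUDIT_LOG).items():
        print(principal, "->", warnings or ["ok"])
```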

Managing GSS-TSIG keys

...

To delete a GSS-TSIG key, select the appropriate key and click the Delete icon.

Selecting Keys in the GSS-TSIG Key Selector

NIOS displays the keys that you have uploaded using the keytab files. You can choose a filter and an operator to view specific keys that you have uploaded. The GSS-TSIG Key Selector wizard is displayed only when you select Assign Keys in the Properties editor. For more information about how to assign keys to DNS and DHCP objects, see Enabling GSS-TSIG Authentication for DNS and Enabling GSS-TSIG Authentication for DHCP respectively.
To select a key from the GSS-TSIG Key Selector, complete the following:

  1. Click Show Filter to filter the values:
    • Select a value from the drop-down list to filter your values: Domain, Encryption type, In use, Last update, Principal, and Version.
    • Select one of these operators from the drop-down list: equals, does not equal, begins with, and does not begin with.
    • Enter the value that you want to search in the text box.

...
    • Click Hide Filter to hide the filter. Alternatively, you can enter a value in the text box for Find and click Go to search specific keys from the keytab files.

  2. The following details are displayed in the table:

    • Principal: The principal name that is mapped to the keytab file. Click Principal to assign the key to the DNS or DHCP object.
    • Domain: The name of the domain that is mapped to the keytab file.
    • Version: The version of the keytab file.
    • In use: Indicates whether the keytab file is in use or not.
    • Members: The members associated with the keytab file.
    • Encryption type: The encryption type of the key.
    • Last update: The timestamp when the key was last uploaded.