Server encryption key emergencies are situations that require immediate attention to ensure continued, authenticated communications between the processes on a server machine and the clients with which they are communicating. One type of emergency occurs when you suspect that a machine's encryption key in the Registry Database is compromised. In this case, you must immediately remove that key from the keytab file and reboot the server machine to prevent unwanted access to the server.
A second type of server encryption key emergency can result from the current key becoming corrupted. In this case, server processes using the key cannot decrypt the information used in client/server communications, bringing all activity involving those processes to a halt. You must remove the corrupted key from the keytab file, but you do not need to reboot the server machine. From a security perspective, this type of emergency is less severe than one resulting from a compromised key, but it requires immediate attention nonetheless.
To resolve encryption key emergencies, you must add a new server key to both the keytab file on the machine and the Registry Database. You must turn off DFS authorization checking when handling key emergencies. Because disabling DFS authorization checking is a severe security risk, disable authorization checking for a minimal amount of time.
The emergency procedure requires you to be logged into the affected server machine as root to create the NoAuth file and to reboot the machine. Many of the steps in the procedure were detailed in previous sections of this topic. (See Monitoring and Controlling Server Processes for a description of the bos shutdown command.)
Note: Rebooting is not necessary when replacing a corrupted key. It may not always be necessary when dealing with a compromised key; for example, it may be sufficient simply to restart any processes associated with the compromised key. However, rebooting the machine is the safest way to terminate all unauthorized communications.
1. Log in as root on the affected machine.
2. Disable DFS authorization checking by creating the dcelocal/var/dfs/NoAuth file. It is usually recommended that you use the bos setauth command to create the NoAuth file. However, because the server encryption key emergency can make it impossible to issue bos commands, create the file with the touch command (or its equivalent).
3. Use the bos lskeys command to check the key version numbers currently in use, using the -noauth option to employ an unprivileged identity as the identity of the issuer of the command:
# bos lskeys -server machine [-principal name] -noauth
The -principal name option is the principal name for which associated keys are to be listed. The default is the DFS principal name of the machine specified with -server.
The -noauth option directs the bos program to use the unprivileged identity nobody as the identity of the issuer.
4. Create the new key with the bos genkey command, specifying a new key version number for the key with the -kvno option and again using the -noauth option:
# bos genkey -server machine -kvno {+ | version_number} [-principal name] -noauth
The -kvno {+ | version_number} option is the key version number of the new key. Valid arguments for this option are
· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the indicated principal in the keytab file on the specified machine.
· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the indicated principal in the Registry Database, but it may not be unique for the indicated principal in the keytab file on the specified machine.
The -principal name option is the principal name with which the key is to be associated. The default is the DFS principal name of the machine specified with -server.
The -noauth option directs the bos program to use the unprivileged identity nobody as the identity of the issuer.
5. Use the bos rmkey command to remove any old keys that are compromised. Specify the version number of each key to be removed with the -kvno option, and again use the -noauth option.
# bos rmkey -server machine -kvno version_number... [-principal name] -noauth
The -kvno version_number option is the key version number of each key to be removed for the indicated principal. Valid arguments for this option are integers in the range 1 to 255.
The -principal name option is the principal name associated with the keys to be removed from the keytab file. The default is the DFS principal name of the machine specified with -server.
The -noauth option directs the bos program to use the unprivileged identity nobody as the identity of the issuer.
6. If the emergency resulted from a compromised key, issue the bos shutdown command to prepare to reboot the machine. You must reboot the machine to terminate all existing communications that are based on the compromised encryption key. The bos shutdown command directs the BOS Server to shut down the other DFS server processes running on the machine. Include the -wait option with the command to be sure that all processes have stopped before continuing.
# bos shutdown -server machine -wait -noauth
The -wait option delays the command shell prompt's return until the processes are stopped. If the option is omitted, the prompt returns immediately, even if the processes are not yet stopped.
The -noauth option directs the bos program to use the unprivileged identity nobody as the identity of the issuer.
7. Enable DFS authorization checking by entering the bos setauth command. Specify on as the value of the -authchecking option, and include the -noauth option.
# bos setauth -server machine -authchecking {on | off} -noauth
The -authchecking on option enables DFS authorization checking by removing the NoAuth file from the machine specified with -server; -authchecking off disables authorization checking by creating the NoAuth file on the machine specified with -server.
The -noauth option directs the bos program to use the unprivileged identity nobody as the identity of the issuer.
8. If the emergency resulted from a compromised key, issue the appropriate reboot command (/etc/reboot or its equivalent) for the machine to be rebooted. For example:
# /etc/reboot
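The following script is an added example, not part of the DFS documentation, that drives steps 2 through 8 above in order with a dry-run mode that only prints each command. It also adds the check a practitioner wants at step 4: because "-kvno +" is guaranteed unique only in the Registry Database and not in the machine's keytab file, the script parses the bos lskeys output from step 3 and picks the lowest version number in 1 to 255 that the keytab does not already hold. Assumptions: $BOS names the bos binary, $DCELOCAL is the dcelocal directory (the default /opt/dcelocal is an assumption), and bos lskeys prints one line per keytab entry containing "key N"; the sample lskeys output is constructed.

```shell
#!/bin/sh
# Added example; not from the DFS documentation. Sequences the key-emergency
# procedure with DRY_RUN=1 (default) printing commands instead of running them.
set -u

DCELOCAL="${DCELOCAL:-/opt/dcelocal}"   # assumed default for dcelocal
BOS="${BOS:-bos}"                        # assumed name of the bos binary
DRY_RUN="${DRY_RUN:-1}"                  # 1: print only; 0: execute

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Extract key version numbers from bos lskeys output (step 3).
# Output format is assumed: one line per key containing "key N".
kvnos_from_lskeys() {
    sed -n 's/^.*key[ =]*\([0-9][0-9]*\).*/\1/p' | tr '\n' ' ' | sed 's/ *$//'
}

# Choose a version number 1..255 absent from the keytab ($1 is the
# space-separated list from kvnos_from_lskeys). Fails if all 255 are used.
next_free_kvno() {
    n=1
    while [ "$n" -le 255 ]; do
        case " $1 " in
            *" $n "*) n=$((n + 1)) ;;
            *) echo "$n"; return 0 ;;
        esac
    done
    return 1
}

# Steps 2 and 4-8. $1 machine, $2 kvnos in use, $3 kvnos to remove,
# $4 "compromised" or "corrupted" (decides whether to shut down and reboot).
key_emergency() {
    machine=$1; inuse=$2; remove=$3; kind=$4
    # Step 2: create NoAuth with touch, since bos setauth may be unusable.
    run touch "$DCELOCAL/var/dfs/NoAuth"
    # Step 4: new key with a version number unique in the keytab.
    new=$(next_free_kvno "$inuse") || { echo "no free kvno" >&2; return 1; }
    run "$BOS" genkey -server "$machine" -kvno "$new" -noauth
    # Step 5: remove the bad keys (rmkey accepts several version numbers).
    if [ -n "$remove" ]; then
        # shellcheck disable=SC2086  # word splitting of $remove is intended
        run "$BOS" rmkey -server "$machine" -kvno $remove -noauth
    fi
    # Step 6: only a compromised key requires stopping the server processes.
    if [ "$kind" = compromised ]; then
        run "$BOS" shutdown -server "$machine" -wait -noauth
    fi
    # Step 7: re-enable authorization checking as soon as possible.
    run "$BOS" setauth -server "$machine" -authchecking on -noauth
    # Step 8: reboot only for a compromised key.
    if [ "$kind" = compromised ]; then
        run /etc/reboot
    fi
}

# Constructed sample of bos lskeys output, used for the dry run below.
SAMPLE_LSKEYS='key 1 has cksum 1234567
key 2 has cksum 7654321'

# Dry run: key 2 is treated as compromised on the (constructed) host fileserver1.
inuse=$(printf '%s\n' "$SAMPLE_LSKEYS" | kvnos_from_lskeys)
key_emergency fileserver1 "$inuse" "2" compromised
```

To run it for real, capture the live listing with `inuse=$("$BOS" lskeys -server machine -noauth | kvnos_from_lskeys)` and set DRY_RUN=0; the dry run first lets you confirm the planned command sequence, in particular that setauth on is issued before the reboot so the NoAuth file does not survive it.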