Safeword and Kerberos Technical Resources
Downloads and technical information for the Safeword and Kerberos Authentication Services.
Overview
The university Safeword (formerly enigma) and Kerberos systems will be undergoing some much-needed upgrades and maintenance in the coming weeks. Three new machines have been deployed which will be supporting both of these services in their entirety. Kerberos software will be upgraded as a result. Safeword software will also be upgraded and migrated to modern software and platforms. This also necessitates some infrastructure change with these services. The new systems will be:
| chephren.rutgers.edu | 165.230.139.234 | College Avenue |
| cheops.rutgers.edu | 128.6.224.115 | Busch |
| mykerinos.rutgers.edu | 165.230.100.69 | Camden |
Current enigmad.conf files can be used as is; simply replace the IP addresses inside of them.
Changes to Kerberos
Other than a minor version upgrade and a change in IPs, Kerberos will not be changing much. The same realms and functionality will be provided, with principals bound to Rutgers IIDs. The IP change is regrettable, but necessary in order to ensure that the IP space will not change for at least 5 years.
Changes to Safeword
However, Safeword will be going through some major changes:
- NetIDs will be mapped to IIDs; either identifier may be used for authentication to the same card. This will resolve issues some operating systems, applications, and platforms have had with IID <-> username translation.
- Multiple cards per user account will now be supported.
- True synchronization will be implemented between all three Safeword servers; any one of the three can be used as a primary host or to provide highly robust failover.
The APIs available to authenticate via Safeword are also changing. The service will be moving to industry-standard methods and implementations for authentication. This brings many new platforms into the supported list for the service.
However, this means that RVAL will be deprecated. RVAL is the "home-grown" authentication mechanism that RUPam uses to interface with Safeword on a few UNIX machines at the university.
In order to ease the transition, the old RVAL server-side software has been "retrofitted" to work with the new implementation. However, we intend to shut down that functionality in a few months' time. During those months, the new systems will be speaking both RVAL and the new APIs.
The timetable begins with the initial release of the new servers. They are fully-capable Kerberos slaves and will be running all production software in their production environment.
Although a final test migration was performed with all Safeword tokens, testing is not an automated process and must be done manually. Please email us at safeword_support@email.rutgers.edu if you would like to have a test account set up for testing purposes.
We'd like to keep the process in this state for about a month before migrating production responsibility to the new machines and IP addresses for the Safeword service. Kerberos service changes would follow after that. Finally, approximately 6 months down the road, the legacy RVAL services will be turned off.
Should you have any questions or comments about these upgrades, please contact us at safeword_support@email.rutgers.edu.
Information about Safeword tokens, licensing, troubleshooting, etc. can be found here.
Timetable
| Initial announcement and release of servers | September 25, 2006 |
| Switchover of Safeword to new servers | October 30, 2006 7:30am EST |
| Switchover of Kerberos to new servers | November 13, 2006 |
| Deactivation of RVAL | Spring 2007 |
Downloads
These agents are used to enable applications or operating systems to authenticate using Safeword.
Unix Agents
Agent for PAM protects PAM (Pluggable Authentication Module) enabled Solaris and Linux hosts.
- Download Agent for PAM v1.3.2 for Solaris 9/10 (tar/gzip)
- Download Agent for PAM v1.3.2 for Linux Redhat Enterprise 3.0 (tar/gzip)
- Documentation: Agent for PAM Administration Guide v1.3.0 (pdf)
Windows Agents & Plug-Ins
For Microsoft Windows Server 2000/2003.
- Download SafeWord Internet Authentication Service (IAS) Agent v2.0.0 (docs)
- Download MetaFrame Secure Access Manager (MSAM) Agent v2.0.0 (docs)
- Download Agent for Windows Domains 2.4.1 (docs)
- Download Agent for Windows Terminal Services 2.1.1 (docs)
- Download Agent for Microsoft Remote Access Servers 2.4.0 (docs)
SafeWord PremierAccess Software Development Kit (SDK)
This SDK may be used in the development of custom applications to
integrate Safeword functionality into your Windows, Solaris, or
Java systems.
Notes for RADIUS Users
Administrators running systems other than Solaris, Windows, and Java interact with the RADIUS implementation on the Safeword servers.
The RADIUS protocol, as published by Livingston, is a method of managing the exchange of authentication, authorization, and accounting information on the network. The RADIUS draft was submitted to the Internet Engineering Task Force (IETF) as a draft standard in June 1996. RADIUS is a fully open protocol.
The Safeword PremierAccess RADIUS Server is an authentication protocol server daemon that has been interfaced with Safeword PremierAccess through Secure Computing's own proprietary protocol EASSP. It supports all of the RADIUS functionality documented in Internet RFC 2138, and all functionality as documented in the Safeword PremierAccess publications, with minor restrictions on multiple simultaneous dynamic password authenticators.
If you are interested in utilizing the Safeword PremierAccess RADIUS Server with your systems, please email us at safeword_support@email.rutgers.edu.