Configuring the Security Adapter without Logging in as Administrator
(396GR 11-May-2000)
NOTE: This note applies to installations that use PC-DCE
as the security infrastructure for NetCrusader/Web.
Background
To install and configure NetCrusader/Web, you must normally log in as
a user with cell administration privileges (for example, cell_admin)
because some of the accounts and registry entries that are created in
the cell during installation and configuration require cell administration
privileges.
If you distribute security management in your enterprise, you may want
some individuals to be able to configure the Security Adapter, but you
may not want these individuals to have full cell administration privileges.
For example, you might want a webmaster to have control over how the Security
Adapter is configured, but you do not want the webmaster to have full
control over the security for the cell.
Using the following procedure, you can configure the Security Adapter
into a cell so that authorized individuals do not need a username or password
to configure that instance of the Security Adapter.
Procedure
Note: At least one NetCrusader Security Adapter must
already be configured into the cell.
- Log into the cell as user cell_admin.
- Enter the following commands. Though the following example shows commands
for a .bat file, you may also either enter these commands
manually or use a tcl script. Regardless of the method you use, substitute
the name of the machine on which the Security Adapter resides for machine_name.
Note that the machine name must be in all capital letters when it follows
wcsecad, but must be in lowercase when it follows netcacl-.
dcecp -c principal create wcsecad/MACHINE_NAME
dcecp -c group add wcsecad-admin -m wcsecad/MACHINE_NAME
dcecp -c group add wccs-admin -m wcsecad/MACHINE_NAME
dcecp -c group add wc-delegates -m wcsecad/MACHINE_NAME
dcecp -c group add wc-filters -m wcsecad/MACHINE_NAME
dcecp -c org add none -m wcsecad/MACHINE_NAME
dcecp -c obj create /.:/subsys/WWW/netcacl-machine_name
dcecp -c rpcgroup add /.:/subsys/WWW/wc-servers -member /.:/subsys/WWW/netcacl-machine_name
dcecp -c acl modify /.:/subsys/WWW -add {user wcsecad/MACHINE_NAME rwdtcia}
dcecp -c acl modify -e /.:/subsys/WWW/netcacl-machine_name -add {user wcsecad/MACHINE_NAME rwdtc}
- Enter the following command in dcecp. (Note: Do not
run this command within a script; it will not work.)
dcecp> account create wcsecad/machine_name -group wcsecad-admin -org none -pa -wcazadmin- -my cell_admin_password
- If NetCrusader/Web is not already installed on the target machine
(the machine on which you want the person to be able to configure the
Security Adapter), install it now.
- On the target machine, perform a dce_login with the
username wcsecad/machine_name and the password
you used in the account create command (in this example, we used -wcazadmin-
for the password).
- On the target machine, create the directory where the keytab file
will be kept. Substitute the name of the directory in which you installed
NetCrusader/Web for NetCWeb_installation_dir.
c:\ mkdir "NetCWeb_installation_dir/lib/keytabs"
- Create the keytab file, using the following dcecp
command. (This command may be run from a batch file.) Substitute the
name of the directory in which you installed NetCrusader/Web for NetCWeb_installation_dir.
dcecp> keytab create /.:/hosts/machine_name/config/keytab/netcacl-machine_name -storage {NetCWeb_installation_dir/lib/keytabs/wcsecad.kt} -data {wcsecad/machine_name plain 1 -wcazadmin-}
- The webmaster (or other authorized individual) can now configure the
Security Adapter on the target machine using the Security Adapter Configuration
Wizard.
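The case rule for the batch-file commands in the second step, as an added example (not part of the original note or of NetCrusader/Web): this Python script renders those commands for one machine and checks an existing command list against the rule. The machine name Web01 and the restriction of names to letters, digits, underscore and hyphen are assumptions.

```python
import re

# Batch-file commands from the procedure above. {U} is the machine name in
# capitals (required after "wcsecad/"), {l} in lowercase (after "netcacl-").
TEMPLATES = [
    "dcecp -c principal create wcsecad/{U}",
    "dcecp -c group add wcsecad-admin -m wcsecad/{U}",
    "dcecp -c group add wccs-admin -m wcsecad/{U}",
    "dcecp -c group add wc-delegates -m wcsecad/{U}",
    "dcecp -c group add wc-filters -m wcsecad/{U}",
    "dcecp -c org add none -m wcsecad/{U}",
    "dcecp -c obj create /.:/subsys/WWW/netcacl-{l}",
    "dcecp -c rpcgroup add /.:/subsys/WWW/wc-servers -member /.:/subsys/WWW/netcacl-{l}",
    "dcecp -c acl modify /.:/subsys/WWW -add {{user wcsecad/{U} rwdtcia}}",
    "dcecp -c acl modify -e /.:/subsys/WWW/netcacl-{l} -add {{user wcsecad/{U} rwdtc}}",
]

# A machine name directly after either prefix ("wcsecad-admin" does not match).
NAME = re.compile(r"(wcsecad/|netcacl-)([A-Za-z0-9_.-]+)")


def render(machine):
    """Return the batch-file commands for one machine with the required casing."""
    # Assumption: simple host names only. Rejecting anything else keeps batch
    # metacharacters (&, |, %, spaces) out of commands that run as cell_admin.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", machine):
        raise ValueError("unexpected characters in machine name: %r" % machine)
    return [t.format(U=machine.upper(), l=machine.lower()) for t in TEMPLATES]


def case_errors(lines):
    """Return (line_no, token) for each machine name whose case breaks the rule."""
    bad = []
    for no, line in enumerate(lines, 1):
        for prefix, name in NAME.findall(line):
            want = name.upper() if prefix == "wcsecad/" else name.lower()
            if name != want:
                bad.append((no, prefix + name))
    return bad


if __name__ == "__main__":
    # "Web01" is a constructed sample machine name.
    print("\n".join(render("Web01")))
```
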