HTTP Proxy Credential Local Storage
This section describes how the HTTP proxy credentials are stored locally on the Unix/Linux system that’s running the agent.
The HTTP proxy credentials are stored only in the local kset file: /var/centrifydc/httpproxy.cred
This httpproxy.cred file is readable and writable only by root.
For security, remove httpproxy.cred from the system when you remove the system from the domain.
For security, the proxy user's password is encrypted before being stored in httpproxy.cred.
Password Encryption
The proxy user's password is encrypted using the system's principal key, which is normally stored in /etc/krb5.keytab.
The agent uses the latest key in the keytab to encrypt the password. By default, it uses AES256-CTS-HMAC-SHA1-96 encryption.
If the key for a particular encryption type is not available, the Agent uses the next preferred and available encryption type that has a key in the system’s keytab file.
When the system password changes, the agent uses the new key to re-encrypt the proxy server password. The system keytab file keeps the two latest key versions.
If the Centrify Agent on the Unix/Linux system has FIPS Mode enabled, only a FIPS-compliant encryption type is allowed to encrypt the proxy credential password.
If a password is encrypted with a non-FIPS-compliant encryption type, the agent will not be able to decrypt it, even if the machine keytab contains a valid key. If that happens, set the proxy password again so that it is encrypted using a FIPS-compliant encryption type.
Encrypted Password Storage
The encrypted password and its related fields are represented in ASN.1 as shown below and are encoded using the ASN.1 Basic Encoding Rules (BER), as defined in Section 5.1 of RFC 4511, the LDAP protocol specification (https://www.ietf.org/rfc/rfc4511.txt):
PROXY_USER_CRED ::= SEQUENCE {
    username STRING,
    kvno     UInt32,
    etype    Int32,
    cipher   OCTET_STRING
}
Int32  ::= INTEGER (-2147483648..2147483647) -- signed values representable in 32 bits
UInt32 ::= INTEGER (0..4294967295)           -- unsigned 32 bit values
Where:
- username: The proxy user's name.
- kvno: The version number of the key under which the data is encrypted.
- etype: The encryption type used to produce the cipher. The encryption type number MUST be a type that is supported by the Kerberos protocol.
- cipher: The encrypted password.
Local Machine Account Support
In some cases the current system account’s Kerberos credentials are used instead of a proxy user. In that case the username is S-1-5-18 and the cipher field contains an octet string of length 0.
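The following is an added example, not code from the Centrify documentation or from the agent itself. It encodes and strictly decodes the PROXY_USER_CRED structure described in the Encrypted Password Storage section using hand-written BER, and applies the two rules stated above it: the local machine account case (username S-1-5-18 with an empty cipher) and the FIPS-mode rule that a record encrypted with a non-FIPS encryption type cannot be decrypted. Assumptions not on the page are marked in the code: the page's STRING field is encoded as an OCTET STRING of UTF-8, the FIPS allowlist is an example policy (the AES types), the etype numbers come from the IANA Kerberos registry, and the cipher bytes are constructed placeholder data rather than real Kerberos ciphertext.

```python
# Added example; not code from the Centrify documentation or the agent.
# Universal BER tags (ITU-T X.690).
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30  # constructed SEQUENCE

# Kerberos encryption type numbers (RFC 3961/3962 registry).
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18  # the agent's default per the page
ETYPE_RC4_HMAC = 23

# ASSUMPTION: the page does not list which etypes are FIPS-compliant;
# this allowlist (the AES types) is an example policy, not the agent's.
FIPS_ALLOWED_ETYPES = {ETYPE_AES128_CTS_HMAC_SHA1_96, ETYPE_AES256_CTS_HMAC_SHA1_96}

LOCAL_MACHINE_SID = "S-1-5-18"


def _encode_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(body)) + body


def _encode_integer(value: int) -> bytes:
    """BER INTEGER: shortest big-endian two's-complement encoding. A UInt32
    with the top bit set (e.g. kvno 0xFFFFFFFF) gets a leading 0x00 byte so
    a decoder does not read it as a negative number."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return _tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def encode_proxy_user_cred(username: str, kvno: int, etype: int, cipher: bytes) -> bytes:
    """Encode PROXY_USER_CRED ::= SEQUENCE { username, kvno, etype, cipher }.
    ASSUMPTION: the page's 'STRING' is encoded here as an OCTET STRING of UTF-8."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit UInt32")
    if not -0x80000000 <= etype <= 0x7FFFFFFF:
        raise ValueError("etype must fit Int32")
    body = (_tlv(TAG_OCTET_STRING, username.encode("utf-8"))
            + _encode_integer(kvno)
            + _encode_integer(etype)
            + _tlv(TAG_OCTET_STRING, bytes(cipher)))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(data: bytes, pos: int):
    """Read one tag/length/value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:end], end


def decode_proxy_user_cred(data: bytes) -> dict:
    """Strictly parse a PROXY_USER_CRED blob; raise ValueError on any deviation."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single outer SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    expected = (TAG_OCTET_STRING, TAG_INTEGER, TAG_INTEGER, TAG_OCTET_STRING)
    if tuple(t for t, _ in fields) != expected:
        raise ValueError("unexpected field layout")
    username = fields[0][1].decode("utf-8")
    kvno = int.from_bytes(fields[1][1], "big", signed=True)
    etype = int.from_bytes(fields[2][1], "big", signed=True)
    if not 0 <= kvno <= 0xFFFFFFFF or not -0x80000000 <= etype <= 0x7FFFFFFF:
        raise ValueError("kvno/etype out of range")
    return {"username": username, "kvno": kvno, "etype": etype, "cipher": fields[3][1]}


def is_local_machine_account(cred: dict) -> bool:
    """The page's special case: username S-1-5-18 and a zero-length cipher."""
    return cred["username"] == LOCAL_MACHINE_SID and len(cred["cipher"]) == 0


def is_decryptable_in_fips_mode(cred: dict) -> bool:
    """The page's FIPS rule: a record with a non-FIPS etype cannot be decrypted
    even if the keytab holds that key, so the proxy password must be set again."""
    return cred["etype"] in FIPS_ALLOWED_ETYPES


if __name__ == "__main__":
    # Constructed sample: the cipher bytes are placeholder data, not real ciphertext.
    blob = encode_proxy_user_cred("proxyuser", 2, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x01\x02\x03")
    print(blob.hex())
    cred = decode_proxy_user_cred(blob)
    print(cred, is_local_machine_account(cred), is_decryptable_in_fips_mode(cred))
```

The decoder is deliberately strict (single outer SEQUENCE, exact field order and tags, no indefinite lengths, integer range checks) because the file is root-only and any deviation from the expected layout is more likely corruption or tampering than a legitimate variant; a tolerant parser would silently accept malformed records.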