HTTP Proxy Credential Local Storage

This section describes how the HTTP proxy credentials are stored locally on the Unix/Linux system that’s running the Centrify Agent.

The HTTP proxy credentials are stored only in the local kset file: /var/centrifydc/httpproxy.cred

This httpproxy.cred file is readable and writable only by root.

For security, remove httpproxy.cred from the system when you remove the system from the domain.

For security, the proxy user's password is encrypted before being stored in httpproxy.cred.

Password Encryption

The proxy user's password is encrypted using the system's principal key, which is normally stored in /etc/krb5.keytab.

The agent uses the latest key in the keytab to encrypt the password. By default, it uses AES256-CTS-HMAC-SHA1-96 encryption.

If the key for a particular encryption type is not available, the Agent uses the next preferred and available encryption type that has a key in the system’s keytab file.

When the system password changes, the agent uses the new key to re-encrypt the proxy server password. The system keytab file keeps the two latest versions of the key.

If the Centrify Agent on the Unix/Linux system has FIPS Mode enabled, only a FIPS-compliant encryption type is allowed to encrypt the proxy credential password.

If a password was encrypted with a non-FIPS-compliant encryption type, the agent cannot decrypt it, even if the machine keytab contains a valid key. If that happens, set the proxy password again so that it is encrypted using a FIPS-compliant encryption type.

Encrypted Password Storage

The encrypted password and related information are represented in ASN.1 as shown below and encoded using the ASN.1 Basic Encoding Rules (BER) as defined in Section 5.1 of RFC 4511, the LDAP protocol (https://www.ietf.org/rfc/rfc4511.txt):

PROXY_USER_CRED ::= SEQUENCE {
    username      STRING,
    kvno          UInt32,
    etype         Int32,
    cipher        OCTET_STRING
}
Int32   ::= INTEGER (-2147483648..2147483647) -- signed values representable in 32 bits
UInt32  ::= INTEGER (0..4294967295)           -- unsigned 32-bit values

Where:

  • username: The proxy user's name.
  • kvno: The version number of the key under which the data is encrypted.
  • etype: The encryption type used to produce the cipher. The encryption type number MUST be a type that is supported by the Kerberos protocol.
  • cipher: The encrypted password.

Local Machine Account Support

In some cases the current system account's Kerberos credentials should be configured for the proxy instead of a proxy user's password. In that case the username is S-1-5-18 and the cipher field must contain an octet string of length 0.
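The following is an added example, not Centrify's code, that encodes and decodes the PROXY_USER_CRED structure described above with the definite-length BER that RFC 4511 Section 5.1 permits, recognises the S-1-5-18 local machine account form, and applies the keytab and FIPS-mode rules from the Password Encryption section as a pre-check on a decoded record. Assumptions not stated on the page: the ASN.1 STRING username is carried as an OCTET STRING holding UTF-8 (as LDAPString is in RFC 4511); the FIPS-compliant encryption types are taken to be the AES family (Kerberos etypes 17, 18, 19, 20); the usernames, kvno values and cipher bytes in the sample are constructed, not real data; the function and constant names are the example's own.

```python
"""BER encode/decode of PROXY_USER_CRED plus a decryptability pre-check.
Added example (not Centrify's code). See the lead-in for the assumptions."""
from dataclasses import dataclass

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18           # RFC 3962 number for the page's default etype
FIPS_ETYPES = frozenset({17, 18, 19, 20})    # assumption: AES etypes (RFC 3962 / RFC 8009)
LOCAL_SYSTEM_SID = "S-1-5-18"                # username used for the local machine account case


@dataclass(frozen=True)
class ProxyUserCred:
    username: str
    kvno: int       # UInt32
    etype: int      # Int32
    cipher: bytes   # empty octet string for the local machine account case

    def __post_init__(self):
        if not 0 <= self.kvno <= 0xFFFFFFFF:
            raise ValueError("kvno outside UInt32 range")
        if not -0x80000000 <= self.etype <= 0x7FFFFFFF:
            raise ValueError("etype outside Int32 range")

    @property
    def is_local_machine_account(self) -> bool:
        return self.username == LOCAL_SYSTEM_SID and len(self.cipher) == 0


# --- minimal BER: definite lengths, primitive encodings (RFC 4511 section 5.1) ---
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(v: int) -> bytes:
    # shortest two's-complement form; UInt32 values above 2**31-1 gain a leading 0x00
    size = 1
    while True:
        try:
            return _tlv(TAG_INTEGER, v.to_bytes(size, "big", signed=True))
        except OverflowError:
            size += 1


def encode_proxy_user_cred(c: ProxyUserCred) -> bytes:
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_OCTET_STRING, c.username.encode("utf-8"))
                + _integer(c.kvno) + _integer(c.etype)
                + _tlv(TAG_OCTET_STRING, c.cipher))


def _read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not permitted by RFC 4511 5.1")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated element body")
    return tag, body, pos + length


def _expect(buf: bytes, pos: int, tag: int):
    t, body, pos = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag {tag:#x}, got {t:#x}")
    return body, pos


def decode_proxy_user_cred(data: bytes) -> ProxyUserCred:
    seq, end = _expect(data, 0, TAG_SEQUENCE)
    if end != len(data):
        raise ValueError("trailing bytes after PROXY_USER_CRED")
    username, p = _expect(seq, 0, TAG_OCTET_STRING)
    kvno, p = _expect(seq, p, TAG_INTEGER)
    etype, p = _expect(seq, p, TAG_INTEGER)
    cipher, p = _expect(seq, p, TAG_OCTET_STRING)
    if p != len(seq):
        raise ValueError("unexpected extra field in SEQUENCE")
    return ProxyUserCred(username.decode("utf-8"),
                         int.from_bytes(kvno, "big", signed=True),
                         int.from_bytes(etype, "big", signed=True),
                         bytes(cipher))


def decrypt_blocker(c: ProxyUserCred, keytab_keys, fips_mode: bool):
    """Return None if the agent could use this record, otherwise why it cannot.
    keytab_keys is the set of (kvno, etype) pairs present in /etc/krb5.keytab."""
    if c.is_local_machine_account:
        return None   # nothing to decrypt: the system account's own credentials are used
    if fips_mode and c.etype not in FIPS_ETYPES:
        return "etype not FIPS-compliant; set the proxy password again under FIPS mode"
    if (c.kvno, c.etype) not in keytab_keys:
        return "no key with this kvno/etype in keytab (only the two latest kvnos are kept)"
    return None


if __name__ == "__main__":
    # constructed sample values, not a real credential
    sample = ProxyUserCred("proxyuser", 5, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x01\x02\x03")
    blob = encode_proxy_user_cred(sample)
    print(blob.hex())
    print(decode_proxy_user_cred(blob) == sample)
```

The decoder rejects indefinite lengths and trailing bytes because the LDAP-restricted BER the page cites does not allow them; `decrypt_blocker` mirrors the page's two failure modes (a key no longer in the keytab after two rotations, or a non-FIPS etype under FIPS mode), so an operator can tell before the agent tries which of the two "set the proxy password again" cases applies.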