Stop worrying anymore for 000-190 test.




000-190 - AIX Basic Operations V5 - Dump Information

Vendor : IBM
Exam Code : 000-190
Exam Name : AIX Basic Operations V5
Questions and Answers : 134 Q & A
Updated On : April 17, 2019


Nice to hear that Latest dumps of 000-190 exam are available.

The answers are defined briefly in easy language and nevertheless make quite an impact that's clean to understand and comply with. I took the help of partillerocken Q&A and passed my 000-190 exam with a healthful score of 69. Thanks to partillerocken Q&A. I would love to suggest in desire of partillerocken Q&A for the practise of 000-190 exam.

Need updated brain dumps for 000-190 exam? Here it is.

I am Aggarwal and I work for clever Corp. I had accomplished to appear for the 000-190 exam and changed into very nervous approximately it as it contained difficult case research and many others. I then applied to your questions and answers. My many doubts got cleared due to the explanations supplied for the answers. I moreover got the case research in my electronic mail which had been rightly solved. I regarded for the exam and am happy to mention that I got 73.75% and that I come up with the whole credit. Further I congratulate you and appearance similarly to clear more test with the help of your website online.

Don't forget about to strive those real exam questions for 000-190 examination.

I cracked my 000-190 exam on my first try with 72.5% in just 2 days of training. Thank you partillerocken to your treasured questions. I did the exam without any fear. Looking ahead to easy the 000-190 exam in conjunction with your assist.

Passing the 000-190 exam with sufficient expertise.

I prepared the 000-190 exam with the help of partillerocken 000-190 test preparation material. It was complicated but overall very helpful in passing my 000-190 exam.

WTF! questions have been precisely the equal in exam that I prepared!

It changed into very encouraging revel in with partillerocken crew. They told me to try their 000-190 exam questions as soon as and overlook failing the 000-190 exam. First I hesitated to apply the dump because I afraid of failing the 000-190 exam. However once I informed by means of my pals that they used the exam simulator for their 000-190 certification exam, I bought the guidance percent. It become very reasonably-priced. That changed into the primary time that I convinced to apply partillerocken education material when I got 100% marks in my 000-190 exam. I in reality recognize you partillerocken team.

No waste of time on searching internet! Determined precise source of 000-190 Q&A.

I used partillerocken Q&A dump which affords enough expertise to attain my purpose. I constantly usually memorize the things before going for any exam, but that is the handiest one exam, which I took without without a doubt memorizing the wanted things. I thanks without a doubt from the bottom of my coronary heart. I will come to you for my subsequent exam.

Don't forget about to strive those real exam questions for 000-190 examination.

I am running into an IT company and therefore I hardly ever find any time to put together for 000-190 Exam. Therefore, I arise to an clean end of partillerocken Q&A dumps. To my surprise it labored like wonders for me. I should resolve all of the questions in least viable time than supplied. The questions appear to be pretty clean with excellent reference manual. I secured 939 marks which became without a doubt a high-quality surprise for me. Great thanks to partillerocken!

Forget everything! Just focus on these 000-190 Questions and Answers if you want to pass.

When I had taken the selection for going to the exam then I got an first rate support for my education from the partillerocken which gave me the realness and dependable practice 000-190 prep classes for the same. Right here, I additionally got the possibility to get myself checked before feeling assured of appearing well within the manner of the getting ready for 000-190 and that changed into a pleasing issue which made me best geared up for the exam which I scored rightly. Way to such matters from the partillerocken.

Simply use these actual question bank and fulfillment is yours.

Its miles approximately new 000-190 exam. I bought this 000-190 braindump before I heard of replace so I concept I had spent money on a few aspect I might no longer be capable of use. I contacted partillerocken assist team of workers to double test, and they told me the 000-190 exam were updated lately. As I checked it in competition to the current-day 000-190 exam objectives it truly looks up to date. Several questions had been added compared to older braindumps and all areas protected. I am inspired with their performance and customer support. Searching ahead to taking my 000-190 exam in 2 weeks.

Much less effort, tremendous information, guaranteed achievement.

partillerocken questions and answers helped me to know what exactly is expected in the exam 000-190. I prepared well within 10 days of preparation and completed all the questions of exam in 80 minutes. It contain the topics similar to exam point of view and makes you memorize all the topics easily and accurately. It also helped me to know how to manage the time to finish the exam before time. It is best method.


000-190 Questions and Answers


000-190 AIX Basic Operations V5

Study Guide Prepared by Killexams.com IBM Dumps Experts



Killexams.com 000-190 Dumps and Real Questions

100% Real Questions - Exam Pass Guarantee with High Marks - Just Memorize the Answers



000-190 exam Dumps Source : AIX Basic Operations V5

Test Code : 000-190
Test Name : AIX Basic Operations V5
Vendor Name : IBM
Q&A : 134 Real Questions

It's far right source to locate 000-190 actual examination questions paper.
Top class. I cleared the 000-190 exam. The killexams.com questions and answers helped loads. Very useful certainly. Cleared the 000-190 with 95%. I'm certain all of us can pass the exam after finishing your exams. The explanations were very useful. Thanks. It turned into a amazing enjoy with killexams.com in phrases of collection of questions, their interpretation and sample in which you have set the papers. I am thankful to you and deliver full credit score to you guys for my achievement.


Passing the 000-190 exam is not enough, having that knowledge is required.
I cleared 000-190 exam with high marks. Every time I had registered with killexams.com which helped me to score more marks. Its great to have help of killexams.com question bank for such type of exams. Thanks to all.


Take a smart circulate to pass 000-190
I searched for the dumps which satisfy my specific desires at the 000-190 exam prep. The killexams.com dumps definitely knocked out all my doubts in a short time. First time in my career, I in reality attend the 000-190 exam with only one instruction material and prevail with a fantastic score. I am truly satisfied, however the purpose I am here to congratulate you on the outstanding assist you provided inside the shape of test material.


Worked hard on 000-190 books, but everything was in the Q&A.
killexams.com materials cover everything of 000-190, round which the 000-190 exam is built. So if you are new to it, that is a have to. I needed to step up my information of 000-190 qa has helped me plenty. I passed the 000-190 exam thanks to killexams.com and had been recommending it to my buddies and co-workers.


Got no problem! 3 days preparation of 000-190 actual test questions is required.
Can you odor the sweet perfume of victory? I understand I can and it's far definitely a completely stunning smell. You can scent it too in case you go online to this killexams.com a good way to put together to your 000-190 test. I did the identical component right before my test and changed into very glad with the carrier supplied to me. The centers here are impeccable and once you are in it you wouldn't be involved approximately failing at all. I didn't fail and did pretty nicely and so can you. Try it!


It is great ideal to prepare 000-190 exam with Latest dumps.
I subscribed on killexams.com by the suggestion of my friend, in order to get some extra aid for my 000-190 tests. As soon as I logged on to this killexams.com I felt relaxed and relieved since I knew this will help me get through my 000-190 test and that it did.


Can I find real Q&A of 000-190 exam?
As I am into the IT field, the 000-190 exam changed into critical for me to expose up, yet time barriers made it overwhelming for me to work well. I alluded to the killexams.com Dumps with 2 weeks to strive for the exam. I discovered how to complete all the questions well below due time. The easy to retain solutions make it well less complicated to get geared up. It labored like a whole reference aide and I used to be flabbergasted with the result.


Try out these real 000-190 dumps.
I got this pack and passed the 000-190 exam with 97% marks after 10 days. I am extraordinarily fulfilled by using the end result. There can be brilliant stuff for companion level confirmations, yet concerning the expert level, I think that is the principle strong course of action for first-class stuff, mainly with the exam simulator that gives you a danger to exercise with the appearance and experience of a real exam. This is a completely substantial brain dump, authentic examine guide. This is elusive for reducing side test.


What a great source of 000-190 questions that work in real test.
The killexams.com Questions & solutions made me efficient enough to split this exam. I endeavored ninety/95 questions in due time and passed correctly. I by no means taken into consideration passing. A great deal obliged killexams.com for help me in passing the 000-190. With a complete time work and an reliable diploma preparation side by side made me substantially occupied to equip myself for the 000-190 exam. By means of one way or another I got here to consider killexams.


Passing the 000-190 examination isn't always sufficient, having that know-how is wanted.
The fine element about your question bank is the explanations provided with the solutions. It helps to recognize the subject conceptually. I had subscribed for the 000-190 questions bank and had long past via it three-4 times. Inside the exam, I attempted all the questions under 40 minutes and scored ninety marks. Thanks for making it easy for us. Hearty way to killexams.com team, with the help of your model questions.


IBM AIX Basic Operations V5

Midnight Commander Comes to IBM i

March 20, 2019 Alex Woodie

IBM i professionals who work extensively with files in the IFS may be happy to hear that a new software utility has been ported to the IBM i PASE environment that can save them a bunch of time. The open source software, called Midnight Commander, gives developers and administrators a handy command line experience that can help speed up tasks, especially when giving commands to large numbers of files stored on remote machines.

Midnight Commander was originally developed in 1994 as a file utility for UNIX, which was beginning to emerge from software labs to challenge minicomputer platforms of the day, such as the AS/400, as well as early Windows operating systems. Miguel de Icaza, who’s well known for founding the Mono project (among others), is credited with creating Midnight Commander, but over the years development of the product has become a group effort.

The utility, which is distributed via a GNU license from www.midnightcommander.org, was largely modeled on Norton Commander, an MS-DOS utility developed in the 1980s by Norton. But Midnight Commander has evolved into its own thing over the years, and the resemblance to that old Norton product today is largely just in the name.

Midnight Commander presents users with a two-panel, text-based interface that lets them view the directories and files on the machines they’re connected to. Users can also pull up menus of available commands and a history of activity. What really sets Midnight Commander apart, however, is its command extension and subshell execution environments, which are highly customizable.

Users are able to initiate a slew of basic directory functions with Midnight Commander, including creating, viewing, renaming, moving, and deleting directories. Users can’t create files in Midnight Commander (that’s the job for applications), but they can copy, move, and delete individual files — or even better, groups of files. Built-in FTP and SFTP functionality enables users to work with files across a variety of systems.

Midnight Commander gives users a handful of special commands for dealing with files or directories in bulk. They can use commands like “%s” or “%t” to indicate which files to execute a given command upon (in this case “the files under the cursor and all highlighted files in the active panel” and “all highlighted files in the active panel,” respectively).

Midnight Commander displayed on Ubuntu Linux.

The utility lets users set default programs to use for opening certain file types, which is done using the “Enter” button. Text files are opened in a default editor, and users can configure the software to automatically open other types of files, such as HTML files, in a web browser.

Midnight Commander makes extensive use of function keys, and these come in handy when using the command extensions. Command extensions let the user specify that certain types of commands be applied to individual files or groups of files.

For example, a user could configure Midnight Commander to automatically archive files with one command, or to initiate a file transfer with another. Pressing the F2 button pulls up a handy reference of available commands, while F1 calls the help screens.

The richness of the command extension environment, together with the speed of the command line, are expected to give Midnight Commander an audience among developers and administrators who feel drag-and-drop GUIs are too cumbersome for some file operations. And while Midnight Commander will appeal to people who like to keep their hands on the keyboard, the software is also mouse-aware, giving users the option of navigating and issuing commands with the mouse.

Midnight Commander will likely appeal to developers and administrators who find themselves elbows deep in IFS folders, when a GUI approach is just too cumbersome.

Midnight Commander supports Unix, Linux, MacOS, and other operating systems. Jack Woehr, the lead IBM i support tech for Absolute Performance, and the IBM open source team, headed by open source architect Jesse Gorzinski, are credited with completing the port of Midnight Commander to IBM i’s PASE AIX runtime environment in the middle of 2018.

“I'm a longtime (20+ years) user of MC on Linux, OpenBSD, Mac and Windows and am thrilled to ultimately have succeeded in constructing it on IBM i PASE environment!” writes the user “jax” on the Midnight Commander website.

Woehr was also involved in porting Ublu to IBM i, as well as porting Lynx, a text-only web browser, to IBM i. “Jack also helped with quality assurance and worked with project owners to upstream all code alterations,” Gorzinski wrote in his November 2018 column in IBM Systems Magazine. “In fact, the main code stream for Midnight Commander can now be built for IBM i without changes.”

Midnight Commander supports IBM i 7.3. The software is RPM aware and is available for download on the IBM i server using the new Yum distribution method that debuted recently.



The Ins and Outs of IBM’s Power9 ZZ Systems

It has taken almost four years for the low end, workhorse machines in IBM’s Power Systems line to be updated, and the long awaited Power9 processors and the shiny new “ZZ” systems have been unveiled. We have learned quite a bit about these machines, many of which are not really intended for the kinds of IT organizations that The Next Platform is focused on. But a few of the machines are aimed at large enterprises, service providers, and even cloud builders who want something with a little more oomph on a lot of fronts than an X86 server can deliver in the same form factor.

You have to pay for everything in this world, and the ZZ systems, code-named after the rock band ZZ Top if you were wondering, pay for it with the amount of heat they give off when they are running. But IBM’s Power chips have always run a little hotter than the Xeon and Opteron competition, and they did so because they were packed with a lot more features and, generally speaking, delivered a lot more memory and I/O bandwidth and hence did more work for the heat generated and the higher cost.

With the Power9 machines, IBM wants to take on Intel’s hegemony in the datacenter, and that means attacking the midrange and high end of the “Skylake” Xeon SP lineup and also taking on the new “Naples” Epyc processors from AMD for certain jobs. We will see how well or poorly IBM does at this when some performance benchmarks start coming out around the end of February and on into March, when IBM is hosting its Think 2018 event in Las Vegas and is making its new Power Systems iron the star of the show. IBM has done a lot to make Power Systems more mainstream, including lowering prices for memory, disk, flash, and I/O adapters and, importantly, moving to unbuffered, industry standard DDR4 main memory. IBM is also extending the Power architecture with features not seen on Xeon, Epyc, or ARM architectures, including the first PCI-Express 4.0 peripheral controllers, which interface with PCI-Express switches to provide legacy PCI-Express 3.0 support in some of the ZZ systems. IBM is also offering its “Bluelink” 25 Gb/sec ports (which are rejiggered to deliver NVLinks out to GPUs in certain machines, such as the “Newell” Power AC922 that was announced in December) for very fast links to peripherals and supporting its OpenCAPI protocol. The prior generations of coherence protocol, CAPI 1.0 and CAPI 2.0, run atop PCI-Express networking. All of them offer a way of providing memory coherence between the Power9 chip’s caches and main memory and the memory or storage-class memory on external devices, such as GPUs and, when networked appropriately, NVM-Express flash.

We are not going to review all the aspects of the Power9 chip, which we went into great detail about back in August 2016 when Big Blue revealed them. We talked generally about the Power9 ZZ machines earlier this week, and gave a sense of the rest of the rollout that will take place this year to complete the Power9 line. We already detailed the Power AC922 and its initial benchmarks on HPC and AI workloads. In this story we are going to focus on the feeds and speeds of the Power Systems ZZ iron, looking at the guts of the systems and what IBM is charging for them. Eventually, when more information is available, we will be able to do what we have been wanting to do for a long time: see how they stack up to the Xeon and Epyc iron for clusters running modern software for various kinds of data processing and storage.

While IBM has launched six different flavors of the ZZ systems, really there are only two physical machines, with some variations in packaging and pricing to distinguish them.

The entry machine in the ZZ line is really aimed at small and midrange IBM i and AIX shops that use it to run their core databases and applications and that, frankly, do not have large performance requirements for their transaction processing and analytical workloads. Not at least by comparison to large enterprises or hyperscalers or HPC centers. Here is the block diagram of this single-socket Power S914 machine:

As you can see, the Power S914 has one Power9 processor and sixteen DDR4 memory slots hanging off of the processor. The chip has four PCI-Express 4.0 controllers, two of which are used to implement PCI-Express 4.0 slots with two x16 connections and two others that are used to link to PCI-Express 3.0 switches on the board that in turn implement a slew of legacy PCI-Express 3.0 slots. There are also two PCI-Express 3.0 x8 storage controller slots that hang off this pair of switches, and they can have RAID controllers or two M.2 form factor NVM-Express flash boot drives plugged into them. The I/O backplane can also be split for redundancy and additional RAID 10 protection across the split (a pair of RAID 5 arrays mirrored, basically). Eventually, most likely with the Power9+ and maybe with the Power10 chips, it will no longer be necessary to have this legacy PCI-Express 3.0 support and the switches won’t be needed. We will see. PCI-Express 5.0 is due sometime in 2019, so by then, PCI-Express 4.0 may be the legacy.

The Power S914 machine comes in a 4U form factor, as the name suggests: that’s S for scale out, 9 for Power9, 1 for one socket, and 4 for 4U chassis. That chassis can be mounted in a rack or tipped up on its side and put into a tower case, like this:

As you can see, there is a space on the right hand front of the system board where there are two internal storage slots, and this is where the Power S924 and its related Power H924 variant, designed to run SAP HANA in-memory databases and their applications, put a second processor. That extra space in the back is used for the additional peripherals that hang off of the second Power9 processor that is added to them. Take a look and see:

And this is what the Power S924 actually looks like implemented in steel with its covers off:

For the sake of completeness, here is the block diagram of the system board in the Power S924:

On the two-socket Power S924, and in the Power S922 and its H922 and L922 variations we will talk about in a second, the two sockets are linked to each other in a glueless fashion using NUMA interconnects, in this case based on a pair of X Bus links that are running at 16 Gb/sec. Yes, you see it. The buses for many of the external interconnects used for OpenCAPI and NVLink are running faster than the NUMA interconnects between the processors.

That leaves the more dense 2U version of the Power9 ZZ system, which is implemented as the Power S922 for AIX, Linux, and IBM i; the Power L922 for Linux-only machines; and the Power H922 for SAP HANA nodes that can, if needed, support some IBM i and AIX workloads so long as they do not take up more than 25 percent of the aggregate computing capacity.

Here is the mechanical drawing of the Power S922 machine and its derivatives:

And here is the system board block diagram for these machines:

If you compare the Power S924 and Power S922 machines, you will see that the big difference in form factor is that by squeezing down from 4U to 2U, IBM had to cut back on the local storage and also on the PCI-Express slots. Specifically, two of the legacy PCI-Express 3.0 x8 slots are sacrificed. That is not much to give up for a form factor that takes up a lot less space. The smaller machine has only eight 2.5-inch (Small Form Factor, or SFF) peripheral bays, compared to a maximum of 18 for the bigger machine. These are the main differences.

For those of you not familiar with IBM’s product naming conventions, a machine has a model designation (like Power S924) and a product number (like 9009-41A) as well as feature codes for each and every possible thing that can be part of that system, including memory sticks, disk and flash drives, I/O adapters of every kind, cables, and anything else. The table below shows the models, product numbers, and processor feature cards with the salient characteristics of the Power9 chips in each feature card. IBM is offering three different Power9 processor feature cards for each of the six machines. We have shown their base and right clock frequencies, as shown by IBM to be the typical ranges of their operation using dynamic clock frequency scaling. We have taken our best guess at matching the thermal design points IBM has for various Power9 processors to the core counts and clock speeds available. (They are good guesses, mind you.)

The next table shows the memory, peripheral expansion, and in-chassis storage options for each machine; IBM allows for storage bays to be added to the processor complex over the PCI-Express buses for further expansion beyond this.

One thing is not obvious from the table. While IBM is offering DDR4 memory speeds of 2.13 GHz, 2.4 GHz, and 2.67 GHz, and in capacities of 16 GB, 32 GB, 64 GB, and 128 GB, on these machines, you cannot just pick any capacity and any speed and put them in these machines. On any machine that has memory slots 10 through 16 populated, the only thing you can do is run 2.13 GHz memory, regardless of the capacity of the stick chosen. By doing this, you get the maximum 170 GB/sec of peak memory bandwidth. If you want to run faster memory, then it can only be used in machines with eight or fewer memory slots populated. And the fastest 2.67 GHz memory is only available for 16 GB sticks. Yes, this is a little weird. And it looks like IBM is gearing down the memory speeds, not shipping different memory speeds, since there are only four different memory cards but eight different speed/capacity combinations. It looks to us like IBM is gearing down 2.67 GHz or 2.4 GHz memory sticks to 2.13 GHz speeds when the memory slots are more fully populated.

Those are the basic feeds and speeds of these machines. That leaves the last, and perhaps most important thing in the end, and that is pricing. The way IBM’s pricing works, there is a price for the base system, and then the processor feature cards. In the past, the processor feature card and memory capacity on it had two different prices, and then you had to activate cores and 1 GB memory chunks separately for an additional fee. With the Power9 machines, you buy the processor card and the memory and it is activated fully. As for memory pricing, IBM is charging $619 for the 16 GB sticks; $1,179 for the 32 GB sticks; $2,699 for the 64 GB sticks; and $9,880 for the 128 GB sticks.

In the table below, the base chassis price is shown, and next to it is shown the cost of each processor card. The system configuration pricing shows the cost of adding 32 GB per core to the system plus four 600 GB SAS disk drives. A number of important features, such as cables and backplane options, are not included in this basic system configuration price; we are trying to give a sense of the core compute, memory, and storage costs for these machines. Operating systems are not included.

Coming up next, we will do our best to make comparisons to the Xeon and Epyc server lines to see how these Power9 machines stack up, and consider what the future “Boston” two-socket and “Zeppelin” four-socket Power9 machines might hold in terms of competition.


Building Code

We humans have always been looking for someone to do our heavy and unwanted lifting. First it was simple machines, then steam-powered beasts, and in the end a bunch of semiconductors and a quartz.

But how do you get a simple stone to do what you want? How do you explain to an electrical circuit what you need from it? Through a programming language, of course.

Where did these programming languages come from, and who made them up? Everything starts with an idea, and programming was no exception.

Let us begin our story with the Analytical Engine. It was a kind of mechanical computer designed by Charles Babbage, one that worked with gears and springs instead of wires and chips. And in 1843, Babbage’s work was being translated by a certain Ada Lovelace.

Ada didn’t stop at translation. At the end of the publication she added her own notes on how to use the proposed engine to calculate Bernoulli numbers. Although far from a proper programming language, it was the first step in the right direction.

The next step was Turing machines: once again not a computer but a mathematical model for one. A physical model of a Turing machine could be programmed to do some limited computations, like solving mathematical functions, but it was way too basic and far removed from anything we could call a programming language.

A language should be readable and expressive. What use is it if we can only say “ga-ga” and “go-go”? So this field was shelved until the magical time of 1940, when an early version of modern computers, big and full of electricity, came to life and kicked off a whole wave of theories and practices.

The first programming language with a set of useful instructions was Assembly Language. It is confusing, crazy looking and sometimes quite scary, but it lets programmers talk to the hardware of a given computer in a fairly simple way.

It’s kind of like building a house without any tools at all. You have to assemble it brick by brick, and make measurements with the palm of your hand. Not very easy to make, but it does produce a very fast and light executable program, so light that it’s still used today for very light operations, although the art of Assembly Language is known only to gray-bearded wizards and sorcerers.

Assembly Language was useful, but people wanted more. They wanted something more “high-level”, more understandable and friendly.

They wanted something they could speak.

It took some thought and effort, but in 1952 the Autocode programming language was developed, for a humongous computer at the University of Manchester.

Autocode was the first programming language that used a compiler, a special piece of software that took your program and translated it directly into machine code for fast execution. This way nobody had to write in machine code ever again, thank the almighty. But Autocode did have very limited use, as it was designed for one particular computer. Now you are building a house with some basic hand tools, like a hammer and a crooked saw.

Programming languages are used to write software. But did you know that they are also software themselves?

Every programming language has a compiler, which is usually written using another programming language. The compiler is what reads your program and translates it into machine code that your computer can understand.

For example, the Autocode compiler was written using assembly language, but the next generation of its compiler was written using Autocode and then compiled with the first compiler. Confusing, isn’t it?

Well, a compiler is a program: it is written and then compiled into machine code, losing its association with a language. So you can use a compiler to write a better compiler, because after it is compiled it is just machine code. It is like making better tools with a set of simpler tools, until you have your own power saw.

The next big thing was FORTRAN (Formula Translation). Engineered at IBM back in 1954, it was the first high-level programming language for general purpose and widespread use. It got around and quickly became the crowd’s favourite, and in some circles still is, especially where you need lightning-fast performance but are terrified of ancient Assembly Language. FORTRAN gave you some basic, English-like commands such as IF, ELSE and READ. Still unpowered, but now you have a hand drill and some nails.

The year 1959 was quite fruitful for programming languages. First came COBOL (Common Business-Oriented Language), created and sponsored by the United States Department of Defence. From the ground up it was designed for use by big businesses, and so it ended up in systems like ATMs, telephones, credit card services, hospitals and other large infrastructure.

Then came LISP, masterminded for use in artificial intelligence research, but then adapted for more general use. It was one of the first functional programming languages, which simply means that you use only functions to build a program; there is no permanent state whatsoever.

Now these languages really gave you some power tools to build your house. Not many, but you do get a chainsaw.

The 60s and early 70s brought a wind of change. Computers were becoming cheaper and more available. Their metal husks spread across the world, finding places in many universities and even some homes.

More people wanted to use computers, but not many could overcome the complexities of the earlier programming languages. That was until engineers from Dartmouth College came up with BASIC, the Beginner’s All-purpose Symbolic Instruction Code, to help their students get into the ever-growing field of programming and computation.

The BASIC syntax simplified the flow of many loops: IF got THEN, FOR got TO and NEXT, DO got UNTIL. Now you did not have to deal with weird commas and dots; as long as you knew some basic English you could understand what was going on.

BASIC was a great success and became the first language for many students, and if you are familiar with Microsoft, you will know that a forked version of it became their flagship product. This was more like building Ikea furniture: you get your pre-made parts, clear instructions and some tools, and you just have to figure out how to put it all together.

With the rise of these higher-level programming languages, more structured and elegant code could be written, and in many cases people took it to heart, trying to add a touch of beauty to their work. And that could mean anything: some take pride in writing the shortest code possible, others the most complicated code possible, and some enjoy adding their own flavour to the structure of their program.

Another language that opened the doors to programming for many was Pascal, specifically designed to teach students the mystical art of computers. It was made to be easy to pick up, but hard to master. And it is still around, used in many companies with slightly outdated infrastructure. Pascal played a big role for Apple computers and was their main go-to language back in the eighties.

In the 70’s, something happened that forever changed the world we know. The granddaddy of them all, the all-great and all-powerful C programming language, was developed at Bell Labs by the famous Dennis Ritchie. It is short, it is elegant, it is simple, it is powerful, it is multi-platform and it has the best syntax of them all.

Yes, I said it. Fight me if you want.

Along with Unix it spread like wildfire, trumping everything before and everything after it. It is still used to this day, and for many it is their most loved and cherished companion.

C also influenced, and was used to code, half of the current heavy hitters, like Ruby, C#, Java, PHP and many, many others. There is probably a little bit of C in most of the devices around us today. It gives you all the best hand tools, powered and unpowered, but you still have to get your hands dirty if you want to build a three-storey mansion.

The 80’s followed up with more C-flavoured languages. First Objective-C was created as an extension of C to support, you might have guessed it already, object-oriented programming, a concept where code is broken down into objects with data and functions to manipulate said data. Although it never reached the mainstream, it did find its way into Apple’s macOS and iOS operating systems.

Then there was C++ by the famous and beloved Bjarne Stroustrup. And it is a great language, taking the power of C and expanding it in all directions, making it one of the most popular languages in the whole wide world. And today it is everywhere, from game engines to operating systems and high-performance software. Now you have cranes and excavators, heavy machinery and fine tools; you can build a hut or a skyscraper, and C++ lets you do it all.

When the 90s rolled in, things started to speed up. Computers went far and beyond, becoming gaming consoles, internet servers, entertainment devices and anything you can think of.

And every solution needed a specific programming language, so languages started to pop up left and right, influenced by their predecessors but designed to serve narrower purposes. Haskell popped up in 1990 as a purely functional programming language, designed to handle large volumes of complex calculations and number crunching. Python in 1991 took the niche of light and quick code. Visual Basic introduced a drag-and-drop style of programming with the help of a graphical user interface.

In the wild 1995 Java hit the scene, developed by Sun Microsystems for smaller, hand-held devices and later sweeping all across the world wide web. Then came PHP, master of web building. JavaScript enhanced our browsing experience. C# made C++ friendlier (maybe even too friendly) and made hacking together cool apps and then cool anything else a breeze.

Scala merged functional with object-oriented programming, making a hot but very usable mess. And the list continues, and it will grow and grow as every year new languages pop up, bringing new solutions and solving new problems. These, let’s call them smaller languages, are more like specialised tools for window making, floor laying, wall painting: it is hard to build a house using one, but you can lay some fine tiles with them.

These days it is hard to predict where programming languages will go. There are more computers, more devices and more machines. Gone are the days when a programmer knew a single language; today you had better know ten if you want to get a lowly position in some top firm. Languages gained specializations and the field of computer programming grew into a massive engineering endeavour.

We don’t know where we will end up, but there will be computers and there will be programming languages. They could be written or oral, telepathic or self-generating. But they will be there, bending the computer to our wants and our needs.


GSSAPI Authentication and Kerberos v5

This section discusses the GSSAPI mechanism, in particular Kerberos v5, how it works in conjunction with the Sun ONE Directory Server 5.2 software, and what is involved in implementing such a solution. Please be aware that this is not a trivial task.

It’s worth taking a brief look at the relationship between the Generic Security Services Application Program Interface (GSSAPI) and Kerberos v5.

The GSSAPI does not actually provide security services itself. Rather, it is a framework that provides security services to callers in a generic fashion, with a range of underlying mechanisms and technologies such as Kerberos v5. The current implementation of the GSSAPI only works with the Kerberos v5 security mechanism. The best way to think about the relationship between GSSAPI and Kerberos is in the following manner: GSSAPI is a network authentication protocol abstraction that allows Kerberos credentials to be used in an authentication exchange. Kerberos v5 must be installed and running on any system on which GSSAPI-aware programs are running.

The support for the GSSAPI is made possible in the directory server through the introduction of a new SASL library, which is based on the Cyrus CMU implementation. Through this SASL framework, DIGEST-MD5 is supported as explained previously, as is GSSAPI, which implements Kerberos v5. Additional GSSAPI mechanisms do exist. For example, GSSAPI with SPNEGO support would be GSS-SPNEGO. Other GSS mechanism names are based on the GSS mechanism’s OID.

The Sun ONE Directory Server 5.2 software only supports the use of GSSAPI on Solaris OE. There are implementations of GSSAPI for other operating systems (for example, Linux), but the Sun ONE Directory Server 5.2 software does not use them on platforms other than the Solaris OE.

Understanding GSSAPI

The Generic Security Services Application Program Interface (GSSAPI) is a standard interface, defined by RFC 2743, that provides a generic authentication and secure messaging interface into which security mechanisms can be plugged. The most commonly referred to GSSAPI mechanism is the Kerberos mechanism, which is based on secret-key cryptography.

One of the main aspects of GSSAPI is that it allows developers to add secure authentication and privacy (encryption and/or integrity checking) protection to data being passed over the wire by writing to a single programming interface. This is shown in FIGURE 3-2.

Figure 3-2. GSSAPI Layers

The underlying security mechanisms are loaded at the time the programs are executed, as opposed to when they are compiled and built. In practice, the most commonly used GSSAPI mechanism is Kerberos v5. The Solaris OE provides a few different flavors of Diffie-Hellman GSSAPI mechanisms, which are only useful to NIS+ applications.

What can be confusing is that developers might write applications that write directly to the Kerberos API, or they might write GSSAPI applications that request the Kerberos mechanism. There is a big difference, and applications that talk Kerberos directly cannot communicate with those that talk GSSAPI. The wire protocols are not compatible, even though the underlying Kerberos protocol is in use. An example is telnet with Kerberos, a secure telnet program that authenticates a telnet user and encrypts data, including passwords, exchanged over the network during the telnet session. The authentication and message protection features are provided using Kerberos. The telnet application with Kerberos only uses Kerberos, which is based on secret-key technology. However, a telnet program written to the GSSAPI interface can use Kerberos as well as other security mechanisms supported by GSSAPI.

The Solaris OE does not deliver any libraries that provide support for third-party companies to program directly to the Kerberos API. The goal is to encourage developers to use the GSSAPI. Many open-source Kerberos implementations (MIT, Heimdal) allow users to write Kerberos applications directly.

On the wire, the GSSAPI is compatible with Microsoft’s SSPI and thus GSSAPI applications can communicate with Microsoft applications that use SSPI and Kerberos.

The GSSAPI is preferred because it is a standardized API, whereas Kerberos is not. This means that the MIT Kerberos development team might change the programming interface anytime, and any applications that exist today might not work in the future without some code modifications. Using GSSAPI avoids this problem.

Another benefit of GSSAPI is its pluggable feature, which is a big benefit, especially if a developer later decides that there is a better authentication method than Kerberos, because it can easily be plugged into the system and the existing GSSAPI applications should be able to use it without being recompiled or patched in any way.

Understanding Kerberos v5

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Originally developed at the Massachusetts Institute of Technology, it is included in the Solaris OE to provide strong authentication for Solaris OE network applications.

In addition to providing a secure authentication protocol, Kerberos also offers the ability to add privacy support (encrypted data streams) for remote applications such as telnet, ftp, rsh, rlogin, and other common UNIX network applications. In the Solaris OE, Kerberos can also be used to provide strong authentication and privacy support for Network File Systems (NFS), allowing secure and private file sharing across the network.

Because of its widespread acceptance and implementation in other operating systems, including Windows 2000, HP-UX, and Linux, the Kerberos authentication protocol can interoperate in a heterogeneous environment, allowing users on machines running one OS to securely authenticate themselves on hosts of a different OS.

The Kerberos software is available for Solaris OE versions 2.6, 7, 8, and 9 in a separate package called the Sun Enterprise Authentication Mechanism (SEAM) software. For Solaris 2.6 and Solaris 7 OE, Sun Enterprise Authentication Mechanism software is included as part of the Solaris Easy Access Server 3.0 (Solaris SEAS) package. For Solaris 8 OE, the Sun Enterprise Authentication Mechanism software package is available with the Solaris 8 OE Admin Pack.

For Solaris 2.6 and Solaris 7 OE, the Sun Enterprise Authentication Mechanism software is freely available as part of the Solaris Easy Access Server 3.0 package available for download from:

http://www.sun.com/software/solaris/7/ds/ds-seas.

For Solaris 8 OE systems, Sun Enterprise Authentication Mechanism software is available in the Solaris 8 OE Admin Pack, available for download from:

http://www.sun.com/bigadmin/content/adminPack/index.html.

For Solaris 9 OE systems, Sun Enterprise Authentication Mechanism software is already installed by default and contains the following packages listed in TABLE 3-1.

Table 3-1. Solaris 9 OE Kerberos v5 Packages

Package Name    Description
SUNWkdcr        Kerberos v5 KDC (root)
SUNWkdcu        Kerberos v5 Master KDC (user)
SUNWkrbr        Kerberos version 5 support (Root)
SUNWkrbu        Kerberos version 5 support (Usr)
SUNWkrbux       Kerberos version 5 support (Usr) (64-bit)

All of these Sun Enterprise Authentication Mechanism software distributions are based on the MIT KRB5 Release version 1.0. The client programs in these distributions are compatible with later MIT releases (1.1, 1.2) and with other implementations that are compliant with the standard.

How Kerberos Works

The following is an overview of the Kerberos v5 authentication system. From the user’s standpoint, Kerberos v5 is mostly invisible after the Kerberos session has been started. Initializing a Kerberos session often involves no more than logging in and providing a Kerberos password.

The Kerberos system revolves around the concept of a ticket. A ticket is a set of electronic information that serves as identification for a user or a service such as the NFS service. Just as your driver’s license identifies you and indicates what driving permissions you have, so a ticket identifies you and your network access privileges. When you perform a Kerberos-based transaction (for example, if you use rlogin to log in to another machine), your system transparently sends a request for a ticket to a Key Distribution Center, or KDC. The KDC accesses a database to authenticate your identity and returns a ticket that grants you permission to access the other machine. Transparently means that you do not need to explicitly request a ticket.

Tickets have certain attributes associated with them. For example, a ticket can be forwardable (which means that it can be used on another machine without a new authentication process), or postdated (not valid until a specified time). How tickets are used (for example, which users are allowed to obtain which types of tickets) is set by policies that are determined when Kerberos is installed or administered.

You will frequently see the terms credential and ticket. In the Kerberos world, they are often used interchangeably. Technically, however, a credential is a ticket plus the session key for that session.

Initial Authentication

Kerberos authentication has two phases, an initial authentication that allows for all subsequent authentications, and the subsequent authentications themselves.

A client (a user, or a service such as NFS) begins a Kerberos session by requesting a ticket-granting ticket (TGT) from the Key Distribution Center (KDC). This request is often done automatically at login.

A ticket-granting ticket is needed to obtain other tickets for specific services. Think of the ticket-granting ticket as something similar to a passport. Like a passport, the ticket-granting ticket identifies you and allows you to obtain numerous “visas,” where the “visas” (tickets) are not for foreign countries, but for remote machines or network services. Like passports and visas, the ticket-granting ticket and the other various tickets have limited lifetimes. The difference is that Kerberized commands notice that you have a passport and obtain the visas for you. You don’t have to perform the transactions yourself.

The KDC creates a ticket-granting ticket and sends it back, in encrypted form, to the client. The client decrypts the ticket-granting ticket using the client’s password.

Now in possession of a valid ticket-granting ticket, the client can request tickets for all sorts of network operations for as long as the ticket-granting ticket lasts. This ticket usually lasts for a few hours. Each time the client performs a unique network operation, it requests a ticket for that operation from the KDC.

Subsequent Authentications

  • The client requests a ticket for a particular service from the KDC by sending the KDC its ticket-granting ticket as proof of identity.

  • The KDC sends the ticket for the specific service to the client.

    For example, suppose user lucy wants to access an NFS file system that has been shared with krb5 authentication required. Since she is already authenticated (that is, she already has a ticket-granting ticket), as she attempts to access the files, the NFS client system automatically and transparently obtains a ticket from the KDC for the NFS service.

  • The client sends the ticket to the server.

    When using the NFS service, the NFS client automatically and transparently sends the ticket for the NFS service to the NFS server.

  • The server allows the client access.

    These steps make it appear that the server doesn’t ever communicate with the KDC. The server does, though, as it registers itself with the KDC, just as the first client does.
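The two phases described above, as an added example that is not part of the original chapter: a toy Python simulation in which a KDC issues a ticket-granting ticket, then a ticket for an NFS service, and the server accepts it without contacting the KDC. It follows the Kerberos v5 layout in which the client's password-derived key unlocks a session key while the ticket-granting ticket itself stays sealed under the KDC's own key. The cipher is a SHA-256/HMAC stand-in rather than a real Kerberos encryption type, and the lifetimes, the passphrase and the name nfs/server.example.com are constructed for the illustration.

```python
import hashlib, hmac, json, os

TGT_LIFETIME = 8 * 3600   # assumed value for "a few hours"
TICKET_LIFETIME = 3600    # assumed service-ticket lifetime
CLOCK_SKEW = 300          # assumed tolerance for authenticator timestamps

def derive_key(password, principal):
    """Long-term key from a password (PBKDF2 stands in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """Toy encrypt-then-MAC of a JSON record; not a real Kerberos enctype."""
    enc, mac = _subkeys(key)
    plain, nonce = json.dumps(fields).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(enc, nonce, len(plain))))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + body, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(enc, nonce, len(body)))))

class KDC:
    def __init__(self):
        self.keys = {}                  # principal database: name -> long-term key
        self.tgs_key = os.urandom(32)   # known only to the KDC; seals every TGT

    def add_principal(self, name, key):
        self.keys[name] = key

    def initial_auth(self, client, now):
        """Phase 1: return a TGT plus the session key sealed under the client's key."""
        session, expires = os.urandom(32).hex(), now + TGT_LIFETIME
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": expires})
        reply = seal(self.keys[client], {"key": session, "expires": expires})
        return tgt, reply

    def service_ticket(self, tgt, authenticator, service, now):
        """Phase 2: the TGT is the proof of identity; return a ticket for one service."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("ticket-granting ticket expired")
        tgt_key = bytes.fromhex(t["key"])
        if unseal(tgt_key, authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        session = os.urandom(32).hex()
        expires = min(t["expires"], now + TICKET_LIFETIME)
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": session, "expires": expires})
        return ticket, seal(tgt_key, {"key": session, "service": service})

def client_login(kdc, client, password, now):
    tgt, reply = kdc.initial_auth(client, now)
    session = unseal(derive_key(password, client), reply)  # fails on a wrong password
    return tgt, bytes.fromhex(session["key"])               # the TGT stays opaque to the client

def client_get_ticket(kdc, client, tgt, tgt_key, service, now):
    authenticator = seal(tgt_key, {"client": client, "time": now})
    ticket, reply = kdc.service_ticket(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(tgt_key, reply)["key"])

def server_accept(service_key, ticket, authenticator, now):
    """The server checks the ticket with its own key; no call to the KDC is needed."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if now > t["expires"] or abs(now - a["time"]) > CLOCK_SKEW or a["client"] != t["client"]:
        raise PermissionError("ticket expired or authenticator invalid")
    return t["client"]

def demo(password="constructed-passphrase", login_at=0, use_at=60):
    """Constructed scenario: lucy logs in, then reaches an NFS server."""
    kdc = KDC()
    user, nfs = "lucy@EXAMPLE.COM", "nfs/server.example.com@EXAMPLE.COM"
    kdc.add_principal(user, derive_key("constructed-passphrase", user))
    nfs_key = os.urandom(32)            # shared with the KDC when the service registers
    kdc.add_principal(nfs, nfs_key)
    tgt, tgt_key = client_login(kdc, user, password, login_at)
    ticket, svc_key = client_get_ticket(kdc, user, tgt, tgt_key, nfs, use_at)
    authenticator = seal(svc_key, {"client": user, "time": use_at})
    return server_accept(nfs_key, ticket, authenticator, use_at)

if __name__ == "__main__":
    print(demo())
```

The simulation keeps no replay cache, so it shows the ticket flow and lifetime checks only.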

Principals

A client is identified by its principal. A principal is a unique identity to which the KDC can assign tickets. A principal can be a user, such as joe, or a service, such as NFS.

By convention, a principal name is divided into three parts: the primary, the instance, and the realm. A typical principal could be, for example, lucy/admin@EXAMPLE.COM, where:

lucy is the primary. The primary can be a user name, as shown here, or a service, such as NFS. The primary can also be the word host, which signifies that this principal is a service principal that is set up to provide various network services.

admin is the instance. An instance is optional in the case of user principals, but it is required for service principals. For example, if the user lucy sometimes acts as a system administrator, she can use lucy/admin to distinguish herself from her usual user identity. Likewise, if Lucy has accounts on two different hosts, she can use two principal names with different instances (for example, lucy/california.example.com and lucy/boston.example.com).
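A parser for the primary/instance@REALM convention described above, added here as an illustration and not taken from the original chapter or from any Kerberos library. The list of service primaries, the default realm, the backslash escape rule and the restriction to a single instance component are assumptions of this example.

```python
from typing import NamedTuple, Optional

SERVICE_PRIMARIES = {"host", "nfs", "ftp"}   # assumed list, for this example only

class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str

def parse_principal(name, default_realm="EXAMPLE.COM"):
    """Split primary[/instance][@REALM] and apply the rules stated in the text."""
    components, current, realm_seen, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":                       # assumed escape rule: backslash quotes next char
            if i + 1 == len(name):
                raise ValueError("dangling backslash")
            current.append(name[i + 1])
            i += 2
            continue
        if ch == "@":
            if realm_seen:
                raise ValueError("more than one '@'")
            components.append("".join(current))
            current, realm_seen = [], True
        elif ch == "/" and not realm_seen:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if realm_seen:
        realm = "".join(current)
    else:
        components.append("".join(current))
        realm = default_realm                # no "@REALM" given: fall back to the default
    if not realm or any(c == "" for c in components):
        raise ValueError("empty primary, instance or realm")
    if len(components) > 2:
        raise ValueError("expected primary[/instance]@REALM")
    primary = components[0]
    instance = components[1] if len(components) == 2 else None
    # The instance is optional for users but required for service principals.
    if primary.lower() in SERVICE_PRIMARIES and instance is None:
        raise ValueError("service principal requires an instance")
    return Principal(primary, instance, realm)
```

Because the result is a tuple of all three parts, lucy@EXAMPLE.COM and lucy/admin@EXAMPLE.COM compare as different identities.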

    Realms

    A realm is a logical network, similar to a domain, which defines a group of systems under the same master KDC. Some realms are hierarchical (one realm being a superset of the other realm). Otherwise, the realms are non-hierarchical (or direct) and the mapping between the two realms must be defined.

    Realms and KDC Servers

    Each realm must include a server that maintains the master copy of the principal database. This server is called the master KDC server. Additionally, each realm should contain at least one slave KDC server, which contains duplicate copies of the principal database. Both the master KDC server and the slave KDC server create tickets that are used to establish authentication.

    Understanding the Kerberos KDC

    The Kerberos Key Distribution Center (KDC) is a trusted server that issues Kerberos tickets to clients and servers to communicate securely. A Kerberos ticket is a block of data that is presented as the user’s credentials when attempting to access a Kerberized service. A ticket contains information about the user’s identity and a temporary encryption key, all encrypted in the server’s private key. In the Kerberos environment, any entity that is defined to have a Kerberos identity is referred to as a principal.

    A principal may be an entry for a particular user, host, or service (such as NFS or FTP) that is to interact with the KDC. Most commonly, the KDC server system also runs the Kerberos Administration Daemon, which handles administrative commands such as adding, deleting, and modifying principals in the Kerberos database. Typically, the KDC, the admin server, and the database are all on the same machine, but they can be separated if necessary. Some environments may require that multiple realms be configured with master KDCs and slave KDCs for each realm. The principles applied for securing each realm and KDC should be applied to all realms and KDCs in the network to ensure that there isn’t a single weak link in the chain.

    One of the first steps to take when initializing your Kerberos database is to create it using the kdb5_util command, which is located in /usr/sbin. When running this command, the user has the choice of whether to create a stash file or not. The stash file is a local copy of the master key that resides on the KDC’s local disk. The master key contained in the stash file is generated from the master password that the user enters when first creating the KDC database. The stash file is used to authenticate the KDC to itself automatically before starting the kadmind and krb5kdc daemons (for example, as part of the machine’s boot sequence).

    If a stash file is not used when the database is created, the administrator who starts up the krb5kdc process will have to manually enter the master key (password) every time they start the process. This may seem like a typical trade off between convenience and security, but if the rest of the system is sufficiently hardened and protected, very little security is lost by having the master key stored in the protected stash file. It is recommended that at least one slave KDC server be installed for each realm to ensure that a backup is available in the event that the master server becomes unavailable, and that slave KDC be configured with the same level of security as the master.

    Currently, the Sun Kerberos v5 Mechanism utility, kdb5_util, can create three types of keys: DES-CBC-CRC, DES-CBC-MD5, and DES-CBC-RAW. DES-CBC stands for DES encryption with Cipher Block Chaining, and the CRC, MD5, and RAW designators refer to the checksum algorithm that is used. By default, the key created will be DES-CBC-CRC, which is the default encryption type for the KDC. The type of key created is specified on the command line with the -k option (see the kdb5_util(1M) man page). Choose the password for your stash file very carefully, because this password can be used in the future to decrypt the master key and modify the database. The password may be up to 1024 characters long and can include any combination of letters, numbers, punctuation, and spaces.

    The following is an example of creating a stash file:

    kdc1 # /usr/sbin/kdb5_util create -r EXAMPLE.COM -s
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: master_key
    Re-enter KDC database master key to verify: master_key

    Notice the use of the -s argument to create the stash file. The stash file is located in /var/krb5. It appears with the following mode and ownership settings:

    kdc1 # cd /var/krb5
    kdc1 # ls -l
    -rw------- 1 root other 14 Apr 10 14:28 .k5.EXAMPLE.COM

    The directory used to store the stash file and the database should not be shared or exported.

    Secure Settings in the KDC Configuration File

    The KDC and Administration daemons both read configuration information from /etc/krb5/kdc.conf. This file contains KDC-specific parameters that govern overall behavior for the KDC and for specific realms. The parameters in the kdc.conf file are explained in detail in the kdc.conf(4) man page.

    The kdc.conf parameters describe locations of various files and ports to use for accessing the KDC and the administration daemon. These parameters generally do not need to be changed, and doing so does not result in any added security. However, there are some parameters that may be adjusted to enhance the overall security of the KDC. The following are some examples of adjustable parameters that enhance security.

  • kdc_ports – Defines the ports that the KDC will listen on to receive requests. The standard port for Kerberos v5 is 88. 750 is included and commonly used to support older clients that still use the default port designated for Kerberos v4. Solaris OE still listens on port 750 for backwards compatibility. This is not considered a security risk.

  • max_life – Defines the maximum lifetime of a ticket, and defaults to eight hours. In environments where it is desirable to have users re-authenticate frequently and to reduce the chance of having a principal’s credentials stolen, this value should be lowered. The recommended value is eight hours.

  • max_renewable_life – Defines the period of time from when a ticket is issued that it may be renewed (using kinit -R). The standard value here is 7 days. To disable renewable tickets, this value may be set to 0 days, 0 hrs, 0 min. The recommended value is 7d 0h 0m 0s.

  • default_principal_expiration – A Kerberos principal is any unique identity to which Kerberos can assign a ticket. In the case of users, it is the same as the UNIX system user name. The default lifetime of any principal in the realm may be defined in the kdc.conf file with this option. This should be used only if the realm will contain temporary principals, otherwise the administrator will have to constantly be renewing principals. Usually, this setting is left undefined and principals do not expire. This is not insecure as long as the administrator is vigilant about removing principals for users that no longer need access to the systems.

  • supported_enctypes – The encryption types supported by the KDC may be defined with this option. At this time, Sun Enterprise Authentication Mechanism software only supports des-cbc-crc:normal encryption type, but in the future this may be used to ensure that only strong cryptographic ciphers are used.

  • dict_file – The location of a dictionary file containing strings that are not allowed as passwords. A principal with any password policy (see below) will not be able to use words found in this dictionary file. This is not defined by default. Using a dictionary file is a good way to prevent users from creating trivial passwords to protect their accounts, and thus helps avoid one of the most common weaknesses in a computer network: guessable passwords. The KDC will only check passwords against the dictionary for principals which have a password policy association, so it is good practice to have at least one simple policy associated with all principals in the realm.

    The Solaris OE has a default system dictionary that is used by the spell program that may also be used by the KDC as a dictionary of common passwords. The location of this file is: /usr/share/lib/dict/words. Other dictionaries may be substituted. The format is one word or phrase per line.
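    The check below is an added example, not part of the original article or of the Sun software. It parses the [realms] section of a kdc.conf and reports settings weaker than the values recommended in the list above; the sample file, function names and finding texts are constructed for illustration.

```python
import re

# Constructed sample kdc.conf, not taken from the article: ticket lifetimes
# above the recommended values and no dict_file.
WEAK_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.COM = {
        database_name = /var/krb5/principal
        max_life = 24h 0m 0s
        max_renewable_life = 30d 0h 0m 0s
    }
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
MAX_LIFE = 8 * 3600          # recommended max_life: eight hours
MAX_RENEWABLE = 7 * 86400    # recommended max_renewable_life: 7d 0h 0m 0s


def parse_duration(text):
    """Convert a duration written like '7d 0h 0m 0s' to seconds."""
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    leftover = re.sub(r"\d+\s*[dhms]", "", text).strip()
    if not parts or leftover:
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in parts)


def parse_realms(text):
    """Return {realm: {parameter: value}} from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif line == "}":
            current = None
        elif section == "realms" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                current = realms.setdefault(key, {})
            elif current is not None:
                current[key] = value
    return realms


def audit_kdc_conf(text):
    """Return (realm, parameter, reason) for each setting weaker than recommended."""
    findings = []
    for realm, params in parse_realms(text).items():
        for key, limit in (("max_life", MAX_LIFE),
                           ("max_renewable_life", MAX_RENEWABLE)):
            # An unset lifetime falls back to the KDC default, so only
            # explicit values above the recommendation are reported.
            if key in params and parse_duration(params[key]) > limit:
                findings.append((realm, key,
                                 "%s exceeds the recommended value" % params[key]))
        if "dict_file" not in params:
            # Without dict_file the KDC has no dictionary to check passwords against.
            findings.append((realm, "dict_file",
                             "no password dictionary configured"))
    return findings


if __name__ == "__main__":
    for finding in audit_kdc_conf(WEAK_KDC_CONF):
        print("%s: %s: %s" % finding)
```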

    The following is a Kerberos v5 /etc/krb5/kdc.conf example with suggested settings:

    # Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    #
    #ident "@(#)kdc.conf 1.2 02/02/14 SMI"

    [kdcdefaults]
        kdc_ports = 88,750

    [realms]
        ___default_realm___ = {
            profile = /etc/krb5/krb5.conf
            database_name = /var/krb5/principal
            admin_keytab = /etc/krb5/kadm5.keytab
            acl_file = /etc/krb5/kadm5.acl
            kadmind_port = 749
            max_life = 8h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
            dict_file = /usr/share/lib/dict/words
        }

    Access Control

    The Kerberos administration server allows for granular control of the administrative commands by use of an access control list (ACL) file (/etc/krb5/kadm5.acl). The syntax for the ACL file allows for wildcarding of principal names so it is not necessary to list every single administrator in the ACL file. This feature should be used with great care. The ACLs used by Kerberos allow privileges to be broken down into very precise functions that each administrator can perform. If a certain administrator only needs to be allowed to have read-access to the database then that person should not be granted full admin privileges. Below is a list of the privileges allowed:

  • a – Allows the addition of principals or policies in the database.

  • A – Prohibits the addition of principals or policies in the database.

  • d – Allows the deletion of principals or policies in the database.

  • D – Prohibits the deletion of principals or policies in the database.

  • m – Allows the modification of principals or policies in the database.

  • M – Prohibits the modification of principals or policies in the database.

  • c – Allows the changing of passwords for principals in the database.

  • C – Prohibits the changing of passwords for principals in the database.

  • i – Allows inquiries to the database.

  • I – Prohibits inquiries to the database.

  • l – Allows the listing of principals or policies in the database.

  • L – Prohibits the listing of principals or policies in the database.

  • * – Short for all privileges (admcil).

  • x – Short for all privileges (admcil). Identical to *.

    Adding Administrators

    After the ACLs are set up, actual administrator principals should be added to the system. It is strongly recommended that administrative users have separate /admin principals to use only when administering the system. For example, user Lucy would have two principals in the database - lucy@REALM and lucy/admin@REALM. The /admin principal would only be used when administering the system, not for getting ticket-granting-tickets (TGTs) to access remote services. Using the /admin principal only for administrative purposes minimizes the chance of someone walking up to Joe’s unattended terminal and performing unauthorized administrative commands on the KDC.

    Kerberos principals may be differentiated by the instance part of their principal name. In the case of user principals, the most common instance identifier is /admin. It is standard practice in Kerberos to differentiate user principals by defining some to be /admin instances and others to have no specific instance identifier (for example, lucy/admin@REALM versus lucy@REALM). Principals with the /admin instance identifier are assumed to have administrative privileges defined in the ACL file and should only be used for administrative purposes. A principal with an /admin identifier which does not match up with any entries in the ACL file will not be granted any administrative privileges; it will be treated as a non-privileged user principal. Also, user principals with the /admin identifier are given separate passwords and separate permissions from the non-admin principal for the same user.

    The following is a sample /etc/krb5/kadm5.acl file:

    # Copyright (c) 1998-2000 by Sun Microsystems, Inc.
    # All rights reserved.
    #
    #pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"

    # lucy/admin is given full administrative privilege
    lucy/admin@EXAMPLE.COM *
    #
    # tom/admin user is allowed to query the database (i), listing principals
    # (l), and changing user passwords (c)
    #
    tom/admin@EXAMPLE.COM ilc

    It is highly recommended that the kadm5.acl file be tightly controlled and that users be granted only the privileges they need to perform their assigned tasks.
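    The review below is an added example, not part of the original article or of the Sun software. It reads a kadm5.acl, computes each entry's effective privileges from the letters listed above, and flags wildcard principals, full-privilege grants and privileges given to principals without the /admin instance. The sample ACL, the function names and the left-to-right handling of allow and prohibit letters are assumptions made for illustration.

```python
ALL_PRIVILEGES = "admcil"

# Constructed sample ACL for illustration; not the file shown in the article.
SAMPLE_ACL = """\
# principal                    privileges
lucy/admin@EXAMPLE.COM         *
tom/admin@EXAMPLE.COM          ilc
*/admin@EXAMPLE.COM            admcil
joe@EXAMPLE.COM                xD
helpdesk/admin@EXAMPLE.COM     cq
"""


def parse_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    local, _, realm = name.partition("@")
    primary, _, instance = local.partition("/")
    return primary, instance or None, realm or None


def effective_privileges(flags):
    """Apply flags left to right (assumed order): lowercase allows, uppercase prohibits.

    Returns (allowed letters in 'admcil' order, list of unrecognised flags).
    """
    allowed, unknown = set(), []
    for flag in flags:
        if flag in ("*", "x"):
            allowed |= set(ALL_PRIVILEGES)
        elif flag.lower() in ALL_PRIVILEGES:
            if flag.islower():
                allowed.add(flag)
            else:
                allowed.discard(flag.lower())
        else:
            unknown.append(flag)
    return "".join(p for p in ALL_PRIVILEGES if p in allowed), unknown


def audit_acl(text):
    """Return one dict per ACL entry with its effective privileges and issues."""
    report = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            report.append({"line": number, "principal": fields[0],
                           "privileges": "", "issues": ["missing-privileges"]})
            continue
        principal, flags = fields[0], fields[1]
        privileges, unknown = effective_privileges(flags)
        _, instance, _ = parse_principal(principal)
        issues = []
        if "*" in principal:
            issues.append("wildcard-principal")
        if privileges == ALL_PRIVILEGES:
            issues.append("all-privileges")
        if privileges and instance != "admin":
            issues.append("non-admin-instance")
        issues.extend("unknown-flag:%s" % flag for flag in unknown)
        report.append({"line": number, "principal": principal,
                       "privileges": privileges, "issues": issues})
    return report


if __name__ == "__main__":
    for entry in audit_acl(SAMPLE_ACL):
        print("line %(line)d  %(principal)-28s %(privileges)-7s %(issues)s" % entry)
```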

    Creating Host Keys

    Creating host keys for systems in the realm such as slave KDCs is performed the same way that creating user principals is performed. However, the -randkey option should always be used, so no one ever knows the actual key for the hosts. Host principals are almost always stored in the keytab file, to be used by root-owned processes that wish to act as Kerberos services for the local host. It is rarely necessary for anyone to actually know the password for a host principal because the key is stored safely in the keytab and is only accessible by root-owned processes, never by actual users.

    When creating keytab files, the keys should always be extracted from the KDC on the same machine where the keytab is to reside using the ktadd command from a kadmin session. If this is not feasible, take great care in transferring the keytab file from one machine to the next. A malicious attacker who possesses the contents of the keytab file could use the keys from the file to gain access to another user’s or service’s credentials. Having the keys would then allow the attacker to impersonate whatever principal the key represented and further compromise the security of that Kerberos realm. Some suggestions for transferring the keytab are to use Kerberized, encrypted ftp transfers, or to use the secure file transfer programs scp or sftp offered with the SSH package (http://www.openssh.org). Another safe method is to place the keytab on a removable disk, and hand-deliver it to the destination.

    Hand delivery does not scale well for large installations, so using the Kerberized ftp daemon is perhaps the most convenient and secure method available.

    Using NTP to Synchronize Clocks

    All servers participating in the Kerberos realm need to have their system clocks synchronized to within a configurable time limit (default 300 seconds). The safest, most secure way to systematically synchronize the clocks on a network of Kerberos servers is by using the Network Time Protocol (NTP) service. The Solaris OE comes with an NTP client and NTP server software (SUNWntpu package). See the ntpdate(1M) and xntpd(1M) man pages for more information on the individual commands. For more information on configuring NTP, refer to the following Sun BluePrints OnLine NTP articles:

    It is critical that the time be synchronized in a secure manner. A simple denial of service attack on either a client or a server would involve just skewing the time on that system to be outside of the configured clock skew value, which would then prevent anyone from acquiring TGTs from that system or accessing Kerberized services on that system. The default clock-skew value of five minutes is the maximum recommended value.

    The NTP infrastructure must also be secured, including the use of server hardening for the NTP server and application of NTP security features. Using the Solaris Security Toolkit software (formerly known as JASS) with the secure.driver script to create a minimal system and then installing just the necessary NTP software is one such method. The Solaris Security Toolkit software is available at:

    http://www.sun.com/security/jass/

    Documentation on the Solaris Security Toolkit software is available at:

    http://www.sun.com/security/blueprints

    Establishing Password Policies

    Kerberos allows the administrator to define password policies that can be applied to some or all of the user principals in the realm. A password policy contains definitions for the following parameters:

  • Minimum Password Length – The number of characters in the password, for which the recommended value is 8.

  • Maximum Password Classes – The number of different character classes that must be used to make up the password. Letters, numbers, and punctuation are the three classes and valid values are 1, 2, and 3. The recommended value is 2.

  • Saved Password History – The number of previous passwords that have been used by the principal that cannot be reused. The recommended value is 3.

  • Minimum Password Lifetime (seconds) – The minimum time that the password must be used before it can be changed. The recommended value is 3600 (1 hour).

  • Maximum Password Lifetime (seconds) – The maximum time that the password can be used before it must be changed. The recommended value is 7776000 (90 days).

    These values can be set as a group and stored as a single policy. Different policies can be defined for different principals. It is recommended that the minimum password length be set to at least 8 and that at least 2 classes be required. Most people tend to choose easy-to-remember and easy-to-type passwords, so it is a good idea to at least set up policies to encourage slightly more difficult-to-guess passwords through the use of these parameters. Setting the Maximum Password Lifetime value may be helpful in some environments, to force people to change their passwords periodically. The period is up to the local administrator according to the overriding corporate security policy used at that particular site. Setting the Saved Password History value combined with the Minimum Password Lifetime value prevents people from simply switching their password several times until they get back to their original or favorite password.

    The maximum password length supported is 255 characters, unlike the UNIX password database which only supports up to 8 characters. Passwords are stored in the KDC encrypted database using the KDC default encryption method, DES-CBC-CRC. In order to prevent password guessing attacks, it is recommended that users choose long passwords or pass phrases. The 255 character limit allows one to choose a small sentence or easy to remember phrase instead of a simple one-word password.

    A dictionary file can be used to prevent users from choosing common, easy-to-guess words (see “Secure Settings in the KDC Configuration File”). The dictionary file is only used when a principal has a policy association, so it is highly recommended that at least one policy be in effect for all principals in the realm.

    The following is an example password policy creation:

    If you specify a kadmin command without specifying any options, kadmin displays the syntax (usage information) for that command. The following code box shows this, followed by an actual add_policy command with options.

    kadmin: add_policy
    usage: add_policy [options] policy
    options are:
        [-maxlife time] [-minlife time] [-minlength length]
        [-minclasses number] [-history number]
    kadmin: add_policy -minlife "1 hour" -maxlife "90 days" -minlength 8 -minclasses 2 -history 3 passpolicy
    kadmin: get_policy passpolicy
    Policy: passpolicy
    Maximum password life: 7776000
    Minimum password life: 3600
    Minimum password length: 8
    Minimum number of password character classes: 2
    Number of old keys kept: 3
    Reference count: 0

    This example creates a password policy called passpolicy which enforces a maximum password lifetime of 90 days, minimum length of 8 characters, a minimum of 2 different character classes (letters, numbers, punctuation), and a password history of 3.

    To apply this policy to an existing user, modify the following:

    kadmin: modprinc -policy passpolicy lucy
    Principal "lucy@EXAMPLE.COM" modified.

    To modify the default policy that is applied to all user principals in a realm, change the following:

    kadmin: modify_policy -maxlife "90 days" -minlife "1 hour" -minlength 8 -minclasses 2 -history 3 default
    kadmin: get_policy default
    Policy: default
    Maximum password life: 7776000
    Minimum password life: 3600
    Minimum password length: 8
    Minimum number of password character classes: 2
    Number of old keys kept: 3
    Reference count: 1

    The Reference count value indicates how many principals are configured to use the policy.

    The default policy is automatically applied to all new principals that are not given the same password as the principal name when they are created. Any account with a policy assigned to it uses the dictionary (defined in the dict_file parameter in /etc/krb5/kdc.conf) to check for common passwords.
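    The model below is an added example, not part of the original article or of the KDC's code. It shows how the policy parameters interact: the dictionary is consulted only when a principal has a policy, and the history and minimum lifetime together stop a user from cycling back to a favorite password. The class and function names, the PBKDF2 stand-in for the Kerberos string-to-key function, and counting the current key as part of the history are assumptions.

```python
import hashlib
import string
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    minlength: int = 8        # Minimum password length
    minclasses: int = 2       # Minimum number of password character classes
    history: int = 3          # Number of old keys kept
    minlife: int = 3600       # Minimum password life, in seconds


@dataclass
class Principal:
    name: str
    policy: Optional[Policy] = None
    keys: list = field(default_factory=list)   # newest last, current key included
    last_change: int = 0


def derive_key(principal_name, password):
    """Stand-in for the Kerberos string-to-key function (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               principal_name.encode(), 1000)


def count_classes(password):
    """Count the three classes the article names: letters, numbers, punctuation."""
    return sum((
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def check_change(principal, new_password, now, dictionary):
    """Return the names of the policy rules a password change would violate."""
    policy = principal.policy
    if policy is None:
        return []          # no policy association: the dictionary is not consulted
    violations = []
    if principal.keys and now - principal.last_change < policy.minlife:
        violations.append("minlife")
    if len(new_password) < policy.minlength:
        violations.append("minlength")
    if count_classes(new_password) < policy.minclasses:
        violations.append("minclasses")
    if new_password in dictionary:
        violations.append("dictionary")
    if derive_key(principal.name, new_password) in principal.keys[-policy.history:]:
        violations.append("history")
    return violations


def change_password(principal, new_password, now, dictionary):
    """Apply the change if it passes the policy; return any violations."""
    violations = check_change(principal, new_password, now, dictionary)
    if not violations:
        principal.keys.append(derive_key(principal.name, new_password))
        if principal.policy is not None:
            principal.keys = principal.keys[-principal.policy.history:]
        principal.last_change = now
    return violations


if __name__ == "__main__":
    words = {"password", "sunshine"}           # constructed dictionary entries
    lucy = Principal("lucy@EXAMPLE.COM", Policy())
    for when, candidate in [(0, "blue-Horse7"), (10, "tmp-Pass001"),
                            (4000, "tmp-Pass001"), (8000, "blue-Horse7")]:
        result = change_password(lucy, candidate, when, words)
        print(when, candidate, result or "accepted")
```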

    Backing Up a KDC

    Backups of a KDC system should be made regularly or according to local policy. However, backups should exclude the /etc/krb5/krb5.keytab file. If the local policy requires that backups be done over a network, then these backups should be secured either through the use of encryption or possibly by using a separate network interface that is only used for backup purposes and is not exposed to the same traffic as the non-backup network traffic. Backup storage media should always be kept in a secure, fireproof location.

    Monitoring the KDC

    Once the KDC is configured and running, it should be continually and vigilantly monitored. The Sun Kerberos v5 software KDC logs information into the /var/krb5/kdc.log file, but this location can be modified in the /etc/krb5/krb5.conf file, in the logging section.

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log

    The KDC log file should have read and write permissions for the root user only, as follows:

    -rw------ 1 root other 750 25 May 10 17:55 /var/krb5/kdc.log

    Kerberos Options

    The /etc/krb5/krb5.conf file contains information that all Kerberos applications use to determine what server to talk to and what realm they are participating in. Configuring the krb5.conf file is covered in the Sun Enterprise Authentication Mechanism Software Installation Guide. Also refer to the krb5.conf(4) man page for a full description of this file.

    The appdefaults section in the krb5.conf file contains parameters that control the behavior of many Kerberos client tools. Each tool may have its own section in the appdefaults section of the krb5.conf file.

    Many of the applications that use the appdefaults section, use the same options; however, they might be set in different ways for each client application.

    Kerberos Client Applications

    The following Kerberos applications can have their behavior modified through the use of options set in the appdefaults section of the /etc/krb5/krb5.conf file or by using various command-line arguments. These clients and their configuration settings are described below.

    kinit

    The kinit client is used by people who want to obtain a TGT from the KDC. The /etc/krb5/krb5.conf file supports the following kinit options: renewable, forwardable, no_addresses, max_life, max_renewable_life and proxiable.

    telnet

    The Kerberos telnet client has many command-line arguments that control its behavior. Refer to the man page for complete information. However, there are several interesting security issues involving the Kerberized telnet client.

    The telnet client uses a session key even after the service ticket from which it was derived has expired. This means that the telnet session remains active even after the ticket originally used to gain access is no longer valid. This is insecure in a strict environment; however, the trade-off between ease of use and strict security tends to lean in favor of ease of use in this situation. It is recommended that the telnet connection be re-initialized periodically by disconnecting and reconnecting with a new ticket. The overall lifetime of a ticket is defined by the KDC (/etc/krb5/kdc.conf), normally defined as eight hours.

    The telnet client allows the user to forward a copy of the credentials (TGT) used to authenticate to the remote system using the -f and -F command-line options. The -f option sends a non-forwardable copy of the local TGT to the remote system so that the user can access Kerberized NFS mounts or other local Kerberized services on that system only. The -F option sends a forwardable TGT to the remote system so that the TGT can be used from the remote system to gain further access to other remote Kerberos services beyond that point. The -F option is a superset of -f. If the forwardable and/or forward options are set to false in the krb5.conf file, these command-line arguments can be used to override those settings, thus giving individuals control over whether and how their credentials are forwarded.

    The -x option should be used to turn on encryption for the data stream. This further protects the session from eavesdroppers. If the telnet server does not support encryption, the session is closed. The /etc/krb5/krb5.conf file supports the following telnet options: forward, forwardable, encrypt, and autologin. The autologin [true/false] parameter tells the client to attempt to log in without prompting the user for a user name. The local user name is passed on to the remote system in the telnet negotiations.

    rlogin and rsh

    The Kerberos rlogin and rsh clients behave much the same as their non-Kerberized equivalents. Because of this, it is recommended that if they are required to be included in the network files such as /etc/hosts.equiv and .rhosts that the root user’s directory be removed. The Kerberized versions have the added benefit of using the Kerberos protocol for authentication and can also use Kerberos to protect the privacy of the session using encryption.

    Similar to telnet described previously, the rlogin and rsh clients use a session key after the service ticket which it was derived from has expired. Thus, for maximum security, rlogin and rsh sessions should be re-initialized periodically. rlogin uses the -f, -F, and -x options in the same fashion as the telnet client. The /etc/krb5/krb5.conf file supports the following rlogin options: forward, forwardable, and encrypt.

    Command-line options override configuration file settings. For example, if the rsh section in the krb5.conf file indicates encrypt false, but the -x option is used on the command line, an encrypted session is used.

    rcp

    Kerberized rcp can be used to transfer files securely between systems using Kerberos authentication and encryption (with the -x command-line option). It does not prompt for passwords; the user must already have a valid TGT before using rcp if they wish to use the encryption feature. However, beware: if the -x option is not used and no local credentials are available, the rcp session will revert to the standard, non-Kerberized (and insecure) rcp behavior. It is highly recommended that users always use the -x option when using the Kerberized rcp client. The /etc/krb5/krb5.conf file supports the encrypt [true/false] option.

    login

    The Kerberos login program (login.krb5) is forked from a successful authentication by the Kerberized telnet daemon or the Kerberized rlogin daemon. This Kerberos login daemon is separate from the standard Solaris OE login daemon and thus, the standard Solaris OE features such as BSM auditing are not yet supported when using this daemon. The /etc/krb5/krb5.conf file supports the krb5_get_tickets [true/false] option. If this option is set to true, then the login program will generate a new Kerberos ticket (TGT) for the user upon proper authentication.

    ftp

    The Sun Enterprise Authentication Mechanism (SEAM) version of the ftp client uses the GSSAPI (RFC 2743) with Kerberos v5 as the default mechanism. This means that it uses Kerberos authentication and (optionally) encryption through the Kerberos v5 GSS mechanism. The only Kerberos-related command-line options are -f and -m. The -f option is the same as described above for telnet (there is no need for a -F option). The -m option allows the user to specify an alternative GSS mechanism if so desired; the default is to use the kerberos_v5 mechanism.

    The protection level used for the data transfer can be set using the protect command at the ftp prompt. Sun Enterprise Authentication Mechanism software ftp supports the following protection levels:

  • Clear – unprotected, unencrypted transmission

  • Safe – data is integrity protected using cryptographic checksums

  • Private – data is transmitted with confidentiality and integrity using encryption

    It is recommended that users set the protection level to private for all data transfers. The ftp client program does not support or reference the krb5.conf file to find any optional parameters. All ftp client options are passed on the command line. See the man page for the Kerberized ftp client, ftp(1).

    In summary, adding Kerberos to a network can increase the overall security available to the users and administrators of that network. Remote sessions can be securely authenticated and encrypted, and shared disks can be secured and encrypted across the network. In addition, Kerberos allows the database of user and service principals to be managed securely from any machine which supports the SEAM software Kerberos protocol. SEAM is interoperable with other RFC 1510 compliant Kerberos implementations such as MIT Krb5 and some MS Windows 2000 Active Directory services. Adopting the practices recommended in this section further secures the SEAM software infrastructure to help ensure a safer network environment.

    Implementing the Sun ONE Directory Server 5.2 Software and the GSSAPI Mechanism

    This section provides a high-level overview, followed by the in-depth procedures that describe the setup necessary to implement the GSSAPI mechanism and the Sun ONE Directory Server 5.2 software. This implementation assumes a realm of EXAMPLE.COM for this purpose. The following list gives an initial high-level overview of the steps required, with the next section providing the detailed information.

  • Set up DNS on the client machine. This is an important step because Kerberos requires DNS.

  • Install and configure the Sun ONE Directory Server version 5.2 software.

  • Check that the directory server and client both have the SASL plug-ins installed.

  • Install and configure Kerberos v5.

  • Edit the /etc/krb5/krb5.conf file.

  • Edit the /etc/krb5/kdc.conf file.

  • Edit the /etc/krb5/kadm5.acl file.

  • Move the kerberos_v5 line so it is the first line in the /etc/gss/mech file.

  • Create new principals using kadmin.local, which is an interactive command-line interface to the Kerberos v5 administration system.

  • Modify the rights for /etc/krb5/krb5.keytab. This access is necessary for the Sun ONE Directory Server 5.2 software.

  • Run /usr/sbin/kinit.

  • Check that you have a ticket with /usr/bin/klist.

  • Perform an ldapsearch, using the ldapsearch command-line tool from the Sun ONE Directory Server 5.2 software to test and verify.

    The sections that follow fill in the details.

    Configuring a DNS Client

    To be a DNS client, a machine must run the resolver. The resolver is neither a daemon nor a single program. It is a set of dynamic library routines used by applications that need to know machine names. The resolver’s function is to resolve users’ queries. To do that, it queries a name server, which then returns either the requested information or a referral to another server. Once the resolver is configured, a machine can request DNS service from a name server.

    The following example shows you how to configure the resolv.conf(4) file in the server kdc1 in the example.com domain.

    ;
    ; /etc/resolv.conf file for dnsmaster
    ;
    domain example.com
    nameserver 192.168.0.0
    nameserver 192.168.0.1

    The first line of the /etc/resolv.conf file lists the domain name in the form:

    domain domainname

    No spaces or tabs are permitted at the end of the domain name. Make sure that you press return immediately after the last character of the domain name.

    The second line identifies the server itself in the form:

    nameserver IP_address

    Succeeding lines list the IP addresses of one or two slave or cache-only name servers that the resolver should consult to resolve queries. Name server entries have the form:

    nameserver IP_address

    IP_address is the IP address of a slave or cache-only DNS name server. The resolver queries these name servers in the order they are listed until it obtains the information it needs.

    For more detailed information on what the resolv.conf file does, refer to the resolv.conf(4) man page.

    To Configure Kerberos v5 (Master KDC)

    In this procedure, the following configuration parameters are used:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • admin principal = lucy/admin

  • Online help URL = http://example:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956

    This procedure requires that DNS is running.

    Before you begin this configuration process, make a backup of the /etc/krb5 files.

  • Become superuser on the master KDC. (kdc1, in this example)

  • Edit the Kerberos configuration file (krb5.conf).

    You need to change the realm names and the names of the servers. See the krb5.conf(4) man page for a full description of this file.

    kdc1 # more /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM

    [realms]
            EXAMPLE.COM = {
                    kdc = kdc1.example.com
                    admin_server = kdc1.example.com
            }

    [domain_realm]
            .example.com = EXAMPLE.COM

    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log

    [appdefaults]
            gkadmin = {
                    help_url = http://example:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }

    In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries were changed. In addition, the line with ___slave_kdcs___ in the [realms] section was deleted and the line that defines the help_url was edited.

  • Edit the KDC configuration file (kdc.conf).

    You must change the realm name. See the kdc.conf(4) man page for a full description of this file.

    kdc1 # more /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750

    [realms]
            EXAMPLE.COM= {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    default_principal_flags = +preauth
            }

    In this example, only the realm name definition in the [realms] section is changed.

  • Create the KDC database by using the kdb5_util command.

    The kdb5_util command, which is located in /usr/sbin, creates the KDC database. When used with the -s option, this command creates a stash file that is used to authenticate the KDC to itself before the kadmind and krb5kdc daemons are started.

    kdc1 # /usr/sbin/kdb5_util create -r EXAMPLE.COM -s
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: key
    Re-enter KDC database master key to verify: key

    The -r option followed by the realm name is not required if the realm name is equivalent to the domain name in the server’s name space.

  • Edit the Kerberos access control list file (kadm5.acl).

    Once populated, the /etc/krb5/kadm5.acl file contains all principal names that are allowed to administer the KDC. The first entry that is added might look similar to the following:

    lucy/admin@EXAMPLE.COM *

    This entry gives the lucy/admin principal in the EXAMPLE.COM realm the ability to modify principals or policies in the KDC. The default installation includes an asterisk (*) to match all admin principals. This default could be a security risk, so it is more secure to include a list of all of the admin principals. See the kadm5.acl(4) man page for more information.

  • Edit the /etc/gss/mech file.

    The /etc/gss/mech file lists each GSSAPI-based security mechanism by name, with its object identifier (OID) and the shared library that implements the services for that mechanism under the GSSAPI. Change the following from:

    # Mechanism Name        Object Identifier        Shared Library     Kernel Module
    #
    diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4    dh640-0.so.1
    diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5    dh1024-0.so.1
    kerberos_v5             1.2.840.113554.1.2.2     gl/mech_krb5.so    gl_kmech_krb5

    To the following:

    # Mechanism Name        Object Identifier        Shared Library     Kernel Module
    #
    kerberos_v5             1.2.840.113554.1.2.2     gl/mech_krb5.so    gl_kmech_krb5
    diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4    dh640-0.so.1
    diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5    dh1024-0.so.1
  • Run the kadmin.local command to create principals.

    You can add as many admin principals as you need. But you must add at least one admin principal to complete the KDC configuration process. In the following example, lucy/admin is added as the principal.

    kdc1 # /usr/sbin/kadmin.local
    kadmin.local: addprinc lucy/admin
    Enter password for principal "lucy/admin@EXAMPLE.COM":
    Re-enter password for principal "lucy/admin@EXAMPLE.COM":
    Principal "lucy/admin@EXAMPLE.COM" created.
    kadmin.local:
  • Create a keytab file for the kadmind service.

    The following command sequence creates a special keytab file with principal entries for lucy and tom. These principals are needed for the kadmind service. In addition, you can optionally add NFS service principals, host principals, LDAP principals, and so on.

    When the principal instance is a host name, the fully qualified domain name (FQDN) must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com
    Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc1.example.com
    Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local:

    Once you have added all of the required principals, you can exit from kadmin.local as follows:

    kadmin.local: quit
  • Start the Kerberos daemons as shown:

    kdc1 # /etc/init.d/kdc start
    kdc1 # /etc/init.d/kdc.master start

    Note

    You stop the Kerberos daemons by running the following commands:

    kdc1 # /etc/init.d/kdc stop
    kdc1 # /etc/init.d/kdc.master stop
  • Add principals by using the SEAM Administration Tool.

    To do this, you must log on with one of the admin principal names that you created earlier in this procedure. However, the following command-line example is shown for simplicity.

    kdc1 # /usr/sbin/kadmin -p lucy/admin
    Enter password: kws_admin_password
    kadmin:
  • Create the master KDC host principal which is used by Kerberized applications such as klist and kprop.

    kadmin: addprinc -randkey host/kdc1.example.com
    Principal "host/kdc1.example.com@EXAMPLE.COM" created.
    kadmin:
  • (Optional) Create the master KDC root principal which is used for authenticated NFS mounting.

    kadmin: addprinc root/kdc1.example.com
    Enter password for principal root/kdc1.example.com@EXAMPLE.COM: password
    Re-enter password for principal root/kdc1.example.com@EXAMPLE.COM: password
    Principal "root/kdc1.example.com@EXAMPLE.COM" created.
    kadmin:
  • Add the master KDC’s host principal to the master KDC’s keytab file which allows this principal to be used automatically.

    kadmin: ktadd host/kdc1.example.com
    kadmin: Entry for principal host/kdc1.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab
    kadmin:

    Once you have added all of the required principals, you can exit from kadmin as follows:

    kadmin: quit
  • Run the kinit command to obtain and cache an initial ticket-granting ticket (credential) for the principal.

    This ticket is used for authentication by the Kerberos v5 system. kinit only needs to be run by the client at this time. If the Sun ONE directory server were a Kerberos client also, this step would need to be done for the server. However, you may want to use this to verify that Kerberos is up and running.

    kdclient # /usr/bin/kinit root/kdclient.example.com
    Password for root/kdclient.example.com@EXAMPLE.COM: passwd
  • Check and verify that you have a ticket with the klist command.

    The klist command reports if there is a keytab file and displays the principals. If the results show that there is no keytab file or that there is no NFS service principal, you need to verify the completion of all of the previous steps.

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- ------------------------------------------------------------------
       3 nfs/host.example.com@EXAMPLE.COM

    The example given here assumes a single domain. The KDC may reside on the same machine as the Sun ONE directory server for testing purposes, but there are security considerations to take into account on where the KDCs reside.

    With regard to the configuration of Kerberos v5 in conjunction with the Sun ONE Directory Server 5.2 software, you are finished with the Kerberos v5 part. It’s now time to look at what is required to be configured on the Sun ONE directory server side.
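A preflight check for the three files edited in this procedure, given as an added example rather than anything shipped with SEAM or the directory server. The file contents are constructed copies of the page's values, the wildcard ACL line is a constructed stand-in for the shipped default, and all function names are this example's own.

```python
import re

# Constructed copies of the files edited in this procedure (values from the page).
KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
"""
ACL_EXPLICIT = "lucy/admin@EXAMPLE.COM *\n"
ACL_WILDCARD = "*/admin@EXAMPLE.COM *\n"  # constructed stand-in for the shipped default
MECH_BEFORE = """\
# Mechanism Name  Object Identifier  Shared Library  Kernel Module
diffie_hellman_640_0   1.3.6.4.1.42.2.26.2.4  dh640-0.so.1
diffie_hellman_1024_0  1.3.6.4.1.42.2.26.2.5  dh1024-0.so.1
kerberos_v5            1.2.840.113554.1.2.2   gl/mech_krb5.so  gl_kmech_krb5
"""
MECH_AFTER = """\
# Mechanism Name  Object Identifier  Shared Library  Kernel Module
kerberos_v5            1.2.840.113554.1.2.2   gl/mech_krb5.so  gl_kmech_krb5
diffie_hellman_640_0   1.3.6.4.1.42.2.26.2.4  dh640-0.so.1
diffie_hellman_1024_0  1.3.6.4.1.42.2.26.2.5  dh1024-0.so.1
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections], key = value, one level of { }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def check_krb5_conf(text, realm, dns_domain):
    """Check the entries the procedure changes: default_realm, kdc, admin_server, domain_realm."""
    conf, findings = parse_krb5_conf(text), []
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("krb5.conf: default_realm is not " + realm)
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict):
        findings.append("krb5.conf: no [realms] block for " + realm)
    else:
        for key in ("kdc", "admin_server"):
            if key not in block:
                findings.append("krb5.conf: %s missing for %s" % (key, realm))
    if conf.get("domain_realm", {}).get("." + dns_domain) != realm:
        findings.append("krb5.conf: .%s is not mapped to %s" % (dns_domain, realm))
    return findings


def check_kadm5_acl(text):
    """Flag ACL lines that give every privilege to a wildcard principal name."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        principal, privileges = fields[0], fields[1]
        if "*" in principal.split("@", 1)[0] and privileges in ("*", "x"):
            findings.append("kadm5.acl line %d: wildcard %s holds all privileges"
                            % (number, principal))
    return findings


def check_gss_mech(text):
    """kerberos_v5 must be the first non-comment entry in /etc/gss/mech."""
    names = [line.split()[0] for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    if names and names[0] == "kerberos_v5":
        return []
    return ["gss/mech: first mechanism is %s, not kerberos_v5" % (names[0] if names else "none")]


def preflight(krb5, acl, mech, realm="EXAMPLE.COM", dns_domain="example.com"):
    return check_krb5_conf(krb5, realm, dns_domain) + check_kadm5_acl(acl) + check_gss_mech(mech)


if __name__ == "__main__":
    for finding in preflight(KRB5_CONF, ACL_WILDCARD, MECH_BEFORE):
        print(finding)
```

Running it against the real files before starting the daemons catches a misspelled key such as `admin server` before it surfaces as a kadmin connection failure.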

    Sun ONE Directory Server 5.2 GSSAPI Configuration

    As previously discussed, the Generic Security Services Application Program Interface (GSSAPI) is a standard interface that enables you to use a security mechanism such as Kerberos v5 to authenticate clients. The server uses the GSSAPI to actually validate the identity of a particular user. Once this user is validated, it’s up to the SASL mechanism to apply the GSSAPI mapping rules to obtain a DN that is the bind DN for all operations during the connection.

    The first item discussed is the new identity mapping functionality.

    The identity mapping service is required to map the credentials of another protocol, such as SASL DIGEST-MD5 and GSSAPI, to a DN in the directory server. As you will see in the following example, the identity mapping feature uses the entries in the cn=identity mapping, cn=config configuration branch, where each protocol that must perform identity mapping is defined. For more information on the identity mapping feature, refer to the Sun ONE Directory Server 5.2 Documents.

    To Perform the GSSAPI Configuration for the Sun ONE Directory Server Software
  • Check and verify, by retrieving the rootDSE entry, that the GSSAPI is returned as one of the supported SASL Mechanisms.

    Example of using ldapsearch to retrieve the rootDSE and get the supported SASL mechanisms:

    $ ./ldapsearch -h directoryserver_hostname -p ldap_port -b "" -s base "(objectclass=*)" supportedSASLMechanisms
    supportedSASLMechanisms=EXTERNAL
    supportedSASLMechanisms=GSSAPI
    supportedSASLMechanisms=DIGEST-MD5
  • Verify that the GSSAPI mechanism is enabled.

    By default, the GSSAPI mechanism is enabled.

    Example of using ldapsearch to verify that the GSSAPI SASL mechanism is enabled:

    $ ./ldapsearch -h directoryserver_hostname -p ldap_port -D "cn=Directory Manager" -w password -b "cn=SASL,cn=security,cn=config" "(objectclass=*)"
    #
    # Should return
    #
    cn=SASL, cn=security, cn=config
    objectClass=top
    objectClass=nsContainer
    objectClass=dsSaslConfig
    cn=SASL
    dsSaslPluginsPath=/var/Sun/mps/lib/sasl
    dsSaslPluginsEnable=DIGEST-MD5
    dsSaslPluginsEnable=GSSAPI
  • Create and add the GSSAPI identity-mapping.ldif.

    Add the LDIF shown below to the Sun ONE Directory Server so that it contains the correct suffix for your directory server.

    You need to do this because by default, no GSSAPI mappings are defined in the Sun ONE Directory Server 5.2 software.

    Example of a GSSAPI identity mapping LDIF file:

    #
    dn: cn=GSSAPI,cn=identity mapping,cn=config
    objectclass: nsContainer
    objectclass: top
    cn: GSSAPI

    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectclass: dsIdentityMapping
    objectclass: nsContainer
    objectclass: top
    cn: default
    dsMappedDN: uid=${Principal},ou=people,dc=example,dc=com

    dn: cn=same_realm,cn=GSSAPI,cn=identity mapping,cn=config
    objectclass: dsIdentityMapping
    objectclass: dsPatternMatching
    objectclass: nsContainer
    objectclass: top
    cn: same_realm
    dsMatching-pattern: ${Principal}
    dsMatching-regexp: (.*)@example.com
    dsMappedDN: uid=$1,ou=people,dc=example,dc=com

    It is important to make use of the ${Principal} variable, because it is the only input you have from SASL in the case of GSSAPI. Either you need to build a dn using the ${Principal} variable or you need to perform pattern matching to see if you can apply a particular mapping. A principal corresponds to the identity of a user in Kerberos.

    You can find example GSSAPI LDIF mapping files in ServerRoot/slapdserver/ldif/identityMapping_Examples.ldif.

    The following is an example using ldapmodify to do this:

    $ ./ldapmodify -a -c -h directoryserver_hostname -p ldap_port -D "cn=Directory Manager" -w password -f identity-mapping.ldif -e /var/tmp/ldif.rejects 2> /var/tmp/ldapmodify.log
  • Perform a test using ldapsearch.

    To perform this test, type the following ldapsearch command as shown below, and answer the prompt with the kinit value you previously defined.

    Example of using ldapsearch to test the GSSAPI mechanism:

    $ ./ldapsearch -h directoryserver_hostname -p ldap_port -o mech=GSSAPI -o authzid="root/hostname.domainname@EXAMPLE.COM" -b "" -s base "(objectclass=*)"

    The output that is returned should be the same as without the -o option.

    If you do not use the -h hostname option, the GSS code ends up looking for a localhost.domainname Kerberos ticket, and an error occurs.
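What the two identity mappings in the LDIF above resolve to for a few constructed principals, as an added example and not the directory server's own code. It assumes pattern entries are tried before cn=default and that matching is unanchored and case-sensitive (modelled with Python's re.search); strict_mappings is a hypothetical tightened rule set, so confirm the server's actual matching rules before relying on either result.

```python
import re

PEOPLE = "ou=people,dc=example,dc=com"

# The two mappings from the LDIF on this page: (cn, dsMatching-regexp, dsMappedDN).
# Assumption: the pattern-matching entry is tried first and cn=default is the fallback.
PAGE_MAPPINGS = [
    ("same_realm", r"(.*)@example.com", "uid=$1," + PEOPLE),
    ("default", None, "uid=${Principal}," + PEOPLE),
]


def strict_mappings(realm):
    """Hypothetical tightened rules: anchored, realm escaped, plain user names only,
    and no catch-all entry, so anything unexpected gets no bind DN at all."""
    pattern = r"^([A-Za-z0-9][A-Za-z0-9._-]{0,63})@" + re.escape(realm) + r"$"
    return [("same_realm", pattern, "uid=$1," + PEOPLE)]


def map_principal(principal, mappings):
    """Return (mapping cn, bind DN) for the first mapping that applies, or None."""
    for name, regexp, template in mappings:
        if regexp is None:
            return name, template.replace("${Principal}", principal)
        match = re.search(regexp, principal)  # assumption: unanchored, case-sensitive
        if match:
            return name, template.replace("$1", match.group(1))
    return None


# Constructed principals covering the cases worth testing on a real server.
SAMPLES = [
    "lucy@example.com",             # the case the page's pattern is written for
    "lucy@EXAMPLE.COM",             # realm spelled as in this page's krb5.conf
    "lucy@example.com.other.test",  # different realm that merely starts the same way
    "lucy/admin@example.com",       # principal with an instance component
]


def compare(realm):
    """Map every sample with the page's rules and with the strict rules for `realm`."""
    strict = strict_mappings(realm)
    return {p: (map_principal(p, PAGE_MAPPINGS), map_principal(p, strict)) for p in SAMPLES}


def loose_only(realm):
    """Principals that the page's rules map to a DN but the strict rules refuse."""
    return [p for p, (loose, tight) in compare(realm).items() if loose and not tight]


if __name__ == "__main__":
    for principal, (loose, tight) in compare("example.com").items():
        print("%-30s page=%s strict=%s" % (principal, loose, tight))
```

The second sample is the one to check first: if the server hands the mapping a principal with the upper-case realm, the lower-case pattern does not apply and the bind DN comes from cn=default with the whole principal as the uid.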


    Storage Basics: Securing iSCSI using IPSec

    In recent years, iSCSI has emerged as a viable, cost-effective alternative to its more expensive counterpart, Fibre Channel, and is now regularly used to connect servers and SANs over a wide area network. One of the attractions of IP-based storage options such as iSCSI is that they allow the existing IP-based infrastructure to be used, obviating the need to upgrade to more costly equipment and complex solutions such as Fibre Channel.

    Since iSCSI uses the IP protocol, it therefore relies on IP security protocols. Unfortunately, basic IP transmissions lack security, allowing anyone with the know-how and inclination to intercept or modify IP communications. One of the more popular methods used for securing IP communications is the IP Security Protocol (IPSec). IPSec is an IP layer-based security protocol, which is in contrast to other security protocols like SSL that operate at the application layer of the OSI model.

    To create secure data transmissions, IPSec uses two separate protocols: Authentication Headers (AH) and Encapsulating Security Payloads (ESP). AH is primarily responsible for the authentication and integrity verification of packets. It provides source authentication and integrity for data communication but does not provide any form of encryption.

    AH is capable of ensuring that network communications cannot be modified during transmission; however, it cannot protect transmitted data from being read. AH is often implemented when network communications are restricted to certain computers. In such instances, AH ensures that mutual authentication must take place between participating computers, which, in turn, prohibits network communications from occurring between non-authenticated computers.

    ESP is responsible for providing encryption services for the network data; however, it can also be used for authentication and integrity services. The difference between AH authentication and ESP authentication is that ESP includes only the ESP header, trailer, and payload portions of a data packet, whereas AH protects the entire data packet, including the IP header.

    Used together, AH and ESP provide integrity, authentication, and encryption protection for IP-based communications. To make this happen, IPSec uses a variety of security protocols. To better understand the level of protection IPSec can provide, let’s take a look at each of these security protocols individually.

    IPSec Integrity Protocols

    When we refer to integrity verification, we are talking about hash algorithms that are used to verify that the information received is exactly the same as the information sent. A hash algorithm is essentially a cryptographic checksum used by both the sender and receiver to verify that the message has not been changed. If the message has changed in transit, the hash values are different and the packet is rejected.

    When configuring IPSec integrity security, there are two options: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1). Of the two, SHA1 is more secure than MD5, but it requires more CPU resources. MD5 offers a 128-bit hashing algorithm, while SHA1 uses an algorithm that generates 160-bit authentication.
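A simplified model of the coverage difference between AH and ESP authentication described above, given as an added example and not code from the article. The packet, key and field layout are constructed for illustration; the keyed hash is truncated to 96 bits in the manner of HMAC-SHA1-96 and HMAC-MD5-96.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA gets its key material from IKE


def icv(data, digest="sha1"):
    """Keyed hash over the protected bytes, truncated to 96 bits (12 bytes)."""
    return hmac.new(KEY, data, digest).digest()[:12]


def ah_icv(pkt, digest="sha1"):
    # AH covers the IP header as well as the payload. Fields that routers change
    # in transit (TTL here) are treated as zero so the check still passes end to end.
    ip_header = socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + b"\x00"
    ah_header = struct.pack("!II", pkt["spi"], pkt["seq"])
    return icv(ip_header + ah_header + pkt["payload"], digest)


def esp_icv(pkt, digest="sha1"):
    # ESP authentication covers the ESP header and payload, not the outer IP header.
    esp_header = struct.pack("!II", pkt["spi"], pkt["seq"])
    return icv(esp_header + pkt["payload"], digest)


def rejected_by(sent, received):
    """Compare the sender's ICV with the value the receiver recomputes."""
    return {
        "AH": not hmac.compare_digest(ah_icv(sent), ah_icv(received)),
        "ESP": not hmac.compare_digest(esp_icv(sent), esp_icv(received)),
    }


# Constructed packet: addresses, SPI and payload are sample values only.
SENT = {
    "src": "192.168.0.10", "dst": "192.168.0.20", "ttl": 64,
    "spi": 0x1001, "seq": 1, "payload": b"constructed iSCSI PDU bytes",
}


def scenarios():
    """Which protocol's integrity check rejects each kind of change in transit."""
    return {
        "unchanged": rejected_by(SENT, dict(SENT)),
        "payload modified": rejected_by(SENT, dict(SENT, payload=b"constructed iSCSI PDU bytez")),
        "source address rewritten": rejected_by(SENT, dict(SENT, src="192.168.0.99")),
        "ttl decremented": rejected_by(SENT, dict(SENT, ttl=63)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-26s AH rejects: %-5s ESP rejects: %s" % (name, result["AH"], result["ESP"]))
```

The rewritten source address is rejected by AH only, which is also why AH does not survive network address translation while ESP authentication does.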

    IPsec Authentication Protocols

    Before two systems can exchange secure data, they have to mutually agree on a security pact. This security agreement is called a security association (SA). For communication to happen, both systems must agree on the same SA.

    The Internet Key Exchange (IKE) manages the SA negotiation process for IPSec connections. IKE is an Internet Engineering Task Force (IETF)-established standard method of security association and key exchange resolution. IKE performs a two-phase operation: the first phase ensures a secure communications channel, while the second operation negotiates the use of SAs.

    To establish IPSec communications, two hosts must authenticate with each other before SA negotiations can take place. Systems can be authenticated in three different ways:

  • Kerberos – Kerberos v5 is commonly implemented and is the default authentication technology used with Windows Server 2003. Kerberos provides the primary security protocol for authentication within a domain; when used, it verifies both the identity of the user and network services. Advantages of Kerberos include the fact that it can provide mutual authentication between the user and the server, as well as its interoperability — Kerberos can provide authentication between Server 2003 domains and systems in a Unix environment that is using Kerberos for authentication.
  • Public Key Certificates (PKIs) – PKIs are used to authenticate clients that are not members of a trusted domain, non-Windows clients, or computers that are not running the Kerberos v5 authentication protocol. The authentication certificates are issued from a system acting as a certification authority (CA).
  • Preshared keys – In preshared key authentication, computer systems must agree on a shared, secret key to be used for authentication in an IPSec policy. Preshared keys are to be used only where certificates and Kerberos cannot be deployed.

    IPSec Encryption Protocols

    IPSec offers three primary methods of encryption. The one you should choose depends on the security needs of your organization.

  • Data Encryption Standard (40-bit) – This encryption method provides the best performance but at a significant cost: the encryption security is lower. The 40-bit Data Encryption Standard (DES) is commonly known as Secure Sockets Layer (SSL). It can be used in environments where data security needs are a little lower.
  • Data Encryption Standard (56-bit) – Through your IPSec policies you can implement 56-bit DES as the encryption method. The DES algorithm was published in 1977 by the U.S. National Bureau of Standards, and it allows for the ability to frequently regenerate keys during a communication. This ability prevents the entire data set from being compromised if one DES key is broken. However, its use is considered outdated for businesses; it should be used only for legacy application support. Specialized hardware has been able to crack the standard 56-bit key.
  • Triple DES (3DES) – IPSec policies also allow the choice of a strong encryption algorithm, 3DES, which provides stronger encryption than DES for higher security. 3DES uses a 56-bit encryption key as well, but, as the name implies, it uses three of them. As a result, 3DES is considered 168-bit encryption, and it is used in high-security environments like the U.S. government. All computers to which the policy is assigned will receive this policy.

    IPSec Transport Modes

    IPSec can operate in one of two separate modes: transport mode and tunnel mode. These modes refer to how data is sent and secured throughout the network. In transport mode, IPSec protection is provided all the way from the source to the destination. In this way, transport mode is said to provide end-to-end transmission security.

    Tunnel mode secures data only between tunnel points or gateways. Tunnel mode provides gateway-to-gateway transmission security. When data is in transmission between the client and the server, it remains unprotected until it reaches the gateway. Once at the gateway, it is secured with IPSec until it reaches the destination gateway. At this point, data packets are decrypted and verified. The data is then sent to the receiving host unprotected. Tunnel mode is often employed when data must leave the secure confines of a local LAN or WAN and travel between hosts over a public network such as the Internet.

    While iSCSI has emerged as an alternative to Fibre Channel, securing IP communications is an important consideration. IPSec provides a method to secure IP transmissions in a heterogeneous environment. In the next Storage Basics article, we will look at working with IPSec in a Windows 2003 environment and configuring IPSec with the NETSH command.

    » See All Articles by Columnist Mike Harwood


    Understanding and selecting authentication methods

    If you are serious about computer/network security, then you must have a solid understanding of authentication methods. Debra Littlejohn Shinder takes a moment to lay out the role authentication plays in a security plan.

    Computer/network security hinges on two very simple goals:
  • Keeping unauthorized persons from gaining access to resources
  • Ensuring that authorized persons can access the resources they need

    There are a number of components involved in accomplishing these objectives. One way is to assign access permissions to resources that specify which users can or cannot access those resources and under what circumstances. (For example, you may want a specific user or group of users to have access when logged on from a computer that is physically on-site but not from a remote dial-up connection.)

    Access permissions, however, work only if you are able to verify the identity of the user who is attempting to access the resources. That’s where authentication comes in. In this Daily Drill Down, we will look at the role played by authentication in a network security plan, popular types of authentication, how authentication works, and the most commonly used authentication methods and protocols.

    Authentication and security

    Authentication is an absolutely essential element of a typical security model. It is the process of confirming the identification of a user (or in some cases, a machine) that is trying to log on or access resources. There are a number of different authentication mechanisms, but all serve this same purpose.

    Authentication vs. authorization

    It is easy to confuse authentication with another element of the security plan: authorization. While authentication verifies the user’s identity, authorization verifies that the user in question has the correct permissions and rights to access the requested resource. As you can see, the two work together. Authentication occurs first, then authorization.

    For example, when a user who belongs to a Windows domain logs onto the network, his or her identity is verified via one of several authentication types. Then the user is issued an access token, which contains information about the security groups to which the user belongs. When the user tries to access a network resource (open a file, print to a printer, etc.), the access control list (ACL) associated with that resource is checked against the access token. If the ACL shows that members of the Managers group have permission to access the resource, and the user’s access token shows that he or she is a member of the Managers group, that user will be granted access (unless the user’s account, or a group to which the user belongs, has been explicitly denied access to the resource).

    Another example of authorization is the Dialed Number Identification Service (DNIS), which authorizes a dial-in connection based on the number called.

    Logon authentication

    Most network operating systems require that a user be authenticated in order to log onto the network. This can be done by entering a password, inserting a smart card and entering the associated PIN, providing a fingerprint, voice pattern sample, or retinal scan, or using some other means to prove to the system that you are who you claim to be.

    Network access authentication

    Network access authentication verifies the user’s identity to each network service that the user attempts to access. It differs in that this authentication process is, in most cases, transparent to the user once he or she has logged on. Otherwise, the user would have to reenter the password or provide other credentials every time he or she wanted to access another network service or resource.

    IPSec authentication

    IP Security (IPSec) provides a means for users to encrypt and/or sign messages that are sent across the network to guarantee confidentiality, integrity, and authenticity. IPSec transmissions can use a variety of authentication methods, including the Kerberos protocol, public key certificates issued by a trusted certificate authority (CA), or a simple pre-shared secret key (a string of characters known to both the sender and the recipient).

    An important consideration is that both the sending and receiving computers must be configured to use a common authentication method or they will not be able to engage in secured communications.

    IPSec configuration

    If IPSec policies have been configured to require that communications be secured, the sending and receiving computers will not be able to communicate at all if they do not support a common authentication method.

    Remote authentication

    There are a number of authentication methods that can be used to confirm the identity of users who connect to the network via a remote connection such as dial-up or VPN. These include:
  • The Password Authentication Protocol (PAP)
  • The Shiva PAP (SPAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft CHAP (MS-CHAP)
  • The Extensible Authentication Protocol (EAP)

    Remote users can be authenticated via a Remote Authentication Dial-In User Service (RADIUS) or the Internet Authentication Service (IAS). Each of these will be discussed in more detail in the section titled Authentication Methods and Protocols.

    It is especially important that remote users be properly authenticated, as they generally pose a greater security risk than on-site users.

    Single Sign-On (SSO)

    Single Sign-On (SSO) is a feature that allows a user to use one password (or smart card) to authenticate to multiple servers on a network without reentering credentials. This is an obvious convenience for users, who don’t have to remember multiple passwords or keep going through the authentication process over and over to access different resources.

    There are a number of SSO products on the market that allow for single sign-on in a mixed (hybrid) environment that incorporates, for example, Microsoft Windows servers, Novell NetWare, and UNIX.

    Details on SSO

    For a more detailed discussion of SSO, see Single Sign-On Solutions in a Mixed Computing Environment.

    Authentication types

    There are several physical means by which you can provide your authentication credentials to the system. The most common—but not the most secure—is password authentication. Today’s competitive business environment demands options that offer more protection when network resources include highly sensitive data. Smart cards and biometric authentication types provide this extra protection.

    Password authentication

    Most of us are familiar with password authentication. To log onto a computer or network, you enter a user account name and the password assigned to that account. This password is checked against a database that contains all authorized users and their passwords. In a Windows 2000 network, for example, this information is contained in Active Directory.

    To preserve the security of the network, passwords must be “strong,” that is, they should contain a combination of alpha and numeric characters and symbols, they should not be words that are found in a dictionary, and they should be relatively long (eight characters or more). In short, they should not be easily guessed.

    Password authentication is vulnerable to a password “cracker” who uses a brute force attack (trying every possible combination until hitting upon the right one) or who uses a protocol “sniffer” to capture packets if passwords are not encrypted when they are sent over the network.

    Smart card authentication

    Smart cards are credit card-sized devices that hold a small computer chip, which is used to store public and private keys and other personal information used to identify a person and authenticate him or her to the system. Logging onto the network with a smart card requires that you physically insert the card into (or slide it through) a reader and then enter a Personal Identification Number (PIN) in much the same way that you use an ATM card to access an automatic teller machine.

    Smart cards use cryptography-based authentication and provide stronger security than a password because in order to gain access, the user must be in physical possession of the card and must know the PIN.

    For more detailed information about how smart cards work, see my TechProGuild Daily Drill Down “Enhancing security with the use of smart cards.”

    Biometric authentication

    An even more secure type of authentication than smart cards, biometric authentication involves the use of biological statistics that show that the probability of two people having identical biological characteristics such as fingerprints is infinitesimally small; thus, these biological traits can be used to positively identify a person.

    In addition to fingerprints, voice, retinal, and iris patterns are virtually unique to each individual and can be used for authentication purposes. This method of proving one’s identity is very difficult to falsify, although it requires expensive equipment to input the fingerprint, voice sample, or eye scan. Another advantage over smart cards is that the user does not have to remember to carry a device; his or her biological credentials are never left at home.

    Biometrics

    For more information about biometrics, see this article at Network Computing.

    How does authentication work?

    In theory, authentication is relatively simple: A user provides some sort of credentials—a password, smart card, fingerprint, digital certificate—which identifies that user as the person who is authorized to access the system. There are, however, a multiplicity of methods and protocols that can be used to accomplish this. Regardless of the method, the basic authentication process remains the same.

    The authentication process

    In most instances, a user must have a valid user account configured by the network administrator that specifies the user’s permissions and rights. User credentials must be associated with this account—a password is assigned, a smart card certificate is issued, or a biometric scan is entered into the database against which future readings will be compared.

    When the user wants to log on, he or she provides the credentials and the system checks the database for the original entry and makes the comparison. If the credentials provided by the user match those in the database, access is granted.

    Advantages of multilayered authentication

    In a high-security environment, multilayered authentication adds extra protection. In other words, you can require that the user provide more than one type of credential, such as both a fingerprint and a logon password. This further decreases the chances of an unauthorized person circumventing the security system.

    Authentication methods and protocols

    There are a large number of authentication methods and protocols that can be used, depending on the application and security requirements. In the following sections, we will discuss:

  • Kerberos
  • SSL
  • Microsoft NTLM
  • PAP and SPAP
  • CHAP and MS-CHAP
  • EAP
  • RADIUS
  • Certificate services

    These are by no means the only authentication methods in existence, but they are some of the most common.

    Kerberos

    Kerberos was developed at MIT to provide secure authentication for UNIX networks. It has become an Internet standard and is supported by Microsoft’s latest network operating system, Windows 2000. Kerberos uses temporary certificates called tickets, which contain the credentials that identify the user to the servers on the network. In the current version of Kerberos, v5, the data contained in the tickets is encrypted, including the user’s password.

    A Key Distribution Center (KDC) is a service that runs on a network server, which issues a ticket called a Ticket Granting Ticket (TGT) to the clients that authenticates to the Ticket Granting Service (TGS). The client uses this TGT to access the TGS (which can run on the same computer as the KDC). The TGS issues a service or session ticket, which is used to access a network service or resource.

    The name: Kerberos derives its name from the three-headed dog of Greek mythology (spelled Cerberus in Latin) that guarded the gates to Hades. Kerberos likewise stands guard over the network to ensure that only those who are authorized can enter.

    Secure Sockets Layer (SSL)

    The SSL protocol is another Internet standard, often used to provide secure access to Web sites, using a combination of public key technology and secret key technology. Secret key encryption (also called symmetric encryption) is faster, but asymmetric public key encryption provides for better authentication, so SSL is designed to benefit from the advantages of both. It is supported by Microsoft, Netscape, and other major browsers, and by most Web server software, such as IIS and Apache.

    SSL operates at the application layer of the DoD networking model. This means applications must be written to use it, unlike other security protocols (such as IPSec) that operate at lower layers. The Transport Layer Security (TLS) Internet standard is based on SSL.

    SSL authentication is based on digital certificates that allow Web servers and clients to verify each other’s identities before they establish a connection. (This is called mutual authentication.) Thus, two types of certificates are used: client certificates and server certificates.

    SSL overview: An excellent overview of how SSL works, Introduction to SSL, can be found at Netscape.

    Microsoft NTLM (NT LAN Manager)

    NTLM authentication is used by Windows NT servers to authenticate clients to an NT domain. Windows 2000 uses Kerberos authentication by default but retains support for NTLM for authentication of pre-Windows 2000 Microsoft servers and clients on the network. UNIX machines connecting to Microsoft networks via an SMB client also use NTLM to authenticate.

    Native mode: If you convert your Windows 2000 domain’s status to native mode, NTLM support will be disabled.

    NTLM uses a method called challenge/response, using the credentials that were provided when the user logged on each time that user tries to access a resource. This means the user’s credentials do not get transferred across the network when resources are accessed, which increases security. The client and server must reside in the same domain or there must be a trust relationship established between their domains in order for authentication to succeed.

    PAP

    PAP is used for authenticating a user over a remote access control. An important characteristic of PAP is that it sends user passwords across the network to the authenticating server in plain text. This poses a significant security risk, as an unauthorized user could capture the data packets using a protocol analyzer (sniffer) and obtain the password.

    The advantage of PAP is that it is compatible with many server types running different operating systems. PAP should be used only when necessary for compatibility purposes.

    SPAP

    SPAP is an improvement over PAP in terms of the security level, as it uses an encryption method (used by Shiva remote access servers, thus the name).

    The client sends the user name along with the encrypted password, and the remote server decrypts the password. If the username and password match the information in the server’s database, the remote server sends an Acknowledgment (ACK) message and allows the connection. If not, a Negative Acknowledgment (NAK) is sent, and the connection is refused.

    CHAP and MS-CHAP

    CHAP is another authentication protocol used for remote access security. It is an Internet standard that uses MD5, a one-way encryption method, which performs a hash operation on the password and transmits the hash result—instead of the password itself—over the network.

    This has obvious security advantages over PAP/SPAP, as the password does not go across the network and cannot be captured.

    CHAP specs: The specifications for CHAP are discussed in RFC 1994.

    The hash algorithm ensures that the operation cannot be reverse engineered to obtain the original password from the hash results. CHAP is, however, vulnerable to remote server impersonation.

    MS-CHAP is Microsoft’s version of CHAP. MS-CHAPv2 uses two-way authentication so that the identity of the server, as well as the client, is verified. This protects against server impersonation. MS-CHAP also increases security by using separate cryptographic keys for transmitted and received data.
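    The CHAP exchange described above, contrasted with PAP, as an added example that is not part of the original article: the response is MD5 over the identifier, the shared secret and the challenge (RFC 1994), and the PAP packet layout follows RFC 1334. The class and function names, the user name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier, value, name):
    """CHAP Response (Code 2): header, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def pap_request_packet(identifier, peer_id, password):
    """PAP Authenticate-Request (Code 1): the password travels in clear text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


class Authenticator:
    """Server side: issues single-use random challenges and checks responses."""

    def __init__(self, secrets_db):
        self._secrets = secrets_db   # user name -> shared secret
        self._pending = {}           # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)   # must be unpredictable and never reused
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, name, identifier, response):
        # pop() consumes the challenge, so a captured response cannot be replayed
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"constructed-secret"                  # constructed sample value
    server = Authenticator({"alice": secret})

    ident, challenge = server.new_challenge()
    value = chap_response(ident, secret, challenge)
    print("CHAP on the wire:", chap_response_packet(ident, value, b"alice").hex())
    print("PAP on the wire: ", pap_request_packet(1, b"alice", secret))
    print("first attempt:   ", server.verify("alice", ident, value))
    print("replayed attempt:", server.verify("alice", ident, value))
```

    The authenticator holds the same secret as the client and recomputes the hash, so the secret itself never crosses the link; only the PAP packet contains it.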

    EAP

    EAP is a means of authenticating a Point-to-Point Protocol (PPP) connection that allows the communicating computers to negotiate a specific authentication scheme (called an EAP type).

    A key characteristic of EAP is its extensibility, indicated by its name. Plug-in modules can be added at both client and server sides to support new EAP types.

    EAP can be used with TLS (called EAP-TLS) to provide mutual authentication via the exchange of user and machine certificates.

    RFC: EAP-TLS is defined in RFC 2716.

    EAP can also be used with RADIUS (see below).

    RADIUS

    RADIUS is often used by Internet service providers (ISPs) to authenticate and authorize dial-up or VPN users. The standards for RADIUS are defined in RFCs 2138 and 2139. A RADIUS server receives user credentials and connection information from dial-up clients and authenticates them to the network.

    RADIUS can also perform accounting services, and EAP messages can be passed to a RADIUS server for authentication. EAP only needs to be installed on the RADIUS server; it’s not required on the client machine.

    Windows 2000 Server includes a RADIUS server service called Internet Authentication Services (IAS), which implements the RADIUS standards and allows the use of PAP, CHAP, or MS-CHAP, as well as EAP.

    Certificate services

    Digital certificates consist of data that is used for authentication and securing of communications, especially on unsecured networks (for example, the Internet). Certificates associate a public key to a user or other entity (a computer or service) that has the corresponding private key.

    Certificates are issued by certification authorities (CAs), which are trusted entities that “vouch for” the identity of the user or computer. The CA digitally signs the certificates it issues, using its private key. The certificates are only valid for a specified time period; when a certificate expires, a new one must be issued. The issuing authority can also revoke certificates.

    Certificate services are part of a network’s Public Key Infrastructure (PKI). Standards for the most commonly used certificates are based on the X.509 specifications.

    Information on certificate services: Windows 2000 includes support for certificate services. For more information, see this page on Microsoft’s support site.

    Conclusion

    Authentication is a vital part of a network’s security scheme, as it is the mechanism for ensuring that the identity of a user, computer, or service is valid. There are a number of ways that authentication can be accomplished, depending on network operating system and connection type. In this Daily Drill Down, I have provided an overview of some of the most common authentication methods, under what circumstances each is used, and how they work.

