HP 11I V2, 11I V1 User Manual

HP-UX AAA Server A.06.01

Getting Started Guide

HP-UX 11.0, 11i v1, 11i v2

Manufacturing Part Number : T1428-90058

E1004

U.S.A.

Legal Notices

The information in this document is subject to change without notice.Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and ﬁtness for a particular purpose. Hewlett-Packard shall not

be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the speciﬁc warranty terms applicable to your Hewlett- Packard product and replacement parts can be obtained from your local Sales and Service Ofﬁce.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR

52.227-19 for other agencies.

HEWLETT-PACKARD COMPANY 3000 Hanover Street Palo Alto, California 94304 U.S.A.

Use of this manual and ﬂexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only.

Trademark Notices. UNIX is a registered trademark of The Open Group. Internet Explorer  is a registered trademark of Microsoft Corporation. Netscape Navigator is a registered trademark of Time Warner, Inc. MC/ServiceGuard® is a registered trademark of Hewlett-Packard Company. ProLDAP™ is a trademark of Interlink Networks, Inc. OpenLDAP is a registered trademark of the OpenLDAP Foundation

Copyright Notices. ©copyright 2001-2004 Hewlett-Packard Development Company L.P., all rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws. Parts of this document originally published by Interlink Networks.

2004 Interlink Networks, Inc. All Rights Reserved. This document is copyrighted by Interlink Networks Incorporated (Interlink Networks). The information contained within this document is subject to change without notice. Interlink Networks does not guarantee the accuracy of the information.

Interlink Networks, Inc. 5405 Data Court, Suite 300 Ann Arbor, MI 48108 www.interlinknetworks.com

Contents

About This Document

1. Introduction to AAA Server

RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

RADIUS Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Establishing a RADIUS Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Supported Authentication Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

RADIUS Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Product Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

AAA Server Manager Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

The 802.1x Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Accessing the Server Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

AAA Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Conﬁguration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

AATV Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

The Software Engine: Finite State Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

HP-UX AAA Server Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Authorization Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Accounting Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Admin and Debug Tools/Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2. Installing and Starting the HP-UX AAA Server

Getting the HP-UX AAA Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Installing the HP-UX AAA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Starting the HP-UX AAA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Starting and Stopping the RMI Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Starting and Stopping Tomcat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Installation Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Commands, Utilities, & Daemons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

UnInstalling the HP-UX AAA Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3. Basic Conﬁguration Tasks

Storing User Proﬁles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

iii

Contents

Storing User Proﬁles in the Default Users File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Grouping Users by Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Adding and Modifying Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Session Logging and Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Viewing User Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Viewing Server Logﬁles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Viewing Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Securing WLANs with the HP-UX AAA Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

4. Glossary of Terms

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

About This Document

This document provides an overview of the HP-UX AAA Server and explains how to install and start the product. The document also provides steps to basic conﬁguration tasks for beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX AAA Server documentation.

The document printing date and part number indicate the document’s current edition. The printing date and part number will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details.

The latest version of this document can be found at http://docs.hp.com on the Internet and Security Solutions page.

Intended Audience

This Getting Started Guide is designed for ﬁrst-time and beginning users of the HP-UX AAA Server. The objective of this guide is to allow you to quickly familiarize yourself with the basic functions of the product. Users should be familiar with the HP-UX operating system before using this guide.

New and Changed Documentation in This Edition

• Removed the various requirements, including installing and operating requirements, for each speciﬁc 6.1.x version of the HP-UX AAA Server. Refer to the HP-UX AAA Server Release Notes for the requirements of each version of the product.

Publishing History

The following table shows the printing history of this document. The ﬁrst entry in the table corresponds to this document, while previous releases are listed in descending order.

Table 1 Getting Started Guide Printing History

Document

Part

Number

T1428-90058 10/04 A.06.01.x HP-UX 11i v1, 11i v2

T1428-90049 01/04 A.06.01.x HP-UX 11.00, 11i v1, 11i v2

T1428-90043 10/03 A.06.01.x HP-UX 11.00, 11i v1

T1428-90026 04/03 A.06.00.08 HP-UX 11.00, 11i v1

T1428-90015 02/03 A.06.00.07 HP-UX 11.00, 11i v1

T1428-90002 06/02 A.05.01.01 HP-UX 11.00, 11i v1

Document Release Date (month/year)

Supports Software

Version

Supported OS

What’s in This Document

• Chapter 1, Introduction to AAA Server, contains an overview of product features and basic information about using the server.

• Chapter 2, Installing and Starting the HP-UX AAA Server, leads you through server installation, testing the installation, and starting the Server Manager GUI.

• Chapter 3, Basic Conﬁguration Tasks, contains procedures that lead you through basic conﬁguration and testing tasks.

Typographical Conventions

monospace Identiﬁes ﬁles, daemons, or any other item that may appear on screen

italics Identiﬁes titles of books, chapters, or sections

Document Advisories Different types of notes appear in the text to call your attention to information of special importance. They are enclosed in ruling lines with a header that indicates the type of note and its urgency.

NOTE Emphasizes or supplements parts of the text. You can disregard the

information in a note and still complete a task.

IMPORTANT Notes that provide information that are essential to completing a task.

CAUTION Describes an action that must be avoided or followed to prevent a loss of data.

RADIUS Overview

The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It deﬁnes a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user proﬁles for authentication (verifying user name and password), conﬁguration information that speciﬁes the type of service to deliver, and policies to enforce that may restrict user access.

RADIUS Topology

The RADIUS protocol follows client-server architecture. The client sends user information to the RADIUS AAA server (in an Access-Request message) and after receiving a reply from the server acts according to the returned information. The RADIUS AAA server receives user requests for access from the client, attempts to authenticate the user, and returns the conﬁguration information and polices to the client. The RADIUS AAA server may be conﬁgured to authenticate an Access-Request locally or to act as a proxy client and forward a request to another AAA server. After forwarding a request, it handles the message exchanges between the NAS and the remote server. A single server can be conﬁgured to handle some requests locally and to forward proxy requests to remote servers.

In Figure 1-1 on page 3 an example ISP uses four AAA servers to handle user requests. Each user organization represents a logical grouping of users (deﬁned as a realm). Each user organization dials in to one of the ISP’s servers through an assigned NAS, some of which are shared by the same groups or realm. To provide appropriate service to a customer, the server accesses user and policy information from a repository, which may be integrated with the server, may be an external application, or a database that interfaces with the server. For the HP-UX AAA RADIUS and policy server the repository information may be stored in ﬂat text ﬁles or in an external database, such as an Oracle® database or LDAP directory server.

Chapter 12

Figure 1-1 Generic AAA Network Topology

A forwarding server sends proxied Access-Requests to a remote server

AAA servers and NASs Users dial-in exchange requests/replies to a NAS

AAA1.ISP.net location: Ann Arbor

NAS1

Introduction to AAA Server

RADIUS Overview

A User

Organization

B User

Organization

C User

Organization

D User

Organization

E User

Organization

F User

Organization

Repository

AAA4.ISP.net location: Detroit

Repository

AAA2.ISP.net location: Flint

AAA3.ISP.net location: Kalamazoo

NAS2

NAS3

NAS4

Establishing a RADIUS Session

The handling of a user request is series of message exchanges that attempts to provide the user with a network service by establishing a session for the user. This transaction can be described as a series of actions that exchange data packets containing information related to the request. Figure 1-2, Client-Server RADIUS Transaction, illustrates the details of the

Chapter 1 3

Introduction to AAA Server

RADIUS Overview

transaction between a RADIUS AAA server and a client (a NAS in this example). When the user’s workstation connects to the client, the client sends an Access-Request RADIUS data packet to the AAA server.

Figure 1-2 Client-Server RADIUS Transaction

User

User Connects

Client

(NAS)

Access-Request

AAA Server

Access-Reject

User Disconnects

Or Access-Accept

Accounting-Request (Start)

Session Starts

Accounting-Response

Accounting-Request (Stop)

Session Ends

Accounting-Response

User Disconnected

When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server will then take information from the Access-Request and attempt to match the request to a user proﬁle. The proﬁle will contain a list of requirements that must be met to successfully authenticate the user. Authentication usually includes veriﬁcation of a password, but can also specify other information, such as the port number of the client or the service type that has been requested, that must be veriﬁed.

If all conditions are met, the server will send an Access-Accept packet to the client; otherwise, the server will send an Access-Reject. An Access-Accept data packet often includes authorization information that speciﬁes what services the user can access and other session information, such as a timeout value that will indicate when the user should be disconnected from the system.

When the client receives an Access-Accept packet, it will generate an Accounting-Request to start the session and send the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user that will use the service. The server will respond with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user’s session will end when the client generates an

Chapter 14

Introduction to AAA Server

RADIUS Overview

Accounting-Request—triggered by the user, by the client, or an interruption in service—to stop the session. Again, the server will acknowledge the Accounting-Request with an Accounting-Response.

Supported Authentication Methods

The following list describes the authentication methods the HP-UX AAA Server supports:

Password Authentication Protocol (PAP)

Not a strong authentication method to establish a connection; passwords are sent in clear text between the user and client. When used with RADIUS for authentication, the messages exchanged between the client and server to establish a PPP connection corresponds to Figure 1-2. This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.

Challenge Handshake Authentication Protocol (CHAP)

A stronger authentication protocol to establish a connection. When used with RADIUS for authentication, the messages exchanged between the client and server to establish a PPP connection is similar to Figure 1-2. One difference, however, is that a challenge occurs between the user and NAS before the NAS sends an Access-Request. The user must respond by encrypting the challenge (usually a random number) and returning the result. Authorized users are equipped with special devices, like smart cards or software, which can calculate the correct response. The NAS will then forward the challenge and the response in the Access-Request, which the AAA server will use to authenticate the user.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

An implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.

Extensible Authentication Protocol (EAP)

Like CHAP, EAP is a more secure authentication protocol to establish a PPP connection than PAP and offers more ﬂexibility to handle authentication requests with different encryption algorithms. It allows authentication by encapsulating various types of authentication exchanges, such as MD5. These EAP messages can be encapsulated in the packets of other protocols, such as RADIUS, for compatibility with a wide range of authentication

Chapter 1 5

Introduction to AAA Server

RADIUS Overview

mechanisms. This ﬂexibility also allows EAP to be implemented in a way (LEAP, for example) that is more suitable for wireless and mobile environments than other authentication protocols. EAP allows authentication to take place directly between the user and server without the intervention by the access device that occurs with CHAP.

The following is a list of the EAP supported authentication methods you can use with the HP-UX AAA Server A.06.01:

• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using its digital certiﬁcate. Note: some wireless supplicants require speciﬁc extensions to support certiﬁcates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certiﬁcate/Token Card-based Authentication; and, Encrypted Tunnelling.

• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods like PAP, MS-CHAP, and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Wireless supplicants available for a large number of clients. TTLS features include: Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and, Encrypted Tunnelling.

• Protected EAP (PEAP): Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Encrypted Tunnelling.

• Message Digest 5 (MD5): Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication trafﬁc will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods. The main feature in MD5 is Password-based Authentication.

• Lightweight EAP (LEAP): For Legacy Cisco equipment only. LEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Password-based Authentication.

• Generic Token Card (GTC): Carries user speciﬁc token cards for authentication. The main feature in GTC is Digital Certiﬁcate/Token Card-based Authentication.

• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication trafﬁc will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods. EAP-MSCHAP features include Mutual Authentication and Password-based Authentication.

RADIUS Data Packets

The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The RADIUS RFC 2865 deﬁnes how vendors can extend the protocol. Encapsulation is the RFC

Chapter 16

Introduction to AAA Server

RADIUS Overview

deﬁned way of extending RADIUS. Conﬂicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see the Administrator’s Guide.

Shared Secret

Encrypting the transmission of the User-Password in a request is accomplished by a shared secret. The shared secret is used to sign RADIUS data packets to ensure they are coming from a trusted source. The shared secret is also used to encrypt user passwords with certain authentication methods such as PAP. The HP-UX AAA Server uses the clients conﬁguration ﬁle to associate a secret to each client (or server) that is authorized to make use of its services.

Chapter 1 7

Introduction to AAA Server

Product Structure

The HP-UX AAA Server, based on a client/server architecture, consists of the following components which may be installed independently:

• HP-UX AAA Server daemon, libraries, and utilities

• The AAA Server Manager is the user interface that performs administration and conﬁguration tasks from a client’s browser for one or more AAA servers.

• AAA Server module for Oracle authentication

• Documentation

The exchange of conﬁguration information between a remote AAA server and the AAA Server Manager program is validated by a shared secret. This secret is unique to the Server Manager and a remote AAA server. It should not be the same secret used by a AAA server and the peers that it communicates with. The exchange of information between a browser and the client program is not validated or encrypted by default, although you can conﬁgure HTTPS to secure this communication. Refer to the HP-UX AAA Server Administrator’s Guide for more information about conﬁguring Server Manager to run over HTTPS.

NOTE To secure the communication between the Server Manager and the HP-UX

AAA Server, install the Server Manager and the HP-UX AAA Server software inside a secure network.

AAA Servers

AAA server installations include the AAA server, which performs the authentication, authorization, and accounting functions to process requests, and RMI objects. The RMI objects establish a connection and facilitate communication between the AAA server and the HP-UX Tomcat-based Serverlet Engine.

AAA Server Manager Program

The AAA Server Manager utilizes the HP-UX Tomcat-based Serverlet Engine to provide a conﬁguration interface between a web browser and one or more AAA servers. Server Manager is used for starting, stopping, conﬁguring, and modifying the servers. In addition, the program can retrieve logged server sessions and accounting information for an administrator.

Chapter 18

Introduction to AAA Server

Product Structure

The 802.1x Advisor

The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. The 802.1x Advisor provides information only—it does not edit conﬁguration ﬁles. Follow the 802.1x Advisor and use Server Manager to create and deploy basic AAA conﬁgurations for securing WLANs. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX AAA Server documentation. The following ﬁgure shows the 802.1x Advisor.

Figure 1-3 The 802.1x Advisor For Securing WLANs

Chapter 1 9

Introduction to AAA Server

Product Structure

Accessing the Server Manager

The Server Manager provides access to the AAA server management functions and conﬁguration ﬁles. From a remote client workstation, administrators can access the AAA Server Manager interface through a Web browser. An administrator can create a AAA conﬁguration for authenticating users and implementing authorization policies. In addition to creating, modifying, and deleting entries in many of the server’s conﬁguration ﬁles, an administrator may start and stop the AAA server, access the server’s status and system time, retrieve information from accounting and session logs, and terminate sessions. You can access the functions that perform these operations by selecting an item from the Navigation Tree located in the left frame of the HTML page.

Figure 1-4 The Server Manager User Interface

Chapter 110

Introduction to AAA Server

Product Structure

Some advanced features of the HP-UX AAA Server cannot be conﬁgured through the Server Manager interface. For example, if you want to deﬁne session management parameters, policies, or vendor-speciﬁc attributes, you must manually edit the conﬁguration ﬁles. Refer to the HP-UX AAA Server Administrator’s Guide for more information.

IMPORTANT Refer to the HP-UX AAA Server Release Notes for the supported browsers for

each version of the product.

NOTE The browser preferences or Internet options should be set to always compare

loaded pages to cached pages.

Chapter 1 11

Introduction to AAA Server

AAA Server Architecture

The HP-UX AAA Server Architecture consists of three primary components:

• Conﬁguration ﬁles. By editing these ﬂat text ﬁles, with either the Server Manager user interface or with a text editor, you can provide the information necessary for the server to perform authentication, authorization, and accounting requests for conﬁgured users.

• AATV plug-ins perform discrete actions; such as initiating an authentication request, replying to an authentication request, or logging an accounting record.

• The software engine, which includes the Finite State Machine (FSM) and some associated routines. At server startup, the ﬁnite state machine reads instructions from a state table—by default the /etc/opt/aaa/radius.fsm text ﬁle. The state table outlines what AATV actions to call and what order to call them in.

When the server is initialized, it performs a few distinct operations. It loads and initializes the AATV plug-ins, so that actions can be executed when called by the ﬁnite state machine. It also reads the conﬁguration ﬁles to initialize the data required for the actions to execute according to the application’s requirements.

Conﬁguration Files

The HP-UX AAA Server reads data from the following conﬁguration ﬁles installed at /etc/opt/aaa/ by default:

Table 1-1 HP-UX AAA Server Conﬁguration Files

File Description

clients Information about all RADIUS clients—name,

address, shared secret, type, etc.—that allows the server to recognize and communicate with the clients.

authfile Authentication typeparameters for deﬁned realms.

users Information about user IDs, passwords, and

check/deny/reply items.

Chapter 112

+ 44 hidden pages