ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahycreatecreds.htm

141 lines
8.8 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Create credentials</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahycreatecreds"></a>
<h4 id="rzahycreatecreds">Create credentials</h4>
<p>Expand the Replication management category in the navigation area of the
Web administration tool and click <span class="bold">Manage credentials</span></p>
<ol type="1">
<li>Select the location that you want to use to store the credentials from
the list of subtrees. The Web administration tool allows you to define credentials
in these locations:
<ul>
<li><span class="bold">cn=replication,cn=localhost</span>, which keeps the credentials
only on the current server.
<a name="wq218"></a>
<div class="notetitle" id="wq218">Note:</div>
<div class="notebody">In most replication cases, locating
credentials in cn=replication,cn=localhost is preferred because it provides
greater security than replicated credentials located on the subtree. However,
there are certain situations in which credentials located on cn=replication,cn=localhost
are not available.
<p>If you are trying to add a replica under a server, for
example serverA and you are connected to a different server with the Web administration
tool, serverB, the <span class="bold">Select credentials</span> field
does not display the option <span class="bold">cn=replication,cn=localhost</span>. This is because you cannot read the information or update any information
under <span class="bold">cn=localhost</span> of the serverA when you are connected
to serverB.</p>
<p>The cn=replication,cn=localhost option is only available
when the server under which you are trying to add a replica is the same server
that you are connected to with the Web administration tool.</p></div></li>
<li> Within the replicated subtree, in which case the credentials are replicated
with the rest of the subtree. Credentials placed in the replicated subtree
are created beneath the <span class="bold">ibm-replicagroup=default</span> entry for that subtree.
<a name="wq219"></a>
<div class="notetitle" id="wq219">Note:</div>
<div class="notebody">If no subtrees
are displayed, go to <a href="rzahycreatems.htm#rzahycreatems">Create a master server (replicated subtree)</a> for instructions about creating
the subtree that you want to replicate.</div></li></ul></li>
<li>Click <span class="bold">Add</span>.</li>
<li>Enter the name for the credentials you are creating, for example, <span class="bold">mycreds</span>, cn= is prefilled in the field for you.</li>
<li>Select the type of authentication method you want to use and click <span class="bold">Next</span>.
<ul>
<li>If you selected simple bind authentication:
<ol type="a">
<li>Enter the DN that the server uses to bind to the replica, for example,
cn=any</li>
<li>Enter the password the server uses when it binds to the replica, for example, <tt class="xph">secret</tt>.</li>
<li>Enter the password again to confirm that there are no typographical errors.</li>
<li>If you want, enter a brief description of the credentials.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>
<a name="wq221"></a>
<div class="notetitle" id="wq221">Note:</div>
<div class="notebody">You might want to record the credential's bind DN and
password for future reference. You will need this password when you create
the replica agreement.</div></li>
<li>If you selected Kerberos authentication:
<ol type="a">
<li>Enter your Kerberos bind DN.</li>
<li>Enter the key tab file name.</li>
<li>If you want, enter a brief description of the credentials. No other information
is necessary. See <a href="rzahyekbpi.htm#rzahyekbpi">Enable Kerberos authentication on the Directory Server</a> for additional information.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>The <span class="bold">Add Kerberos Credentials</span> panel takes
an optional bind DN of the form <tt class="xph"><img src="delta.gif" alt="Start of change" />ibm-kn=user@realm<img src="deltaend.gif" alt="End of change" /></tt> and
an optional keytab file name (referred to as a key file). If a bind DN is
specified, the server uses the specified principal name to authenticate to
the consumer server. Otherwise the server's Kerberos service name (ldap/host-name@realm)
is used. If a keytab file is used, the server uses it to obtain the credentials
for the specified principal name. If no keytab file is specified, the server
uses the keytab file specified in the server's Kerberos configuration. If
there is more than one supplier, you must specify the principal name and keytab
file to be used by all of the suppliers.
<dl>
<dt class="bold">On the server where you created the credentials:</dt>
<dd>
<ol type="a">
<li>Expand <span class="bold">Directory management</span> and click <span class="bold">Manage entries</span>.</li>
<li>Select the subtree where you stored the credentials, for example <span class="bold">cn=localhost</span> and click <span class="bold">Expand</span>.</li>
<li>Select <span class="bold">cn=replication</span> and click <span class="bold">Expand</span>.</li>
<li>Select the kerberos credentials (ibm-replicationCredentialsKerberos) and
click <span class="bold">Edit attributes</span>.</li>
<li>Click the <span class="bold">Other attributes</span> tab.</li>
<li>Enter the <span class="bold">replicaBindDN</span>, for example, <span class="bold">ibm-kn=myprincipal@SOME.REALM</span>.</li>
<li>Enter the <span class="bold">replicaCredentials</span>. This is the key tab
file name used for <span class="bold">myprincipal</span>.
<a name="wq224"></a>
<div class="notetitle" id="wq224">Note:</div>
<div class="notebody">This
principal and password should be the same as the ones you use to run <span class="bold">kinit</span> from the command line.</div></li></ol>
</dd>
<dt class="bold">On the replica</dt>
<dd>
<ol type="a">
<li>Click <span class="bold">Manage replication properties</span> in the navigation
area.</li>
<li>Select a supplier from the <span class="bold">Supplier information</span> drop-down menu or enter the name of the replicated subtree for which
you want to configure supplier credentials.</li>
<li>Click <span class="bold">Edit</span>.</li>
<li>Enter the replication bindDN. In this example, <span class="bold">ibm-kn=myprincipal@SOME.REALM</span>.</li>
<li>Enter and confirm the <span class="bold">Replication bind password</span>. This is the KDC password used for <span class="bold">myprincipal</span>.</li></ol>
</dd>
</dl></li>
<li>If you selected SSL with certificate authentication you do not need to
provide any additional information, if you are using the server's certificate.
If you choose to use a certificate other than the server's:
<ol type="a">
<li>Enter the key file name.</li>
<li>Enter the key file password.</li>
<li>Reenter the key file password to confirm it.</li>
<li>Enter the key label.</li>
<li>If you want, enter a brief description.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>See <a href="rzahyess-pi.htm#rzahyess-pi">Enable SSL and Transport Layer Security on the Directory Server</a> for additional information.</li></ul></li>
<li>On the server where you created the credentials, set the <a href="../rzakz/rzakzqretsvrsec.htm">Allow server security information to be retained (QRETSVRSEC)</a> system value
to 1 (retain data). Since the replication credentials are stored in a validation
list, this allows the server to retrieve the credentials from the validation
list when it connects to the replica.</li></ol>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>