<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure a Kerberos server in i5/OS PASE" />
<meta name="abstract" content="Configure and manage a Kerberos server from your iSeries system to provide an integrated runtime environment for AIX applications." />
<meta name="description" content="Configure and manage a Kerberos server from your iSeries system to provide an integrated runtime environment for AIX applications." />
<meta name="DC.Relation" scheme="URI" content="rzakhconfigparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhchangencrypt.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberos.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcreatehostprin.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhconfigwkstation.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhconfigbackupkdc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhconfigpase" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure a Kerberos server in i5/OS PASE</title>
</head>
<body id="rzakhconfigpase"><a name="rzakhconfigpase"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure a Kerberos server in i5/OS PASE</h1>
<div><p>Configure and manage a Kerberos server from your iSeries™ system
to provide an integrated runtime environment for AIX<sup>®</sup> applications. </p>
<div class="section">i5/OS™ supports
a Kerberos server in i5/OS Portable Application Solutions Environment (PASE). i5/OS PASE
provides an integrated runtime environment for AIX applications. You can configure and
manage a Kerberos server from your iSeries system. To configure a Kerberos
server in i5/OS PASE,
complete the following tasks:</div>
<ol><li class="stepexpand"><span>In a character-based interface, type <tt>call QP2TERM</tt> at the
command prompt. </span> This command opens an interactive shell environment
that allows you to work with i5/OS PASE applications.</li>
<li class="stepexpand"><span>At the command line, enter <tt>export PATH=$PATH:/usr/krb5/sbin</tt>. </span> This command adds the directory that contains the Kerberos scripts to your path so that
the executable files can be run.</li>
<li class="stepexpand"><span><span>At the command line, enter <tt>config.krb5 -S -d iseriesa.myco.com
-r MYCO.COM</tt>, where <tt>-d</tt> is the DNS of your network and <tt>-r</tt> is
the realm name. (In this example, myco.com is the DNS name and MYCO.COM is
the realm name.)</span> </span> This command updates the krb5.config file
with the domain name and realm for the Kerberos server, creates the Kerberos
database within the integrated file system, and configures the Kerberos server
in i5/OS PASE. You are prompted to set a database Master Password and a password
for the admin/admin principal, which is used to administer the Kerberos server.<div class="p"><div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />For V5R3 and V5R4, only the existing database is supported for
storing Kerberos principals. The LDAP directory plug-in is not currently supported.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
</li>
<li class="stepexpand"><strong>Optional: </strong><span>If you want the Kerberos server and the administration
server to automatically start during an IPL, you need to perform two additional
steps. You must create a job description and add an autostart job entry. </span> To configure i5/OS to automatically start the Kerberos server and
administration server during an IPL, follow these steps:<ol type="a"><li class="substepexpand"><span>Create a job description.</span> <p>At an i5/OS command
line, type the following where <em>xxxxxx</em> is the i5/OS user profile with *ALLOBJ user authority: </p>
<p><kbd class="userinput">CRTJOBD
JOBD(QGPL/KRB5PASE) JOBQ(QSYS/QSYSNOMAX) TEXT('Start KDC and admin server
in PASE') USER(<var class="varname">xxxxxx</var>) RQSDTA('QSYS/CALL PGM(QSYS/QP2SHELL)
PARM(''/usr/krb5/sbin/start.krb5'')') SYNTAX(*NOCHK) INLLIBL(*SYSVAL) ENDSEV(30)</kbd></p>
</li>
<li class="substepexpand"><span>Add an autostart job entry. At the command line, type: </span> <p><tt>ADDAJE SBSD(QSYS/QSYSWRK) JOB(KRB5PASE) JOBD(QGPL/KRB5PASE)</tt>.</p>
</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> As an alternative to starting the servers during an IPL, you can
manually start the servers after the IPL by following these steps:<ol type="a"><li>In a character-based interface, type <tt>call QP2TERM</tt> to open the i5/OS PASE
interactive shell environment.</li>
<li>At the command line, enter <tt>/usr/krb5/sbin/start.krb5</tt> to start
the servers.</li>
</ol>
</div>
</li>
</ol>
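<p>The following check is an added example, not IBM code or part of the original procedure: after the configuration step, it confirms that a Kerberos configuration file names the realm and server host you expect. The function names, the standard <tt>[libdefaults]</tt>/<tt>[realms]</tt> file layout, and the sample file contents are assumptions; pass the path of the file on your own system.</p>

```shell
#!/bin/sh
# Added example (not IBM code). Assumes the configuration file uses the
# standard krb5.conf layout with [libdefaults] and [realms] sections.

# check_krb5_conf FILE REALM KDC_HOST -> exit status 0 if consistent, 1 if not
check_krb5_conf() {
    awk -v realm="$2" -v host="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }                  # trim surrounding whitespace
        /^\[.*\]$/ { section = $0; block = ""; next }    # section header
        $0 == "}"  { block = ""; next }                  # end of a realm block
        { split($0, kv, /[ \t]*=[ \t]*/); key = kv[1]; val = kv[2] }
        section == "[libdefaults]" && key == "default_realm" { def = val }
        section == "[realms]" && val == "{" { block = key; next }
        section == "[realms]" && block == realm && (key == "kdc" || key == "admin_server") {
            sub(/:[0-9]+$/, "", val)                     # drop an optional :port suffix
            if (tolower(val) == tolower(host)) seen[key] = 1
        }
        END {
            bad = 0
            if (def != realm) { print "default_realm is \"" def "\", expected " realm; bad = 1 }
            if (!seen["kdc"]) { print "realm " realm " has no kdc entry for " host; bad = 1 }
            if (!seen["admin_server"]) { print "realm " realm " has no admin_server entry for " host; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample file using the realm and host from the steps above
# (written for this example, not copied from a real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = MYCO.COM
[realms]
    MYCO.COM = {
        kdc = iseriesa.myco.com:88
        admin_server = iseriesa.myco.com:749
    }
[domain_realm]
    .myco.com = MYCO.COM
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp"
check_krb5_conf "$tmp" MYCO.COM iseriesa.myco.com && echo "configuration matches realm and server host"
rm -f "$tmp"
```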
<div class="section"><p><strong>What do I do next?</strong></p>
<p>If you are using Windows<sup>®</sup> 2000
or Windows XP
workstations with a Kerberos server that is not configured through Windows 2000
Active Directory (such as a Kerberos server in i5/OS PASE), you must perform several configuration
steps on both the Kerberos server and the workstation to ensure that Kerberos
authentication works properly. </p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhchangencrypt.htm">Change encryption values on Kerberos server</a><br />
To operate with Windows workstations, the Kerberos server
default encryption settings need to be changed so that clients can be authenticated
to the i5/OS PASE
Kerberos server.</li>
<li class="olchildlink"><a href="rzakhkerberos.htm">Stop and restart the Kerberos server</a><br />
You must stop and restart the Kerberos server in i5/OS PASE to
update the encryption values that you just changed. </li>
<li class="olchildlink"><a href="rzakhcreatehostprin.htm">Create host, user, and service principals</a><br />
Create host principals for your Windows 2000 and Windows XP
workstations. Create user and service principals on your Kerberos server.</li>
<li class="olchildlink"><a href="rzakhconfigwkstation.htm">Configure Windows 2000 and Windows XP workstations</a><br />
Configure your client workstations by setting the Kerberos realm and the Kerberos server.</li>
<li class="olchildlink"><a href="rzakhconfigbackupkdc.htm">Configure secondary Kerberos server</a><br />
Configure a secondary Kerberos server to use as a backup server.</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconfigparent.htm" title="Network authentication service allows the iSeries server to participate in an existing Kerberos network. As such, network authentication service assumes you have a Kerberos server configured on a secure system in your network.">Configure network authentication service</a></div>
</div>
</div>
</body>
</html>