<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Complete the planning work sheets" />
<meta name="DC.Relation" scheme="URI" content="rzakhscencross.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhcrossscenario_completeplanningworksheets" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Complete the planning work sheets</title>
</head>
<body id="rzakhcrossscenario_completeplanningworksheets"><a name="rzakhcrossscenario_completeplanningworksheets"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Complete the planning work sheets</h1>
<div><p>The following planning work sheet lists the prerequisites that you need to
complete before you perform these scenario tasks.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Prerequisite planning work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e20">Questions</th>
<th valign="top" width="25%" id="d0e22">Answers </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e20 ">Is your i5/OS™ V5R3 or later (5722-SS1)?</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Are the following options and licensed products installed
on iSeries™ A: <ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows<sup>®</sup> (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">Are the following licensed products installed
on iSeries B:<ul><li>iSeries Access
for Windows (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
<li>i5/OS PASE
(5722-SS1 Option 33)</li>
</ul>
</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Have you installed Windows 2000 on all of your PCs?</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">Is iSeries Access for Windows (5722-XE1)
installed on the PC used to administer network authentication service?</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Have you installed iSeries Navigator and the following subcomponents
on the PC used to administer network authentication service?<ul><li>Security</li>
<li>Network</li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Have you installed the latest iSeries Access for Windows service
pack? See <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access</a><img src="www.gif" alt="link outside the Information Center" /> for the
latest service pack.</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">Do you have *ALLOBJ special authority on
the iSeries servers? </td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Do you have administrative authorities on the Windows 2000
server?</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e20 ">Do you have your DNS configured and the correct host
names for your iSeries and
Kerberos server?</td>
<td valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">On which operating system do you want to
configure the Kerberos server?<ol><li>Windows<sup>®</sup> 2000
Server</li>
<li>Windows Server
2003</li>
<li>AIX<sup>®</sup> Server</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">i5/OS PASE</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e20 ">Is the iSeries system time within five minutes
of the Kerberos server's system time? If not, see <a href="rzakhsync.htm">Synchronize
system times</a>.</td>
<td align="left" valign="top" width="25%" headers="d0e22 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<p>The following planning work sheet illustrates the type of information you
need before you begin setting up cross realm trust.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Planning work sheet for cross realm
trust</caption><thead align="left"><tr class="tablemainheaderbar"><th valign="top" width="48.717948717948715%" id="d0e210">Planning work sheet for cross realm trust</th>
<th align="left" valign="top" width="51.28205128205128%" id="d0e212">Answers </th>
</tr>
</thead>
<tbody><tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">What are the names of the realms for which you want
to establish a trusted relationship?<ul><li>The Kerberos realm using the Windows 2000 server as its Kerberos
server</li>
<li>The Kerberos realm using iSeries B as its Kerberos server (configured in i5/OS PASE)</li>
</ul>
<p></p>
</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 "><p>ORDEPT.MYCO.COM<br />
SHIPDEPT.MYCO.COM</p>
</td>
</tr>
<tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">Have all i5/OS service principals and user principals
been added to their respective Kerberos servers?</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 ">Yes</td>
</tr>
<tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">What is the default user name for the i5/OS PASE administrator?<p>What
is the password you want to specify for the i5/OS PASE administrator?</p>
<div class="note"><span class="notetitle">Note:</span> This
must be the same password you used when you created the Kerberos server in i5/OS PASE.
Any and all passwords specified in this scenario are for example purposes
only. To prevent a compromise to your system or network security, you should
never use these passwords as part of your own configuration.</div>
</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 "><p>User name: admin/admin<br />
Password: secret</p>
</td>
</tr>
<tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">What are the names of the principals that will be used
to set up cross realm trust? <p>What is the password for each of these principals?</p>
<div class="note"><span class="notetitle">Note:</span> Any
and all passwords specified in this scenario are for example purposes only.
To prevent a compromise to your system or network security, you should never
use these passwords as part of your own configuration.</div>
</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 "><p>Principal: <br />
krbtgt/SHIPDEPT.MYCO.COM@ORDEPT.MYCO.COM<br />
<br />
Password: shipord1<br />
</p>
<p>Principal: <br />
krbtgt/ORDEPT.MYCO.COM@SHIPDEPT.MYCO.COM<br />
<br />
Password: shipord2</p>
<p></p>
</td>
</tr>
<tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">What are the fully qualified host names for each of
the Kerberos servers for these realms?<ul><li>ORDEPT.MYCO.COM</li>
<li>SHIPDEPT.MYCO.COM</li>
</ul>
</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 "><p>kdc1.ordept.myco.com <br />
iseriesb.shipdept.myco.com</p>
</td>
</tr>
<tr><td valign="top" width="48.717948717948715%" headers="d0e210 ">Are the system times for all systems within five minutes
of one another? If not, see <a href="rzakhsync.htm">Synchronize system
times</a>.</td>
<td align="left" valign="top" width="51.28205128205128%" headers="d0e212 ">Yes</td>
</tr>
</tbody>
</table>
</div>
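<p>Added example, not part of the original IBM topic: a Python pre-flight check that runs the answers from Table 2 through the rules the work sheets state (one krbtgt principal per trust direction, no reuse of the published sample passwords, system times within five minutes). The function names, the dictionary layout, the host-in-realm-domain convention and the sample input are assumptions made for this illustration.</p>

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # limit stated in both work sheets
SAMPLE_PASSWORDS = {"secret", "shipord1", "shipord2"}  # published on this page

def expected_trust_principals(realm_a, realm_b):
    """A two-way trust needs one krbtgt principal per direction."""
    return {f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"}

def check_worksheet(sheet, clocks):
    """Return findings as strings; an empty list means the sheet passes."""
    findings = []
    for realm in sheet["realms"]:
        if realm != realm.upper():  # case-sensitive; upper case by convention
            findings.append(f"realm {realm} is not upper case")
    want = expected_trust_principals(*sheet["realms"])
    have = set(sheet["principals"])
    findings += [f"missing trust principal {p}" for p in sorted(want - have)]
    findings += [f"unexpected trust principal {p}" for p in sorted(have - want)]
    for name, password in sorted(sheet["principals"].items()):
        if password in SAMPLE_PASSWORDS:
            findings.append(f"{name} uses a documented sample password")
    for realm, host in sorted(sheet["kdc_hosts"].items()):
        # Assumption: as on the work sheet, each KDC lives in the DNS
        # domain that matches its realm name.
        if not host.lower().endswith("." + realm.lower()):
            findings.append(f"KDC host {host} is outside domain of {realm}")
    spread = max(clocks.values()) - min(clocks.values())
    if spread > MAX_SKEW:
        findings.append(f"clock spread {spread} exceeds {MAX_SKEW}")
    return findings

# Constructed input: the page's realms and hosts, one deliberately truncated
# principal, one reused sample password, and a 6.5 minute clock difference.
NOON = datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SHEET = {
    "realms": ["ORDEPT.MYCO.COM", "SHIPDEPT.MYCO.COM"],
    "principals": {
        "krbtgt/SHIPDEPT.MYCO.COM@ORDEPT.MYCO.COM": "shipord1",
        "krbtgt/ORDEPT.MYCO.COM@SHIPDEPT.MYCO": "constructed-value",
    },
    "kdc_hosts": {"ORDEPT.MYCO.COM": "kdc1.ordept.myco.com",
                  "SHIPDEPT.MYCO.COM": "iseriesb.shipdept.myco.com"},
}
SAMPLE_CLOCKS = {"kdc1": NOON, "iseriesb": NOON + timedelta(minutes=6, seconds=30)}

if __name__ == "__main__":
    for finding in check_worksheet(SAMPLE_SHEET, SAMPLE_CLOCKS):
        print(finding)
```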
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscencross.htm" title="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network.">Scenario: Set up cross realm trust</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm">Ensure that the Kerberos server in i5/OS PASE on iSeries B has started</a></div>
</div>
</div>
</body>
</html>