<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Complete the planning work sheets" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablessoos400.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzcompletetheplanningworksheets2" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Complete the planning work sheets</title>
</head>
<body id="rzamzcompletetheplanningworksheets2"><a name="rzamzcompletetheplanningworksheets2"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Complete the planning work sheets</h1>
<div><div class="section"><div class="p">The following planning work sheets are tailored to fit this scenario
based on the general single signon <a href="rzamzssoplanworksheet.htm">planning
worksheets</a>. These planning work sheets demonstrate the information
that you need to gather and the decisions you need to make as you prepare
to configure the single signon implementation described by this scenario.
To ensure a successful implementation, you must be able to answer Yes to all
prerequisite items in the work sheet, and you should gather all the information
necessary to complete the work sheets before you perform any configuration
tasks.<div class="note"><span class="notetitle">Note:</span> You need to thoroughly understand the concepts related to single
signon, which include network authentication service and Enterprise Identity
Mapping (EIM) concepts, before you implement this scenario.</div>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work sheet</caption><thead align="left"><tr><th valign="top" width="60%" id="d0e29">Prerequisite work sheet</th>
<th valign="top" width="40%" id="d0e31">Answers</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="60%" headers="d0e29 ">Is your <span class="keyword">i5/OS™</span> at release V5R4
(5722-SS1)?</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Are the following options and licensed products
installed on iSeries™ A and iSeries B?<ul><li><span class="keyword">i5/OS</span> Host Servers (5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><span class="keyword">iSeries Access for Windows<sup>®</sup></span> (5722-XE1)</li>
</ul>
</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Have you installed an application that is
enabled for single signon on each of the PCs that will participate in the
single signon environment? <div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating
PCs have <span class="keyword">iSeries Access for Windows</span> (5722-XE1) installed.</div>
</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Is <span class="keyword">iSeries Navigator</span> installed
on the administrator's PC?<ul><li>Is the Network subcomponent of <span class="keyword">iSeries Navigator</span> installed
on the PC used to administer single signon?</li>
<li>Is the Security subcomponent of <span class="keyword">iSeries Navigator</span> installed
on the PC used to administer single signon?</li>
<li>Is the Users and Groups subcomponent of <span class="keyword">iSeries Navigator</span> installed
on the PC used to administer single signon?</li>
</ul>
</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td valign="top" width="60%" headers="d0e29 ">Have you installed the latest IBM<img src="eserver.gif" alt="e(logo) server" /> <span class="keyword">iSeries Access for Windows</span> service
pack? For the latest service pack, see the <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access
web page</a><img src="www.gif" alt="link outside the Information Center" />.</td>
<td valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Does the single signon administrator have
*SECADM, *ALLOBJ, and *IOSYSCFG special authorities?</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Do you have one of the following systems
acting as the Kerberos server (also known as the KDC)? If yes, specify which
system.<ol><li>Microsoft<sup>®</sup> <span class="keyword">Windows 2000</span> Server<div class="note"><span class="notetitle">Note:</span> Microsoft <span class="keyword">Windows 2000</span> Server uses Kerberos authentication
as its default security mechanism.</div>
</li>
<li>Windows<sup>®</sup> Server 2003</li>
<li><span class="keyword">i5/OS</span> PASE (V5R3 or later)</li>
<li>AIX<sup>®</sup> server</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes, <span class="keyword">Windows 2000</span> Server</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Are all the PCs in your network configured
in a <span class="keyword">Windows 2000</span> domain?</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e29 ">Is the <span class="keyword">iSeries</span> system
time within 5 minutes of the system time on the Kerberos server? If not, see <a href="../rzakh/rzakhsync.htm">Synchronize system
times</a>.</td>
<td align="left" valign="top" width="40%" headers="d0e31 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to configure EIM and network authentication
service on <span class="keyword">iSeries</span> A.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning work
sheet for <span class="keyword">iSeries</span> A</caption><thead align="left"><tr><th align="left" valign="top" width="58.58585858585859%" id="d0e235">Configuration planning work sheet for <span class="keyword">iSeries</span> A</th>
<th align="left" valign="top" width="41.41414141414141%" id="d0e241">Answers</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e235 d0e241 ">Use the following information to complete
the EIM Configuration wizard. The information in this work sheet correlates
with the information you need to supply for each page in the wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain</li>
<li>Create and join a new domain</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">Create and join a new domain</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Where do you want to configure the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">On the local directory server<div class="note"><span class="notetitle">Note:</span> This configures
the directory server on the same system on which you are currently configuring
EIM.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e235 d0e241 ">The Network Authentication Service wizard
launches from the EIM Configuration wizard. Use the following information
to complete the Network Authentication Service wizard.</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">What is the name of the Kerberos default realm to which
your <span class="keyword">iSeries</span> will belong?<div class="note"><span class="notetitle">Note:</span> A <span class="keyword">Windows 2000</span> domain is similar to a Kerberos
realm. Microsoft Windows Active Directory uses Kerberos
authentication as its default security mechanism.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e235 ">What is the Kerberos server, also known as
a key distribution center (KDC), for this Kerberos default realm? What is
the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e241 "><p><span class="uicontrol">KDC:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>88</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the Kerberos server.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e235 ">Do you want to configure a password server
for this default realm? If yes, answer the following questions: <p>What is the name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e241 ">Yes <p><span class="uicontrol">Password server:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>464</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the password server.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">For which services do you want to create keytab entries?<ul><li><span class="keyword">i5/OS</span> Kerberos Authentication</li>
<li>LDAP</li>
<li>iSeries IBM<sup>®</sup> HTTP Server</li>
<li>iSeries NetServer™</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><span class="keyword">i5/OS</span> Kerberos Authentication</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e235 ">What is the password for your service principal
or principals?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e241 "><tt>iseriesa123</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e235 ">Do you want to create a batch file to automate
adding the service principals for <span class="keyword">iSeries</span> A
to the Kerberos registry?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e241 ">Yes</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Do you want to include passwords with the <span class="keyword">i5/OS</span> service
principals in the batch file?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e235 d0e241 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Specify user information that the wizard should use
when configuring the directory server. This is the connection user. You must
specify the port number, administrator distinguished name, and a password
for the administrator. <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished
name (DN) and password to ensure the wizard has enough authority to administer
the EIM domain and the objects in it.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><p><span class="uicontrol">Port:</span> <tt>389</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">What is the name of the EIM domain that you want to
create?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><tt>MyCoEimDomain</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 ">No</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Which user registries do you want to add to the EIM
domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><p>Local i5/OS--ISERIESA.MYCO.COM<br />
Kerberos--KDC1.MYCO.COM</p>
<div class="note"><span class="notetitle">Note:</span> You should not select <strong>Kerberos user
identities are case sensitive</strong> when the wizard presents this option.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e235 ">Which EIM user do you want <span class="keyword">iSeries</span> A
to use when performing EIM operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> If you
have not configured the directory server prior to configuring single signon,
the only distinguished name (DN) you can provide for the system user is the
LDAP administrator's DN and password.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e241 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to allow <span class="keyword">iSeries</span> B
to participate in the EIM domain and to configure network authentication service
on iSeries B.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 3. Single signon configuration planning work
sheet for <span class="keyword">iSeries</span> B</caption><thead align="left"><tr><th align="left" valign="top" width="58.58585858585859%" id="d0e508">Configuration planning work sheet for <span class="keyword">iSeries</span> B</th>
<th align="left" valign="top" width="41.41414141414141%" id="d0e514">Answers</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e508 d0e514 ">Use the following information to complete
the EIM Configuration wizard for <span class="keyword">iSeries</span> B:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">How do you want to configure EIM on your system?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">Join an existing domain</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e508 d0e514 ">The Network Authentication Service wizard
launches from the EIM Configuration wizard. Use the following information
to complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can launch
the Network Authentication Service wizard independently of the EIM Configuration
wizard.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e508 ">What is the name of the Kerberos default
realm to which your <span class="keyword">iSeries</span> will
belong?<div class="note"><span class="notetitle">Note:</span> A <span class="keyword">Windows 2000</span> domain
is equivalent to a Kerberos realm. Microsoft Active Directory uses Kerberos
authentication as its default security mechanism.</div>
</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e514 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e508 ">What is the Kerberos server for this Kerberos
default realm? What is the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e514 "><p><span class="uicontrol">KDC:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>88</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the Kerberos server.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e508 ">Do you want to configure a password server
for this default realm? If yes, answer the following questions: <p>What is the name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e514 ">Yes <p><span class="uicontrol">Password server:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>464</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the password server.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">For which services do you want to create keytab entries?<ul><li><span class="keyword">i5/OS</span> Kerberos Authentication</li>
<li>LDAP</li>
<li>iSeries IBM HTTP Server</li>
<li>iSeries NetServer</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><span class="keyword">i5/OS</span> Kerberos Authentication</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e508 ">What is the password for your <span class="keyword">i5/OS</span> service
principal or principals?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e514 "><tt>iseriesb123</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, you should never use these passwords as part
of your own configuration.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e508 ">Do you want to create a batch file to automate
adding the service principals for <span class="keyword">iSeries</span> B
to the Kerberos registry?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e514 ">Yes</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Do you want to include passwords with the <span class="keyword">i5/OS</span> service
principals in the batch file?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e508 d0e514 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard for <span class="keyword">iSeries</span> B:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">What is the name of the EIM domain controller for the
EIM domain that you want to join?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><tt>iseriesa.myco.com</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Do you plan on securing the connection with SSL or TLS?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">No</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">What is the port on which the EIM domain controller
listens?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><tt>389</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Which user do you want to use to connect to the domain
controller? This is the connection user.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's
distinguished name (DN) and password to ensure the wizard has enough authority
to administer the EIM domain and the objects in it.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name and password</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">What is the name of the EIM domain that you want to
join?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><tt>MyCoEimDomain</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">No</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">What is the name of the user registry that you want
to add to the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 ">Local i5/OS--ISERIESB.MYCO.COM</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e508 ">Which EIM user do you want <span class="keyword">iSeries</span> B
to use when performing EIM operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> Earlier
in this scenario, you used the EIM Configuration wizard to configure the directory
server on <span class="keyword">iSeries</span> A. In doing
so, you created a DN and password for the LDAP administrator. This is currently
the only DN defined for the directory server. Therefore, this is the DN and
password you must supply here.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e514 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name and password</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 4. Single signon configuration planning work sheet
- user profiles</caption><thead align="left"><tr><th valign="top" id="d0e778"><span class="keyword">i5/OS</span> user profile
name</th>
<th valign="top" id="d0e783">Password is specified</th>
<th valign="top" id="d0e785">Special authority (Privilege class)</th>
<th valign="top" id="d0e787">System</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e778 ">SYSUSERA</td>
<td valign="top" headers="d0e783 ">No</td>
<td valign="top" headers="d0e785 ">User</td>
<td valign="top" headers="d0e787 "><span class="keyword">iSeries</span> A</td>
</tr>
<tr><td valign="top" headers="d0e778 ">SYSUSERB</td>
<td valign="top" headers="d0e783 ">No</td>
<td valign="top" headers="d0e785 ">User</td>
<td valign="top" headers="d0e787 "><span class="keyword">iSeries</span> B</td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 5. Single signon configuration planning work sheet - EIM
domain data</caption><thead align="left"><tr><th valign="top" width="19.838056680161944%" id="d0e825">Identifier name</th>
<th valign="top" width="23.076923076923077%" id="d0e827">User registry</th>
<th valign="top" width="25.303643724696357%" id="d0e829">User identity</th>
<th valign="top" width="15.789473684210526%" id="d0e831">Association type</th>
<th valign="top" width="15.991902834008098%" id="d0e833">Identifier description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">John Day</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">jday</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Source</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 ">Kerberos (<span class="keyword">Windows 2000</span>)
login user identity</td>
</tr>
<tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">John Day</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">JOHND</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Target</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 "><span class="keyword">i5/OS</span> user
profile on <span class="keyword">iSeries</span> A</td>
</tr>
<tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">John Day</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">DAYJO</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Target</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 "><span class="keyword">i5/OS</span> user
profile on <span class="keyword">iSeries</span> B</td>
</tr>
<tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">Sharon Jones</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">sjones</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Source</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 ">Kerberos (<span class="keyword">Windows 2000</span>)
login user identity</td>
</tr>
<tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">Sharon Jones</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">SHARONJ</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Target</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 "><span class="keyword">i5/OS</span> user
profile on <span class="keyword">iSeries</span> A</td>
</tr>
<tr><td valign="top" width="19.838056680161944%" headers="d0e825 ">Sharon Jones</td>
<td valign="top" width="23.076923076923077%" headers="d0e827 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="25.303643724696357%" headers="d0e829 ">JONESSH</td>
<td valign="top" width="15.789473684210526%" headers="d0e831 ">Target</td>
<td valign="top" width="15.991902834008098%" headers="d0e833 "><span class="keyword">i5/OS</span> user
profile on <span class="keyword">iSeries</span> B</td>
</tr>
</tbody>
</table>
</div>
|
|||
|
|
|||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 6. Single signon configuration planning work sheet - EIM domain data - policy associations</caption><thead align="left"><tr><th valign="top" width="15.918367346938775%" id="d0e951">Policy association type</th>
<th valign="top" width="25.30612244897959%" id="d0e953">Source user registry</th>
<th valign="top" width="24.081632653061224%" id="d0e955">Target user registry</th>
<th valign="top" width="17.551020408163264%" id="d0e957">User identity</th>
<th valign="top" width="17.142857142857142%" id="d0e959">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="15.918367346938775%" headers="d0e951 ">Default registry</td>
<td valign="top" width="25.30612244897959%" headers="d0e953 ">MYCO.COM</td>
<td valign="top" width="24.081632653061224%" headers="d0e955 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="17.551020408163264%" headers="d0e957 ">SYSUSERA</td>
<td valign="top" width="17.142857142857142%" headers="d0e959 ">Maps authenticated Kerberos user to appropriate <span class="keyword">i5/OS</span> user profile</td>
</tr>
<tr><td valign="top" width="15.918367346938775%" headers="d0e951 ">Default registry</td>
<td valign="top" width="25.30612244897959%" headers="d0e953 ">MYCO.COM</td>
<td valign="top" width="24.081632653061224%" headers="d0e955 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="17.551020408163264%" headers="d0e957 ">SYSUSERB</td>
<td valign="top" width="17.142857142857142%" headers="d0e959 ">Maps authenticated Kerberos user to appropriate <span class="keyword">i5/OS</span> user profile</td>
</tr>
</tbody>
</table>
</div>
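Tables 5 and 6 together determine which i5/OS user profile an EIM lookup returns for a given Kerberos principal. The following Python is an added example, not part of the IBM scenario: it loads the work sheet data and performs the lookup the way EIM resolves it, consulting identifier associations first and falling back to the default registry policy association (assumed to be enabled for the target registry). It makes visible that any MYCO.COM principal without its own identifier lands on the shared SYSUSERA or SYSUSERB profile, which is worth auditing before the configuration goes live.

```python
"""EIM lookup over the planning work sheet data (added example, not IBM code)."""

# Identifier associations from Table 5: (identifier, registry, user identity, type).
IDENTIFIER_ASSOCIATIONS = [
    ("John Day", "MYCO.COM", "jday", "Source"),
    ("John Day", "ISERIESA.MYCO.COM", "JOHND", "Target"),
    ("John Day", "ISERIESB.MYCO.COM", "DAYJO", "Target"),
    ("Sharon Jones", "MYCO.COM", "sjones", "Source"),
    ("Sharon Jones", "ISERIESA.MYCO.COM", "SHARONJ", "Target"),
    ("Sharon Jones", "ISERIESB.MYCO.COM", "JONESSH", "Target"),
]
# Default registry policy associations from Table 6:
# (source registry, target registry, target user identity).
POLICY_ASSOCIATIONS = [
    ("MYCO.COM", "ISERIESA.MYCO.COM", "SYSUSERA"),
    ("MYCO.COM", "ISERIESB.MYCO.COM", "SYSUSERB"),
]


def lookup(source_registry, source_user, target_registry):
    """Resolve source_user in source_registry to a user identity in target_registry.
    Returns (target_user, "identifier" or "policy"): identifier associations are
    consulted first; a default registry policy association (assumed enabled for
    the target registry) is the fallback. Principals are compared exactly, since
    the Kerberos user identity is case-sensitive."""
    # Step 1: which EIM identifiers own a Source association for this user?
    identifiers = {
        ident for ident, reg, user, kind in IDENTIFIER_ASSOCIATIONS
        if kind == "Source" and reg == source_registry and user == source_user
    }
    # Step 2: their Target associations in the requested registry.
    targets = {
        user for ident, reg, user, kind in IDENTIFIER_ASSOCIATIONS
        if kind == "Target" and reg == target_registry and ident in identifiers
    }
    if len(targets) > 1:
        raise LookupError(f"ambiguous mapping to {sorted(targets)}")
    if targets:
        return targets.pop(), "identifier"
    # Step 3: fall back to the default registry policy association, if any.
    for src, tgt, user in POLICY_ASSOCIATIONS:
        if src == source_registry and tgt == target_registry:
            return user, "policy"
    raise LookupError(f"no mapping for {source_user} in {source_registry}")


def policy_fallbacks(principals, source_registry, target_registry):
    """Principals that would land on the shared policy profile instead of their
    own: a check that the work sheet covers every user who needs a distinct profile."""
    return [p for p in principals
            if lookup(source_registry, p, target_registry)[1] == "policy"]
```

Run `policy_fallbacks` over the full list of Kerberos principals expected to use single signon; every name it returns will share SYSUSERA or SYSUSERB and its activity on that system will not be attributable to an individual.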
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablessoos400.htm" title="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment.">Scenario: Enable single signon for i5/OS</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm">Create a basic single signon configuration for iSeries A</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzalv/rzalveservercncpts.htm">Enterprise Identity Mapping (EIM)</a></div>
<div><a href="../rzakh/rzakhconcept.htm">Network authentication service</a></div>
</div>
</div>
</body>
</html>