ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahx_5.4.0.1/rzahxagentkerberos.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure your platform to use Kerberos" />
<meta name="abstract" content="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network." />
<meta name="description" content="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network." />
<meta name="DC.Relation" scheme="URI" content="rzahxagentsecure.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconfigpase.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahxagentsecurepref.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahxagentsecurepref.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahxagentkerberos" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure your platform to use Kerberos</title>
</head>
<body id="rzahxagentkerberos"><a name="rzahxagentkerberos"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure your platform to use Kerberos</h1>
<div><p>The intelligent agent platform uses Kerberos principals to authenticate
users and services throughout the agent platform. Kerberos protocol, developed
by Massachusetts Institute of Technology, allows a principal (a user or service)
to prove its identity to another service within an insecure network.</p>
<div class="section"><p>Authentication of principals is completed through a centralized
server called a key distribution center (KDC). The KDC authenticates a user
with a Kerberos ticket. These tickets prove the principal's identity to other
services in a network. After a principal is authenticated by these tickets,
they can exchange encrypted data with a target service.</p>
<p>The platform
uses Kerberos to authenticate user signon and initial platform startup. To
use Kerberos to secure your platform, you must either find an existing KDC,
or create a working KDC that all parts of the platform will use. Every system
running a piece of the platform and every PC running a console that connects
to this platform must be configured to use this KDC. You need to list all
Kerberos principals in the <strong>ableplatform.preferences</strong> file that are used
by the platform to authenticate users and services. Each platform Java™ Virtual
Machine (agent pool) will have a service principal associated with it, and
each user logging onto the platform from a console will need a user principal.
All of these principals will need to be added to the KDC.</p>
</div>
<ol><li class="stepexpand"><span><strong>Find or create a usable Kerberos key distribution center (KDC)</strong> </span> <p>The agent platform does not require a KDC on <span class="keyword">i5/OS™</span>,
a KDC running on any platform will work. If you cannot find an existing KDC
to use, you can create your own. <span><img src="./delta.gif" alt="Start of change" />In V5R3 or later<img src="./deltaend.gif" alt="End of change" /></span>, <span class="keyword">i5/OS</span> supports a native Kerberos
server in <span class="keyword">i5/OS</span> PASE. You
can configure and manage a Kerberos server from your <span class="keyword">iSeries™</span> system.
To configure a Kerberos server in <span class="keyword">i5/OS</span> PASE,
complete the following tasks:</p>
<ol type="a"><li><span>In a character-based interface, type:  <strong>call QP2TERM</strong>.
This command opens an interactive shell environment that allows you to work
with <span class="keyword">i5/OS</span> PASE applications.</span></li>
<li><span>At the command line, enter:  <strong>export PATH=$PATH:/usr/krb5/sbin</strong>.
This command points to the Kerberos scripts that are necessary to run the
executable files.</span></li>
<li><span>At the command line, enter:  <strong>config.krb5 -S -d iseriesa.myco.com
-r MYCO.COM</strong>. This command updates the krb5.config file with the domain
name and realm for the Kerberos server, creates the Kerberos database within
the integrated file system, and configures the Kerberos server in <span class="keyword">i5/OS</span> PASE. You will be prompted
to add a database Master Password and a password for the admin/admin principal
which is used to administer the Kerberos server.</span></li>
<li><span>At the command line, enter:  <strong>/usr/krb5/sbin/start.krb5</strong> to
start the servers.</span></li>
</ol>
</li>
<li class="stepexpand"><span><strong>Configure systems in your agent environment to use Kerberos</strong> </span> <p>After you create a Kerberos server (KDC), you need to individually
configure each client PC that will attempt to connect to the secure platform,
and each <span class="keyword">iSeries</span> system in
your agent platform to point to your Kerberos server (KDC).</p>
<ul><li><strong>Configure your client PC</strong> <p>To configure a client PC, you need
to create a text file called <strong>krb5.conf</strong> in the security folder of the
JVM that runs your <span class="keyword">iSeries Navigator</span> intelligent
agents console located here (where C: is the drive your Client Access driver
is installed on):</p>
<blockquote>C:\Program Files\IBM\Client Access\JRE\Lib\Security</blockquote>
<div class="p">The <strong>krb5.conf</strong> file
tells all JVMs started from this JRE which KDC to use when dealing with Kerberos.
The following is an example of what a generic <strong>krb5.conf</strong> file might
look like if the KDC realm was KDC_REALM.PASE.COM and was found on system1.ibm.com:<div class="note"><span class="notetitle">Note:</span> By
using the code examples, you agree to the terms of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div>
</div>
<pre>[libdefaults]
 default_realm           = KDC_REALM.PASE.COM
 default_tkt_enctypes    = des-cbc-crc
 default_tgs_enctypes    = des-cbc-crc

[realms]
 KDC_REALM.PASE.COM = {
         kdc = system1.rchland.ibm.com:88
}
        
[domain_realm]
 .rchland.ibm.com = KDC_REALM.PASE.COM</pre>
</li>
<li><strong>Configure your <span class="keyword">iSeries</span> system</strong> <p>To
point your <span class="keyword">iSeries</span> system to
your KDC, you need to modify the following file:</p>
<blockquote>/QIBM/userdata/OS400/networkauthentication/ <strong>krb5.conf</strong></blockquote>
<p>The <strong>krb5.conf</strong> file
tells all JVMs started from this JRE which KDC to use when dealing with Kerberos.
The following is an example of what a generic <strong>krb5.conf</strong> file might
look like on the server if the KDC realm was KDC_REALM.PASE.COM and was found
on system1.ibm.com:</p>
<pre>??(libdefaults??)                                     
  default_realm = KDC_REALM.PASE.COM                    
??(appdefaults??)                                     
??(realms??)                                          
  KDC_REALM.PASE.COM = {                                
    kdc = system1.rchland.ibm.com:88                  
  }                                                   
??(domain_realm??)                                    
 system1.rchland.ibm.com = KDC_REALM.PASE.COM</pre>
</li>
</ul>
 </li>
<li class="stepexpand"><span><strong>Acquire Kerberos user and service principals</strong></span> <p>After
you configure a KDC, you will need to create the user and service principals
you plan to use to secure the platform, and register these principals to the
KDC:</p>
<dl><dt class="dlterm">Service Principals:</dt>
<dd>Each agent pool (JVM) defined in <span class="uicontrol">ableplatform.preferences</span> must
have a service principal associated with it. Service principals are specific
to the system that they will run on, so they must include that system name
and be in the following format:  <span class="uicontrol">ServicePrincipalName/systemName@KDCRealm</span>.
Each of the agent pools on the platform can use the same service principal,
or you can specify that each pool use its own service principal. If each of
your agent pools have different authority levels, then different principals
should be used for each different authority level.</dd>
<dt class="dlterm">User Principals:</dt>
<dd>Each user that you want to allow to connect to the secure platform through
the console will need a user principal. User principals can be associated
with each agent definition listed in <span class="uicontrol">ableplatform.preferences</span>.
A user principal can connect to a platform from the console, regardless of
the system the console is running on. Because of this, a user principal only
needs to include the principal name and the KDC realm the principal belongs
to:  <span class="uicontrol">UserPrincipalName@KDCRealm</span>.</dd>
</dl>
 <p>You need to add a principal to the KDC for
each Service and User principal that your platform will use. The following
steps will help you add your principals to your KDC if you are using the native
KDC on the server:</p>
<ol type="a"><li class="substepexpand"><span>In a character-based interface, type:  <kbd class="userinput">call QP2TERM</kbd>.</span></li>
<li class="substepexpand"><span>At the command line, enter:  <kbd class="userinput">export PATH=$PATH:/usr/krb5/sbin</kbd>.
This command points to the Kerberos scripts that are necessary to run the
executable files.</span></li>
<li class="substepexpand"><span>At the command line, type:  <kbd class="userinput">kadmin -p admin/admin</kbd>,
and press  <span class="uicontrol">Enter</span>.</span></li>
<li class="substepexpand"><span>Sign in with administrator's password.</span></li>
<li class="substepexpand"><span>At the command line:</span> <ul><li>To add service principals for Pools running on an <span class="keyword">iSeries</span> server: <p><kbd class="userinput">addprinc
-pw secret servicePrincipalName/iSeries fully qualified host name@REALM</kbd></p>
 </li>
<li>To add user principals: <p><kbd class="userinput">addprinc -pw secret jonesm</kbd>.
This creates a principal for a user to log in from a console.</p>
 </li>
<li>To add service principals for Pools running on a PC: <p><kbd class="userinput">addprinc
-requires_preauth -e des-cbc-crc:normal -pw host/pc1.myco.com.</kbd></p>
</li>
</ul>
</li>
</ol>
  <p>If you are using the native KDC, see the following topics for more
information on how to add principals to your KDC:</p>
<p>If you are adding
Service principals for Pools that will be running on an <span class="keyword">iSeries</span> server,
see: <a href="../rzakh/rzakhdefineiseries.htm">Add <span class="keyword">i5/OS</span> principals to the Kerberos
server</a>.</p>
<p>If you are adding User principals or Service principals
for Pools that will be running on a PC, see: <a href="../rzakh/rzakhcreatehostprin.htm">Create
Host principals for Windows<sup>®</sup> 2000 workstations and users</a></p>
 </li>
<li class="stepexpand"><span><strong>Add service principals to each keytab file</strong></span> <p>When
starting up a secure platform each agent pool will use the principal that
it was defined to start with, and use it to authenticate itself. This requires
each Pool JVM to have access to valid Kerberos credentials for the principal
it is using. The <span class="keyword">iSeries</span> <span class="cmdname">Start
Agent Services (STRAGTSRV)</span> command will handle this, as long as
there is an entry in the keytab file for the principal that is being used.
Follow these steps to add an entry to the keytab file for each service principal
that is to run on each of your platform systems:</p>
<p>If you are running
the native KDC on an <span class="keyword">iSeries</span> server:</p>
 <ol type="a"><li><span>In a character-based interface, type:  <kbd class="userinput">STRQSH</kbd>.
This command starts the qsh shell interpreter.</span></li>
<li><span>Enter the following command (where <var class="varname">ServicePrincipal</var> is
the name of the service principal you want to add, <var class="varname">system@KDCRealm</var> is
the fully qualified system name and Kerberos realm, and where <var class="varname">thePassword</var> is
the password associated with your service principal): <kbd class="userinput">keytab add
ServicePrincipal/system@KDCRealm -p thePassword</kbd></span></li>
</ol>
</li>
</ol>
<div class="section"><p>After you set up your KDC and create your user and service principals,
you need to configure security in your <span class="uicontrol">ableplatform.preferences</span> file.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahxagentsecure.htm" title="It is strongly recommended that you use Kerberos user and service principals to authenticate users, agent pools, and agent services to one another on or across a secure platform or distributed platform.">Secure your agent environment</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzakh/rzakhconfigpase.htm">Configure a Kerberos server in i5/OS PASE</a></div>
<div><a href="../rzakh/rzakhconfig.htm">Configure network authentication</a></div>
<div><a href="rzahxagentsecurepref.htm" title="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC).">Configure platform security</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="task" />`
			`<meta name="DC.Title" content="Configure your platform to use Kerberos" />`
			`<meta name="abstract" content="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network." />`
			`<meta name="description" content="The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. Kerberos protocol, developed by Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network." />`
			`<meta name="DC.Relation" scheme="URI" content="rzahxagentsecure.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconfigpase.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconfig.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzahxagentsecurepref.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzahxagentsecurepref.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzahxagentkerberos" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Configure your platform to use Kerberos</title>`
			`</head>`
			`<body id="rzahxagentkerberos"><a name="rzahxagentkerberos"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Configure your platform to use Kerberos</h1>`
			`<div><p>The intelligent agent platform uses Kerberos principals to authenticate`
			`users and services throughout the agent platform. Kerberos protocol, developed`
			`by Massachusetts Institute of Technology, allows a principal (a user or service)`
			`to prove its identity to another service within an insecure network.</p>`
			`<div class="section"><p>Authentication of principals is completed through a centralized`
			`server called a key distribution center (KDC). The KDC authenticates a user`
			`with a Kerberos ticket. These tickets prove the principal's identity to other`
			`services in a network. After a principal is authenticated by these tickets,`
			`they can exchange encrypted data with a target service.</p>`
			`<p>The platform`
			`uses Kerberos to authenticate user signon and initial platform startup. To`
			`use Kerberos to secure your platform, you must either find an existing KDC,`
			`or create a working KDC that all parts of the platform will use. Every system`
			`running a piece of the platform and every PC running a console that connects`
			`to this platform must be configured to use this KDC. You need to list all`
			`Kerberos principals in the <strong>ableplatform.preferences</strong> file that are used`
			`by the platform to authenticate users and services. Each platform Java™ Virtual`
			`Machine (agent pool) will have a service principal associated with it, and`
			`each user logging onto the platform from a console will need a user principal.`
			`All of these principals will need to be added to the KDC.</p>`
			`</div>`
			`<ol><li class="stepexpand"><span><strong>Find or create a usable Kerberos key distribution center (KDC)</strong> </span> <p>The agent platform does not require a KDC on <span class="keyword">i5/OS™</span>,`
			`a KDC running on any platform will work. If you cannot find an existing KDC`
			`to use, you can create your own. <span><img src="./delta.gif" alt="Start of change" />In V5R3 or later<img src="./deltaend.gif" alt="End of change" /></span>, <span class="keyword">i5/OS</span> supports a native Kerberos`
			`server in <span class="keyword">i5/OS</span> PASE. You`
			`can configure and manage a Kerberos server from your <span class="keyword">iSeries™</span> system.`
			`To configure a Kerberos server in <span class="keyword">i5/OS</span> PASE,`
			`complete the following tasks:</p>`
			`<ol type="a"><li><span>In a character-based interface, type: <strong>call QP2TERM</strong>.`
			`This command opens an interactive shell environment that allows you to work`
			`with <span class="keyword">i5/OS</span> PASE applications.</span></li>`
			`<li><span>At the command line, enter: <strong>export PATH=$PATH:/usr/krb5/sbin</strong>.`
			`This command points to the Kerberos scripts that are necessary to run the`
			`executable files.</span></li>`
			`<li><span>At the command line, enter: <strong>config.krb5 -S -d iseriesa.myco.com`
			`-r MYCO.COM</strong>. This command updates the krb5.config file with the domain`
			`name and realm for the Kerberos server, creates the Kerberos database within`
			`the integrated file system, and configures the Kerberos server in <span class="keyword">i5/OS</span> PASE. You will be prompted`
			`to add a database Master Password and a password for the admin/admin principal`
			`which is used to administer the Kerberos server.</span></li>`
			`<li><span>At the command line, enter: <strong>/usr/krb5/sbin/start.krb5</strong> to`
			`start the servers.</span></li>`
			`</ol>`
			`</li>`
			`<li class="stepexpand"><span><strong>Configure systems in your agent environment to use Kerberos</strong> </span> <p>After you create a Kerberos server (KDC), you need to individually`
			`configure each client PC that will attempt to connect to the secure platform,`
			`and each <span class="keyword">iSeries</span> system in`
			`your agent platform to point to your Kerberos server (KDC).</p>`
			`<ul><li><strong>Configure your client PC</strong> <p>To configure a client PC, you need`
			`to create a text file called <strong>krb5.conf</strong> in the security folder of the`
			`JVM that runs your <span class="keyword">iSeries Navigator</span> intelligent`
			`agents console located here (where C: is the drive your Client Access driver`
			`is installed on):</p>`
			`<blockquote>C:\Program Files\IBM\Client Access\JRE\Lib\Security</blockquote>`
			`<div class="p">The <strong>krb5.conf</strong> file`
			`tells all JVMs started from this JRE which KDC to use when dealing with Kerberos.`
			`The following is an example of what a generic <strong>krb5.conf</strong> file might`
			`look like if the KDC realm was KDC_REALM.PASE.COM and was found on system1.ibm.com:<div class="note"><span class="notetitle">Note:</span> By`
			`using the code examples, you agree to the terms of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div>`
			`</div>`
			`<pre>[libdefaults]`
			`default_realm = KDC_REALM.PASE.COM`
			`default_tkt_enctypes = des-cbc-crc`
			`default_tgs_enctypes = des-cbc-crc`

			`[realms]`
			`KDC_REALM.PASE.COM = {`
			`kdc = system1.rchland.ibm.com:88`
			`}`

			`[domain_realm]`
			`.rchland.ibm.com = KDC_REALM.PASE.COM</pre>`
			`</li>`
			`<li><strong>Configure your <span class="keyword">iSeries</span> system</strong> <p>To`
			`point your <span class="keyword">iSeries</span> system to`
			`your KDC, you need to modify the following file:</p>`
			`<blockquote>/QIBM/userdata/OS400/networkauthentication/ <strong>krb5.conf</strong></blockquote>`
			`<p>The <strong>krb5.conf</strong> file`
			`tells all JVMs started from this JRE which KDC to use when dealing with Kerberos.`
			`The following is an example of what a generic <strong>krb5.conf</strong> file might`
			`look like on the server if the KDC realm was KDC_REALM.PASE.COM and was found`
			`on system1.ibm.com:</p>`
			`<pre>??(libdefaults??)`
			`default_realm = KDC_REALM.PASE.COM`
			`??(appdefaults??)`
			`??(realms??)`
			`KDC_REALM.PASE.COM = {`
			`kdc = system1.rchland.ibm.com:88`
			`}`
			`??(domain_realm??)`
			`system1.rchland.ibm.com = KDC_REALM.PASE.COM</pre>`
			`</li>`
			`</ul>`
			`</li>`
			`<li class="stepexpand"><span><strong>Acquire Kerberos user and service principals</strong></span> <p>After`
			`you configure a KDC, you will need to create the user and service principals`
			`you plan to use to secure the platform, and register these principals to the`
			`KDC:</p>`
			`<dl><dt class="dlterm">Service Principals:</dt>`
			`<dd>Each agent pool (JVM) defined in <span class="uicontrol">ableplatform.preferences</span> must`
			`have a service principal associated with it. Service principals are specific`
			`to the system that they will run on, so they must include that system name`
			`and be in the following format: <span class="uicontrol">ServicePrincipalName/systemName@KDCRealm</span>.`
			`Each of the agent pools on the platform can use the same service principal,`
			`or you can specify that each pool use its own service principal. If each of`
			`your agent pools have different authority levels, then different principals`
			`should be used for each different authority level.</dd>`
			`<dt class="dlterm">User Principals:</dt>`
			`<dd>Each user that you want to allow to connect to the secure platform through`
			`the console will need a user principal. User principals can be associated`
			`with each agent definition listed in <span class="uicontrol">ableplatform.preferences</span>.`
			`A user principal can connect to a platform from the console, regardless of`
			`the system the console is running on. Because of this, a user principal only`
			`needs to include the principal name and the KDC realm the principal belongs`
			`to: <span class="uicontrol">UserPrincipalName@KDCRealm</span>.</dd>`
			`</dl>`
			`<p>You need to add a principal to the KDC for`
			`each Service and User principal that your platform will use. The following`
			`steps will help you add your principals to your KDC if you are using the native`
			`KDC on the server:</p>`
			`<ol type="a"><li class="substepexpand"><span>In a character-based interface, type: <kbd class="userinput">call QP2TERM</kbd>.</span></li>`
			`<li class="substepexpand"><span>At the command line, enter: <kbd class="userinput">export PATH=$PATH:/usr/krb5/sbin</kbd>.`
			`This command points to the Kerberos scripts that are necessary to run the`
			`executable files.</span></li>`
			`<li class="substepexpand"><span>At the command line, type: <kbd class="userinput">kadmin -p admin/admin</kbd>,`
			`and press <span class="uicontrol">Enter</span>.</span></li>`
			`<li class="substepexpand"><span>Sign in with administrator's password.</span></li>`
			`<li class="substepexpand"><span>At the command line:</span> <ul><li>To add service principals for Pools running on an <span class="keyword">iSeries</span> server: <p><kbd class="userinput">addprinc`
			`-pw secret servicePrincipalName/iSeries fully qualified host name@REALM</kbd></p>`
			`</li>`
			`<li>To add user principals: <p><kbd class="userinput">addprinc -pw secret jonesm</kbd>.`
			`This creates a principal for a user to log in from a console.</p>`
			`</li>`
			`<li>To add service principals for Pools running on a PC: <p><kbd class="userinput">addprinc`
			`-requires_preauth -e des-cbc-crc:normal -pw host/pc1.myco.com.</kbd></p>`
			`</li>`
			`</ul>`
			`</li>`
			`</ol>`
			`<p>If you are using the native KDC, see the following topics for more`
			`information on how to add principals to your KDC:</p>`
			`<p>If you are adding`
			`Service principals for Pools that will be running on an <span class="keyword">iSeries</span> server,`
			`see: <a href="../rzakh/rzakhdefineiseries.htm">Add <span class="keyword">i5/OS</span> principals to the Kerberos`
			`server</a>.</p>`
			`<p>If you are adding User principals or Service principals`
			`for Pools that will be running on a PC, see: <a href="../rzakh/rzakhcreatehostprin.htm">Create`
			`Host principals for Windows<sup>®</sup> 2000 workstations and users</a></p>`
			`</li>`
			`<li class="stepexpand"><span><strong>Add service principals to each keytab file</strong></span> <p>When`
			`starting up a secure platform each agent pool will use the principal that`
			`it was defined to start with, and use it to authenticate itself. This requires`
			`each Pool JVM to have access to valid Kerberos credentials for the principal`
			`it is using. The <span class="keyword">iSeries</span> <span class="cmdname">Start`
			`Agent Services (STRAGTSRV)</span> command will handle this, as long as`
			`there is an entry in the keytab file for the principal that is being used.`
			`Follow these steps to add an entry to the keytab file for each service principal`
			`that is to run on each of your platform systems:</p>`
			`<p>If you are running`
			`the native KDC on an <span class="keyword">iSeries</span> server:</p>`
			`<ol type="a"><li><span>In a character-based interface, type: <kbd class="userinput">STRQSH</kbd>.`
			`This command starts the qsh shell interpreter.</span></li>`
			`<li><span>Enter the following command (where <var class="varname">ServicePrincipal</var> is`
			`the name of the service principal you want to add, <var class="varname">system@KDCRealm</var> is`
			`the fully qualified system name and Kerberos realm, and where <var class="varname">thePassword</var> is`
			`the password associated with your service principal): <kbd class="userinput">keytab add`
			`ServicePrincipal/system@KDCRealm -p thePassword</kbd></span></li>`
			`</ol>`
			`</li>`
			`</ol>`
			`<div class="section"><p>After you set up your KDC and create your user and service principals,`
			`you need to configure security in your <span class="uicontrol">ableplatform.preferences</span> file.</p>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahxagentsecure.htm" title="It is strongly recommended that you use Kerberos user and service principals to authenticate users, agent pools, and agent services to one another on or across a secure platform or distributed platform.">Secure your agent environment</a></div>`
			`</div>`
			`<div class="reltasks"><strong>Related tasks</strong><br />`
			`<div><a href="../rzakh/rzakhconfigpase.htm">Configure a Kerberos server in i5/OS PASE</a></div>`
			`<div><a href="../rzakh/rzakhconfig.htm">Configure network authentication</a></div>`
			`<div><a href="rzahxagentsecurepref.htm" title="Before you begin, ensure that you have configured your Kerberos key distribution center (KDC).">Configure platform security</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`