ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiejklkerberos.htm

1042 lines
68 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="JKL Toy Company enables single signon for HTTP Server (powered by Apache)" />
<meta name="abstract" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." />
<meta name="description" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." />
<meta name="DC.Relation" scheme="URI" content="rzaiescenarios.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiejklkerberos" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>JKL Toy Company enables single signon for HTTP Server (powered by Apache)</title>
</head>
<body id="rzaiejklkerberos"><a name="rzaiejklkerberos"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">JKL Toy Company enables single signon for HTTP Server (powered by Apache)</h1>
<div><p>This scenario discusses how to enable single signon for your HTTP
Server (powered by Apache).</p>
<div class="p"><div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
</div>
<div class="section"><p>To learn more about Kerberos and network security on the iSeries™, see <a href="../rzakh/rzakh000.htm">Network authentication
service</a>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiescenarios.htm" title="This topic provides information on how to use the IBM Web Administration for i5/OS interface to set up or manage your HTTP Server, step-by-step. Each task is specific and includes a usable HTTP Server configuration file when completed.">Scenarios for HTTP Server</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="scenariointro"><a name="scenariointro"><!-- --></a><h2 class="topictitle2">Scenario</h2>
<div><div class="section"><p>The JKL Web administrator, John Day, wants to enable single signon
for the JKL Toy Company network. The network consists of several iSeries systems
and a Windows<sup>®</sup> 2000
server, where the users are registered in Microsoft<sup>®</sup> Windows Active Directory.
Based on John Day's research, he knows that Microsoft Active Directory uses
the Kerberos protocol to authenticate Windows users. John Day also knows that i5/OS™ provides
a single signon solution based on an implementation of Kerberos authentication,
called network authentication service, in conjunction with Enterprise Identity
Mapping (EIM). </p>
<p>While excited about the benefits of a single signon
environment, John Day wants to thoroughly understand single signon configuration
and usage before using it across the entire enterprise. Consequently, John
Day decides to configure a test environment first.</p>
<p>After considering
the various groups in the company, John Day decides to create the test environment
for the <var class="varname">MYCO</var> Order Receiving department, a subsidiary of
JKL Toys. The employees in the Order Receiving department use multiple applications,
including HTTP Server, on one iSeries system to handle incoming customer orders.
John Day uses the Order Receiving department as a testing area to create a
single signon test environment that can be used to better understand how single
signon works and how to plan a single signon implementation across the JKL
enterprise.</p>
<p><strong>This scenario has the following advantages: </strong> </p>
<ul><li>Allows you to see some of the benefits of single signon on a small scale
to better understand how you can take full advantage of it before you create
a large-scale, single signon environment. </li>
<li>Provides you with a better understanding of the planning process required
to successfully and quickly implement a single signon environment across your
entire enterprise.</li>
</ul>
<p>As the network administrator at JKL Toy Company, John Day wants to
create a small single signon test environment that includes a small number
of users and a single iSeries server, <var class="varname">iSeries A</var>. John Day
wants to perform thorough testing to ensure that user identities are correctly
mapped within the test environment. The first step is to enable a single signon
environment for i5/OS and applications on <var class="varname">iSeries A</var>, including
the HTTP Server (powered by Apache). After implementing the configuration
successfully, John Day eventually wants to expand the test environment to
include the other systems and users in the JKL enterprise. </p>
<p><strong>The
objectives of this scenario are as follows:</strong></p>
<ul><li>The iSeries system, known as iSeries A, must be able to use Kerberos within
the MYCO.COM realm to authenticate the users and services that are participating
in this single signon test environment. To enable the system to use Kerberos,
iSeries A must be configured for network authentication service.</li>
<li>The directory server on iSeries A must function as the domain controller
for the new EIM domain.<blockquote><div class="note"><span class="notetitle">Note:</span> Two types of domains play key roles in the
single signon environment: an EIM domain and a Windows 2000 domain. Although
both of these terms contain the word <dfn class="term">domain</dfn>, these entities have
very different definitions. </div>
</blockquote>
<p>Use the following descriptions
to understand the differences between these two types of domains. For more
information about these terms, see the <a href="../rzalv/rzalvmst.htm">EIM</a> and <a href="../rzakh/rzakh000.htm">Network authentication service</a> topics. </p>
<dl><dt class="dlterm">EIM domain</dt>
<dd>An EIM domain is a collection of data, which includes the EIM identifiers,
EIM associations, and EIM user registry definitions that are defined in that
domain. This data is stored in a Lightweight Directory Access Protocol (LDAP)
server, such as the IBM<sup>®</sup> Directory Server for iSeries, which can run on any
system in the network defined in that domain. Administrators can configure
systems (EIM clients), such as i5/OS, to participate in the domain so that
systems and applications can use domain data for EIM lookup operations and
identity mapping. To find out more about an EIM domain, see <a href="../rzalv/rzalvmst.htm">EIM</a>.</dd>
</dl>
<dl><dt class="dlterm">Windows 2000 domain</dt>
<dd>In the context of single signon, a Windows 2000 domain is a Windows network
that contains several systems that operate as clients and servers, as well
as a variety of services and applications that the systems use. The following
are some of the components pertinent to single signon that you may find within
a Windows 2000 domain:<ul><li><strong>Realm</strong><p>A realm is a collection of machines and services. The main
purpose of a realm is to authenticate clients and services. Each realm uses
a single Kerberos server to manage the principals for that particular realm. </p>
</li>
<li><strong>Kerberos server</strong><div class="p">A Kerberos server, also known as a key distribution
center (KDC), is a network service that resides on the Windows 2000 server
and provides tickets and temporary session keys for network authentication
service. The Kerberos server maintains a database of principals (users and
services) and their associated secret keys. It is composed of the authentication
server and the ticket granting server. A Kerberos server uses Microsoft Windows
Active Directory to store and manage the information in a Kerberos user registry. <div class="note"><span class="notetitle">Note:</span> These
servers should be in the same subnet to ensure that the tokens can be validated.</div>
</div>
</li>
<li><strong>Microsoft Windows Active Directory</strong><p>Microsoft Windows Active Directory
is an LDAP server that resides on the Windows 2000 server along with the Kerberos
server. The Active Directory is used to store and manage the information in
a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos
authentication as its default security mechanism. Therefore, if you are using
Microsoft Active Directory to manage your users, you are already using Kerberos
technology. </p>
</li>
</ul>
</dd>
</dl>
</li>
<li>One user profile on <var class="varname">iSeries A</var> and one Kerberos principal
must each be mapped to a single EIM identifier.</li>
<li>A Kerberos service principal must be used to authenticate the user to
the IBM HTTP Server for iSeries.</li>
</ul>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="details"><a name="details"><!-- --></a><h2 class="topictitle2">Details</h2>
<div><div class="section"><p>The following figure illustrates the network environment for this
scenario:</p>
<br /><img src="rzamz501.gif" alt="Single signon test environment diagram" /><br /><p>The figure illustrates the following points relevant to this scenario.</p>
<p><strong>EIM
domain data defined for the enterprise</strong></p>
<ul><li>An EIM domain called <var class="varname">MyCoEimDomain</var>.</li>
<li>An EIM registry definition for <var class="varname">iSeries A</var> called <var class="varname">ISERIESA.MYCO.COM</var>.
</li>
<li>An EIM registry definition for the Kerberos registry called <var class="varname">MYCO.COM</var>.
</li>
<li>An EIM identifier called John Day. This identifier uniquely identifies
John Day, the administrator for <var class="varname">MyCo</var>. </li>
<li>A source association for the <var class="varname">jday</var> Kerberos principal
on the Windows 2000 server. </li>
<li>A target association for the <var class="varname">JOHND</var> user profile on <var class="varname">iSeries
A</var> to access HTTP Server.</li>
</ul>
<p><strong>Windows 2000 server</strong></p>
<ul><li>Acts as the Kerberos server (<var class="varname">kdc1.myco.com</var>), also known
as a key distribution center (KDC), for the network. </li>
<li>The default realm for the Kerberos server is <var class="varname">MYCO.COM</var>.
</li>
<li>A Kerberos principal of <var class="varname">jday</var> is registered with the
Kerberos server on the Windows 2000 server. This principal will be used to
create a source association to the EIM identifier, John Day. </li>
</ul>
<p><strong><var class="varname">iSeries A</var></strong></p>
<ul><li>Runs OS/400<sup>®</sup> Version
5 Release 2 (V5R2) with the following options and licensed products installed:<ul><li>IBM HTTP Server for iSeries</li>
<li>OS/400 Host Servers</li>
<li>Qshell Interpreter</li>
<li>iSeries Access for Windows </li>
<li>Cryptographic Access Provider</li>
</ul>
</li>
<li>The IBM Directory Server for iSeries (LDAP) on <var class="varname">iSeries A</var> will
be configured to be the EIM domain controller for the new EIM domain, <var class="varname">MyCoEimDomain</var>.
<var class="varname">iSeries A</var> participates in the EIM domain, <var class="varname">MyCoEimDomain</var>.</li>
<li>The principal name for <var class="varname">iSeries A</var> is <var class="varname">krbsvr400/iseriesa.myco.com@MYCO.COM</var>.</li>
<li>The principal name for the HTTP Server on <var class="varname">iSeries A</var> is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>.</li>
<li>The user profile of <var class="varname">JOHND</var> exists on <var class="varname">iSeries
A</var>. You will create a target association between this user profile
and the EIM identifier, <var class="varname">John Day</var>. </li>
<li>The home directory for the i5/OS user profile, <var class="varname">JOHND</var>,
(<var class="varname">/home/JOHND</var>) is defined on <var class="varname">iSeries A</var>. </li>
</ul>
<p><strong>Client PC used for single signon administration</strong></p>
<ul><li>Runs Microsoft Windows 2000 operating system. </li>
<li>Runs V5R2 iSeries Access for Windows. </li>
<li>Runs iSeries Navigator with the following subcomponents installed:<ul><li>Network </li>
<li>Security </li>
</ul>
</li>
<li>Serves as the primary logon system for administrator John Day. </li>
<li>Configured to be part of the <var class="varname">MYCO.COM</var> realm (Windows
domain). </li>
</ul>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="prereqs"><a name="prereqs"><!-- --></a><h2 class="topictitle2">Prerequisites</h2>
<div><div class="section"><p>Successful implementation of this scenario requires that the following
assumptions and prerequisites are met: </p>
<ol><li>It is assumed you have read <a href="rzaiescenarios.htm">Scenarios for HTTP Server</a>. </li>
<li>All system requirements, including software and operating system installation,
have been verified.<div class="p">Ensure that all the necessary licensed programs are
installed. To verify that the licensed programs have been installed, complete
the following:<ol type="a"><li>In iSeries Navigator, expand your <span class="menucascade"><span class="uicontrol">iSeries server</span> &gt; <span class="uicontrol">Configuration and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed Products</span></span>. </li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup is complete. </li>
<li>TCP/IP and basic system security are configured and tested on each system.
</li>
<li>The directory server and EIM are not previously configured on <var class="varname">iSeries
A</var>.<div class="note"><span class="notetitle">Note:</span> Instructions in this scenario are based on the assumption
that the directory server has not been previously configured on <var class="varname">iSeries
A</var>. However, if you have previously configured the directory server,
you can still use these instructions with only slight differences. These differences
are noted in the appropriate places within the configuration steps.</div>
</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems.</div>
</li>
</ol>
</div>
</div>
<div class="nested2" xml:lang="en-us" id="configsteps"><a name="configsteps"><!-- --></a><h3 class="topictitle3">Configuration steps</h3>
<div><div class="section"><div class="note"><span class="notetitle">Note:</span> Before you implement this scenario, you need to thoroughly
understand the concepts related to single signon, including network authentication
service and Enterprise Identity Mapping (EIM). See the following information
to learn about the terms and concepts related to single signon:</div>
<ul><li><a href="../rzalv/rzalvmst.htm">Enterprise
Identity Mapping (EIM) </a> </li>
<li><a href="../rzakh/rzakh000.htm">Network
authentication service</a> </li>
</ul>
<p>These are the configuration steps John Day completed. Follow these
configuration steps to enable a single signon environment for your iSeries
server.</p>
<ul class="simple"><li><a href="#plnwrksht">Step 1: Planning work sheet</a></li>
<li><a href="#eim">Step 2: Create a basic single signon configuration for iSeries A</a></li>
<li><a href="#kerberos">Step 3: Add principal names to the KDC</a></li>
<li><a href="#addkerberoskeytab">Step 4: Add Kerberos keytab</a></li>
<li><a href="#crthmdirforjohn">Step 5: Create home directory for John Day on iSeries A</a></li>
<li><a href="#tstntwrkauthsrvconfig">Step 6: Test network authentication service configuration on iSeries A</a></li>
<li><a href="#crteimidforjohnd">Step 7: Create EIM identifier for John Day</a></li>
<li><a href="#crtsrcassctntrgtassctneimid">Step 8: Create a source association and target association for the new EIM identifier</a></li>
<li><a href="#cnfgiseriesaccess">Step 9: Configure iSeries Access for Windows applications to use Kerberos authentication</a></li>
<li><a href="#addtoexistingeim">Step 10: Add iSeries A to and existing EIM domain</a></li>
<li><a href="#httpserver">Step 11: Configure HTTP Server for single signon</a></li>
<li><a href="#post">Step 12: (Optional) Post configuration considerations</a></li>
</ul>
</div>
</div>
</div>
<div class="nested2" xml:lang="en-us" id="plnwrksht"><a name="plnwrksht"><!-- --></a><h3 class="topictitle3">Step 1: Planning work sheet</h3>
<div><div class="section"><p>The following planning work sheets are tailored to fit this scenario.
These planning work sheets demonstrate the information that you need to gather
and the decisions you need to make to prepare the single signon implementation
described by this scenario. To ensure a successful implementation, you must
be able to answer <strong>Yes</strong> to all prerequisite items in the work sheet and
be able to gather all the information necessary to complete the work sheets
before you perform any configuration tasks.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work sheet</caption><thead align="left"><tr><th valign="top" id="d0e437">Prerequisite work sheet</th>
<th valign="top" id="d0e439">Answers </th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e437 ">Are you running OS/400 or i5/OS at version V5R2 or higher?</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Are the following options and licensed products installed
on <var class="varname">iSeries A</var>?<ul><li>i5/OS Host Servers</li>
<li>Qshell Interpreter</li>
<li>iSeries Access for Windows</li>
<li>Cryptographic Access Provider</li>
</ul>
</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Have you installed an application that is enabled for
single signon on each of the PCs that will participate in the single signon
environment? <div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating PCs have iSeries
Access for Windows installed and <var class="varname">iSeries A</var> has the HTTP
Server for iSeries installed.</div>
</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Is iSeries Navigator installed on the administrator's
PC?<ul><li>Is the Security subcomponent of iSeries Navigator installed on the administrator's
PC?</li>
<li>Is the Network subcomponent of iSeries Navigator installed on the administrator's
PC?</li>
</ul>
</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Have you installed the latest iSeries Access for Windows
service pack? See <a href="http://www.ibm.com/servers/eserver/iseries/access/" target="_blank">iSeries Access</a> <img src="www.gif" alt="Link outside Information Center" /> for the latest service pack.</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Do you, the administrator, have *SECADM, *ALLOBJ, and
*IOSYSCFG special authorities?</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Do you have one of the following systems in the network
acting as the Kerberos server (also known as the KDC)? If yes, specify which
system. <ol><li>Windows 2000 Server<div class="note"><span class="notetitle">Note:</span> Microsoft Windows 2000 Server uses Kerberos authentication
as its default security mechanism. </div>
</li>
<li>Windows Server 2003 </li>
<li>i5/OS0 PASE</li>
<li>AIX<sup>®</sup> server
</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td valign="top" headers="d0e439 ">Yes, Windows 2000 Server</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Are all your PCs in your network configured in a Windows
(R) 2000 domain?</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Have you applied the latest program temporary fixes
(PTFs)?</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e437 ">Is the iSeries system time within 5 minutes of the system
time on the Kerberos server? If not see <a href="../rzakh/rzakhsync.htm">Synchronize system times</a>.</td>
<td valign="top" headers="d0e439 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to configure EIM and network authentication
service to create a single signon test environment.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning work sheet for iSeries A. <p>Use the following information to complete the EIM Configuration wizard.
The information in this work sheet correlates with the information you need
to supply for each page in the wizard:</p>
</caption><thead align="left"><tr><th valign="top" id="d0e551">Configuration planning work sheet for iSeries
A</th>
<th valign="top" id="d0e553">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e551 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain </li>
<li>Create and join a new domain <div class="note"><span class="notetitle">Note:</span> This option allows you to configure
the current system's directory server as the EIM domain controller when the
directory server is not already configured as the EIM domain controller.</div>
</li>
</ul>
</td>
<td valign="top" headers="d0e553 ">Create and join a new domain<div class="note"><span class="notetitle">Note:</span> This will configure
the directory server on the same system on which you are currently configuring
EIM.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" headers="d0e553 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">The Network Authentication Service wizard
launches from the EIM Configuration wizard. Use the following information
to complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can launch
the Network Authentication Service wizard independently of the EIM Configuration
wizard.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the Kerberos default realm to which
your iSeries will belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000 domain is similar to a Kerberos
realm. Microsoft Windows Active Directory uses Kerberos authentication as
its default security mechanism.</div>
</td>
<td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">Are you using Microsoft Active Directory?</td>
<td valign="top" headers="d0e553 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the Kerberos server, also known as a key distribution
center (KDC), for this Kerberos default realm? What is the port on which the
Kerberos server listens?</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>KDC</strong>: <var class="varname">kdc1.myco.com</var></li>
<li><strong>Port</strong>:<var class="varname">88</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to configure a password server for this
default realm? If yes, answer the following questions: <p>What is name of
the password server for this Kerberos server? What is the port on which the
password server listens?</p>
</td>
<td valign="top" headers="d0e553 ">Yes<ul class="simple"><li><strong>Password</strong> server: <var class="varname">kdc1.myco.com</var></li>
<li><strong>Port</strong>: <var class="varname">464</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos Authentication </li>
<li>LDAP </li>
<li>iSeries IBM HTTP Server for iSeries</li>
<li>iSeries NetServer™ </li>
</ul>
</td>
<td valign="top" headers="d0e553 ">i5/OS Kerberos Authentication<div class="note"><span class="notetitle">Note:</span> A keytab entry for
HTTP Server must be done manually as described later in the configuration
steps.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the password for your service principal or principals? </td>
<td valign="top" headers="d0e553 "><var class="varname">iseriesa123 </var><div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, never use these passwords as part of your
own configuration.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to create a batch file to automate adding
the service principals for iSeries A to the Kerberos registry?</td>
<td valign="top" headers="d0e553 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to include passwords with the i5/OS service
principals in the batch file?</td>
<td valign="top" headers="d0e553 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard:</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Specify user information for the wizard to use when
configuring the directory server. This is the connection user. You must specify
the port number, administrator distinguished name, and a password for the
administrator.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished name (DN)
and password to ensure the wizard has enough authority to administer the EIM
domain and the objects in it.</div>
</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Port</strong>: <var class="varname">389</var></li>
<li><strong>Distinguished name</strong>: <var class="varname">cn=administrator </var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
do not use these passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the EIM domain that you want to
create?</td>
<td valign="top" headers="d0e553 "><var class="varname">MyCoEimDomain</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" headers="d0e553 ">No</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Which user registries do you want to add to the EIM
domain?</td>
<td valign="top" headers="d0e553 ">Local i5/OS--<var class="varname">ISERIESA.MYCO.COM</var> Kerberos--<var class="varname">MYCO.COM</var><div class="note"><span class="notetitle">Note:</span> The
Kerberos principals stored on the Windows 2000 server are not case sensitive;
therefore do not select <strong>Kerberos user identities are case sensitive.</strong></div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Which EIM user do you want iSeries A to use when performing
EIM operations? This is the system user<div class="note"><span class="notetitle">Note:</span> If you have not configured the
directory server prior to configuring single signon, the only distinguished
name (DN) you can provide for the system user is the LDAP administrator's
DN and password.</div>
</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>User type</strong>: Distinguished name and password </li>
<li><strong>User</strong>: <var class="varname">cn=administrator</var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">After you complete the EIM Configuration
wizard, use the following information to complete the remaining steps required
for configuring single signon:</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the i5/OS user profile name for the user?</td>
<td valign="top" headers="d0e553 "><var class="varname">JOHND</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the EIM identifier that you want
to create?</td>
<td valign="top" headers="d0e553 "><var class="varname">John Day</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What kinds of associations do you want to create? </td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Source association</strong>: Kerberos principal <var class="varname">jday</var></li>
<li><strong>Target association</strong>: i5/OS user profile <var class="varname">JOHND</var> </li>
</ul>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains
the Kerberos principal for which you are creating the source association?</td>
<td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains
the i5/OS user profile for which you are creating the target association?</td>
<td valign="top" headers="d0e553 "><var class="varname">ISERIESA.MYCO.COM</var></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="eim"><a name="eim"><!-- --></a><h2 class="topictitle2">Step 2: Create a basic single signon configuration for <var class="varname">iSeries
A</var></h2>
<div><div class="section"><p>You need to create a basic single signon configuration using the
iSeries Navigator. The EIM configuration wizard will assist in the configuration
process. Use the information from your planning work sheets to configure EIM
and network authentication service on <var class="varname">iSeries A</var>.</p>
<div class="note"><span class="notetitle">Note:</span> For
more information about EIM, see the <a href="../rzalv/rzalveservercncpts.htm" target="_blank">EIM concepts</a> topic.</div>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to
start the EIM Configuration wizard. </span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Create
and join a new domain</span>. Click <span class="uicontrol">Next.</span></span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page,
select <span class="uicontrol">On the local Directory server</span>. </span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Next</span> and the <span class="uicontrol">Network Authentication
Service</span> wizard is displayed.</span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication
Service wizard only displays when the system determines that you need to enter
additional information to configure network authentication service for the
single signon implementation.</div>
</li>
<li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span>.</span> <div class="note"><span class="notetitle">Note:</span> This launches the Network
Authentication Service wizard. With this wizard, you can configure several
i5/OS interfaces and services to participate in the Kerberos realm.</div>
</li>
<li class="substepexpand"><span>On the Specify Realm Information page, enter <var class="varname">MYCO.COM</var> in
the <span class="uicontrol">Default realm</span> field and select <span class="uicontrol">Microsoft
Active Directory is used for Kerberos authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
enter <var class="varname">kdc1.myco.com</var> in the <span class="uicontrol">KDC</span> field
and enter <var class="varname">88</var> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select <span class="uicontrol">Yes</span>. Enter <var class="varname">kdc1.myco.com</var> in
the <span class="uicontrol">Password server</span> field and <var class="varname">464</var> in
the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create OS/400 Keytab Entry</span> page,
enter and confirm a password, and click <span class="uicontrol">Next</span>. For example, <var class="varname">iSeries
A123</var>. This password will be used when <var class="varname">iSeries A</var> is
added to the Kerberos server. </span> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, never use these passwords as part of your
own configuration</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create Batch File</span> page,
select <span class="uicontrol">Yes</span>, specify the following information, and
click <span class="uicontrol">Next</span>:</span> <ul><li><strong>Batch file</strong>: Add the text <kbd class="userinput">iSeries A</kbd> to the
end of the default batch file name. For example, <kbd class="userinput">C:\Documents</kbd> and <kbd class="userinput">Settings\All
Users\Documents\IBM\Client Access\NASConfigiSeries A.bat</kbd>. </li>
<li><strong>Select Include password</strong>: This ensures that all passwords associated
with the i5/OS service principal are included in the batch file. It is important
to note that passwords are displayed in clear text and can be read by anyone
with read access to the batch file. Therefore, it is recommended that you
delete the batch file from the Kerberos server and from your PC immediately
after use.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> If you do not include the password, you will be prompted for the
password when the batch file is run.</div>
<div class="note"><span class="notetitle">Note:</span> You must have <strong>ktpass</strong> and <strong>SETSPN</strong> (set
service principal name) installed on your Windows 2000 server before running
this bat file. The <strong>ktpass</strong> tool is provided in the Service Tools folder
on the Windows 2000 Server installation CD. The <strong>SETSPN</strong> tool is included
in the Microsoft Windows 2000 Resource Kit and can be downloaded from the
Microsoft website.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
authentication service configuration details. Click <span class="uicontrol">Finish</span> to
complete the Network Authentication Service wizard and return to the EIM Configuration
wizard. </span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Configure Directory Server</span> page,
enter the following information, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> If you configured the directory server before you started this
scenario, you will see the <span class="uicontrol">Specify User for Connection</span> page
instead of the <span class="uicontrol">Configure Directory Server</span> page. In
that case, you must specify the distinguished name and password for the LDAP
administrator.</div>
<ul><li>Port: <var class="varname">389</var> </li>
<li>Distinguished name: <var class="varname">cn=administrator</var> </li>
<li>Password: <var class="varname">mycopwd </var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, enter the name
of the domain in the <span class="uicontrol">Domain</span> field, and click <span class="uicontrol">Next</span>.
For example, <var class="varname">MyCoEimDomain</var>. </span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> page,
select <span class="uicontrol">No</span>, and click <span class="uicontrol">Next</span>. </span> <div class="note"><span class="notetitle">Note:</span> If the directory server is active, a message is displayed that
indicates you need to end and restart the directory server for the changes
to take effect. Click <span class="uicontrol">Yes</span> to restart the directory
server.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local
OS/400 and Kerberos</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li>
<li>You can enter a specific registry definition name for the user registry
if you want to use a specific registry definition naming plan. However, for
this scenario you can accept the default values. </li>
</ul>
</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
the user for the operating system to use when performing EIM operations on
behalf of operating system functions, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> Because you did not configure the directory server prior to performing
the steps in this scenario, the only distinguished name (DN) that you can
choose is the LDAP administrator's DN.</div>
<ul><li>User type: <var class="varname">Distinguished name and password</var></li>
<li>Distinguished name: <span class="apiname">cn=administrator</span></li>
<li>Password: <var class="varname">mycopwd</var> </li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration
information. Click <span class="uicontrol">Finish</span>. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="kerberos"><a name="kerberos"><!-- --></a><h2 class="topictitle2">Step 3: Add principal names to the KDC</h2>
<div><div class="section"><p>To add the iSeries system to the Windows 2000 KDC, use the documentation
for your KDC that describes the process of adding principals. By convention,
the iSeries system name can be used as the username. Add the following principal
names to the KDC:</p>
<pre>krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM
HTTP/iseriesa.myco.com@MYCO.COM</pre>
<p>On a Windows 2000 server, follow
these steps: </p>
</div>
<ol><li class="stepexpand"><span>Use the Active Directory Management tool to create a user account
for the iSeries system (select the <span class="uicontrol">Users</span> folder, right-click,
select <span class="uicontrol">New</span>, then select <span class="uicontrol">User</span>.)
Specify <var class="varname">iSeriesA</var> as the Active Directory user and <var class="varname">HTTPiSeriesA</var> as
the service principal for HTTP.</span></li>
<li class="stepexpand"><span>Access the properties on the Active Directory user <var class="varname">iSeriesA</var> and
the service principal <var class="varname">HTTPiSeriesA</var>. From the <span class="uicontrol">Account</span> tab,
select the <span class="uicontrol">Account is trusted for delegation</span>. This
will allows the <var class="varname">HTTPiSeriesA</var> service principal to access
other services on behalf of a signed-in user. </span></li>
<li class="stepexpand"><span>Map the user account to the principal by using the <span class="uicontrol">ktpass</span> command.
This needs to be done twice, once for <var class="varname">iSeriesa</var> and once
for <var class="varname">HTTPiSeriesA</var>. The <span class="uicontrol">ktpass</span> tool
is provided in the Service Tools folder on the Windows 2000 Server installation
CD. To map the user account, open the <span class="uicontrol">ktpass</span> command
window and enter the following: </span> <pre>ktpass -princ krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM -mapuser iSeries A -pass iseriesa123 </pre>
<p>Then add the HTTP Server to the KDC:</p>
<pre>ktpass -princ HTTP/iseriesa.myco.com@MYCO.COM -mapuser iSeries A -pass iseriesa123 </pre>
<p>For HTTP, an additional step (setspn - set service principal name) is
required after the <span class="uicontrol">ktpass</span> is done:</p>
<pre>SETSPN -A HTTP/iseriesA.myco.com@MYCO.COM HTTPiSeriesA</pre>
<div class="note"><span class="notetitle">Note:</span> The <strong>SETSPN</strong> tool is included in the Microsoft Windows 2000 Resource Kit and
can be downloaded from the Microsoft website.</div>
<div class="note"><span class="notetitle">Note:</span> The value <var class="varname">iseriesa123</var> is
the password that you specified when you configured network authentication
service. Any and all passwords used within this scenario are for example purposes
only. Do not use the passwords during an actual configuration.</div>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="addkerberoskeytab"><a name="addkerberoskeytab"><!-- --></a><h2 class="topictitle2">Step 4: Add Kerberos keytab</h2>
<div><div class="section"><p>You need keytab entries for authentication purposes as well as
for generating the authorization identity. The network authentication service
(the i5/OS implementation of the Kerberos protocol) wizard creates a keytab
entry for <var class="varname">iSeriesA</var>, however a keytab for HTTP must be manually
created. The wizard is only able to create keytab entries for the system and
certain applications that the code is aware are Kerberos-enabled. The network
authentication service wizard configures network authentication service (Kerberos)
for you. The wizard is called by the EIM wizard if you have not already configure
network authentication service on the system or if your network authentication
service configuration is not complete. </p>
<p>The <span class="cmdname">kinit</span> command
is used to initiate Kerberos authentication. A Kerberos ticket-granting ticket
(TGT) is obtained and cached for the HTTP Server principal. Use <span class="cmdname">kinit</span> to
perform the ticket exchange for the HTTP Server principal. The ticket is
cached for reuse.</p>
</div>
<ol><li class="stepexpand"><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">QSH</kbd>.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">keytab add</kbd> <var class="varname">HTTP/iseriesa.myco.com</var>.</span></li>
<li class="stepexpand"><span>Type <var class="varname">iseries123</var> for the password.</span></li>
<li class="stepexpand"><span>Type <var class="varname">iseries123</var> again to confirm the password.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">keytab list</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> The <span class="cmdname">keytab
list</span> command lists the keytab information on your iSeries server.</div>
</li>
<li class="stepexpand"><span>Now test the password entered in the keytab to make sure it matches
the password used for this service principal on the KDC. Do this with the
following command: <kbd class="userinput">kinit -k HTTP/</kbd><var class="varname">iseriesa.myco.com</var> </span> The -k option tells the kinit command not to prompt for a password;
only use the password that is in the keytab. If the kinit command fails, it
is likely that different passwords were used on either the <kbd class="userinput">ktpass</kbd> command
done on the Windows Domain controller or on the keytab command entered in <kbd class="userinput">QSH</kbd>.</li>
<li class="stepexpand"><span>Now test the iSeries Kerberos authentication to make sure the keytab
password is the same as the password stored in the KDC. Do this with the following
command: <kbd class="userinput">kinit -k krbsvr400</kbd><var class="varname">/iseriesa.myco.com</var></span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication Service wizard created this keytab
entry.</div>
</li>
<li class="stepexpand"><span>Type <kbd class="userinput">klist</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> If the kinit
command returns without errors, then klist will show your ticket cache.</div>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crthmdirforjohn"><a name="crthmdirforjohn"><!-- --></a><h2 class="topictitle2">Step 5: Create home directory for <var class="varname">John Day</var> on <var class="varname">iSeries
A</var> </h2>
<div><div class="section"><p>You need to create a directory in the <span class="filepath">/home</span> directory
to store your Kerberos credentials cache. To create a home directory, complete
the following: </p>
</div>
<ol><li><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li>
<li><span>Type <kbd class="userinput">QSH</kbd>.</span></li>
<li><span>On a command line, enter: <kbd class="userinput">CRTDIR</kbd><var class="varname"> '/home/user
profile'</var> where <var class="varname">user profile</var> is your i5/OS user
profile name. For example: <var class="varname">CRTDIR '/home/JOHND'</var>. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="tstntwrkauthsrvconfig"><a name="tstntwrkauthsrvconfig"><!-- --></a><h2 class="topictitle2">Step 6: Test network authentication service configuration on <var class="varname">iSeries
A</var></h2>
<div><div class="section"><p>Now that you have completed the network authentication service
configuration tasks for <var class="varname">iSeries A</var>, you need to test that
your configuration. You can do this by requesting a ticket-granting ticket
for the HTTP principal name, <var class="varname">HTTP/iseriesa.myco.com</var>.</p>
<p>To
test the network authentication service configuration, complete these steps:</p>
<div class="note"><span class="notetitle">Note:</span> Ensure
that you have created a home directory for your i5/OS user profile before
performing this procedure.</div>
</div>
<ol><li><span>On a command line, enter <kbd class="userinput">QSH</kbd> to start the
Qshell Interpreter. </span></li>
<li><span>Enter <kbd class="userinput">keytab list</kbd> to display a list of principals
registered in the keytab file. In this scenario, <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var> displays
as the principal name for <var class="varname">iSeries A</var>. </span></li>
<li><span>Enter <kbd class="userinput">kinit -k HTTP</kbd><var class="varname">/iseriesa.myco.com@MYCO.COM</var>.
If this is successful, then the <span class="cmdname">kinit</span> command is displayed
without errors. </span></li>
<li><span>Enter <kbd class="userinput">klist</kbd> to verify that the default principal
is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crteimidforjohnd"><a name="crteimidforjohnd"><!-- --></a><h2 class="topictitle2">Step 7: Create EIM identifier for <var class="varname">John Day</var></h2>
<div><div class="section"><p>Now that you have performed the initial steps to create a basic
single signon configuration, you can begin to add information to this configuration
to complete your single signon test environment. You need to create the EIM
identifier that you specified in <a href="#plnwrksht">Step 1: Planning work sheet</a>.
In this scenario, this EIM identifier is a name that uniquely identifies <var class="varname">John
Day</var> in the enterprise.</p>
<p>To create an EIM identifier, follow
these steps: </p>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span> &gt; <span class="uicontrol">MyCoEimDomain</span></span></span> <div class="note"><span class="notetitle">Note:</span> If the
domain is not listed under Domain Management, you may need to <a href="../rzalv/rzalvadmindomainadd.htm">add the domain</a>.
You may be prompted to connect to the domain controller. In that case, the <span class="uicontrol">Connect
to EIM Domain Controller</span> dialog is displayed. You must connect
to the domain before you can perform actions in it. To connect to the domain
controller, provide the following information and click <span class="uicontrol">OK</span>:</div>
<ul><li><strong>User type</strong>: Distinguished name</li>
<li><strong>Distinguished name</strong>: <var class="varname">cn=administrator</var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Identifiers</span> and select <span class="uicontrol">New
Identifier.... </span></span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">New EIM Identifier</span> dialog, enter a name for the new identifier in the <span class="uicontrol">Identifier</span> field,
and click <span class="uicontrol">OK</span>. For example, <var class="varname">John Day</var>. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crtsrcassctntrgtassctneimid"><a name="crtsrcassctntrgtassctneimid"><!-- --></a><h2 class="topictitle2">Step 8: Create a source association and target association for the
new EIM identifier</h2>
<div><div class="section"><p>You must create the appropriate associations between the EIM identifier
and the user identities that the person represented by the identifier uses.
These identifier associations, when properly configured, enable the user to
participate in a single signon environment.</p>
<p>In this scenario, you need
to create two identifier associations for the <var class="varname">John Day</var> identifier:</p>
<ul><li>A source association for the <var class="varname">jday</var> Kerberos principal,
which is the user identity that <var class="varname">John Day</var>, the person, uses
to log in to Windows and the network. The source association allows the Kerberos
principal to be mapped to another user identity as defined in a corresponding
target association.</li>
<li>A target association for the <var class="varname">JOHND</var> i5/OS user profile,
which is the user identity that <var class="varname">John Day</var>, the person, uses
to log in to iSeries Navigator and other i5/OS applications on <var class="varname">iSeries
A</var>. The target association specifies that a mapping lookup operation
can map to this user identity from another one as defined in a source association
for the same identifier. </li>
</ul>
<p>Now that you have created the <var class="varname">John Day</var> identifier,
you need to create both a source association and a target association for
it. </p>
<p>To create a source association between the Kerberos principal <var class="varname">jday</var> identifier,
follow these steps:</p>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Enterprise
Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span> &gt; <span class="uicontrol">MyCoEimDomain</span> &gt; <span class="uicontrol">Identifiers</span></span></span></li>
<li class="stepexpand"><span>Right-click <var class="varname">John Day</var>, and select <span class="uicontrol">Properties</span>. </span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>. </span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Add Association</span> dialog, specify or
click <span class="uicontrol">Browse...</span> to select the following information,
and click <span class="uicontrol">OK</span>: </span> <ul><li><strong>Registry</strong>: <var class="varname">MYCO.COM</var></li>
<li><strong>User</strong>: <var class="varname">jday</var></li>
<li><strong>Association type</strong>: <kbd class="userinput">Source</kbd> </li>
</ul>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog.</span> <p>To create a target association between the i5/OS user profile and
the <var class="varname">John Day</var> identifier, follow these steps: </p>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>. </span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Add Association</span> dialog, specify or <span class="uicontrol">Browse...</span> to
select the following information, and click <span class="uicontrol">OK</span>: </span> <ul><li><strong>Registry</strong>: <var class="varname">iSeriesA.MYCO.COM</var></li>
<li><strong>User</strong>: <var class="varname">JOHND</var><div class="note"><span class="notetitle">Note:</span> The default behavior in V5R2
is to create the Kerberos registry as case sensitive. The <span class="uicontrol">user</span> value
entered here must be the same case as the user in Active Directory.</div>
</li>
<li><strong>Association type</strong>: <kbd class="userinput">Target</kbd> </li>
</ul>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog. </span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Properties</span> dialog.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="cnfgiseriesaccess"><a name="cnfgiseriesaccess"><!-- --></a><h2 class="topictitle2">Step 9: Configure iSeries Access for Windows applications to use Kerberos
authentication</h2>
<div><div class="section"><p>You must use Kerberos to authenticate before you can use iSeries
Navigator to access <var class="varname">iSeries A</var>. Therefore, from your PC,
you need to configure iSeries Access for Windows to use Kerberos authentication.
Jay Day will use iSeries Access to monitor the status of the iSeries HTTP
Server and monitor the other activities on the iSeries.</p>
<p>To configure
iSeries Access for Windows applications to use Kerberos authentication, complete
the following steps:</p>
</div>
<ol><li><span>Log on to the Windows 2000 domain by logging on to your PC.</span></li>
<li><span>In iSeries Navigator on your PC, right-click <var class="varname">iSeries A</var> and
select <span class="uicontrol">Properties</span>. </span></li>
<li><span>On the <span class="uicontrol">Connection</span> page, select <span class="uicontrol">Use
Kerberos principal name, no prompting</span>. This will allow iSeries
Access for Windows connections to use the Kerberos principal name and password
for authentication. </span></li>
<li><span>A message is displayed that indicates you need to close and restart
all applications that are currently running for the changes to the connection
settings to take effect. Click <span class="uicontrol">OK</span>. Then, end and restart
iSeries Navigator. </span></li>
</ol>
</div>
<div class="nested2" xml:lang="en-us" id="addtoexistingeim"><a name="addtoexistingeim"><!-- --></a><h3 class="topictitle3">Step 10: Add <var class="varname">iSeries A</var> to and existing EIM domain</h3>
<div><div class="section"><p>The iSeries server does not require mapping, per the EIM configuration,
as it is not a signon-type entity. You do, however, have to add the iSeries
server to an existing EIM domain.</p>
<div class="note"><span class="notetitle">Note:</span> IF EIM resides on the same iSeries
server as the HTTP Server, then skip this step.</div>
</div>
<ol><li><span>Start iSeries Navigator.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Enterprise
Identity Mapping</span> &gt; <span class="uicontrol"> Configuration</span></span>.</span></li>
<li><span>Click <span class="uicontrol">Configure system for EIM</span>.</span></li>
<li><span>Click <span class="uicontrol">Join an existing domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Type <var class="varname">iseriesa.myco.com</var> in the <span class="uicontrol">Domain
controller name</span> field.</span></li>
<li><span>Type <var class="varname">389</var> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <span class="uicontrol">Distinguished name and password</span> from
the <span class="uicontrol">User type</span> field.</span></li>
<li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished
name</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <var class="varname">MyCoEimDomain</var> from the <span class="uicontrol">Domain</span> column.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <var class="varname">iseriesa.myco.com</var> for <span class="uicontrol">Local
OS/400</span> and <var class="varname">kdc1.myco.com</var> for <span class="uicontrol">Kerberos</span>.</span></li>
<li><span>Select <span class="uicontrol">Kerberos user identities are case sensitive</span>.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <span class="uicontrol">Distinguished name and password</span> from
the <span class="uicontrol">User type</span> list.</span></li>
<li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished
name</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Review the information and click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="httpserver"><a name="httpserver"><!-- --></a><h2 class="topictitle2">Step <span>11</span>: Configure
HTTP Server for single signon</h2>
<div><div class="section"><p>After the basic test environment is working, John Day configures
the HTTP Server to participate in the single signon environment. Once single
signon is enabled, John Day can access the HTTP Server without being prompted
for a user ID and password after signing on to the Windows environment</p>
<p>To
set up Kerberos for your HTTP Server, complete the following steps:</p>
</div>
<ol><li class="stepexpand"><span>Start the <span>IBM Web Administration for i5/OS interface</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Manage</span> tab.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">HTTP Servers</span> subtab.</span></li>
<li class="stepexpand"><span>Select the HTTP Server (powered by Apache) you want to work with
from the <span class="uicontrol">Server</span> list.</span></li>
<li class="stepexpand"><span>Select the resource from the server area (a directory or a file)
you want to work with from the <span class="uicontrol">Server area</span> list.</span></li>
<li class="stepexpand"><span>Expand <span class="uicontrol">Server Properties</span>.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Security</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Authentication</span> tab.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Kerberos</span> under <span class="uicontrol">User authentication
method</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">enable</span> or <span class="uicontrol">disable</span> to
match the source user identity (user ID) associated with the server ticket
with an iSeries system profile defined in a target association.</span> If
enabled when Kerberos is specified for the AuthType directive, the server
will use EIM to attempt to match the user ID associated with the server ticket
with an iSeries system profile. If there is no appropriate target association
for an iSeries system profile, the HTTP request will fail.</li>
<li class="stepexpand"><span>Click <span class="uicontrol">Apply</span>.</span></li>
</ol>
<div class="section"><p>Restart the HTTP Server (powered by Apache) instance to use your
new Kerberos settings.</p>
</div>
<div class="example"><p>Your configuration file will now include new code for the Kerberos
options you selected.</p>
<div class="note"><span class="notetitle">Note:</span> These examples are used as reference only.
Your configuration file may differ from what is shown.</div>
<p>Processing
requests using client's authority is <span class="uicontrol">Disable</span>:</p>
<pre>&lt;Directory /&gt;
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
AuthType Kerberos
&lt;/Directory&gt;</pre>
<p>Processing requests using client's authority
is <span class="uicontrol">Enabled</span>:</p>
<pre>&lt;Directory /&gt;
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
UserID %%CLIENT%%
AuthType Kerberos
&lt;/Directory&gt;</pre>
<div class="note"><span class="notetitle">Note:</span> If your Directory or File server area does
not contain any control access restrictions, perform the following steps:<ol><li>Start the <span>IBM Web Administration for i5/OS interface</span>.</li>
<li>Click the <span class="uicontrol">Manage</span> tab.</li>
<li>Click the <span class="uicontrol">HTTP Servers</span> subtab.</li>
<li>Select your HTTP Server (powered by Apache) from the <span class="uicontrol">Server</span> list.</li>
<li>Select the server area you want to work with from the <span class="uicontrol">Server
area</span> list.</li>
<li>Expand <span class="uicontrol">Server Properties</span>.</li>
<li>Click <span class="uicontrol">Security</span>.</li>
<li>Click the <span class="uicontrol">Control Access</span> tab.</li>
<li>Select <span class="uicontrol">Deny then allow</span> from the <span class="uicontrol">Order
for evaluating access</span> list.</li>
<li>Select <span class="uicontrol">Deny access to all, except the following</span>.</li>
<li>Click <span class="uicontrol">Add</span> under the <span class="uicontrol">Specific allowed
client hosts</span> table.</li>
<li>Type <var class="varname">*.jkl.com</var> under the <span class="uicontrol">Domain name or
IP address</span> column to allow clients in the JKL domain to access
the resource.<div class="note"><span class="notetitle">Note:</span> You should type the domain name or IP address of your server.
If you do not, no client is allowed access to the resources.</div>
</li>
<li>Click <span class="uicontrol">Continue</span>.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</div>
</div>
</div>
<div class="nested2" xml:lang="en-us" id="post"><a name="post"><!-- --></a><h3 class="topictitle3">Step <span>12</span>: (Optional)
Post configuration considerations </h3>
<div><div class="section"><p>Now that you finished this scenario, the only EIM user you have
defined that EIM can use is the Distinguished Name (DN) for the LDAP administrator.
The LDAP administrator DN that you specified for the system user on <var class="varname">iSeries
A</var> has a high level of authority to all data on the directory server.
Therefore, you might consider creating one or more DNs as additional users
that have more appropriate and limited access control for EIM data. The number
of additional EIM users that you define depends on your security policy's
emphasis on the separation of security duties and responsibilities. Typically,
you might create at least the two following types of DNs:</p>
<ul><li>A user that has EIM administrator access control<p>This EIM administrator
DN provides the appropriate level of authority for an administrator who is
responsible for managing the EIM domain. This EIM administrator DN could be
used to connect to the domain controller when managing all aspects of the
EIM domain by means of iSeries Navigator. </p>
</li>
<li>At least one user that has all of the following access controls:<ul><li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping operations </li>
</ul>
<p>This user provides the appropriate level of access control required
for the system user that performs EIM operations on behalf of the operating
system. </p>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> To use the new DN for the system user instead of the LDAP administrator
DN, you must change the EIM configuration properties for the system user on
each system.</div>
<p>To use Microsoft Internet Explorer to access a Kerberos
protected resource, the Integrated Windows Authentication option must be enabled.
To enable it, from Internet Explorer go to <span class="uicontrol">Tools &gt; Internet options
&gt; Advanced tab and Enable Integrated Windows Authentication</span>.</p>
</div>
</div>
</div>
</div>
</body>
</html>