<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="task" />
|
||
|
<meta name="DC.Title" content="JKL Toy Company enables single signon for HTTP Server (powered by Apache)" />
|
||
|
<meta name="abstract" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." />
|
||
|
<meta name="description" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzaiescenarios.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzaiejklkerberos" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>JKL Toy Company enables single signon for HTTP Server (powered by Apache)</title>
|
||
|
</head>
|
||
|
<body id="rzaiejklkerberos"><a name="rzaiejklkerberos"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">JKL Toy Company enables single signon for HTTP Server (powered by Apache)</h1>
|
||
|
<div><p>This scenario discusses how to enable single signon for your HTTP
|
||
|
Server (powered by Apache).</p>
|
||
|
<div class="p"><div class="important"><span class="importanttitle">Important:</span> Information
|
||
|
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
|
||
|
It is recommended that you install the latest PTFs to upgrade to the latest
|
||
|
level of the HTTP Server for i5/OS. Some of the topics documented here are
|
||
|
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
|
||
|
</div>
|
||
|
<div class="section"><p>To learn more about Kerberos and network security on the iSeries™, see <a href="../rzakh/rzakh000.htm">Network authentication
|
||
|
service</a>.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiescenarios.htm" title="This topic provides information on how to use the IBM Web Administration for i5/OS interface to set up or manage your HTTP Server, step-by-step. Each task is specific and includes a usable HTTP Server configuration file when completed.">Scenarios for HTTP Server</a></div>
|
||
|
</div>
|
||
|
</div><div class="nested1" xml:lang="en-us" id="scenariointro"><a name="scenariointro"><!-- --></a><h2 class="topictitle2">Scenario</h2>
|
||
|
<div><div class="section"><p>The JKL Web administrator, John Day, wants to enable single signon
|
||
|
for the JKL Toy Company network. The network consists of several iSeries systems
|
||
|
and a Windows<sup>®</sup> 2000
|
||
|
server, where the users are registered in Microsoft<sup>®</sup> Windows Active Directory.
|
||
|
Based on John Day's research, he knows that Microsoft Active Directory uses
|
||
|
the Kerberos protocol to authenticate Windows users. John Day also knows that i5/OS™ provides
|
||
|
a single signon solution based on an implementation of Kerberos authentication,
|
||
|
called network authentication service, in conjunction with Enterprise Identity
|
||
|
Mapping (EIM). </p>
|
||
|
<p>While excited about the benefits of a single signon
|
||
|
environment, John Day wants to thoroughly understand single signon configuration
|
||
|
and usage before using it across the entire enterprise. Consequently, John
|
||
|
Day decides to configure a test environment first.</p>
|
||
|
<p>After considering
|
||
|
the various groups in the company, John Day decides to create the test environment
|
||
|
for the <var class="varname">MYCO</var> Order Receiving department, a subsidiary of
|
||
|
JKL Toys. The employees in the Order Receiving department use multiple applications,
|
||
|
including HTTP Server, on one iSeries system to handle incoming customer orders.
|
||
|
John Day uses the Order Receiving department as a testing area to create a
|
||
|
single signon test environment that can be used to better understand how single
|
||
|
signon works and how to plan a single signon implementation across the JKL
|
||
|
enterprise.</p>
|
||
|
<p><strong>This scenario has the following advantages: </strong> </p>
|
||
|
<ul><li>Allows you to see some of the benefits of single signon on a small scale
|
||
|
to better understand how you can take full advantage of it before you create
|
||
|
a large-scale, single signon environment. </li>
|
||
|
<li>Provides you with a better understanding of the planning process required
|
||
|
to successfully and quickly implement a single signon environment across your
|
||
|
entire enterprise.</li>
|
||
|
</ul>
|
||
|
<p>As the network administrator at JKL Toy Company, John Day wants to
|
||
|
create a small single signon test environment that includes a small number
|
||
|
of users and a single iSeries server, <var class="varname">iSeries A</var>. John Day
|
||
|
wants to perform thorough testing to ensure that user identities are correctly
|
||
|
mapped within the test environment. The first step is to enable a single signon
|
||
|
environment for i5/OS and applications on <var class="varname">iSeries A</var>, including
|
||
|
the HTTP Server (powered by Apache). After implementing the configuration
|
||
|
successfully, John Day eventually wants to expand the test environment to
|
||
|
include the other systems and users in the JKL enterprise. </p>
|
||
|
<p><strong>The
|
||
|
objectives of this scenario are as follows:</strong></p>
|
||
|
<ul><li>The iSeries system, known as iSeries A, must be able to use Kerberos within
|
||
|
the MYCO.COM realm to authenticate the users and services that are participating
|
||
|
in this single signon test environment. To enable the system to use Kerberos,
|
||
|
iSeries A must be configured for network authentication service.</li>
|
||
|
<li>The directory server on iSeries A must function as the domain controller
|
||
|
for the new EIM domain.<blockquote><div class="note"><span class="notetitle">Note:</span> Two types of domains play key roles in the
|
||
|
single signon environment: an EIM domain and a Windows 2000 domain. Although
|
||
|
both of these terms contain the word <dfn class="term">domain</dfn>, these entities have
|
||
|
very different definitions. </div>
|
||
|
</blockquote>
|
||
|
<p>Use the following descriptions
|
||
|
to understand the differences between these two types of domains. For more
|
||
|
information about these terms, see the <a href="../rzalv/rzalvmst.htm">EIM</a> and <a href="../rzakh/rzakh000.htm">Network authentication service</a> topics. </p>
|
||
|
<dl><dt class="dlterm">EIM domain</dt>
|
||
|
<dd>An EIM domain is a collection of data, which includes the EIM identifiers,
|
||
|
EIM associations, and EIM user registry definitions that are defined in that
|
||
|
domain. This data is stored in a Lightweight Directory Access Protocol (LDAP)
|
||
|
server, such as the IBM<sup>®</sup> Directory Server for iSeries, which can run on any
|
||
|
system in the network defined in that domain. Administrators can configure
|
||
|
systems (EIM clients), such as i5/OS, to participate in the domain so that
|
||
|
systems and applications can use domain data for EIM lookup operations and
|
||
|
identity mapping. To find out more about an EIM domain, see <a href="../rzalv/rzalvmst.htm">EIM</a>.</dd>
|
||
|
</dl>
|
||
|
<dl><dt class="dlterm">Windows 2000 domain</dt>
|
||
|
<dd>In the context of single signon, a Windows 2000 domain is a Windows network
|
||
|
that contains several systems that operate as clients and servers, as well
|
||
|
as a variety of services and applications that the systems use. The following
|
||
|
are some of the components pertinent to single signon that you may find within
|
||
|
a Windows 2000 domain:<ul><li><strong>Realm</strong><p>A realm is a collection of machines and services. The main
|
||
|
purpose of a realm is to authenticate clients and services. Each realm uses
|
||
|
a single Kerberos server to manage the principals for that particular realm. </p>
|
||
|
</li>
|
||
|
<li><strong>Kerberos server</strong><div class="p">A Kerberos server, also known as a key distribution
|
||
|
center (KDC), is a network service that resides on the Windows 2000 server
|
||
|
and provides tickets and temporary session keys for network authentication
|
||
|
service. The Kerberos server maintains a database of principals (users and
|
||
|
services) and their associated secret keys. It is composed of the authentication
|
||
|
server and the ticket granting server. A Kerberos server uses Microsoft Windows
|
||
|
Active Directory to store and manage the information in a Kerberos user registry. <div class="note"><span class="notetitle">Note:</span> The Kerberos server and the systems that authenticate to it do not need to share a subnet, but they must resolve each other's host names through DNS and keep their clocks synchronized (within 5 minutes in this scenario); otherwise tickets cannot be validated.</div>
|
||
|
</div>
|
||
|
</li>
|
||
|
<li><strong>Microsoft Windows Active Directory</strong><p>Microsoft Windows Active Directory
|
||
|
is an LDAP server that resides on the Windows 2000 server along with the Kerberos
|
||
|
server. The Active Directory is used to store and manage the information in
|
||
|
a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos
|
||
|
authentication as its default security mechanism. Therefore, if you are using
|
||
|
Microsoft Active Directory to manage your users, you are already using Kerberos
|
||
|
technology. </p>
|
||
|
</li>
|
||
|
</ul>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
</li>
|
||
|
<li>One user profile on <var class="varname">iSeries A</var> and one Kerberos principal
|
||
|
must each be mapped to a single EIM identifier.</li>
|
||
|
<li>A Kerberos service principal must be used to authenticate the user to
|
||
|
the IBM HTTP Server for iSeries.</li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="details"><a name="details"><!-- --></a><h2 class="topictitle2">Details</h2>
|
||
|
<div><div class="section"><p>The following figure illustrates the network environment for this
|
||
|
scenario:</p>
|
||
|
<br /><img src="rzamz501.gif" alt="Single signon test environment diagram" /><br /><p>The figure illustrates the following points relevant to this scenario.</p>
|
||
|
<p><strong>EIM
|
||
|
domain data defined for the enterprise</strong></p>
|
||
|
<ul><li>An EIM domain called <var class="varname">MyCoEimDomain</var>.</li>
|
||
|
<li>An EIM registry definition for <var class="varname">iSeries A</var> called <var class="varname">ISERIESA.MYCO.COM</var>.
|
||
|
</li>
|
||
|
<li>An EIM registry definition for the Kerberos registry called <var class="varname">MYCO.COM</var>.
|
||
|
</li>
|
||
|
<li>An EIM identifier called John Day. This identifier uniquely identifies
|
||
|
John Day, the administrator for <var class="varname">MyCo</var>. </li>
|
||
|
<li>A source association for the <var class="varname">jday</var> Kerberos principal
|
||
|
on the Windows 2000 server. </li>
|
||
|
<li>A target association for the <var class="varname">JOHND</var> user profile on <var class="varname">iSeries
|
||
|
A</var> to access HTTP Server.</li>
|
||
|
</ul>
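<p>The following is an added example, not part of the original IBM page: a small Python model of the lookup that EIM performs with the domain data listed above. A source association maps the Kerberos principal <var class="varname">jday</var> in the <var class="varname">MYCO.COM</var> registry to the identifier <var class="varname">John Day</var>, and a target association maps that identifier to the <var class="varname">JOHND</var> profile in the <var class="varname">ISERIESA.MYCO.COM</var> registry. The <code>case_sensitive</code> flag on a registry corresponds to the wizard's "Kerberos user identities are case sensitive" choice. The class and function names are the example's own; the real lookup is performed by the EIM APIs against the LDAP-backed domain controller.</p>

```python
"""Added example (not IBM code): a toy model of an EIM lookup.

A source association maps (registry, user) -> EIM identifier; a target
association maps (identifier, registry) -> user. A lookup walks
source association -> identifier -> target association, so a Kerberos
principal in one registry can be mapped to a user profile in another
registry without either registry knowing about the other.
"""
from dataclasses import dataclass, field


@dataclass
class Registry:
    name: str
    case_sensitive: bool  # mirrors "Kerberos user identities are case sensitive"

    def key(self, user: str) -> str:
        return user if self.case_sensitive else user.lower()


@dataclass
class EimDomain:
    name: str
    registries: dict = field(default_factory=dict)
    sources: dict = field(default_factory=dict)  # (registry, key) -> identifier
    targets: dict = field(default_factory=dict)  # (identifier, registry) -> user

    def add_registry(self, name: str, case_sensitive: bool) -> None:
        self.registries[name] = Registry(name, case_sensitive)

    def add_source_association(self, registry: str, user: str, identifier: str) -> None:
        if registry not in self.registries:
            raise KeyError(f"registry {registry!r} is not defined in the domain")
        self.sources[(registry, self.registries[registry].key(user))] = identifier

    def add_target_association(self, identifier: str, registry: str, user: str) -> None:
        if registry not in self.registries:
            raise KeyError(f"registry {registry!r} is not defined in the domain")
        self.targets[(identifier, registry)] = user

    def lookup(self, source_registry: str, source_user: str, target_registry: str):
        """Return the target user, or None when either association is missing."""
        reg = self.registries.get(source_registry)
        if reg is None:
            return None
        identifier = self.sources.get((source_registry, reg.key(source_user)))
        if identifier is None:
            return None
        return self.targets.get((identifier, target_registry))


def build_scenario_domain() -> EimDomain:
    """The MyCoEimDomain data described on this page."""
    domain = EimDomain("MyCoEimDomain")
    domain.add_registry("MYCO.COM", case_sensitive=False)           # Kerberos registry (AD)
    domain.add_registry("ISERIESA.MYCO.COM", case_sensitive=False)  # local i5/OS registry
    domain.add_source_association("MYCO.COM", "jday", "John Day")
    domain.add_target_association("John Day", "ISERIESA.MYCO.COM", "JOHND")
    return domain


if __name__ == "__main__":
    d = build_scenario_domain()
    print(d.lookup("MYCO.COM", "jday", "ISERIESA.MYCO.COM"))    # JOHND
    print(d.lookup("MYCO.COM", "JDAY", "ISERIESA.MYCO.COM"))    # JOHND, registry is case-insensitive
    print(d.lookup("MYCO.COM", "jsmith", "ISERIESA.MYCO.COM"))  # None, no source association
```

<p>A principal with no source association, or an identifier with no target association for the requested registry, yields no mapping; HTTP Server then cannot run the request under an i5/OS profile, which is the failure to look for first when single signon is denied.</p>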
|
||
|
<p><strong>Windows 2000 server</strong></p>
|
||
|
<ul><li>Acts as the Kerberos server (<var class="varname">kdc1.myco.com</var>), also known
|
||
|
as a key distribution center (KDC), for the network. </li>
|
||
|
<li>The default realm for the Kerberos server is <var class="varname">MYCO.COM</var>.
|
||
|
</li>
|
||
|
<li>A Kerberos principal of <var class="varname">jday</var> is registered with the
|
||
|
Kerberos server on the Windows 2000 server. This principal will be used to
|
||
|
create a source association to the EIM identifier, John Day. </li>
|
||
|
</ul>
|
||
|
<p><strong><var class="varname">iSeries A</var></strong></p>
|
||
|
<ul><li>Runs OS/400<sup>®</sup> Version
|
||
|
5 Release 2 (V5R2) with the following options and licensed products installed:<ul><li>IBM HTTP Server for iSeries</li>
|
||
|
<li>OS/400 Host Servers</li>
|
||
|
<li>Qshell Interpreter</li>
|
||
|
<li>iSeries Access for Windows </li>
|
||
|
<li>Cryptographic Access Provider</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
<li>The IBM Directory Server for iSeries (LDAP) on <var class="varname">iSeries A</var> will
|
||
|
be configured to be the EIM domain controller for the new EIM domain, <var class="varname">MyCoEimDomain</var>.
|
||
|
<var class="varname">iSeries A</var> participates in the EIM domain, <var class="varname">MyCoEimDomain</var>.</li>
|
||
|
<li>The principal name for <var class="varname">iSeries A</var> is <var class="varname">krbsvr400/iseriesa.myco.com@MYCO.COM</var>.</li>
|
||
|
<li>The principal name for the HTTP Server on <var class="varname">iSeries A</var> is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>.</li>
|
||
|
<li>The user profile of <var class="varname">JOHND</var> exists on <var class="varname">iSeries
|
||
|
A</var>. You will create a target association between this user profile
|
||
|
and the EIM identifier, <var class="varname">John Day</var>. </li>
|
||
|
<li>The home directory for the i5/OS user profile, <var class="varname">JOHND</var>,
|
||
|
(<var class="varname">/home/JOHND</var>) is defined on <var class="varname">iSeries A</var>. </li>
|
||
|
</ul>
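<p>The following is an added example, not part of the original IBM page. It derives the two service principals listed above for <var class="varname">iSeries A</var>, validates their form, and emits the two halves of the registration: the <code>ktpass</code> commands that create the principals on the Windows KDC (the batch file the Network Authentication Service wizard offers to write) and the Qshell <code>keytab</code> commands that store the matching keys on i5/OS. The <code>ktpass</code> flag choices, the derived account names and the exact shape of the <code>keytab add</code> command are assumptions based on the tools' documented syntax; the file the wizard actually writes may differ. <code>DES-CBC-CRC</code> reflects a Windows 2000 / V5R2 setup and is not acceptable on a current KDC.</p>

```python
"""Added example (not IBM code): build, validate and register the service
principals for iSeries A.

Assumptions: ktpass flags and the Qshell `keytab add <principal> -p <pw>`
form follow the tools' documented syntax; the account naming scheme
(host_service) is this example's own.
"""
import re

_SPN = re.compile(
    r"^(?P<service>[A-Za-z0-9_]+)/(?P<host>[a-z0-9][a-z0-9.-]*)@(?P<realm>[A-Z0-9][A-Z0-9.-]*)$"
)


def service_principal(service: str, host: str, realm: str) -> str:
    """Return service/fqdn@REALM.

    The host is lowercased and the realm uppercased because the KDC compares
    them literally. A short host name is rejected: clients build the name
    they request from the DNS FQDN, so a keytab entry for a short name is
    never matched. The service part is kept as given; browsers ask for
    "HTTP/..." in upper case, so use that spelling for the web server.
    """
    host = host.lower()
    if "." not in host:
        raise ValueError(f"host {host!r} must be fully qualified")
    return f"{service}/{host}@{realm.upper()}"


def parse_principal(principal: str) -> dict:
    m = _SPN.match(principal)
    if m is None:
        raise ValueError(f"malformed service principal {principal!r}")
    return m.groupdict()


def ktpass_commands(principals, password, crypto="DES-CBC-CRC"):
    """One ktpass per principal, mapping it onto an AD account whose name is
    derived from host and service (assumed scheme, e.g. iseriesa_http)."""
    lines = []
    for p in principals:
        parts = parse_principal(p)
        account = f"{parts['host'].split('.')[0]}_{parts['service'].lower()}"
        lines.append(
            f"ktpass -princ {p} -mapuser {account} -pass {password} "
            f"-mapop set -crypto {crypto} -ptype KRB5_NT_PRINCIPAL"
        )
    return lines


def keytab_commands(principals, password):
    """Qshell commands run on iSeries A. The password must be the one given to
    ktpass: both sides derive the service key from it, and a mismatch shows up
    later as a ticket that the server cannot decrypt."""
    return [f"keytab add {p} -p {password}" for p in principals]


def plan(host, realm, services, password):
    principals = [service_principal(s, host, realm) for s in services]
    return {
        "principals": principals,
        "kdc": ktpass_commands(principals, password),
        "iseries": keytab_commands(principals, password),
    }


if __name__ == "__main__":
    # Values from the planning work sheet; the password is the page's example
    # value and must never be reused in a real configuration.
    p = plan("iseriesa.myco.com", "MYCO.COM", ["krbsvr400", "HTTP"], "iseriesa123")
    for section in ("principals", "kdc", "iseries"):
        print(f"# {section}")
        print("\n".join(p[section]))
```

<p>Because the work sheet answers "Yes" to including passwords in the batch file, that file holds long-lived service credentials in clear text; treat it like a keytab, run it from an administrator session only, and delete it once the principals exist.</p>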
|
||
|
<p><strong>Client PC used for single signon administration</strong></p>
|
||
|
<ul><li>Runs Microsoft Windows 2000 operating system. </li>
|
||
|
<li>Runs V5R2 iSeries Access for Windows. </li>
|
||
|
<li>Runs iSeries Navigator with the following subcomponents installed:<ul><li>Network </li>
|
||
|
<li>Security </li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
<li>Serves as the primary logon system for administrator John Day. </li>
|
||
|
<li>Configured to be part of the <var class="varname">MYCO.COM</var> realm (Windows
|
||
|
domain). </li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="prereqs"><a name="prereqs"><!-- --></a><h2 class="topictitle2">Prerequisites</h2>
|
||
|
<div><div class="section"><p>Successful implementation of this scenario requires that the following
|
||
|
assumptions and prerequisites are met: </p>
|
||
|
<ol><li>It is assumed you have read <a href="rzaiescenarios.htm">Scenarios for HTTP Server</a>. </li>
|
||
|
<li>All system requirements, including software and operating system installation,
|
||
|
have been verified.<div class="p">Ensure that all the necessary licensed programs are
|
||
|
installed. To verify that the licensed programs have been installed, complete
|
||
|
the following:<ol type="a"><li>In iSeries Navigator, expand your <span class="menucascade"><span class="uicontrol">iSeries server</span> > <span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed Products</span></span>. </li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</li>
|
||
|
<li>All necessary hardware planning and setup is complete. </li>
|
||
|
<li>TCP/IP and basic system security are configured and tested on each system.
|
||
|
</li>
|
||
|
<li>The directory server and EIM are not previously configured on <var class="varname">iSeries
|
||
|
A</var>.<div class="note"><span class="notetitle">Note:</span> Instructions in this scenario are based on the assumption
|
||
|
that the directory server has not been previously configured on <var class="varname">iSeries
|
||
|
A</var>. However, if you have previously configured the directory server,
|
||
|
you can still use these instructions with only slight differences. These differences
|
||
|
are noted in the appropriate places within the configuration steps.</div>
|
||
|
</li>
|
||
|
<li>A single DNS server is used for host name resolution for the network.
|
||
|
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
|
||
|
with Kerberos authentication may result in name resolution errors or other
|
||
|
problems.</div>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested2" xml:lang="en-us" id="configsteps"><a name="configsteps"><!-- --></a><h3 class="topictitle3">Configuration steps</h3>
|
||
|
<div><div class="section"><div class="note"><span class="notetitle">Note:</span> Before you implement this scenario, you need to thoroughly
|
||
|
understand the concepts related to single signon, including network authentication
|
||
|
service and Enterprise Identity Mapping (EIM). See the following information
|
||
|
to learn about the terms and concepts related to single signon:</div>
|
||
|
<ul><li><a href="../rzalv/rzalvmst.htm">Enterprise
|
||
|
Identity Mapping (EIM) </a> </li>
|
||
|
<li><a href="../rzakh/rzakh000.htm">Network
|
||
|
authentication service</a> </li>
|
||
|
</ul>
|
||
|
<p>These are the configuration steps John Day completed. Follow these
|
||
|
configuration steps to enable a single signon environment for your iSeries
|
||
|
server.</p>
|
||
|
<ul class="simple"><li><a href="#plnwrksht">Step 1: Planning work sheet</a></li>
|
||
|
<li><a href="#eim">Step 2: Create a basic single signon configuration for iSeries A</a></li>
|
||
|
<li><a href="#kerberos">Step 3: Add principal names to the KDC</a></li>
|
||
|
<li><a href="#addkerberoskeytab">Step 4: Add Kerberos keytab</a></li>
|
||
|
<li><a href="#crthmdirforjohn">Step 5: Create home directory for John Day on iSeries A</a></li>
|
||
|
<li><a href="#tstntwrkauthsrvconfig">Step 6: Test network authentication service configuration on iSeries A</a></li>
|
||
|
<li><a href="#crteimidforjohnd">Step 7: Create EIM identifier for John Day</a></li>
|
||
|
<li><a href="#crtsrcassctntrgtassctneimid">Step 8: Create a source association and target association for the new EIM identifier</a></li>
|
||
|
<li><a href="#cnfgiseriesaccess">Step 9: Configure iSeries Access for Windows applications to use Kerberos authentication</a></li>
|
||
|
<li><a href="#addtoexistingeim">Step 10: Add iSeries A to an existing EIM domain</a></li>
|
||
|
<li><a href="#httpserver">Step 11: Configure HTTP Server for single signon</a></li>
|
||
|
<li><a href="#post">Step 12: (Optional) Post configuration considerations</a></li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested2" xml:lang="en-us" id="plnwrksht"><a name="plnwrksht"><!-- --></a><h3 class="topictitle3">Step 1: Planning work sheet</h3>
|
||
|
<div><div class="section"><p>The following planning work sheets are tailored to fit this scenario.
|
||
|
These planning work sheets demonstrate the information that you need to gather
|
||
|
and the decisions you need to make to prepare the single signon implementation
|
||
|
described by this scenario. To ensure a successful implementation, you must
|
||
|
be able to answer <strong>Yes</strong> to all prerequisite items in the work sheet and
|
||
|
be able to gather all the information necessary to complete the work sheets
|
||
|
before you perform any configuration tasks.</p>
|
||
|
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work sheet</caption><thead align="left"><tr><th valign="top" id="d0e437">Prerequisite work sheet</th>
|
||
|
<th valign="top" id="d0e439">Answers </th>
|
||
|
</tr>
|
||
|
</thead>
|
||
|
<tbody><tr><td valign="top" headers="d0e437 ">Are you running OS/400 or i5/OS at version V5R2 or higher?</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Are the following options and licensed products installed
|
||
|
on <var class="varname">iSeries A</var>?<ul><li>i5/OS Host Servers</li>
|
||
|
<li>Qshell Interpreter</li>
|
||
|
<li>iSeries Access for Windows</li>
|
||
|
<li>Cryptographic Access Provider</li>
|
||
|
</ul>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Have you installed an application that is enabled for
|
||
|
single signon on each of the PCs that will participate in the single signon
|
||
|
environment? <div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating PCs have iSeries
|
||
|
Access for Windows installed and <var class="varname">iSeries A</var> has the HTTP
|
||
|
Server for iSeries installed.</div>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Is iSeries Navigator installed on the administrator's
|
||
|
PC?<ul><li>Is the Security subcomponent of iSeries Navigator installed on the administrator's
|
||
|
PC?</li>
|
||
|
<li>Is the Network subcomponent of iSeries Navigator installed on the administrator's
|
||
|
PC?</li>
|
||
|
</ul>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Have you installed the latest iSeries Access for Windows
|
||
|
service pack? See <a href="http://www.ibm.com/servers/eserver/iseries/access/" target="_blank">iSeries Access</a> <img src="www.gif" alt="Link outside Information Center" /> for the latest service pack.</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Do you, the administrator, have *SECADM, *ALLOBJ, and
|
||
|
*IOSYSCFG special authorities?</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Do you have one of the following systems in the network
|
||
|
acting as the Kerberos server (also known as the KDC)? If yes, specify which
|
||
|
system. <ol><li>Windows 2000 Server<div class="note"><span class="notetitle">Note:</span> Microsoft Windows 2000 Server uses Kerberos authentication
|
||
|
as its default security mechanism. </div>
|
||
|
</li>
|
||
|
<li>Windows Server 2003 </li>
|
||
|
<li>i5/OS PASE</li>
|
||
|
<li>AIX<sup>®</sup> server
|
||
|
</li>
|
||
|
<li>zSeries<sup>®</sup></li>
|
||
|
</ol>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes, Windows 2000 Server</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Are all your PCs in your network configured in a Windows<sup>®</sup> 2000 domain?</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Have you applied the latest program temporary fixes
|
||
|
(PTFs)?</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e437 ">Is the iSeries system time within 5 minutes of the system
|
||
|
time on the Kerberos server? If not see <a href="../rzakh/rzakhsync.htm">Synchronize system times</a>.</td>
|
||
|
<td valign="top" headers="d0e439 ">Yes</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
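<p>The following is an added example, not part of the original IBM page: an offline preflight for the two prerequisites in the work sheet that most often break Kerberos authentication, name resolution (forward and reverse DNS must agree on the fully qualified name used in the service principal, which is why the scenario forbids host tables) and clock skew (tickets carry timestamps and the KDC rejects requests outside the tolerance, 5 minutes here). Resolvers and clock readings are passed in as callables and values so the check runs against constructed sample data; in real use pass <code>socket.gethostbyname</code> and <code>socket.gethostbyaddr</code> and a time read from the KDC. The function names and sample records are the example's own.</p>

```python
"""Added example (not IBM code): offline preflight for the single signon
prerequisite work sheet (DNS consistency and clock skew)."""

MAX_SKEW_SECONDS = 5 * 60  # the 5-minute tolerance from the work sheet


def check_clock_skew(local_epoch: float, kdc_epoch: float, max_skew: float = MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds)."""
    skew = abs(local_epoch - kdc_epoch)
    return skew <= max_skew, skew


def check_name_resolution(fqdn: str, forward, reverse) -> list:
    """forward(name) -> ip and reverse(ip) -> name; both raise LookupError when
    no record exists. Returns a list of problems; an empty list means OK."""
    problems = []
    if "." not in fqdn:
        problems.append(f"{fqdn}: not fully qualified")
    try:
        ip = forward(fqdn)
    except LookupError:
        return problems + [f"{fqdn}: no forward (A) record"]
    try:
        back = reverse(ip)
    except LookupError:
        return problems + [f"{fqdn}: no reverse (PTR) record for {ip}"]
    if back.lower() != fqdn.lower():
        problems.append(f"{fqdn}: reverse lookup of {ip} returns {back}")
    return problems


def preflight(hosts, forward, reverse, local_epoch, kdc_epoch) -> dict:
    """Run every check; returns check name -> list of problems."""
    results = {}
    for h in hosts:
        results[f"dns:{h}"] = check_name_resolution(h, forward, reverse)
    ok, skew = check_clock_skew(local_epoch, kdc_epoch)
    results["clock"] = [] if ok else [f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s"]
    return results


def all_passed(results: dict) -> bool:
    return not any(results.values())


# Constructed sample records standing in for the single DNS server in this
# scenario. "iseriesb" is a host-table style short name with no PTR record,
# the kind of entry the work sheet warns against.
SAMPLE_A = {"iseriesa.myco.com": "10.1.1.10", "kdc1.myco.com": "10.1.1.1", "iseriesb": "10.1.1.11"}
SAMPLE_PTR = {"10.1.1.10": "iseriesa.myco.com", "10.1.1.1": "kdc1.myco.com"}


def sample_forward(name: str) -> str:
    return SAMPLE_A[name]  # KeyError is a LookupError


def sample_reverse(ip: str) -> str:
    return SAMPLE_PTR[ip]


if __name__ == "__main__":
    # 120 s of skew and clean DNS: passes. 400 s of skew and a short name: fails.
    good = preflight(["iseriesa.myco.com", "kdc1.myco.com"], sample_forward, sample_reverse, 1_000_000, 1_000_120)
    bad = preflight(["iseriesa.myco.com", "iseriesb"], sample_forward, sample_reverse, 1_000_000, 1_000_400)
    print(all_passed(good), good)
    print(all_passed(bad), bad)
```

<p>Run the DNS check for every host that will hold a service principal (here <var class="varname">iseriesa.myco.com</var>) and for the KDC itself; a reverse record that returns a different name is the usual cause of a "server not found in Kerberos database" failure even though the keytab entry exists.</p>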
|
||
|
<p>You need this information to configure EIM and network authentication
|
||
|
service to create a single signon test environment.</p>
|
||
|
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning work sheet for iSeries A. <p>Use the following information to complete the EIM Configuration wizard.
|
||
|
The information in this work sheet correlates with the information you need
|
||
|
to supply for each page in the wizard:</p>
|
||
|
</caption><thead align="left"><tr><th valign="top" id="d0e551">Configuration planning work sheet for iSeries
|
||
|
A</th>
|
||
|
<th valign="top" id="d0e553">Answers</th>
|
||
|
</tr>
|
||
|
</thead>
|
||
|
<tbody><tr><td valign="top" headers="d0e551 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain </li>
|
||
|
<li>Create and join a new domain <div class="note"><span class="notetitle">Note:</span> This option allows you to configure
|
||
|
the current system's directory server as the EIM domain controller when the
|
||
|
directory server is not already configured as the EIM domain controller.</div>
|
||
|
</li>
|
||
|
</ul>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e553 ">Create and join a new domain<div class="note"><span class="notetitle">Note:</span> This will configure
|
||
|
the directory server on the same system on which you are currently configuring
|
||
|
EIM.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
|
||
|
must configure network authentication service to configure single signon.</div>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e553 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">The Network Authentication Service wizard
|
||
|
launches from the EIM Configuration wizard. Use the following information
|
||
|
to complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can launch
|
||
|
the Network Authentication Service wizard independently of the EIM Configuration
|
||
|
wizard.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">What is the name of the Kerberos default realm to which
|
||
|
your iSeries will belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000 domain is similar to a Kerberos
|
||
|
realm. Microsoft Windows Active Directory uses Kerberos authentication as
|
||
|
its default security mechanism.</div>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">Are you using Microsoft Active Directory?</td>
|
||
|
<td valign="top" headers="d0e553 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">What is the Kerberos server, also known as a key distribution
|
||
|
center (KDC), for this Kerberos default realm? What is the port on which the
|
||
|
Kerberos server listens?</td>
|
||
|
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>KDC</strong>: <var class="varname">kdc1.myco.com</var></li>
|
||
|
<li><strong>Port</strong>: <var class="varname">88</var></li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">Do you want to configure a password server for this
|
||
|
default realm? If yes, answer the following questions: <p>What is the name of
|
||
|
the password server for this Kerberos server? What is the port on which the
|
||
|
password server listens?</p>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e553 ">Yes<ul class="simple"><li><strong>Password</strong> server: <var class="varname">kdc1.myco.com</var></li>
|
||
|
<li><strong>Port</strong>: <var class="varname">464</var></li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos password change service (kpasswd), which is distinct from port 88, on which the KDC itself listens.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos Authentication </li>
|
||
|
<li>LDAP </li>
|
||
|
<li>IBM HTTP Server for iSeries</li>
|
||
|
<li>iSeries NetServer™ </li>
|
||
|
</ul>
|
||
|
</td>
|
||
|
<td valign="top" headers="d0e553 ">i5/OS Kerberos Authentication<div class="note"><span class="notetitle">Note:</span> A keytab entry for
|
||
|
HTTP Server must be done manually as described later in the configuration
|
||
|
steps.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">What is the password for your service principal or principals? </td>
|
||
|
<td valign="top" headers="d0e553 "><var class="varname">iseriesa123 </var><div class="note"><span class="notetitle">Note:</span> Any and all passwords
|
||
|
specified in this scenario are for example purposes only. To prevent a compromise
|
||
|
to your system or network security, never use these passwords as part of your
|
||
|
own configuration.</div>
|
||
|
</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">Do you want to create a batch file to automate adding
|
||
|
the service principals for iSeries A to the Kerberos registry?</td>
|
||
|
<td valign="top" headers="d0e553 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" headers="d0e551 ">Do you want to include passwords with the i5/OS service
|
||
|
principals in the batch file?</td>
|
||
|
<td valign="top" headers="d0e553 ">Yes</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">As you exit the Network Authentication
|
||
|
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard:</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Specify user information for the wizard to use when
configuring the directory server. This is the connection user. You must specify
the port number, administrator distinguished name, and a password for the
administrator.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished name (DN)
and password to ensure the wizard has enough authority to administer the EIM
domain and the objects in it.</div>
</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Port</strong>: <var class="varname">389</var></li>
<li><strong>Distinguished name</strong>: <var class="varname">cn=administrator</var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
do not use these passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the EIM domain that you want to
create?</td>
<td valign="top" headers="d0e553 "><var class="varname">MyCoEimDomain</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" headers="d0e553 ">No</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Which user registries do you want to add to the EIM
domain?</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li>Local i5/OS: <var class="varname">ISERIESA.MYCO.COM</var></li>
<li>Kerberos: <var class="varname">MYCO.COM</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> The
Kerberos principals stored on the Windows 2000 server are not case sensitive;
therefore do not select <strong>Kerberos user identities are case sensitive</strong>.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">Which EIM user do you want iSeries A to use when performing
EIM operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> If you have not configured the
directory server prior to configuring single signon, the only distinguished
name (DN) you can provide for the system user is the LDAP administrator's
DN and password.</div>
</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>User type</strong>: Distinguished name and password</li>
<li><strong>User</strong>: <var class="varname">cn=administrator</var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">After you complete the EIM Configuration
wizard, use the following information to complete the remaining steps required
for configuring single signon:</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the i5/OS user profile name for the user?</td>
<td valign="top" headers="d0e553 "><var class="varname">JOHND</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the EIM identifier that you want
to create?</td>
<td valign="top" headers="d0e553 "><var class="varname">John Day</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What kinds of associations do you want to create?</td>
<td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Source association</strong>: Kerberos principal <var class="varname">jday</var></li>
<li><strong>Target association</strong>: i5/OS user profile <var class="varname">JOHND</var></li>
</ul>
</td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains
the Kerberos principal for which you are creating the source association?</td>
<td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td>
</tr>
<tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains
the i5/OS user profile for which you are creating the target association?</td>
<td valign="top" headers="d0e553 "><var class="varname">ISERIESA.MYCO.COM</var></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="eim"><a name="eim"><!-- --></a><h2 class="topictitle2">Step 2: Create a basic single signon configuration for <var class="varname">iSeries
A</var></h2>
<div><div class="section"><p>You need to create a basic single signon configuration using
iSeries Navigator. The EIM Configuration wizard assists in the configuration
process. Use the information from your planning work sheets to configure EIM
and network authentication service on <var class="varname">iSeries A</var>.</p>
<div class="note"><span class="notetitle">Note:</span> For
more information about EIM, see the <a href="../rzalv/rzalveservercncpts.htm" target="_blank">EIM concepts</a> topic.</div>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to
start the EIM Configuration wizard.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Create
and join a new domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page,
select <span class="uicontrol">On the local Directory server</span>.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Next</span> and the <span class="uicontrol">Network Authentication
Service</span> wizard is displayed.</span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication
Service wizard only displays when the system determines that you need to enter
additional information to configure network authentication service for the
single signon implementation.</div>
</li>
<li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span>.</span> <div class="note"><span class="notetitle">Note:</span> This launches the Network
Authentication Service wizard. With this wizard, you can configure several
i5/OS interfaces and services to participate in the Kerberos realm.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page, enter <var class="varname">MYCO.COM</var> in
the <span class="uicontrol">Default realm</span> field and select <span class="uicontrol">Microsoft
Active Directory is used for Kerberos authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
enter <var class="varname">kdc1.myco.com</var> in the <span class="uicontrol">KDC</span> field
and enter <var class="varname">88</var> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select <span class="uicontrol">Yes</span>. Enter <var class="varname">kdc1.myco.com</var> in
the <span class="uicontrol">Password server</span> field and <var class="varname">464</var> in
the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create OS/400 Keytab Entry</span> page,
enter and confirm a password, and click <span class="uicontrol">Next</span>. For example, <var class="varname">iSeries
A123</var>. This password is used when <var class="varname">iSeries A</var> is
added to the Kerberos server.</span> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, never use these passwords as part of your
own configuration.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create Batch File</span> page,
select <span class="uicontrol">Yes</span>, specify the following information, and
click <span class="uicontrol">Next</span>:</span> <ul><li><strong>Batch file</strong>: Add the text <kbd class="userinput">iSeries A</kbd> to the
end of the default batch file name. For example, <kbd class="userinput">C:\Documents and Settings\All
Users\Documents\IBM\Client Access\NASConfigiSeries A.bat</kbd>.</li>
<li><strong>Select Include password</strong>: This ensures that all passwords associated
with the i5/OS service principal are included in the batch file. It is important
to note that passwords are displayed in clear text and can be read by anyone
with read access to the batch file. Therefore, it is recommended that you
delete the batch file from the Kerberos server and from your PC immediately
after use.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> If you do not include the password, you will be prompted for the
password when the batch file is run.</div>
<div class="note"><span class="notetitle">Note:</span> You must have <strong>ktpass</strong> and <strong>SETSPN</strong> (set
service principal name) installed on your Windows 2000 server before running
this batch file. The <strong>ktpass</strong> tool is provided in the Service Tools folder
on the Windows 2000 Server installation CD. The <strong>SETSPN</strong> tool is included
in the Microsoft Windows 2000 Resource Kit and can be downloaded from the
Microsoft website.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
authentication service configuration details. Click <span class="uicontrol">Finish</span> to
complete the Network Authentication Service wizard and return to the EIM Configuration
wizard.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Configure Directory Server</span> page,
enter the following information, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> If you configured the directory server before you started this
scenario, you will see the <span class="uicontrol">Specify User for Connection</span> page
instead of the <span class="uicontrol">Configure Directory Server</span> page. In
that case, you must specify the distinguished name and password for the LDAP
administrator.</div>
<ul><li>Port: <var class="varname">389</var></li>
<li>Distinguished name: <var class="varname">cn=administrator</var></li>
<li>Password: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, enter the name
of the domain in the <span class="uicontrol">Domain</span> field, and click <span class="uicontrol">Next</span>.
For example, <var class="varname">MyCoEimDomain</var>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> page,
select <span class="uicontrol">No</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> If the directory server is active, a message is displayed that
indicates you need to end and restart the directory server for the changes
to take effect. Click <span class="uicontrol">Yes</span> to restart the directory
server.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local
OS/400 and Kerberos</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li>
<li>You can enter a specific registry definition name for the user registry
if you want to use a specific registry definition naming plan. However, for
this scenario you can accept the default values.</li>
</ul>
</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
the user for the operating system to use when performing EIM operations on
behalf of operating system functions, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> Because you did not configure the directory server prior to performing
the steps in this scenario, the only distinguished name (DN) that you can
choose is the LDAP administrator's DN.</div>
<ul><li>User type: <var class="varname">Distinguished name and password</var></li>
<li>Distinguished name: <var class="varname">cn=administrator</var></li>
<li>Password: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration
information. Click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</div>
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="kerberos"><a name="kerberos"><!-- --></a><h2 class="topictitle2">Step 3: Add principal names to the KDC</h2>
<div><div class="section"><p>To add the iSeries system to the Windows 2000 KDC, use the documentation
for your KDC that describes the process of adding principals. By convention,
the iSeries system name can be used as the user name. Add the following principal
names to the KDC:</p>
<pre>krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM
HTTP/iseriesa.myco.com@MYCO.COM</pre>
<p>On a Windows 2000 server, follow
these steps:</p>
</div>
<ol><li class="stepexpand"><span>Use the Active Directory Management tool to create a user account
for the iSeries system (select the <span class="uicontrol">Users</span> folder, right-click,
select <span class="uicontrol">New</span>, then select <span class="uicontrol">User</span>).
Specify <var class="varname">iSeriesA</var> as the Active Directory user and <var class="varname">HTTPiSeriesA</var> as
the service principal for HTTP.</span></li>
<li class="stepexpand"><span>Access the properties on the Active Directory user <var class="varname">iSeriesA</var> and
the service principal <var class="varname">HTTPiSeriesA</var>. From the <span class="uicontrol">Account</span> tab,
select <span class="uicontrol">Account is trusted for delegation</span>. This
allows the <var class="varname">HTTPiSeriesA</var> service principal to access
other services on behalf of a signed-in user.</span></li>
<li class="stepexpand"><span>Map the user account to the principal by using the <span class="uicontrol">ktpass</span> command.
This needs to be done twice, once for <var class="varname">iSeriesA</var> and once
for <var class="varname">HTTPiSeriesA</var>. The <span class="uicontrol">ktpass</span> tool
is provided in the Service Tools folder on the Windows 2000 Server installation
CD. To map the user account, open the <span class="uicontrol">ktpass</span> command
window and enter the following:</span> <pre>ktpass -princ krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM -mapuser iSeriesA -pass iseriesa123</pre>
<p>Then add the HTTP Server to the KDC, mapping the HTTP principal to the <var class="varname">HTTPiSeriesA</var> account:</p>
<pre>ktpass -princ HTTP/iseriesa.myco.com@MYCO.COM -mapuser HTTPiSeriesA -pass iseriesa123</pre>
<p>For HTTP, an additional step (setspn, set service principal name) is
required after the <span class="uicontrol">ktpass</span> is done:</p>
<pre>SETSPN -A HTTP/iseriesA.myco.com@MYCO.COM HTTPiSeriesA</pre>
<div class="note"><span class="notetitle">Note:</span> The <strong>SETSPN</strong> tool is included in the Microsoft Windows 2000 Resource Kit and
can be downloaded from the Microsoft website.</div>
<div class="note"><span class="notetitle">Note:</span> The value <var class="varname">iseriesa123</var> is
the password that you specified when you configured network authentication
service. Any and all passwords used within this scenario are for example purposes
only. Do not use the passwords during an actual configuration.</div>
</li>
</ol>
</div>
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="addkerberoskeytab"><a name="addkerberoskeytab"><!-- --></a><h2 class="topictitle2">Step 4: Add Kerberos keytab</h2>
<div><div class="section"><p>You need keytab entries for authentication purposes as well as
for generating the authorization identity. The network authentication service
(the i5/OS implementation of the Kerberos protocol) wizard creates a keytab
entry for <var class="varname">iSeriesA</var>; however, a keytab entry for HTTP must be manually
created. The wizard is only able to create keytab entries for the system and
for certain applications that it knows are Kerberos-enabled. The network
authentication service wizard configures network authentication service (Kerberos)
for you. The wizard is called by the EIM wizard if you have not already configured
network authentication service on the system or if your network authentication
service configuration is not complete.</p>
<p>The <span class="cmdname">kinit</span> command
is used to initiate Kerberos authentication. A Kerberos ticket-granting ticket
(TGT) is obtained and cached for the HTTP Server principal. Use <span class="cmdname">kinit</span> to
perform the ticket exchange for the HTTP Server principal. The ticket is
cached for reuse.</p>
</div>
<ol><li class="stepexpand"><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">QSH</kbd>.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">keytab add</kbd> <var class="varname">HTTP/iseriesa.myco.com</var>.</span></li>
<li class="stepexpand"><span>Type <var class="varname">iseries123</var> for the password.</span></li>
<li class="stepexpand"><span>Type <var class="varname">iseries123</var> again to confirm the password.</span></li>
<li class="stepexpand"><span>Type <kbd class="userinput">keytab list</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> The <span class="cmdname">keytab
list</span> command lists the keytab information on your iSeries server.</div>
</li>
<li class="stepexpand"><span>Now test the password entered in the keytab to make sure it matches
the password used for this service principal on the KDC. Do this with the
following command: <kbd class="userinput">kinit -k HTTP/</kbd><var class="varname">iseriesa.myco.com</var></span> The -k option tells the kinit command not to prompt for a password and
to use only the password that is in the keytab. If the kinit command fails, it
is likely that different passwords were used for the <kbd class="userinput">ktpass</kbd> command
run on the Windows domain controller and the keytab command entered in <kbd class="userinput">QSH</kbd>.</li>
<li class="stepexpand"><span>Now test the iSeries Kerberos authentication to make sure the keytab
password is the same as the password stored in the KDC. Do this with the following
command: <kbd class="userinput">kinit -k krbsvr400</kbd><var class="varname">/iseriesa.myco.com</var></span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication Service wizard created this keytab
entry.</div>
</li>
<li class="stepexpand"><span>Type <kbd class="userinput">klist</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> If the kinit
command returns without errors, then klist will show your ticket cache.</div>
</li>
</ol>
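<p>The following Python script, an added example rather than IBM or Microsoft code, parses the scenario's own ktpass, SETSPN and keytab add lines from Steps 3 and 4 (embedded as constructed input) and reports a host or realm mismatch as an error and a case-only difference as a warning, because a principal name that is not the same in all three places makes the kinit -k test above fail regardless of the password. It assumes the default realm is MYCO.COM and cannot check the password itself; only kinit -k does that.</p>

```python
"""Principal-name consistency check for the ktpass, SETSPN and keytab add
steps of the scenario (added example, not IBM or Microsoft code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# service/host[@REALM]; the realm is optional because the scenario's
# `keytab add` line is typed without one and picks up the default realm.
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)(?:@(?P<realm>[^/@\s]+))?$"
)


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: Optional[str]

    @classmethod
    def parse(cls, text: str) -> "Principal":
        match = _PRINCIPAL_RE.match(text.strip())
        if match is None:
            raise ValueError(f"not a service principal name: {text!r}")
        return cls(match["service"], match["host"], match["realm"])

    def canonical(self, default_realm: str) -> Tuple[str, str, str]:
        """Comparison key: the host is a DNS name (case-insensitive) and the
        realm is conventionally upper case; the service part is kept as typed."""
        realm = self.realm if self.realm else default_realm
        return (self.service, self.host.lower(), realm.upper())

    def text(self, default_realm: str) -> str:
        return f"{self.service}/{self.host}@{self.realm or default_realm}"


def principal_from_command(line: str) -> Principal:
    """Extract the principal argument from a ktpass, SETSPN or keytab add line."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    name = tokens[0].lower()
    if name == "ktpass":
        return Principal.parse(tokens[tokens.index("-princ") + 1])
    if name == "setspn":
        return Principal.parse(tokens[tokens.index("-A") + 1])
    if name == "keytab" and len(tokens) > 2 and tokens[1] == "add":
        return Principal.parse(tokens[2])
    raise ValueError(f"unrecognised command: {line!r}")


def check_consistency(commands: List[str], default_realm: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) relative to the principal in the first command.

    errors   -- a command names a different service, host or realm
    warnings -- same principal but different case; the Windows KDC tolerates
                this, but Kerberos principal names are case sensitive by
                specification, so a keytab lookup may not match
    """
    if not commands:
        return [], []
    errors: List[str] = []
    warnings: List[str] = []
    reference = principal_from_command(commands[0])
    ref_key = reference.canonical(default_realm)
    ref_text = reference.text(default_realm)
    for line in commands[1:]:
        principal = principal_from_command(line)
        if principal.canonical(default_realm) != ref_key:
            errors.append(f"{line!r}: {principal.text(default_realm)} is not {ref_text}")
        elif principal.text(default_realm) != ref_text:
            warnings.append(f"{line!r}: case differs from {ref_text}")
    return errors, warnings


# Constructed input: the HTTP-related command lines from Steps 3 and 4.
SCENARIO_COMMANDS = [
    "ktpass -princ HTTP/iseriesa.myco.com@MYCO.COM -mapuser HTTPiSeriesA -pass iseriesa123",
    "SETSPN -A HTTP/iseriesA.myco.com@MYCO.COM HTTPiSeriesA",
    "keytab add HTTP/iseriesa.myco.com",
]

# Constructed input in which the keytab entry was typed with the wrong host name.
MISMATCHED_COMMANDS = SCENARIO_COMMANDS[:2] + ["keytab add HTTP/iseriesa.ordept.myco.com"]

if __name__ == "__main__":
    for label, cmds in (("scenario", SCENARIO_COMMANDS), ("mismatch", MISMATCHED_COMMANDS)):
        errors, warnings = check_consistency(cmds, "MYCO.COM")
        print(f"{label}: errors={errors} warnings={warnings}")
```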
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crthmdirforjohn"><a name="crthmdirforjohn"><!-- --></a><h2 class="topictitle2">Step 5: Create home directory for <var class="varname">John Day</var> on <var class="varname">iSeries
A</var></h2>
<div><div class="section"><p>You need to create a directory in the <span class="filepath">/home</span> directory
to store your Kerberos credentials cache. To create a home directory, complete
the following:</p>
</div>
<ol><li><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li>
<li><span>Type <kbd class="userinput">QSH</kbd>.</span></li>
<li><span>On a command line, enter <kbd class="userinput">CRTDIR</kbd> <var class="varname">'/home/user
profile'</var>, where <var class="varname">user profile</var> is your i5/OS user
profile name. For example: <var class="varname">CRTDIR '/home/JOHND'</var>.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="tstntwrkauthsrvconfig"><a name="tstntwrkauthsrvconfig"><!-- --></a><h2 class="topictitle2">Step 6: Test network authentication service configuration on <var class="varname">iSeries
A</var></h2>
<div><div class="section"><p>Now that you have completed the network authentication service
configuration tasks for <var class="varname">iSeries A</var>, you need to test
your configuration. You can do this by requesting a ticket-granting ticket
for the HTTP principal name, <var class="varname">HTTP/iseriesa.myco.com</var>.</p>
<p>To
test the network authentication service configuration, complete these steps:</p>
<div class="note"><span class="notetitle">Note:</span> Ensure
that you have created a home directory for your i5/OS user profile before
performing this procedure.</div>
</div>
<ol><li><span>On a command line, enter <kbd class="userinput">QSH</kbd> to start the
Qshell Interpreter.</span></li>
<li><span>Enter <kbd class="userinput">keytab list</kbd> to display a list of principals
registered in the keytab file. In this scenario, <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var> displays
as the principal name for <var class="varname">iSeries A</var>.</span></li>
<li><span>Enter <kbd class="userinput">kinit -k HTTP</kbd><var class="varname">/iseriesa.myco.com@MYCO.COM</var>.
If this is successful, the <span class="cmdname">kinit</span> command returns
without errors.</span></li>
<li><span>Enter <kbd class="userinput">klist</kbd> to verify that the default principal
is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crteimidforjohnd"><a name="crteimidforjohnd"><!-- --></a><h2 class="topictitle2">Step 7: Create EIM identifier for <var class="varname">John Day</var></h2>
<div><div class="section"><p>Now that you have performed the initial steps to create a basic
single signon configuration, you can begin to add information to this configuration
to complete your single signon test environment. You need to create the EIM
identifier that you specified in <a href="#plnwrksht">Step 1: Planning work sheet</a>.
In this scenario, this EIM identifier is a name that uniquely identifies <var class="varname">John
Day</var> in the enterprise.</p>
<p>To create an EIM identifier, follow
these steps:</p>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Enterprise Identity Mapping</span> > <span class="uicontrol">Domain Management</span> > <span class="uicontrol">MyCoEimDomain</span></span>.</span> <div class="note"><span class="notetitle">Note:</span> If the
domain is not listed under Domain Management, you may need to <a href="../rzalv/rzalvadmindomainadd.htm">add the domain</a>.
You may be prompted to connect to the domain controller. In that case, the <span class="uicontrol">Connect
to EIM Domain Controller</span> dialog is displayed. You must connect
to the domain before you can perform actions in it. To connect to the domain
controller, provide the following information and click <span class="uicontrol">OK</span>:</div>
<ul><li><strong>User type</strong>: Distinguished name</li>
<li><strong>Distinguished name</strong>: <var class="varname">cn=administrator</var></li>
<li><strong>Password</strong>: <var class="varname">mycopwd</var></li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example
purposes only. To prevent a compromise to your system or network security,
never use these passwords as part of your own configuration.</div>
</li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Identifiers</span> and select <span class="uicontrol">New
Identifier...</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">New EIM Identifier</span> dialog, enter a name for the new identifier in the <span class="uicontrol">Identifier</span> field,
and click <span class="uicontrol">OK</span>. For example, <var class="varname">John Day</var>.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="crtsrcassctntrgtassctneimid"><a name="crtsrcassctntrgtassctneimid"><!-- --></a><h2 class="topictitle2">Step 8: Create a source association and target association for the
new EIM identifier</h2>
<div><div class="section"><p>You must create the appropriate associations between the EIM identifier
and the user identities that the person represented by the identifier uses.
These identifier associations, when properly configured, enable the user to
participate in a single signon environment.</p>
<p>In this scenario, you need
to create two identifier associations for the <var class="varname">John Day</var> identifier:</p>
<ul><li>A source association for the <var class="varname">jday</var> Kerberos principal,
which is the user identity that <var class="varname">John Day</var>, the person, uses
to log in to Windows and the network. The source association allows the Kerberos
principal to be mapped to another user identity as defined in a corresponding
target association.</li>
<li>A target association for the <var class="varname">JOHND</var> i5/OS user profile,
which is the user identity that <var class="varname">John Day</var>, the person, uses
to log in to iSeries Navigator and other i5/OS applications on <var class="varname">iSeries
A</var>. The target association specifies that a mapping lookup operation
can map to this user identity from another one as defined in a source association
for the same identifier.</li>
</ul>
<p>Now that you have created the <var class="varname">John Day</var> identifier,
you need to create both a source association and a target association for
it.</p>
<p>To create a source association between the Kerberos principal <var class="varname">jday</var> and the <var class="varname">John Day</var> identifier,
follow these steps:</p>
</div>
<ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li>
<li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Enterprise
Identity Mapping</span> > <span class="uicontrol">Domain Management</span> > <span class="uicontrol">MyCoEimDomain</span> > <span class="uicontrol">Identifiers</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <var class="varname">John Day</var>, and select <span class="uicontrol">Properties</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Add Association</span> dialog, specify or
click <span class="uicontrol">Browse...</span> to select the following information,
and click <span class="uicontrol">OK</span>:</span> <ul><li><strong>Registry</strong>: <var class="varname">MYCO.COM</var></li>
<li><strong>User</strong>: <var class="varname">jday</var></li>
<li><strong>Association type</strong>: <kbd class="userinput">Source</kbd></li>
</ul>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog.</span> <p>To create a target association between the i5/OS user profile and
the <var class="varname">John Day</var> identifier, follow these steps:</p>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Add Association</span> dialog, specify or click <span class="uicontrol">Browse...</span> to
select the following information, and click <span class="uicontrol">OK</span>:</span> <ul><li><strong>Registry</strong>: <var class="varname">ISERIESA.MYCO.COM</var></li>
<li><strong>User</strong>: <var class="varname">JOHND</var><div class="note"><span class="notetitle">Note:</span> The default behavior in V5R2
is to create the Kerberos registry as case sensitive. The <span class="uicontrol">User</span> value
entered for the Kerberos source association must be the same case as the user in Active Directory.</div>
</li>
<li><strong>Association type</strong>: <kbd class="userinput">Target</kbd></li>
</ul>
</li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Properties</span> dialog.</span></li>
</ol>
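<p>The following Python model, an added example rather than IBM's EIM code, builds MyCoEimDomain from the planning work sheet data (constructed inline) and performs the mapping lookup that single signon relies on once the two associations above exist: from jday in the MYCO.COM Kerberos registry to JOHND in ISERIESA.MYCO.COM. It assumes registry names are compared exactly as written, and it shows how the Kerberos case-sensitivity setting noted above decides whether a differently cased principal such as JDay still maps.</p>

```python
"""Model of an EIM mapping lookup over identifier associations
(added example with constructed data, not IBM's EIM implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Registry:
    name: str
    case_sensitive: bool  # the "Kerberos user identities are case sensitive" choice

    def key(self, user: str) -> str:
        """Normalise a user identity for matching within this registry."""
        return user if self.case_sensitive else user.lower()


@dataclass(frozen=True)
class Association:
    identifier: str  # EIM identifier, for example "John Day"
    registry: str    # registry definition name
    user: str        # user identity within that registry
    kind: str        # "source" or "target"


class EimDomain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.registries: Dict[str, Registry] = {}
        self.associations: List[Association] = []

    def add_registry(self, name: str, case_sensitive: bool) -> None:
        # Step 2 notes that registry names must be unique to the domain.
        if name in self.registries:
            raise ValueError(f"registry names must be unique to the domain: {name}")
        self.registries[name] = Registry(name, case_sensitive)

    def add_association(self, identifier: str, registry: str, user: str, kind: str) -> None:
        if kind not in ("source", "target"):
            raise ValueError(f"unsupported association type: {kind}")
        if registry not in self.registries:
            raise KeyError(f"unknown registry: {registry}")
        self.associations.append(Association(identifier, registry, user, kind))

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> Optional[str]:
        """Map a user identity in source_registry to one in target_registry.

        Returns None when no identifier links the two, and raises LookupError
        when more than one target identity is reachable (an ambiguous mapping).
        """
        src = self.registries[source_registry]
        wanted = src.key(source_user)
        identifiers: Set[str] = {
            a.identifier for a in self.associations
            if a.kind == "source" and a.registry == source_registry and src.key(a.user) == wanted
        }
        targets: Set[str] = {
            a.user for a in self.associations
            if a.kind == "target" and a.registry == target_registry and a.identifier in identifiers
        }
        if len(targets) > 1:
            raise LookupError(f"ambiguous mapping for {source_user}: {sorted(targets)}")
        return next(iter(targets), None)


def build_scenario_domain(kerberos_case_sensitive: bool = False) -> EimDomain:
    """MyCoEimDomain as the planning work sheet describes it (constructed data).

    The work sheet says not to select "Kerberos user identities are case
    sensitive", so the default is False; pass True to model the V5R2 default
    mentioned in Step 8. The flag only matters on the source side of a lookup.
    """
    domain = EimDomain("MyCoEimDomain")
    domain.add_registry("MYCO.COM", kerberos_case_sensitive)
    domain.add_registry("ISERIESA.MYCO.COM", case_sensitive=False)
    domain.add_association("John Day", "MYCO.COM", "jday", "source")
    domain.add_association("John Day", "ISERIESA.MYCO.COM", "JOHND", "target")
    return domain


if __name__ == "__main__":
    relaxed = build_scenario_domain()
    print(relaxed.lookup("MYCO.COM", "jday", "ISERIESA.MYCO.COM"))  # JOHND
    strict = build_scenario_domain(kerberos_case_sensitive=True)
    print(strict.lookup("MYCO.COM", "JDay", "ISERIESA.MYCO.COM"))   # None
```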
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="cnfgiseriesaccess"><a name="cnfgiseriesaccess"><!-- --></a><h2 class="topictitle2">Step 9: Configure iSeries Access for Windows applications to use Kerberos
authentication</h2>
<div><div class="section"><p>You must use Kerberos to authenticate before you can use iSeries
Navigator to access <var class="varname">iSeries A</var>. Therefore, from your PC,
you need to configure iSeries Access for Windows to use Kerberos authentication.
Jay Day will use iSeries Access to monitor the status of the iSeries HTTP
Server and monitor the other activities on the iSeries.</p>
<p>To configure
iSeries Access for Windows applications to use Kerberos authentication, complete
the following steps:</p>
</div>
<ol><li><span>Log on to the Windows 2000 domain by logging on to your PC.</span></li>
<li><span>In iSeries Navigator on your PC, right-click <var class="varname">iSeries A</var> and
select <span class="uicontrol">Properties</span>. </span></li>
<li><span>On the <span class="uicontrol">Connection</span> page, select <span class="uicontrol">Use
Kerberos principal name, no prompting</span>. This will allow iSeries
Access for Windows connections to use the Kerberos principal name and password
for authentication. </span></li>
<li><span>A message is displayed that indicates you need to close and restart
all applications that are currently running for the changes to the connection
settings to take effect. Click <span class="uicontrol">OK</span>. Then, end and restart
iSeries Navigator. </span></li>
</ol>
</div>
|
||
|
<div class="nested2" xml:lang="en-us" id="addtoexistingeim"><a name="addtoexistingeim"><!-- --></a><h3 class="topictitle3">Step 10: Add <var class="varname">iSeries A</var> to an existing EIM domain</h3>
<div><div class="section"><p>The iSeries server does not require mapping, per the EIM configuration,
as it is not a signon-type entity. You do, however, have to add the iSeries
server to an existing EIM domain.</p>
<div class="note"><span class="notetitle">Note:</span> If EIM resides on the same iSeries
server as the HTTP Server, then skip this step.</div>
</div>
<ol><li><span>Start iSeries Navigator.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Enterprise
Identity Mapping</span> > <span class="uicontrol"> Configuration</span></span>.</span></li>
<li><span>Click <span class="uicontrol">Configure system for EIM</span>.</span></li>
<li><span>Click <span class="uicontrol">Join an existing domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Type <var class="varname">iseriesa.myco.com</var> in the <span class="uicontrol">Domain
controller name</span> field.</span></li>
<li><span>Type <var class="varname">389</var> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <span class="uicontrol">Distinguished name and password</span> from
the <span class="uicontrol">User type</span> field.</span></li>
<li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished
name</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <var class="varname">MyCoEimDomain</var> from the <span class="uicontrol">Domain</span> column.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <var class="varname">iseriesa.myco.com</var> for <span class="uicontrol">Local
OS/400</span> and <var class="varname">kdc1.myco.com</var> for <span class="uicontrol">Kerberos</span>.</span></li>
<li><span>Select <span class="uicontrol">Kerberos user identities are case sensitive</span>.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Select <span class="uicontrol">Distinguished name and password</span> from
the <span class="uicontrol">User type</span> list.</span></li>
<li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished
name</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li>
<li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li><span>Review the information and click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</div>
</div>
</div>
|
||
|
<div class="nested1" xml:lang="en-us" id="httpserver"><a name="httpserver"><!-- --></a><h2 class="topictitle2">Step <span>11</span>: Configure
HTTP Server for single signon</h2>
<div><div class="section"><p>After the basic test environment is working, John Day configures
the HTTP Server to participate in the single signon environment. Once single
signon is enabled, John Day can access the HTTP Server without being prompted
for a user ID and password after signing on to the Windows environment.</p>
<p>To
set up Kerberos for your HTTP Server, complete the following steps:</p>
</div>
<ol><li class="stepexpand"><span>Start the <span>IBM Web Administration for i5/OS interface</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Manage</span> tab.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">HTTP Servers</span> subtab.</span></li>
<li class="stepexpand"><span>Select the HTTP Server (powered by Apache) you want to work with
from the <span class="uicontrol">Server</span> list.</span></li>
<li class="stepexpand"><span>Select the resource from the server area (a directory or a file)
you want to work with from the <span class="uicontrol">Server area</span> list.</span></li>
<li class="stepexpand"><span>Expand <span class="uicontrol">Server Properties</span>.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Security</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Authentication</span> tab.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Kerberos</span> under <span class="uicontrol">User authentication
method</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">enable</span> or <span class="uicontrol">disable</span> to
match the source user identity (user ID) associated with the server ticket
with an iSeries system profile defined in a target association.</span> If
enabled when Kerberos is specified for the AuthType directive, the server
will use EIM to attempt to match the user ID associated with the server ticket
with an iSeries system profile. If there is no appropriate target association
for an iSeries system profile, the HTTP request will fail.</li>
<li class="stepexpand"><span>Click <span class="uicontrol">Apply</span>.</span></li>
</ol>
<div class="section"><p>Restart the HTTP Server (powered by Apache) instance to use your
new Kerberos settings.</p>
</div>
<div class="example"><p>Your configuration file will now include new code for the Kerberos
options you selected.</p>
<div class="note"><span class="notetitle">Note:</span> These examples are used as reference only.
Your configuration file may differ from what is shown.</div>
<p>Processing
requests using client's authority is <span class="uicontrol">Disable</span>:</p>
<pre><Directory />
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
AuthType Kerberos
</Directory></pre>
<p>Processing requests using client's authority
is <span class="uicontrol">Enabled</span>:</p>
<pre><Directory />
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
UserID %%CLIENT%%
AuthType Kerberos
</Directory></pre>
<div class="note"><span class="notetitle">Note:</span> If your Directory or File server area does
not contain any control access restrictions, perform the following steps:<ol><li>Start the <span>IBM Web Administration for i5/OS interface</span>.</li>
<li>Click the <span class="uicontrol">Manage</span> tab.</li>
<li>Click the <span class="uicontrol">HTTP Servers</span> subtab.</li>
<li>Select your HTTP Server (powered by Apache) from the <span class="uicontrol">Server</span> list.</li>
<li>Select the server area you want to work with from the <span class="uicontrol">Server
area</span> list.</li>
<li>Expand <span class="uicontrol">Server Properties</span>.</li>
<li>Click <span class="uicontrol">Security</span>.</li>
<li>Click the <span class="uicontrol">Control Access</span> tab.</li>
<li>Select <span class="uicontrol">Deny then allow</span> from the <span class="uicontrol">Order
for evaluating access</span> list.</li>
<li>Select <span class="uicontrol">Deny access to all, except the following</span>.</li>
<li>Click <span class="uicontrol">Add</span> under the <span class="uicontrol">Specific allowed
client hosts</span> table.</li>
<li>Type <var class="varname">*.jkl.com</var> under the <span class="uicontrol">Domain name or
IP address</span> column to allow clients in the JKL domain to access
the resource.<div class="note"><span class="notetitle">Note:</span> You should type the domain name or IP address of your server.
If you do not, no client is allowed access to the resources.</div>
</li>
<li>Click <span class="uicontrol">Continue</span>.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
</div>
</div>
</div>
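<p>As an added example (not part of the IBM scenario or its tooling), the following Python script parses <code>&lt;Directory&gt;</code> blocks like the ones shown above and reports, per server area, whether the Kerberos directives are all present, whether requests run under the client's authority (<code>UserID %%CLIENT%%</code>), whether any access control is configured, and whether a <code>Deny From all</code> block lacks the <code>Allow</code> line the Control Access note calls for, in which case no client can reach the resource. The sample configuration inside the script is constructed from the page's examples.</p>

```python
"""Audit the <Directory> blocks of an HTTP Server (powered by Apache) configuration
for the Kerberos single signon directives from Step 11 and for the lockout that the
Control Access note warns about. Added example, not IBM's own tooling."""
import re
# Constructed sample: the page's "Enabled" block plus the Allow line the note calls for.
SAMPLE_CONF = """<Directory />
Order Deny,Allow
Deny From all
Allow From *.jkl.com
Require valid-user
PasswdFile %%KERBEROS%%
UserID %%CLIENT%%
AuthType Kerberos
</Directory>"""

_BLOCK = re.compile(r"<Directory\s*([^>]*)>(.*?)</Directory>", re.S | re.I)

def parse_directory_blocks(conf):
    """Map each <Directory> path to its directives as lowercased (name, [args]) pairs."""
    blocks = {}
    for m in _BLOCK.finditer(conf):
        path = m.group(1).strip().rstrip("/") or "/"
        directives = []
        for line in m.group(2).splitlines():
            parts = line.strip().split()
            if parts and not parts[0].startswith("#"):
                directives.append((parts[0].lower(), [p.lower() for p in parts[1:]]))
        blocks[path] = directives
    return blocks

def audit_sso(conf):
    """Return {path: findings} describing the single signon state of each block."""
    report = {}
    for path, directives in parse_directory_blocks(conf).items():
        def has(name, *args):
            return any(n == name and a == list(args) for n, a in directives)
        names = {n for n, _ in directives}
        report[path] = {
            # All three directives appear together in both of the page's Kerberos examples.
            "kerberos_sso": has("authtype", "kerberos") and has("require", "valid-user")
                            and has("passwdfile", "%%kerberos%%"),
            # UserID %%CLIENT%% runs the request under the EIM-mapped i5/OS profile.
            "client_authority": has("userid", "%%client%%"),
            # No Order/Deny/Allow at all: the note's Control Access steps are needed.
            "access_control": bool(names & {"order", "deny", "allow"}),
            # Deny-then-allow with "Deny From all" and no Allow line locks every client out.
            "locks_out_all_clients": has("order", "deny,allow")
                                     and has("deny", "from", "all") and "allow" not in names,
        }
    return report
```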
|
||
|
<div class="nested2" xml:lang="en-us" id="post"><a name="post"><!-- --></a><h3 class="topictitle3">Step <span>12</span>: (Optional)
Post configuration considerations </h3>
<div><div class="section"><p>Now that you have finished this scenario, the only EIM user you have
defined that EIM can use is the Distinguished Name (DN) for the LDAP administrator.
The LDAP administrator DN that you specified for the system user on <var class="varname">iSeries
A</var> has a high level of authority to all data on the directory server.
Therefore, you might consider creating one or more DNs as additional users
that have more appropriate and limited access control for EIM data. The number
of additional EIM users that you define depends on your security policy's
emphasis on the separation of security duties and responsibilities. Typically,
you might create at least the two following types of DNs:</p>
<ul><li>A user that has EIM administrator access control<p>This EIM administrator
DN provides the appropriate level of authority for an administrator who is
responsible for managing the EIM domain. This EIM administrator DN could be
used to connect to the domain controller when managing all aspects of the
EIM domain by means of iSeries Navigator. </p>
</li>
<li>At least one user that has all of the following access controls:<ul><li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping operations </li>
</ul>
<p>This user provides the appropriate level of access control required
for the system user that performs EIM operations on behalf of the operating
system. </p>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> To use the new DN for the system user instead of the LDAP administrator
DN, you must change the EIM configuration properties for the system user on
each system.</div>
<p>To use Microsoft Internet Explorer to access a Kerberos
protected resource, the Integrated Windows Authentication option must be enabled.
To enable it, from Internet Explorer go to <span class="uicontrol">Tools > Internet options
> Advanced tab and Enable Integrated Windows Authentication</span>.</p>
</div>
</div>
</div>
</div>
</body>
</html>