80 lines
5.6 KiB
HTML
80 lines
5.6 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="task" />
|
||
|
<meta name="DC.Title" content="Test authentication on the endpoint systems" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhscenmc2.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_repeatsteps4through6.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzakhkerberosscenario_testauthenticationon" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Test authentication on the endpoint systems</title>
|
||
|
</head>
|
||
|
<body id="rzakhkerberosscenario_testauthenticationon"><a name="rzakhkerberosscenario_testauthenticationon"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Test authentication on the endpoint systems</h1>
|
||
|
<div><div class="section">Once the servers have been restarted, the systems will be using Kerberos
|
||
|
for authentication and the trusted group for authorization. For a system
|
||
|
to accept and carry out a request, that system will verify not only that the
|
||
|
requesting system has a valid Kerberos principal, but also that it trusts
|
||
|
that Kerberos principal by checking if that principal is in its trusted group
|
||
|
list. <div class="note"><span class="notetitle">Note:</span> You need to repeat these steps on each of the target systems,
|
||
|
using the following i5/OS™ service principals:<ul><li>krbsvr400/iseriesa.myco.com@MYCO.COM</li>
|
||
|
<li>krbsvr400/iseriesb.myco.com@MYCO.COM</li>
|
||
|
<li>krbsvr400/iseriesc.myco.com@MYCO.COM</li>
|
||
|
<li>krbsvr400/iseriesd.myco.com@MYCO.COM</li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
To verify that Kerberos authentication is working on the endpoint
|
||
|
systems, complete the following tasks:<div class="note"><span class="notetitle">Note:</span> Be sure you have created a home
|
||
|
directory for your i5/OS user profile before performing these tasks.</div>
|
||
|
</div>
|
||
|
<ol><li class="stepexpand"><span>Close any sessions of iSeries™ Navigator.</span></li>
|
||
|
<li class="stepexpand"><span>On a command line, enter <tt>QSH</tt> to start the Qshell Interpreter.</span></li>
|
||
|
<li class="stepexpand"><span>Enter <tt>keytab list</tt> to display a list of principals registered
|
||
|
in the keytab file. You should see results that are similar to this display:</span> <pre class="screen">Principal: krbsvr400/iseriesa.myc.com@MYCO.COM
|
||
|
Key version: 2
|
||
|
Key type: 56-bit DES using key derivation
|
||
|
Entry timestamp: 200X/05/29-11:02:58 </pre>
|
||
|
</li>
|
||
|
<li class="stepexpand"><span>Enter <tt>kinit -k krbsvr400/iseriesa.myco.com@MYCO.COM</tt> to
|
||
|
request a ticket-granting ticket from the Kerberos server. </span> This
|
||
|
command verifies that your iSeries server has been configured properly and the
|
||
|
password in the keytab file matches the password stored on the Kerberos server.
|
||
|
If this is successful then the QSH command will display without errors.</li>
|
||
|
<li class="stepexpand"><span>Enter <tt>klist</tt> to verify that the default principal is krbsvr400/iseriesa.myco.com@MYCO.COM. </span> This command displays the contents of a Kerberos credentials cache and
|
||
|
verifies that a valid ticket has been created for the i5/OS service principal and placed within
|
||
|
the credentials cache on the iSeries system.<pre class="screen"> Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
|
||
|
|
||
|
Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM
|
||
|
|
||
|
Server: krbtgt/MYCO.COM@MYCO.COM
|
||
|
Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45
|
||
|
$ </pre>
|
||
|
</li>
|
||
|
</ol>
|
||
|
<div class="section">You have now completed the tasks required to configure your Management
|
||
|
Central server jobs to use Kerberos authentication between endpoint systems.</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscenmc2.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for using Kerberos authentication between Management Central servers.">Scenario: Use Kerberos authentication between Management Central servers</a></div>
|
||
|
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhkerberosscenario_repeatsteps4through6.htm">Repeat Steps 4 through 6 for target systems</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|