<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Configure network authentication service" />
<meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives of adding network authentication service to your network." />
<meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives of adding network authentication service to your network." />
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnasscenario_planningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnasscenario_configurenasseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnasscenario_addiseriesaprincipal.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnasscenario_homedirectoryiseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnasscenario_testnasoniseriesa.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhscen1" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Configure network authentication service</title>
</head>
<body id="rzakhscen1"><a name="rzakhscen1"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Configure network authentication service</h1>
<div><p>Use the following scenario to become familiar with the prerequisites
and objectives of adding network authentication service to your network.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
a network administrator who manages the network for the order receiving department
in your company. You recently added an iSeries™ to your network to house several
necessary applications for your department. In your network you manage users
with Microsoft<sup>®</sup> Windows<sup>®</sup> Active
Directory on a Microsoft Windows 2000 server. Currently all of
your users have workstations that run the Microsoft Windows 2000 operating system. You have
your own Kerberos-enabled applications that use Generic Security Services
(GSS) APIs.</p>
<p>This scenario has the following advantages: </p>
<ul><li>Simplifies the authentication process for users</li>
<li>Eases the overhead of managing access to servers in the network</li>
<li>Minimizes threat of password theft</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, MyCo, Inc. wants to add an iSeries system to an existing realm where
a Windows 2000
server acts as the Kerberos server. The iSeries contains several business-critical
applications that need to be accessed by the correct users. Users need to
be authenticated by the Kerberos server to gain access to these applications.</p>
<p>The
objectives of this scenario are as follows:</p>
<ul><li>To allow the iSeries to
participate with an existing Kerberos server</li>
<li>To allow for both principal names and user names in the network</li>
<li>To allow Kerberos users to change their own passwords on the Kerberos
server</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network characteristics of MyCo.</p>
<p><br /><img src="rzakh502.gif" longdesc="scen1graphicdesc.htm" alt=" Diagram of network for Network authentication service configuration" /><br /></p>
<p><strong>iSeries A</strong></p>
<ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS™ Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</li>
<li>iSeries A's
principal name is krbsvr400/iseriesa.myco.com@MYCO.COM</li>
</ul>
<p><strong>Windows 2000 server</strong></p>
<ul><li>Acts as the Kerberos server for the MYCO.COM realm.</li>
<li>The Kerberos server's fully qualified host name is kdc1.myco.com</li>
</ul>
<p><strong>Client PCs</strong></p>
<ul><li>Run Windows 2000.</li>
<li>PC used to administer network authentication service has the following
products installed:<ul><li>iSeries Access
for Windows (5722-XE1)</li>
<li>iSeries Navigator
and the Security and Network subcomponents</li>
</ul>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the
hostname, <strong>iseriesa.myco.com</strong>, are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the required licensed products have been
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration
and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed
Products</span></span>.</li>
<li>Ensure that all the necessary licensed products are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP and basic system security have been configured and tested on each
of these servers.</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems. For more detailed information about how host name resolution works
with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div>
</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><p>To
configure network authentication service on your system, complete these steps.</p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhnasscenario_planningworksheets.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzakhnasscenario_configurenasseriesa.htm">Configure network authentication service on iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzakhnasscenario_addiseriesaprincipal.htm">Add iSeries A principal to the Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhnasscenario_homedirectoryiseriesa.htm">Create a home directory for users on iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzakhnasscenario_testnasoniseriesa.htm">Test network authentication service on iSeries A</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
</div>
</div>
</body>
</html>