ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhscencross.htm

224 lines
13 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Set up cross realm trust" />
<meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." />
<meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." />
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_completeplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_createrealmtrustprincipal.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_changeencryptiononserver.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_configurethewindowsservertotrust.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_addtheshipdepttoiseriesa.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhscencross" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Set up cross realm trust</title>
</head>
<body id="rzakhscencross"><a name="rzakhscencross"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Set up cross realm trust</h1>
<div><p>Use the following scenario to become familiar with the prerequisites
and objectives of setting up cross realm trust on your network.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
a security administrator for a large wholesale company. Currently you manage
security for systems used by employees of the Order Receiving Department and
the Shipping Department. You have configured a Kerberos server for the Order
Receiving Department. You have configured network authentication service on
the iSeries™ system
in that department to point to that Kerberos server. The Shipping Department
consists of an iSeries system
that has a Kerberos server configured in i5/OS™ PASE. You have also configured network
authentication service on this iSeries system to point to the Kerberos
server in i5/OS PASE.</p>
<p>Since
users in both realms need to use services stored on iSeries systems located in each department,
you want both of the Kerberos servers in each department to authenticate users
regardless of which Kerberos realm they are located in.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, MyCo, Inc. wants to establish a trust relationship between two already
existing Kerberos realms. One realm consists of a Windows<sup>®</sup> 2000 server acting as the Kerberos
server for the Order Receiving Department. This server authenticates users
within that department to services located on an iSeries server. The other realm consists
of a Kerberos server configured in i5/OS PASE on one iSeries, which provides services for
the users within the Shipping Department. Your users need to be authenticated
to services in both departments.</p>
<div class="p">The objectives of this scenario are
as follows: <ul><li>To give clients and hosts on each network access to the other's network</li>
<li>To simplify authentication across networks</li>
<li>To allow ticket delegation for users and services in both networks</li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>Detailed
description of the environment that this scenario describes, including a figure
that shows the topology and all major elements of that environment and how
they relate to each other.</p>
<br /><img src="rzakh509.gif" longdesc="rzakh509desc.htm" alt="Cross realm trust diagram" /><br /><p><strong>Order Receiving
Department</strong></p>
<p><strong>iSeries A</strong></p>
<ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</li>
<li>Has network authentication service configured to participate in the realm
ORDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesa.ordept.myco.com@ORDEPT.MYCO.COM,
has been added to the Windows 2000 domain.</li>
<li>iSeries A
has the fully qualified host name of iseriesa.ordept.myco.com.</li>
</ul>
<p><strong>Windows 2000 server</strong></p>
<ul><li>Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.</li>
<li>Has the DNS host name of kdc1.ordept.myco.com.</li>
<li>Each user within the Order Department has been defined in Microsoft<sup>®</sup> Active
Directory on the Windows 2000 server with a principal name and password. </li>
</ul>
<p><strong>Client PCs</strong></p>
<ul><li>Run Windows 2000 operating system.</li>
<li>PC used to administer network authentication service has the following
products installed:<ul><li>iSeries Access
for Windows (5722-XE1)</li>
<li>iSeries Navigator
and the following subcomponents:<ul><li>Security</li>
<li>Network</li>
</ul>
</li>
</ul>
</li>
</ul>
<p><strong>Shipping Department</strong></p>
<p><strong>iSeries B</strong></p>
<ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) with the following
options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS PASE
(5722 SS1 Option 33)</li>
<li>Cryptographic Access Provider (5722-AC3)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
</ul>
</li>
<li>Has a Kerberos server configured in i5/OS PASE with the realm of SHIPDEPT.MYCO.COM.</li>
<li>Has network authentication service configured to participate in the realm
SHIPDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesb.shipdept.myco.com@SHIPDEPT.MYCO.COM,
has been added to the i5/OS PASE Kerberos server.</li>
<li>Both iSeries B
and the i5/OS PASE
Kerberos server share the fully qualified host name iseriesb.shipdept.myco.com.</li>
<li>Each user within the Shipping Department has been defined in the i5/OS PASE Kerberos
server with a principal name and password.</li>
</ul>
<p><strong>Client PCs</strong></p>
<ul><li>Run Windows 2000 operating system.</li>
<li>PC used to administer network authentication service has the following
products installed:<ul><li>iSeries Access
for Windows (5722-XE1)</li>
<li>iSeries Navigator
and the following subcomponents:<ul><li>Security</li>
<li>Network</li>
</ul>
</li>
</ul>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the
hostname, <strong>iseriesa.myco.com</strong> are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<div class="section" id="rzakhscencross__prereq1"><a name="rzakhscencross__prereq1"><!-- --></a><h4 class="sectionscenariobar">Prerequisites
and assumptions</h4><p>In this scenario, the following assumptions have
been made to focus on the tasks that involve establishing a trust relationship
between two pre-existing Kerberos realms. </p>
<div class="p"><strong>iSeries A prerequisites</strong><ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the required licensed programs have been
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration
and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed
Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP and basic system security have been configured and tested on iSeries A.</li>
<li>Network authentication service has been configured and tested.</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems. For more detailed information about how host name resolution works
with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div>
</li>
</ol>
</div>
<div class="p"><strong>iSeries B
prerequisites</strong><ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the required licensed programs have been
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration
and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed
Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP and basic system security have been configured and tested on your iSeries server.</li>
<li>Network authentication service has been configured and tested.</li>
</ol>
</div>
<div class="p"><strong>Windows 2000 server prerequisites</strong><ol><li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP has been configured and tested on your server.</li>
<li>Microsoft Active
Directory has been configured and tested.</li>
<li>Each user within the Order Department has been defined in Microsoft Active
Directory with a principal name and password. </li>
</ol>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Configuration steps</h4><p>To set up a trust relationship
between two realms, complete these steps.</p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhcrossscenario_completeplanningworksheets.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm">Ensure that the Kerberos server in i5/OS PASE on iSeries B has started</a><br />
</li>
<li class="olchildlink"><a href="rzakhcrossscenario_createrealmtrustprincipal.htm">Create realm trust principal on the i5/OS PASE Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhcrossscenario_changeencryptiononserver.htm">Change encryption values on i5/OS PASE Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhcrossscenario_configurethewindowsservertotrust.htm">Configure the Windows 2000 server to trust SHIPDEPT.MYCO.COM</a><br />
</li>
<li class="olchildlink"><a href="rzakhcrossscenario_addtheshipdepttoiseriesa.htm">Add the SHIPDEPT.MYCO.COM realm to iSeries A</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
</div>
</div>
</body>
</html>