ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzenablesso.htm

236 lines
16 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Create a single signon test environment" />
<meta name="abstract" content="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise." />
<meta name="description" content="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise." />
<meta name="DC.Relation" scheme="URI" content="rzamzscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcompletetheplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreatehomedirectoryforjohndayoniseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamztestnetworkauthenticationserviceconfigurationoniseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateeimidentifierforjohnday.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreatesourceassociationandtargetassociationfortheneweimidentifier.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamztesteimidentitymappings.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigureiseriesaccess.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzverifynetworkauthenticationserviceandeimconfiguration.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzoptionalpostconfigurationconsiderations.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhpdns.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzenablesso" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Create a single signon test environment</title>
</head>
<body id="rzamzenablesso"><a name="rzamzenablesso"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Create a single signon test environment</h1>
<div><p>In this scenario, you want to configure network authentication
service and EIM to create a basic single signon test environment. Use this
scenario to gain a basic understanding of what configuring a single signon
environment involves on a small scale before implementing single signon across
an entire enterprise.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You,
John Day, are a network administrator for a large wholesale company. Currently
you spend much of your time troubleshooting password and user identity problems,
such as forgotten passwords. Your network is comprised of several <span class="keyword">iSeries™</span> systems and a <span class="keyword">Windows<sup>®</sup> 2000</span> server,
where your users are registered in Microsoft<sup>®</sup> Windows Active Directory. Based on your
research, you know that Microsoft Active Directory uses the
Kerberos protocol to authenticate Windows users. You also know that the <span class="keyword">iSeries</span> provides a single signon solution
based on an implementation of Kerberos authentication, called network authentication
service, in conjunction with EIM. </p>
<p>You are excited about the benefits
of using single signon. However, you want to thoroughly understand single
signon configuration and usage before you begin using it across your entire
enterprise. Consequently, you decide to configure a test environment first.</p>
<p>After
considering the various groups in your company, you decide to create the test
environment for the Order Receiving department. The employees in the Order
Receiving department use multiple applications on one <span class="keyword">iSeries</span> system
to handle incoming customer orders. Consequently, the Order Receiving department
provides an excellent opportunity for you to create a single signon test environment
that you can use to better understand how single signon works and how to plan
a single signon implementation across your enterprise.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Scenario advantages</h4><ul><li>Allows you to see some of the benefits of single signon on a small scale
to better understand how you can take full advantage of it before you create
a large-scale, single signon environment.</li>
<li>Provides you with a better understanding of the planning process you need
to use to successfully and to more quickly implement single signon across
your entire enterprise.</li>
<li>Minimizes the learning curve of implementing single signon across your
enterprise.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>As the
network administrator at MyCo, Inc., you want to create a small single signon
environment for testing that includes a small number of users and a single <span class="keyword">iSeries</span> system. You want to perform
thorough testing to ensure that user identities are correctly mapped within
your test environment. Based on this configuration, you eventually want to
expand the test environment to include the other systems and users in your
enterprise.</p>
<p>The objectives of this scenario are as follows:</p>
<ul><li>The <span class="keyword">iSeries</span> system, known
as <span class="keyword">iSeries</span> A, must be able
to use Kerberos within the MYCO.COM realm to authenticate the users and services
that are participating in this single signon test environment. To enable the
system to use Kerberos, <span class="keyword">iSeries</span> A
must be configured for network authentication service.</li>
<li>The directory server on <span class="keyword">iSeries</span> A
must function as the domain controller for the new EIM domain.<div class="note"><span class="notetitle">Note:</span> Refer
to <a href="rzamzdomains.htm">Domains</a> to learn how an EIM
domain and a <span class="keyword">Windows 2000</span> domain
both fit into the single signon environment.</div>
</li>
<li>One user profile on <span class="keyword">iSeries</span> A
and one Kerberos principal must each be mapped to a single EIM identifier.</li>
<li>A Kerberos service principal must be used to authenticate the user to
the <span class="keyword">iSeries Access for Windows</span> applications.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network environment for this scenario.</p>
<p><br /><img src="rzamz501.gif" alt=" Single signon test environment diagram" /><br /></p>
<p>The figure illustrates the following points relevant to this
scenario.</p>
<p><span class="uicontrol">EIM domain data defined for the enterprise</span></p>
<ul><li>An EIM registry definition for <span class="keyword">iSeries</span> A
called ISERIESA.MYCO.COM.</li>
<li>An EIM registry definition for the Kerberos registry called MYCO.COM.</li>
<li>An EIM identifier called John Day. This identifier uniquely identifies
John Day, the administrator for MyCo.</li>
<li>A source association for the jday Kerberos principal on the <span class="keyword">Windows 2000</span> server.</li>
<li>A target association for the JOHND user profile on <span class="keyword">iSeries</span> A.</li>
</ul>
<p><strong><span class="keyword">Windows 2000</span> server</strong></p>
<ul><li>Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution
center (KDC), for the network.</li>
<li>The default realm for the Kerberos server is <tt>MYCO.COM</tt>.</li>
<li>A Kerberos principal of jday is registered with the Kerberos server on
the <span class="keyword">Windows 2000</span> server. This principal
will be used to create a source association to the EIM identifier, John Day.</li>
</ul>
<p><strong><span class="keyword">iSeries</span> A</strong></p>
<ul><li>Runs <span class="keyword">i5/OS™</span> Version
5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers
(5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><span class="keyword">iSeries Access for Windows</span> (5722-XE1)</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> You can implement this scenario using a server that runs <span class="keyword">OS/400<sup>®</sup></span> V5R2 or <span class="keyword">i5/OS</span> V5R3.
However, some of the configuration steps will be slightly different due to <span class="keyword">i5/OS</span> V5R4 enhancements. </div>
</li>
<li>The IBM<sup>®</sup> Directory
Server for <span class="keyword">iSeries</span> (LDAP) on <span class="keyword">iSeries</span> A will be configured to be the
EIM domain controller for the new EIM domain, MyCoEimDomain.</li>
<li><span class="keyword">iSeries</span> A participates
in the EIM domain, MyCoEimDomain.</li>
<li>The principal name for <span class="keyword">iSeries</span> A
is <tt>krbsvr400/iseriesa.myco.com@MYCO.COM</tt>.</li>
<li>The user profile of JOHND exists on <span class="keyword">iSeries</span> A.
You will create a target association between this user profile and the EIM
identifier, John Day.</li>
<li>The home directory for the <span class="keyword">i5/OS</span> user
profile, JOHND, (/home/JOHND) is defined on <span class="keyword">iSeries</span> A.</li>
</ul>
<p><span class="uicontrol">Client PC used for single signon administration</span></p>
<ul><li>Runs Microsoft <span class="keyword">Windows 2000</span> operating
system.</li>
<li>Runs <span class="keyword">i5/OS</span> V5R4 iSeries Access
for Windows (5722-XE1).</li>
<li>Runs <span class="keyword">iSeries Navigator</span> with the
following subcomponents installed:<ul><li>Network</li>
<li>Security</li>
</ul>
</li>
<li>Serves as the primary logon system for administrator John Day.</li>
<li>Configured to be part of the MYCO.COM realm (Windows domain).</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>Successful
implementation of this scenario requires that the following assumptions and
prerequisites are met:</p>
<ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the licensed programs have been installed,
complete the following:<ol type="a"><li>In <span class="keyword">iSeries Navigator</span>, expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup is complete.</li>
<li>TCP/IP and basic system security are configured and tested on each system.</li>
<li>The directory server and EIM should not be previously configured on <span class="keyword">iSeries</span> A.<div class="note"><span class="notetitle">Note:</span> Instructions in this
scenario are based on the assumption that the directory server has not been
previously configured on <span class="keyword">iSeries</span> A.
However, if you already configured the directory server, you can still use
these instructions with only slight differences. These differences are noted
in the appropriate places within the configuration steps.</div>
</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems..</div>
</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><div class="note"><span class="notetitle">Note:</span> You
need to thoroughly understand the concepts related to single signon which
include network authentication service and Enterprise Identity Mapping (EIM)
concepts, before you implement this scenario. If you are ready to continue
with this scenario complete the following steps: </div>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzamzcompletetheplanningworksheets.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm">Create a basic single signon configuration for iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm">Add iSeries A service principal to the Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreatehomedirectoryforjohndayoniseriesa.htm">Create home directory for John Day on iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzamztestnetworkauthenticationserviceconfigurationoniseriesa.htm">Test network authentication service configuration on iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateeimidentifierforjohnday.htm">Create EIM identifier for John Day</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreatesourceassociationandtargetassociationfortheneweimidentifier.htm">Create source association and target association for the new EIM identifier</a><br />
</li>
<li class="olchildlink"><a href="rzamztesteimidentitymappings.htm">Test EIM identity mappings</a><br />
</li>
<li class="olchildlink"><a href="rzamzconfigureiseriesaccess.htm">Configure iSeries Access for Windows applications to use Kerberos authentication</a><br />
</li>
<li class="olchildlink"><a href="rzamzverifynetworkauthenticationserviceandeimconfiguration.htm">Verify network authentication service and EIM configuration</a><br />
</li>
<li class="olchildlink"><a href="rzamzoptionalpostconfigurationconsiderations.htm">(Optional) Post configuration considerations</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzscenarios.htm" title="Use this information to review scenarios that illustrate typical single signon implementation situations to help you plan your own certificate implementation as part of your server security policy.">Scenarios</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzakh/rzakhpdns.htm">Host name resolution considerations</a></div>
<div><a href="../rzalv/rzalveservercncpts.htm">Enterprise Identity Mapping (EIM)</a></div>
<div><a href="../rzakh/rzakhconcept.htm">Network authentication service</a></div>
</div>
</div>
</body>
</html>