224 lines
13 KiB
HTML
224 lines
13 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="reference" />
|
||
|
<meta name="DC.Title" content="Scenario: Set up cross realm trust" />
|
||
|
<meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." />
|
||
|
<meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_completeplanningworksheets.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_createrealmtrustprincipal.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_changeencryptiononserver.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_configurethewindowsservertotrust.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_addtheshipdepttoiseriesa.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzakhscencross" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Scenario: Set up cross realm trust</title>
|
||
|
</head>
|
||
|
<body id="rzakhscencross"><a name="rzakhscencross"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Scenario: Set up cross realm trust</h1>
|
||
|
<div><p>Use the following scenario to become familiar with the prerequisites
|
||
|
and objectives of setting up cross realm trust on your network.</p>
|
||
|
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
|
||
|
a security administrator for a large wholesale company. Currently you manage
|
||
|
security for systems used by employees of the Order Receiving Department and
|
||
|
the Shipping Department. You have configured a Kerberos server for the Order
|
||
|
Receiving Department. You have configured network authentication service on
|
||
|
the iSeries™ system
|
||
|
in that department to point to that Kerberos server. The Shipping Department
|
||
|
consists of an iSeries system
|
||
|
that has a Kerberos server configured in i5/OS™ PASE. You have also configured network
|
||
|
authentication service on this iSeries system to point to the Kerberos
|
||
|
server in i5/OS PASE.</p>
|
||
|
<p>Since
|
||
|
users in both realms need to use services stored on iSeries systems located in each department,
|
||
|
you want both of the Kerberos servers in each department to authenticate users
|
||
|
regardless of which Kerberos realm they are located in.</p>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
|
||
|
scenario, MyCo, Inc. wants to establish a trust relationship between two already
|
||
|
existing Kerberos realms. One realm consists of a Windows<sup>®</sup> 2000 server acting as the Kerberos
|
||
|
server for the Order Receiving Department. This server authenticates users
|
||
|
within that department to services located on an iSeries server. The other realm consists
|
||
|
of a Kerberos server configured in i5/OS PASE on one iSeries, which provides services for
|
||
|
the users within the Shipping Department. Your users need to be authenticated
|
||
|
to services in both departments.</p>
|
||
|
<div class="p">The objectives of this scenario are
|
||
|
as follows: <ul><li>To give clients and hosts on each network access to the other's network</li>
|
||
|
<li>To simplify authentication across networks</li>
|
||
|
<li>To allow ticket delegation for users and services in both networks</li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>Detailed
|
||
|
description of the environment that this scenario describes, including a figure
|
||
|
that shows the topology and all major elements of that environment and how
|
||
|
they relate to each other.</p>
|
||
|
<br /><img src="rzakh509.gif" longdesc="rzakh509desc.htm" alt="Cross realm trust diagram" /><br /><p><strong>Order Receiving
|
||
|
Department</strong></p>
|
||
|
<p><strong>iSeries A</strong></p>
|
||
|
<ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
|
||
|
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
|
||
|
Servers (5722-SS1 Option 12)</li>
|
||
|
<li>iSeries Access
|
||
|
for Windows (5722-XE1)</li>
|
||
|
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
|
||
|
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
|
||
|
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
|
||
|
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
<li>Has network authentication service configured to participate in the realm
|
||
|
ORDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesa.ordept.myco.com@ORDEPT.MYCO.COM,
|
||
|
has been added to the Windows 2000 domain.</li>
|
||
|
<li>iSeries A
|
||
|
has the fully qualified host name of iseriesa.ordept.myco.com.</li>
|
||
|
</ul>
|
||
|
<p><strong>Windows 2000 server</strong></p>
|
||
|
<ul><li>Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.</li>
|
||
|
<li>Has the DNS host name of kdc1.ordept.myco.com.</li>
|
||
|
<li>Each user within the Order Department has been defined in Microsoft<sup>®</sup> Active
|
||
|
Directory on the Windows 2000 server with a principal name and password. </li>
|
||
|
</ul>
|
||
|
<p><strong>Client PCs</strong></p>
|
||
|
<ul><li>Run Windows 2000 operating system.</li>
|
||
|
<li>PC used to administer network authentication service has the following
|
||
|
products installed:<ul><li>iSeries Access
|
||
|
for Windows (5722-XE1)</li>
|
||
|
<li>iSeries Navigator
|
||
|
and the following subcomponents:<ul><li>Security</li>
|
||
|
<li>Network</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
</ul>
|
||
|
<p><strong>Shipping Department</strong></p>
|
||
|
<p><strong>iSeries B</strong></p>
|
||
|
<ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) with the following
|
||
|
options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS PASE
|
||
|
(5722 SS1 Option 33)</li>
|
||
|
<li>Cryptographic Access Provider (5722-AC3)</li>
|
||
|
<li>iSeries Access
|
||
|
for Windows (5722-XE1)</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
<li>Has a Kerberos server configured in i5/OS PASE with the realm of SHIPDEPT.MYCO.COM.</li>
|
||
|
<li>Has network authentication service configured to participate in the realm
|
||
|
SHIPDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesb.shipdept.myco.com@SHIPDEPT.MYCO.COM,
|
||
|
has been added to the i5/OS PASE Kerberos server.</li>
|
||
|
<li>Both iSeries B
|
||
|
and the i5/OS PASE
|
||
|
Kerberos server share the fully qualified host name iseriesb.shipdept.myco.com.</li>
|
||
|
<li>Each user within the Shipping Department has been defined in the i5/OS PASE Kerberos
|
||
|
server with a principal name and password.</li>
|
||
|
</ul>
|
||
|
<p><strong>Client PCs</strong></p>
|
||
|
<ul><li>Run Windows 2000 operating system.</li>
|
||
|
<li>PC used to administer network authentication service has the following
|
||
|
products installed:<ul><li>iSeries Access
|
||
|
for Windows (5722-XE1)</li>
|
||
|
<li>iSeries Navigator
|
||
|
and the following subcomponents:<ul><li>Security</li>
|
||
|
<li>Network</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
</ul>
|
||
|
</li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the
|
||
|
hostname, <strong>iseriesa.myco.com</strong> are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
|
||
|
</div>
|
||
|
<div class="section" id="rzakhscencross__prereq1"><a name="rzakhscencross__prereq1"><!-- --></a><h4 class="sectionscenariobar">Prerequisites
|
||
|
and assumptions</h4><p>In this scenario, the following assumptions have
|
||
|
been made to focus on the tasks that involve establishing a trust relationship
|
||
|
between two pre-existing Kerberos realms. </p>
|
||
|
<div class="p"><strong>iSeries A prerequisites</strong><ol><li>All system requirements, including software and operating system installation,
|
||
|
have been verified.<div class="p">To verify that the required licensed programs have been
|
||
|
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
|
||
|
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration
|
||
|
and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed
|
||
|
Products</span></span>.</li>
|
||
|
<li>Ensure that all the necessary licensed programs are installed.</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</li>
|
||
|
<li>All necessary hardware planning and setup have been completed.</li>
|
||
|
<li>TCP/IP and basic system security have been configured and tested on iSeries A.</li>
|
||
|
<li>Network authentication service has been configured and tested.</li>
|
||
|
<li>A single DNS server is used for host name resolution for the network.
|
||
|
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
|
||
|
with Kerberos authentication may result in name resolution errors or other
|
||
|
problems. For more detailed information about how host name resolution works
|
||
|
with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
<div class="p"><strong>iSeries B
|
||
|
prerequisites</strong><ol><li>All system requirements, including software and operating system installation,
|
||
|
have been verified.<div class="p">To verify that the required licensed programs have been
|
||
|
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
|
||
|
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration
|
||
|
and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed
|
||
|
Products</span></span>.</li>
|
||
|
<li>Ensure that all the necessary licensed programs are installed.</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</li>
|
||
|
<li>All necessary hardware planning and setup have been completed.</li>
|
||
|
<li>TCP/IP and basic system security have been configured and tested on your iSeries server.</li>
|
||
|
<li>Network authentication service has been configured and tested.</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
<div class="p"><strong>Windows 2000 server prerequisites</strong><ol><li>All necessary hardware planning and setup have been completed.</li>
|
||
|
<li>TCP/IP has been configured and tested on your server.</li>
|
||
|
<li>Microsoft Active
|
||
|
Directory has been configured and tested.</li>
|
||
|
<li>Each user within the Order Department has been defined in Microsoft Active
|
||
|
Directory with a principal name and password. </li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">Configuration steps</h4><p>To set up a trust relationship
|
||
|
between two realms, complete these steps.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<ol>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_completeplanningworksheets.htm">Complete the planning work sheets</a><br />
|
||
|
</li>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm">Ensure that the Kerberos server in i5/OS PASE on iSeries B has started</a><br />
|
||
|
</li>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_createrealmtrustprincipal.htm">Create realm trust principal on the i5/OS PASE Kerberos server</a><br />
|
||
|
</li>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_changeencryptiononserver.htm">Change encryption values on i5/OS PASE Kerberos server</a><br />
|
||
|
</li>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_configurethewindowsservertotrust.htm">Configure the Windows 2000 server to trust SHIPDEPT.MYCO.COM</a><br />
|
||
|
</li>
|
||
|
<li class="olchildlink"><a href="rzakhcrossscenario_addtheshipdepttoiseriesa.htm">Add the SHIPDEPT.MYCO.COM realm to iSeries A</a><br />
|
||
|
</li>
|
||
|
</ol>
|
||
|
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|