<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Complete the planning work sheets" />
<meta name="DC.Relation" scheme="URI" content="rzakhscen2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createassoconfiguration.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhssoscenario_completeplanningworksheets" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Complete the planning work sheets</title>
</head>
<body id="rzakhssoscenario_completeplanningworksheets"><a name="rzakhssoscenario_completeplanningworksheets"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Complete the planning work sheets</h1>
<div><p>The following planning work sheets are tailored to fit this scenario based
on the general single signon <a href="../rzamz/rzamzssoplanworksheet.htm">planning worksheets</a>. These planning work sheets show
the information that you need to gather and the decisions you need to make
as you prepare to configure the single signon function described by this scenario.
To ensure a successful implementation, you must be able to answer Yes to all
prerequisite items in the work sheet, and you should gather all the information
necessary to complete the work sheets before you perform any configuration
tasks.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work
sheet</caption><thead align="left"><tr><th valign="top" width="60%" id="d0e23">Prerequisite work sheet</th>
<th valign="top" width="40%" id="d0e25">Answers</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="60%" headers="d0e23 ">Is your system running i5/OS™ V5R3 (5722-SS1) or later?</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Are the following options and licensed products
installed on iSeries™ A
and iSeries B?<ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li>iSeries Access
for Windows<sup>®</sup> (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Have you installed an application that is
enabled for single signon on each of the PCs that will participate in the
single signon environment? <div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating
PCs have iSeries Access
for Windows (5722-XE1)
installed.</div>
</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Is iSeries Navigator installed on the administrator's
PC?<ul><li>Is the Network subcomponent of iSeries Navigator installed on the PC
used to administer single signon?</li>
<li>Is the Security subcomponent of iSeries Navigator installed on the PC
used to administer single signon?</li>
<li>Is the Users and Groups subcomponent of iSeries Navigator installed on the PC
used to administer single signon?</li>
</ul>
</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td valign="top" width="60%" headers="d0e23 ">Have you installed the latest IBM<img src="eserver.gif" alt="e(logo) server" /> iSeries Access for Windows service pack?
See the <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access
web page</a><img src="www.gif" alt="link outside the Information Center" /> for the latest service pack.</td>
<td valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Does the single signon administrator have
*SECADM, *ALLOBJ, and *IOSYSCFG special authorities?</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Do you have one of the following systems
acting as the Kerberos server (also known as the KDC)? If yes, specify which
system.<ol><li>Microsoft<sup>®</sup> Windows 2000
Server<div class="note"><span class="notetitle">Note:</span> Microsoft Windows 2000 Server uses Kerberos authentication
as its default security mechanism.</div>
</li>
<li>Windows Server
2003</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>AIX<sup>®</sup> server</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes, Windows 2000 Server</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Are all the PCs in your network configured
in a Windows 2000
domain?</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="60%" headers="d0e23 ">Is the iSeries system time within 5 minutes
of the system time on the Kerberos server? If not, see <a href="rzakhsync.htm#rzakhsync">Synchronize system times</a>.</td>
<td align="left" valign="top" width="40%" headers="d0e25 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to configure EIM and network authentication service
on iSeries A.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning
work sheet for iSeries A</caption><thead align="left"><tr><th align="left" valign="top" width="58.58585858585859%" id="d0e202">Configuration planning work sheet for iSeries A</th>
<th align="left" valign="top" width="41.41414141414141%" id="d0e207">Answers</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e202 d0e207 ">Use the following information to complete
the EIM Configuration wizard. The information in this work sheet correlates
with the information you need to supply for each page in the wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain</li>
<li>Create and join a new domain</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">Create and join a new domain</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Where do you want to configure the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">On the local directory server<div class="note"><span class="notetitle">Note:</span> This will configure
the directory server on the same system on which you are currently configuring
EIM.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e202 d0e207 ">The Network Authentication Service wizard
starts from the EIM Configuration wizard. Use the following information to
complete the Network Authentication Service wizard.</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">What is the name of the Kerberos default realm to which
your iSeries will
belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active
Directory uses Kerberos authentication as its default security mechanism.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e202 ">What is the Kerberos server, also known as
a key distribution center (KDC), for this Kerberos default realm? What is
the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e207 "><p><span class="uicontrol">KDC:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>88</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the Kerberos server.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e202 ">Do you want to configure a password server
for this default realm? If yes, answer the following questions: <p>What is the name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e207 ">Yes <p><span class="uicontrol">Password server:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>464</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the password server.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos
Authentication</li>
<li>LDAP</li>
<li>iSeries IBM<sup>®</sup> HTTP
Server</li>
<li>iSeries NetServer™</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">i5/OS Kerberos Authentication</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e202 ">What is the password for your service principal
or principals?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e207 "><tt>iseriesa123</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="58.58585858585859%" headers="d0e202 ">Do you want to create a batch file to automate
adding the service principals for iSeries A to the Kerberos registry?</td>
<td align="left" valign="top" width="41.41414141414141%" headers="d0e207 ">Yes</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Do you want to include passwords with the i5/OS service
principals in the batch file?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e202 d0e207 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Specify user information that the wizard should use
when configuring the directory server. This is the connection user. You must
specify the port number, administrator distinguished name, and a password
for the administrator. <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished
name (DN) and password to ensure the wizard has enough authority to administer
the EIM domain and the objects in it.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 "><p><span class="uicontrol">Port:</span> <tt>389</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">What is the name of the EIM domain that you want to
create?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 "><tt>MyCoEimDomain</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 ">No</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Which user registries do you want to add to the EIM
domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 "><p>Local i5/OS--ISERIESA.MYCO.COM<br />
Kerberos--KDC1.MYCO.COM</p>
<div class="note"><span class="notetitle">Note:</span> You should not select <span class="uicontrol">Kerberos
user identities are case sensitive</span> when the wizard presents this
option.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e202 ">Which EIM user do you want iSeries A to use when performing EIM
operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> If you have not configured the directory
server before configuring single signon, the only distinguished name (DN)
you can provide for the system user is the LDAP administrator's DN and password.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e207 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to allow iSeries B to participate in the EIM domain
and to configure network authentication service on iSeries B.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 3. Single signon configuration planning
work sheet for iSeries B</caption><thead align="left"><tr><th align="left" valign="top" width="57.73195876288659%" id="d0e464">Configuration planning work sheet for iSeries B</th>
<th align="left" valign="top" width="42.2680412371134%" id="d0e469">Answers</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e464 d0e469 ">Use the following information to complete
the EIM Configuration wizard for iSeries B:</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">How do you want to configure EIM on your system?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">Join an existing domain</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e464 d0e469 ">The Network Authentication Service wizard
starts from the EIM Configuration wizard. Use the following information to
complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can start the
Network Authentication Service wizard independently of the EIM Configuration
wizard.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="57.73195876288659%" headers="d0e464 ">What is the name of the Kerberos default
realm to which your iSeries will belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000
domain is equivalent to a Kerberos realm. Microsoft Active Directory uses Kerberos
authentication as its default security mechanism.</div>
</td>
<td align="left" valign="top" width="42.2680412371134%" headers="d0e469 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="57.73195876288659%" headers="d0e464 ">What is the Kerberos server for this Kerberos
default realm? What is the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="42.2680412371134%" headers="d0e469 "><p><span class="uicontrol">KDC:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>88</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the Kerberos server.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="57.73195876288659%" headers="d0e464 ">Do you want to configure a password server
for this default realm? If yes, answer the following questions: <p>What is the name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td align="left" valign="top" width="42.2680412371134%" headers="d0e469 ">Yes <p><span class="uicontrol">Password server:</span> <tt>kdc1.myco.com</tt><br />
<span class="uicontrol">Port:</span> <tt>464</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the password server.</div>
</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos
Authentication</li>
<li>LDAP</li>
<li>iSeries IBM HTTP
Server</li>
<li>iSeries NetServer</li>
</ul>
</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">i5/OS Kerberos Authentication</td>
</tr>
<tr><td align="left" valign="top" width="57.73195876288659%" headers="d0e464 ">What is the password for your i5/OS service
principal or principals?</td>
<td align="left" valign="top" width="42.2680412371134%" headers="d0e469 "><tt>iseriesb123</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, you should never use these passwords as part
of your own configuration.</div>
</td>
</tr>
<tr><td align="left" valign="top" width="57.73195876288659%" headers="d0e464 ">Do you want to create a batch file to automate
adding the service principals for iSeries B to the Kerberos registry?</td>
<td align="left" valign="top" width="42.2680412371134%" headers="d0e469 ">Yes</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Do you want to include passwords with the i5/OS service
principals in the batch file?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e464 d0e469 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard for iSeries B:</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">What is the name of the EIM domain controller for the
EIM domain that you want to join?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 "><tt>iseriesa.myco.com</tt></td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Do you plan on securing the connection with SSL or TLS?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">No</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">What is the port on which the EIM domain controller
listens?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 "><tt>389</tt></td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Which user do you want to use to connect to the domain
controller? This is the connection user.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's
distinguished name (DN) and password to ensure the wizard has enough authority
to administer the EIM domain and the objects in it.</div>
</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name and password</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">What is the name of the EIM domain that you want to
join?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 "><tt>MyCoEimDomain</tt></td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">No</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">What is the name of the user registry that you want
to add to the EIM domain?</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 ">Local i5/OS--ISERIESB.MYCO.COM</td>
</tr>
<tr><td valign="top" width="57.73195876288659%" headers="d0e464 ">Which EIM user do you want iSeries B to use when performing EIM
operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> Earlier in this scenario, you used
the EIM Configuration wizard to configure the directory server on iSeries A.
In doing so, you created a DN and password for the LDAP administrator. This
is currently the only DN defined for the directory server. Therefore, this
is the DN and password you must supply here.</div>
</td>
<td valign="top" width="42.2680412371134%" headers="d0e469 "><p><span class="uicontrol">User type:</span> <tt>Distinguished name and password</tt><br />
<span class="uicontrol">Distinguished name:</span> <tt>cn=administrator</tt><br />
<span class="uicontrol">Password:</span> <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 4. Single signon configuration planning work sheet - user profiles</caption><thead align="left"><tr><th valign="top" id="d0e720">i5/OS user
profile name</th>
<th valign="top" id="d0e724">Password is specified</th>
<th valign="top" id="d0e726">Special authority (Privilege class)</th>
<th valign="top" id="d0e728">System</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e720 ">SYSUSERA</td>
<td valign="top" headers="d0e724 ">No</td>
<td valign="top" headers="d0e726 ">User</td>
<td valign="top" headers="d0e728 ">iSeries A</td>
</tr>
<tr><td valign="top" headers="d0e720 ">SYSUSERB</td>
<td valign="top" headers="d0e724 ">No</td>
<td valign="top" headers="d0e726 ">User</td>
<td valign="top" headers="d0e728 ">iSeries B</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 5. Single signon configuration planning work sheet - EIM domain
data</caption><thead align="left"><tr><th valign="top" width="19.542619542619544%" id="d0e764">Identifier name</th>
<th valign="top" width="29.10602910602911%" id="d0e766">User registry</th>
<th valign="top" width="16.008316008316008%" id="d0e768">User identity</th>
<th valign="top" width="15.384615384615385%" id="d0e770">Association type</th>
<th valign="top" width="19.95841995841996%" id="d0e772">Identifier description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">John Day</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">jday</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Source</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">Kerberos (Windows 2000) login user identity</td>
</tr>
<tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">John Day</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">JOHND</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Target</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">i5/OS user profile on iSeries A</td>
</tr>
<tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">John Day</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">DAYJO</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Target</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">i5/OS user profile on iSeries B</td>
</tr>
<tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">Sharon Jones</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">sjones</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Source</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">Kerberos (Windows 2000) login user identity</td>
</tr>
<tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">Sharon Jones</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">SHARONJ</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Target</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">i5/OS user profile on iSeries A</td>
</tr>
<tr><td valign="top" width="19.542619542619544%" headers="d0e764 ">Sharon Jones</td>
<td valign="top" width="29.10602910602911%" headers="d0e766 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="16.008316008316008%" headers="d0e768 ">JONESSH</td>
<td valign="top" width="15.384615384615385%" headers="d0e770 ">Target</td>
<td valign="top" width="19.95841995841996%" headers="d0e772 ">i5/OS user profile on iSeries B</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 6. Single signon configuration planning work sheet - EIM domain
data - policy associations</caption><thead align="left"><tr><th valign="top" width="19.715447154471544%" id="d0e878">Policy association type</th>
<th valign="top" width="16.056910569105693%" id="d0e880">Source user registry</th>
<th valign="top" width="28.252032520325205%" id="d0e882">Target user registry</th>
<th valign="top" width="18.089430894308943%" id="d0e884">User identity</th>
<th valign="top" width="17.88617886178862%" id="d0e886">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="19.715447154471544%" headers="d0e878 ">Default registry</td>
<td valign="top" width="16.056910569105693%" headers="d0e880 ">MYCO.COM</td>
<td valign="top" width="28.252032520325205%" headers="d0e882 ">ISERIESA.MYCO.COM</td>
<td valign="top" width="18.089430894308943%" headers="d0e884 ">SYSUSERA</td>
<td valign="top" width="17.88617886178862%" headers="d0e886 ">Maps authenticated Kerberos user to appropriate i5/OS user
profile</td>
</tr>
<tr><td valign="top" width="19.715447154471544%" headers="d0e878 ">Default registry</td>
<td valign="top" width="16.056910569105693%" headers="d0e880 ">MYCO.COM</td>
<td valign="top" width="28.252032520325205%" headers="d0e882 ">ISERIESB.MYCO.COM</td>
<td valign="top" width="18.089430894308943%" headers="d0e884 ">SYSUSERB</td>
<td valign="top" width="17.88617886178862%" headers="d0e886 ">Maps authenticated Kerberos user to appropriate i5/OS user
profile</td>
</tr>
</tbody>
</table>
</div>
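<p>The association work sheets above define a lookup: after a user authenticates to the <tt>MYCO.COM</tt> Kerberos realm, EIM must return the one i5/OS user profile that user gets on iSeries A or iSeries B. The following Python is an added example, not IBM's EIM implementation and not part of this scenario; it loads the identifier associations from Table 5 and the default registry policy associations from Table 6 and resolves a source identity to a target identity the way the tables intend. Its assumptions are labelled in the code: identifier associations are consulted before the default registry policy association; the Kerberos registry is case-insensitive, as the iSeries A work sheet directs (do not select <span class="uicontrol">Kerberos user identities are case sensitive</span>), and the i5/OS registries are treated the same way; a lookup that yields more than one candidate profile is rejected as ambiguous; and the Kerberos registry name <tt>MYCO.COM</tt> follows Tables 5 and 6 rather than the <tt>KDC1.MYCO.COM</tt> entry of Table 2, so whichever name the wizard actually stores is the one a real lookup must use.</p>

```python
# Added example, not IBM's EIM implementation: an EIM-style mapping lookup over
# the associations recorded in the planning work sheets. Assumptions are marked.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Registry:  # a user registry defined in the EIM domain
    name: str
    case_sensitive: bool

    def key(self, identity: str) -> str:
        # Identities in a case-insensitive registry compare in folded form.
        return identity if self.case_sensitive else identity.casefold()


@dataclass(frozen=True)
class Association:  # one row of the EIM domain data work sheet
    identifier: str
    registry: str
    user_identity: str
    kind: str  # "Source" or "Target"


@dataclass(frozen=True)
class PolicyAssociation:  # one row of the policy associations work sheet
    source_registry: str
    target_registry: str
    user_identity: str


@dataclass(frozen=True)
class Mapping:
    target_identity: str
    via: str  # which rule produced the mapping, useful for audit output


class EimDomain:
    def __init__(self, name, registries, associations, policies):
        self.name = name
        self.registries = {r.name: r for r in registries}
        self.associations = list(associations)
        self.policies = list(policies)

    def lookup(self, source_registry: str, source_identity: str,
               target_registry: str) -> Optional[Mapping]:
        # Assumed lookup order: identifier associations first, then the default
        # registry policy association for the (source, target) registry pair.
        src = self.registries.get(source_registry)
        tgt = self.registries.get(target_registry)
        if src is None or tgt is None:
            return None  # registry is not defined in this domain
        wanted = src.key(source_identity)
        # Identifiers owning a *source* association for this identity; a
        # target-only association never qualifies as a lookup source.
        identifiers = {a.identifier for a in self.associations
                       if a.kind == "Source" and a.registry == src.name
                       and src.key(a.user_identity) == wanted}
        # Their target associations in the requested registry.
        targets = {(a.identifier, a.user_identity) for a in self.associations
                   if a.kind == "Target" and a.registry == tgt.name
                   and a.identifier in identifiers}
        if len(targets) > 1:
            # Assumption: an ambiguous mapping is an error, not an arbitrary choice.
            raise LookupError(f"ambiguous mapping for {source_identity!r}: "
                              f"{sorted(targets)}")
        if targets:
            identifier, identity = next(iter(targets))
            return Mapping(identity, f"identifier association ({identifier})")
        for p in self.policies:
            if p.source_registry == src.name and p.target_registry == tgt.name:
                return Mapping(p.user_identity, "default registry policy association")
        return None


def myco_domain() -> EimDomain:
    """MyCoEimDomain as filled in on the work sheets above."""
    registries = [
        # The work sheet says not to mark the Kerberos registry case sensitive.
        Registry("MYCO.COM", case_sensitive=False),
        # Assumption: i5/OS profile names are compared without regard to case.
        Registry("ISERIESA.MYCO.COM", case_sensitive=False),
        Registry("ISERIESB.MYCO.COM", case_sensitive=False),
    ]
    associations = [
        Association("John Day", "MYCO.COM", "jday", "Source"),
        Association("John Day", "ISERIESA.MYCO.COM", "JOHND", "Target"),
        Association("John Day", "ISERIESB.MYCO.COM", "DAYJO", "Target"),
        Association("Sharon Jones", "MYCO.COM", "sjones", "Source"),
        Association("Sharon Jones", "ISERIESA.MYCO.COM", "SHARONJ", "Target"),
        Association("Sharon Jones", "ISERIESB.MYCO.COM", "JONESSH", "Target"),
    ]
    policies = [
        PolicyAssociation("MYCO.COM", "ISERIESA.MYCO.COM", "SYSUSERA"),
        PolicyAssociation("MYCO.COM", "ISERIESB.MYCO.COM", "SYSUSERB"),
    ]
    return EimDomain("MyCoEimDomain", registries, associations, policies)
```

<p>Calling <tt>myco_domain().lookup("MYCO.COM", "JDay", "ISERIESB.MYCO.COM")</tt> returns <tt>DAYJO</tt> through John Day's identifier association even though the Kerberos identity was typed with different case. An identity with no identifier association falls through to the policy row for the target registry and lands on <tt>SYSUSERA</tt> or <tt>SYSUSERB</tt>, which Table 4 defines without a password, so the catch-all profile is not itself a sign-on target. An i5/OS profile name used as the source of a lookup returns nothing, because the tables give those profiles target associations only.</p>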
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen2.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for enabling single signon for i5/OS.">Scenario: Enable single signon for i5/OS</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhssoscenario_createassoconfiguration.htm">Create a basic single signon configuration for iSeries A</a></div>
</div>
</div>
</body>
</html>