<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan a Kerberos server" />
<meta name="abstract" content="Plan for a Kerberos server based on your operating system." />
<meta name="description" content="Plan for a Kerberos server based on your operating system." />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpkdc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan a Kerberos server</title>
</head>
<body id="rzakhpkdc"><a name="rzakhpkdc"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan a Kerberos server</h1>
<div><p>Plan for a Kerberos server based on your operating system.</p>
<div class="p">A Kerberos server or key distribution center (KDC) maintains a database
of principals and their associated passwords. It is composed of the authentication
server and the ticket-granting server. When a principal logs into a Kerberos
network, the authentication server validates the principal and sends them
a ticket-granting ticket. When planning to use Kerberos authentication, you
need to decide which system you want to configure as a Kerberos server. <div class="note"><span class="notetitle">Note:</span> The
network authentication service information focuses on Kerberos servers that
run in either i5/OS™ PASE
or Windows<sup>®</sup> 2000
server. Most scenarios and examples assume that a Windows 2000 server has been configured
as a Kerberos server, unless explicitly mentioned otherwise. If you are using
another operating system or a third-party application for Kerberos
authentication, see the corresponding documentation.</div>
The following list
provides details on Kerberos server support on three key operating systems:</div>
<div class="p"><dl class="dlexpand"><dt class="dltermexpand">Microsoft<sup>®</sup> Windows 2000
and Windows Server
2003</dt>
<dd>Both Microsoft Windows 2000 and Windows Server
2003 operating systems support Kerberos authentication as their default security
mechanism. When administrators add users and services through Microsoft Windows Active
Directory, they are in effect creating Kerberos principals for those users
and services. If you have a Windows 2000 or 2003 server in your
network, you have a Kerberos server built into those operating systems. For
information on how Kerberos authentication is used on Microsoft Windows servers, see <a href="http://www.microsoft.com/windows2000/en/server/help/" target="_blank">Microsoft Windows Help</a><img src="www.gif" alt="Link outside the Information center" />.</dd>
<dt class="dltermexpand">AIX<sup>®</sup> and i5/OS PASE</dt>
<dd>Both AIX and i5/OS PASE
support a Kerberos server through the kadmin command. Administrators need
to enter the PASE environment (by entering <tt>call QP2TERM</tt>) to configure
and manage the PASE Kerberos server. i5/OS PASE support for a Kerberos server
is new for V5R3. i5/OS PASE
provides a run-time environment for AIX applications, such as a Kerberos server.
The following documentation can help you configure and manage a Kerberos server
in AIX.<ul><li><cite>IBM<sup>®</sup> Network
Authentication Service AIX, Linux<sup>®</sup>, and Solaris Administrator's and User's Guide</cite>.</li>
<li><cite>IBM Network
Authentication Service AIX, Linux, and Solaris Application Development Reference</cite>.<div class="note"><span class="notetitle">Note:</span> You
can find this documentation in the <a href="http://www-1.ibm.com/servers/aix/products/bonuspack/aix5l/details.html" target="_blank">AIX
5L™ Expansion Pack and Bonus Pack</a> CD. <img src="www.gif" alt="Link outside the Information center" /></div>
</li>
</ul>
</dd>
<dt class="dltermexpand">z/OS<sup>®</sup></dt>
<dd>Security Server Network Authentication Service for z/OS is the IBM z/OS program based on Kerberos Version
5. Network Authentication Service for z/OS provides Kerberos security services
without requiring that you purchase or use a middleware program. These services
provide support for a native Kerberos server. See <a href="http://publibz.boulder.ibm.com/epubs/pdf/euvb3a20.pdf" target="_blank">z/OS Security Server Network Authentication Service
Administration</a> <img src="www.gif" alt="Link outside the Information center" /> for details on configuring and managing a z/OS Kerberos server.</dd>
</dl>
</div>
<p>No matter what operating system provides the Kerberos server, you need
to determine the server ports for the Kerberos server, secure access to the
Kerberos server, and ensure that the times of clients and the Kerberos server
are synchronized.</p>
<div class="p"><dl><dt class="dlterm">Determining server ports </dt>
<dd>Network authentication service uses port 88 as the default for the Kerberos
server. However, other ports can be specified in the configuration files of
the Kerberos server. You should verify the port number in the Kerberos configuration
files located on the Kerberos server. </dd>
<dt class="dlterm">Securing access to the Kerberos server</dt>
<dd>The Kerberos server should be located on a secure, dedicated system, to
help ensure that the database of principals and passwords is not compromised.
Users should have limited access to the Kerberos server. If the system on
which the Kerberos server resides is also used for some other purpose, such
as a Web server or an FTP server, someone might take advantage of security flaws
within these applications and gain access to the database stored on the Kerberos
server. For a Kerberos server in Microsoft Windows Active Directory, you can optionally
configure a password server that principals can use to manage and update their
own passwords stored on the Kerberos server. If you have configured a Kerberos
server in i5/OS PASE
and you are unable to dedicate the iSeries™ to Kerberos authentication, you
should ensure that only your administrator has access to the Kerberos configuration.</dd>
<dt class="dlterm">Synchronizing system times</dt>
<dd>Kerberos authentication requires that system time is synchronized. Kerberos
will reject any authentication requests from a system or client whose time
is not within the specified maximum clock skew of the Kerberos server. Because
each ticket is embedded with the time it was sent to a principal, an attacker
cannot replay the same ticket at a later time to attempt to authenticate
to the network. The iSeries system will also reject tickets from a Kerberos
server if its clock is not within the maximum clock skew set during network
authentication service configuration. The default value is 300 seconds (five
minutes) for the maximum clock skew. During network authentication service
configuration the maximum clock skew is set to this default; however, if necessary
you can change this value. It is not recommended to raise the value over 300
seconds. See <a href="rzakhsync.htm">Synchronize system times</a> for
details on how to work with system times.</dd>
</dl>
</div>
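<p>The following Python helper is an added example for the "Determining server ports" and "Synchronizing system times" items above; it is not part of this IBM topic and not the network authentication service configuration tool. It reads the KDC host and port and the maximum clock skew out of krb5.conf-style text, applying the port 88 and 300-second defaults described above, and checks whether two clocks fall within that skew. The sample configuration, the realm MYCO.COM and the second KDC host are constructed, and the assumption is that the Kerberos server's configuration file follows the standard krb5.conf layout.</p>

```python
import re
# Constructed sample krb5.conf (not from the page); models a PASE KDC for realm MYCO.COM
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYCO.COM
    clockskew = 300
[realms]
    MYCO.COM = {
        kdc = iseriesa.myco.com       # no port given, so the default of 88 applies
        kdc = kdc2.myco.com:8888      # a non-default port set in the configuration
    }
"""
DEFAULT_KDC_PORT = 88      # Kerberos default; verify it against the server's config files
DEFAULT_CLOCK_SKEW = 300   # seconds; the network authentication service default

def _sections(text):
    """Split ini-style krb5.conf text into {section: [stripped lines]}, dropping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def kdc_endpoints(text, realm):
    """Return [(host, port)] for each kdc line of `realm`, applying the port-88 default."""
    block = "\n".join(_sections(text).get("realms", []))
    body = re.search(rf"^{re.escape(realm)}\s*=\s*\{{$(.*?)^\}}$", block, re.S | re.M)
    if not body:
        return []
    pairs = re.findall(r"^kdc\s*=\s*([^:\s]+)(?::(\d+))?$", body.group(1), re.M)
    return [(host, int(port or DEFAULT_KDC_PORT)) for host, port in pairs]

def max_clock_skew(text):
    """Read clockskew (seconds) from [libdefaults], or fall back to the 300-second default."""
    for line in _sections(text).get("libdefaults", []):
        m = re.match(r"clockskew\s*=\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_CLOCK_SKEW

def within_clock_skew(client_time, kdc_time, max_skew):
    """True when two clocks (Unix seconds) differ by at most max_skew; the KDC rejects otherwise."""
    return abs(client_time - kdc_time) <= max_skew
```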
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Example planning work sheet for Kerberos server. This planning work sheet provides an example of how an administrator
planned the Kerberos server for a network</caption><thead align="left"><tr><th valign="top" id="d0e214">Questions</th>
<th valign="top" id="d0e216">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e214 ">On which operating system do you plan to configure your
Kerberos server?<ul><li>Windows 2000
Server</li>
<li>Windows Server
2003</li>
<li>AIX Server</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>zSeries<sup>®</sup></li>
</ul>
</td>
<td valign="top" headers="d0e216 ">i5/OS Portable Application Solutions Environment (PASE)</td>
</tr>
<tr><td valign="top" headers="d0e214 ">What is the fully qualified domain name for the Kerberos
server?</td>
<td valign="top" headers="d0e216 ">iseriesa.myco.com</td>
</tr>
<tr><td valign="top" headers="d0e214 ">Are times between the PCs and systems that connect to
the Kerberos server synchronized? What is the maximum clock skew?</td>
<td valign="top" headers="d0e216 ">Yes, 300 seconds</td>
</tr>
<tr><td valign="top" headers="d0e214 "><p><img src="./delta.gif" alt="Start of change" />Should I install the Network Authentication
Enablement (5722-NAE) product?<img src="./deltaend.gif" alt="End of change" /></p>
</td>
<td valign="top" headers="d0e216 ">Yes, if you plan to configure a Kerberos server in i5/OS PASE
on a V5R4 system. In V5R4, the network authentication server ships as a separate
product, <dfn class="term">Network Authentication Enablement</dfn> (5722-NAE). <p><img src="./delta.gif" alt="Start of change" />If
you are using i5/OS V5R3,
you need to install Cryptographic Access Provider (5722-AC3) instead to configure
a Kerberos server in i5/OS PASE.<img src="./deltaend.gif" alt="End of change" /></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</body>
</html>