ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzcompletetheplanningworksheets.htm

307 lines
19 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Complete the planning work sheets" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablesso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzcompletetheplanningworksheets" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Complete the planning work sheets</title>
</head>
<body id="rzamzcompletetheplanningworksheets"><a name="rzamzcompletetheplanningworksheets"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Complete the planning work sheets</h1>
<div><div class="section">The following planning work sheets are tailored to fit this scenario
based on the general single signon <a href="rzamzssoplanworksheet.htm#rzamzssoplanworksheet">planning worksheets</a>. These planning work sheets demonstrate
the information that you need to gather and the decisions you need to make
to prepare the single signon implementation described by this scenario. To
ensure a successful implementation, you must be able to answer Yes to all
prerequisite items in the work sheet and you should gather all the information
necessary to complete the work sheets before you perform any configuration
tasks.<div class="note"><span class="notetitle">Note:</span> You need to thoroughly understand the concepts related to single
signon which include network authentication service and Enterprise Identity
Mapping (EIM) concepts, before you implement this scenario. </div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work sheet</caption><thead align="left"><tr><th align="left" valign="top" width="61.61616161616161%" id="d0e28"><strong>Prerequisite work sheet</strong></th>
<th align="left" valign="top" width="38.38383838383838%" id="d0e31"><strong>Answers</strong> </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Is your <span class="keyword">i5/OS™</span> V5R4
(5722-SS1)?</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td valign="top" width="61.61616161616161%" headers="d0e28 ">Are the following options and licensed products installed
on <span class="keyword">iSeries™</span> A?<ul><li><span class="keyword">i5/OS</span> Host Servers
(5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><span class="keyword">iSeries Access for Windows<sup>®</sup></span> (5722-XE1)</li>
</ul>
</td>
<td valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Have you installed an application that is
enabled for single signon on each of the PCs that will participate in the
single signon environment? <div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating
PC's have <span class="keyword">iSeries Access for Windows</span> (5722-XE1)
installed.</div>
</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Is <span class="keyword">iSeries Navigator</span> installed
on the administrator's PC?<ul><li>Is the Security subcomponent of <span class="keyword">iSeries Navigator</span> installed
on the administrator's PC?</li>
<li>Is the Network subcomponent of <span class="keyword">iSeries Navigator</span> installed
on the administrator's PC?</li>
</ul>
</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td valign="top" width="61.61616161616161%" headers="d0e28 ">Have you installed the latest <span class="keyword">iSeries Access for Windows</span> service
pack? For the latest service pack see <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access</a><img src="www.gif" alt="link outside the Information Center" />.</td>
<td valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Do you, the administrator, have *SECADM,
*ALLOBJ, and *IOSYSCFG special authorities?</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Do you have one of the following systems
acting as the Kerberos server (also known as the KDC)? If yes, specify which
system. <ol><li>Windows <sup>(R)</sup> 2000
Server<div class="note"><span class="notetitle">Note:</span> Microsoft<sup>®</sup> <span class="keyword">Windows 2000</span> Server
uses Kerberos authentication as its default security mechanism. </div>
</li>
<li>Windows <sup>(R)</sup> Server
2003</li>
<li><span class="keyword">i5/OS</span> PASE (V5R3 or
later)</li>
<li>AIX<sup>®</sup> server</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes, <span class="keyword">Windows 2000</span> Server</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Are all your PCs in your network configured
in a <span class="keyword">Windows 2000</span> domain?</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="61.61616161616161%" headers="d0e28 ">Is the <span class="keyword">iSeries</span> system
time within 5 minutes of the system time on the Kerberos server? If not see <a href="../rzakh/rzakhsync.htm">Synchronize system
times</a>.</td>
<td align="left" valign="top" width="38.38383838383838%" headers="d0e31 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<p>You need this information to configure EIM and network authentication
service to create a single signon test environment. </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning work sheet for iSeries A</caption><thead align="left"><tr><th align="left" valign="top" width="58.58585858585859%" id="d0e219">Configuration planning work sheet for <span class="keyword">iSeries</span> A</th>
<th align="left" valign="top" width="41.41414141414141%" id="d0e225">Answers</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e219 d0e225 ">Use the following information to complete
the EIM Configuration wizard. The information in this work sheet correlates
with the information you need to supply for each page in the wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain</li>
<li>Create and join a new domain</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Create and join a new domain</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Where do you want to configure your EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">On the local directory server<div class="note"><span class="notetitle">Note:</span> This will configure
the directory server on the same system on which you are currently configuring
EIM.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You
must configure network authentication service to configure single signon.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e219 d0e225 ">The Network Authentication Service wizard
launches from the EIM Configuration wizard. Use the following information
to complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can launch
the Network Authentication Service wizard independently of the EIM Configuration
wizard.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the name of the Kerberos default realm to which
your <span class="keyword">iSeries</span> will belong?<div class="note"><span class="notetitle">Note:</span> A <span class="keyword">Windows 2000</span> domain is similar to a Kerberos
realm. Microsoft Windows Active Directory uses Kerberos
authentication as its default security mechanism.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Yes</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the Kerberos server, also known as a key distribution
center (KDC), for this Kerberos default realm? What is the port on which the
Kerberos server listens?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p><span class="uicontrol">KDC</span>: <tt>kdc1.myco.com</tt> <br />
<span class="uicontrol">Port</span>: <tt>88</tt></p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the Kerberos server.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Do you want to configure a password server for this
default realm? If yes, answer the following questions: <p>What is name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Yes <p><span class="uicontrol">Password server</span>: <tt>kdc1.myco.com</tt> <br />
<span class="uicontrol">Port</span>: <tt>464</tt> </p>
<div class="note"><span class="notetitle">Note:</span> This is the default
port for the password server.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">For which services do you want to create keytab entries?<ul><li><span class="keyword">i5/OS</span> Kerberos Authentication</li>
<li>LDAP</li>
<li>iSeries IBM<sup>®</sup> HTTP
Server</li>
<li>iSeries NetServer™</li>
</ul>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><span class="keyword">i5/OS</span> Kerberos
Authentication</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the password for your service principal or principals? </td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>iseriesa123</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, you should never use these passwords as part
of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Do you want to create a batch file to automate adding
the service principals for <span class="keyword">iSeries</span> A
to the Kerberos registry?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Yes</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Do you want to include passwords with the <span class="keyword">i5/OS</span> service
principals in the batch file?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">Yes</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e219 d0e225 ">As you exit the Network Authentication
Service wizard, you will return to the EIM Configuration wizard. Use the following
information to complete the EIM Configuration wizard:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Specify user information that the wizard should use
when configuring the directory server. This is the connection user. You must
specify the port number, administrator distinguished name, and a password
for the administrator.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished
name (DN) and password to ensure the wizard has enough authority to administer
the EIM domain and the objects in it.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p><span class="uicontrol">Port</span>: <tt>389</tt><br />
<span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt> <br />
<span class="uicontrol">Password</span>: <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the name of the EIM domain that you want to
create?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>MyCoEimDomain</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Do you want to specify a parent DN for the EIM domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 ">No</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Which user registries do you want to add to the EIM
domain?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p>Local i5/OS--ISERIESA.MYCO.COM<br />
Kerberos--MYCO.COM</p>
<div class="note"><span class="notetitle">Note:</span> The Kerberos principals stored on the <span class="keyword">Windows 2000</span> server are not case sensitive;
therefore you should not select <span class="uicontrol">Kerberos user identities are case
sensitive</span>.</div>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">Which EIM user do you want <span class="keyword">iSeries</span> A
to use when performing EIM operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> If you
have not configured the directory server before configuring single signon,
the only distinguished name (DN) you can provide for the system user is the
LDAP administrator's DN and password.</div>
</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt><br />
<span class="uicontrol">User</span>: <tt>cn=administrator</tt><br />
<span class="uicontrol">Password</span>: <tt>mycopwd</tt></p>
<div class="note"><span class="notetitle">Note:</span> Any and all
passwords specified in this scenario are for example purposes only. To prevent
a compromise to your system or network security, you should never use these
passwords as part of your own configuration.</div>
</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e219 d0e225 ">After you complete the EIM Configuration
wizard, use the following information to complete the remaining steps required
for configuring single signon:</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the <span class="keyword">i5/OS</span> user
profile name for the user?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>JOHND</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the name of the EIM identifier that you want
to create?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>John Day</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What kinds of associations do you want to create? </td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p>Source association: Kerberos principal <tt>jday</tt><br />
Target association: <span class="keyword">i5/OS</span> user profile <tt>JOHND</tt> </p>
</td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the name of the user registry that contains
the Kerberos principal for which you are creating the source association?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What is the name of the user registry that contains
the <span class="keyword">i5/OS</span> user profile
for which you are creating the target association?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><tt>ISERIESA.MYCO.COM</tt></td>
</tr>
<tr><td valign="top" width="58.58585858585859%" headers="d0e219 ">What information do you need to supply to test EIM identity
mapping?</td>
<td valign="top" width="41.41414141414141%" headers="d0e225 "><p><span class="uicontrol">Source registry</span>: <tt>MYCO.COM</tt><br />
<span class="uicontrol">Source user</span>: <tt>jday</tt><br />
<span class="uicontrol">Target registry</span>: <tt>ISERIESA.MYCO.COM</tt></p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablesso.htm" title="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise.">Scenario: Create a single signon test environment</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm">Create a basic single signon configuration for iSeries A</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzalv/rzalveservercncpts.htm">Enterprise Identity Mapping (EIM)</a></div>
<div><a href="../rzakh/rzakhconcept.htm">Network authentication service</a></div>
</div>
</div>
</body>
</html>