ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzconfigure.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure" />
<meta name="abstract" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
<meta name="description" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
<meta name="DC.Relation" scheme="URI" content="rzamzsso.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzconfigure" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure</title>
</head>
<body id="rzamzconfigure"><a name="rzamzconfigure"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure</h1>
<div><p>This information explains how to configure everything you need
to implement a single signon environment in your enterprise.</p>
<div class="p"><p>Creating a single signon environment is a matter of appropriately
configuring Enterprise Identity Mapping (EIM) and a compatible authentication
method to work together in such a way that the combined configuration provides
a true single signon environment. In the case of the <span class="keyword">i5/OS™</span> single
signon solutions, the authentication method is network authentication service
(Kerberos).</p>
<p>Because a single signon environment can be complex to configure,
you may find it useful to create a test environment before you implement single
signon across your enterprise. The <a href="rzamzenablesso.htm#rzamzenablesso">Scenario: Create a test single signon environment</a> demonstrates
how to configure such a test environment so that you can learn more about
the planning needs of implementing single signon as well as gain a better
understanding of how an single signon environment can work for you.</p>
<p>After
you work with a test environment, you can use what you learn to plan how to
implement single signon on a larger scale in your enterprise. You may find
it useful to work through the <a href="rzamzenablessoos400.htm">Scenario:
Enable single signon for i5/OS</a> to learn about the more advanced configuration
options that you can employ when you implement an single signon environment.</p>
<p>Once
you have reviewed these and the other single signon scenarios, you can use
the <a href="rzamzssoplanworksheet.htm#rzamzssoplanworksheet">Single
signon planning worksheets</a> to create an informed single signon implementation
plan that fits the needs of your enterprise. With these planning worksheets
in hand, you are ready to continue with the configuration process.</p>
<p>This
information helps you configure a single signon environment using the network
authentication service as your authentication method and using EIM to create
and manage your user profiles and identity mappings. Because single signon
involves a number of detailed configuration steps, this information describes
the high-level configuration tasks for single signon and provides links to
the more detailed configuration information for both EIM and network authentication
service where appropriate.</p>
</div>
<div class="section">Perform these tasks to configure a single signon environment: </div>
<ol><li class="stepexpand"><span>Create your <span class="keyword">Windows<sup>®</sup> 2000</span> domain</span><ol type="a"><li class="substepexpand"><span>Configure the KDC on the Active Directory (AD) Server.</span> <div class="note"><span class="notetitle">Note:</span> You can choose to create and run your KDC on <span class="keyword">i5/OS</span> PASE
rather than create a Windows domain and run the KDC on a
windows server.</div>
</li>
<li class="substepexpand"><span>Add <span class="keyword">i5/OS</span> service
principals to the Kerberos server.</span></li>
<li class="substepexpand"><span>Create a home directory for each Kerberos user who will participate
in your single signon environment.</span></li>
<li class="substepexpand"><span>Verify TCP/IP domain information.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Create an EIM domain by running the both the network authentication
service wizard and the EIM configuration wizard on a server.  </span> When
you have completed these wizards, you have actually accomplished the following
tasks:<ol type="a"><li><span>Configured <span class="keyword">i5/OS</span> interfaces
to accept Kerberos tickets.</span></li>
<li><span>Configured the Directory server on the <span class="keyword">iSeries™</span> to
be the EIM domain controller.</span></li>
<li><span>Created an EIM domain.</span></li>
<li><span>Configured a user identity for <span class="keyword">i5/OS</span> and <span class="keyword">i5/OS</span> applications to use when conducting
EIM operations.</span></li>
<li><span>Added a registry definition to EIM for the local <span class="keyword">i5/OS</span> registry
and the local Kerberos registry (if Kerberos is configured).</span></li>
</ol>
</li>
<li class="stepexpand"><span>For servers running <span class="keyword">i5/OS</span> V5R3
or later, see the <a href="rzamzsynchconfig.htm">Scenario: Propagate network
authentication service and EIM across multiple systems</a> for a detailed
demonstration on how to use the Synchronize Functions wizard in <span class="keyword">iSeries Navigator</span> to
propagate a single signon configuration across multiple servers in a mixed <span class="keyword">i5/OS</span> release environment. </span> Administrators can save time by configuring single signon once and propagating
that configuration to all of their systems instead of configuring each system
individually.</li>
<li class="stepexpand"><span><a href="../rzakh/rzakhconfig.htm">Finish
your configuration for the network authentication service</a></span> Based
on your single signon implementation plan, create a home directory for users
on your servers.</li>
<li class="stepexpand"><span>Based on your implementation plan, customize your EIM environment
by setting up associations for the user identities in your enterprise. Learn
how to <a href="../rzalv/rzalvcnfg.htm">customize
your EIM environment</a> in the <span class="keyword">iSeries Information Center</span></span><ol type="a"><li><span>Configure other servers to participate in the EIM domain.</span></li>
<li><span>Create EIM identifiers and identifier associations as needed.</span></li>
<li><span>Add additional registry definitions as needed.</span></li>
<li><span>Create policy associations as needed.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Test your single signon configuration.</span> <p>To verify
that you have configured the network authentication service and EIM correctly,
sign onto the system with a user ID, and then open <span class="keyword">iSeries Navigator</span>.
If no <span class="keyword">i5/OS</span> signon prompt
displays, EIM successfully mapped the Kerberos principal to an identifier
on the domain. </p>
<div class="note"><span class="notetitle">Note:</span> If you find that your test of your single signon
configuration fails, there may be a problem with your configuration. You can <a href="rzamztroubleshoot.htm#rzamztroubleshoot">troubleshoot
single signon</a> and learn how to recognize and fix common problems with
your single signon configuration.</div>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzsso.htm">Single signon</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="task" />`
			`<meta name="DC.Title" content="Configure" />`
			`<meta name="abstract" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />`
			`<meta name="description" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />`
			`<meta name="DC.Relation" scheme="URI" content="rzamzsso.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzamzconfigure" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Configure</title>`
			`</head>`
			`<body id="rzamzconfigure"><a name="rzamzconfigure"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Configure</h1>`
			`<div><p>This information explains how to configure everything you need`
			`to implement a single signon environment in your enterprise.</p>`
			`<div class="p"><p>Creating a single signon environment is a matter of appropriately`
			`configuring Enterprise Identity Mapping (EIM) and a compatible authentication`
			`method to work together in such a way that the combined configuration provides`
			`a true single signon environment. In the case of the <span class="keyword">i5/OS™</span> single`
			`signon solutions, the authentication method is network authentication service`
			`(Kerberos).</p>`
			`<p>Because a single signon environment can be complex to configure,`
			`you may find it useful to create a test environment before you implement single`
			`signon across your enterprise. The <a href="rzamzenablesso.htm#rzamzenablesso">Scenario: Create a test single signon environment</a> demonstrates`
			`how to configure such a test environment so that you can learn more about`
			`the planning needs of implementing single signon as well as gain a better`
			`understanding of how an single signon environment can work for you.</p>`
			`<p>After`
			`you work with a test environment, you can use what you learn to plan how to`
			`implement single signon on a larger scale in your enterprise. You may find`
			`it useful to work through the <a href="rzamzenablessoos400.htm">Scenario:`
			`Enable single signon for i5/OS</a> to learn about the more advanced configuration`
			`options that you can employ when you implement an single signon environment.</p>`
			`<p>Once`
			`you have reviewed these and the other single signon scenarios, you can use`
			`the <a href="rzamzssoplanworksheet.htm#rzamzssoplanworksheet">Single`
			`signon planning worksheets</a> to create an informed single signon implementation`
			`plan that fits the needs of your enterprise. With these planning worksheets`
			`in hand, you are ready to continue with the configuration process.</p>`
			`<p>This`
			`information helps you configure a single signon environment using the network`
			`authentication service as your authentication method and using EIM to create`
			`and manage your user profiles and identity mappings. Because single signon`
			`involves a number of detailed configuration steps, this information describes`
			`the high-level configuration tasks for single signon and provides links to`
			`the more detailed configuration information for both EIM and network authentication`
			`service where appropriate.</p>`
			`</div>`
			`<div class="section">Perform these tasks to configure a single signon environment: </div>`
			`<ol><li class="stepexpand"><span>Create your <span class="keyword">Windows<sup>®</sup> 2000</span> domain</span><ol type="a"><li class="substepexpand"><span>Configure the KDC on the Active Directory (AD) Server.</span> <div class="note"><span class="notetitle">Note:</span> You can choose to create and run your KDC on <span class="keyword">i5/OS</span> PASE`
			`rather than create a Windows domain and run the KDC on a`
			`windows server.</div>`
			`</li>`
			`<li class="substepexpand"><span>Add <span class="keyword">i5/OS</span> service`
			`principals to the Kerberos server.</span></li>`
			`<li class="substepexpand"><span>Create a home directory for each Kerberos user who will participate`
			`in your single signon environment.</span></li>`
			`<li class="substepexpand"><span>Verify TCP/IP domain information.</span></li>`
			`</ol>`
			`</li>`
			`<li class="stepexpand"><span>Create an EIM domain by running the both the network authentication`
			`service wizard and the EIM configuration wizard on a server. </span> When`
			`you have completed these wizards, you have actually accomplished the following`
			`tasks:<ol type="a"><li><span>Configured <span class="keyword">i5/OS</span> interfaces`
			`to accept Kerberos tickets.</span></li>`
			`<li><span>Configured the Directory server on the <span class="keyword">iSeries™</span> to`
			`be the EIM domain controller.</span></li>`
			`<li><span>Created an EIM domain.</span></li>`
			`<li><span>Configured a user identity for <span class="keyword">i5/OS</span> and <span class="keyword">i5/OS</span> applications to use when conducting`
			`EIM operations.</span></li>`
			`<li><span>Added a registry definition to EIM for the local <span class="keyword">i5/OS</span> registry`
			`and the local Kerberos registry (if Kerberos is configured).</span></li>`
			`</ol>`
			`</li>`
			`<li class="stepexpand"><span>For servers running <span class="keyword">i5/OS</span> V5R3`
			`or later, see the <a href="rzamzsynchconfig.htm">Scenario: Propagate network`
			`authentication service and EIM across multiple systems</a> for a detailed`
			`demonstration on how to use the Synchronize Functions wizard in <span class="keyword">iSeries Navigator</span> to`
			`propagate a single signon configuration across multiple servers in a mixed <span class="keyword">i5/OS</span> release environment. </span> Administrators can save time by configuring single signon once and propagating`
			`that configuration to all of their systems instead of configuring each system`
			`individually.</li>`
			`<li class="stepexpand"><span><a href="../rzakh/rzakhconfig.htm">Finish`
			`your configuration for the network authentication service</a></span> Based`
			`on your single signon implementation plan, create a home directory for users`
			`on your servers.</li>`
			`<li class="stepexpand"><span>Based on your implementation plan, customize your EIM environment`
			`by setting up associations for the user identities in your enterprise. Learn`
			`how to <a href="../rzalv/rzalvcnfg.htm">customize`
			`your EIM environment</a> in the <span class="keyword">iSeries Information Center</span></span><ol type="a"><li><span>Configure other servers to participate in the EIM domain.</span></li>`
			`<li><span>Create EIM identifiers and identifier associations as needed.</span></li>`
			`<li><span>Add additional registry definitions as needed.</span></li>`
			`<li><span>Create policy associations as needed.</span></li>`
			`</ol>`
			`</li>`
			`<li class="stepexpand"><span>Test your single signon configuration.</span> <p>To verify`
			`that you have configured the network authentication service and EIM correctly,`
			`sign onto the system with a user ID, and then open <span class="keyword">iSeries Navigator</span>.`
			`If no <span class="keyword">i5/OS</span> signon prompt`
			`displays, EIM successfully mapped the Kerberos principal to an identifier`
			`on the domain. </p>`
			`<div class="note"><span class="notetitle">Note:</span> If you find that your test of your single signon`
			`configuration fails, there may be a problem with your configuration. You can <a href="rzamztroubleshoot.htm#rzamztroubleshoot">troubleshoot`
			`single signon</a> and learn how to recognize and fix common problems with`
			`your single signon configuration.</div>`
			`</li>`
			`</ol>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzsso.htm">Single signon</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`