ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzakhplanwrkshts.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Network authentication service planning work sheets" />
<meta name="abstract" content="To successfully configure network authentication service, you must understand the requirements and complete the necessary planning steps." />
<meta name="description" content="To successfully configure network authentication service, you must understand the requirements and complete the necessary planning steps." />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhplanwrkshts" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Network authentication service planning work sheets</title>
</head>
<body id="rzakhplanwrkshts"><a name="rzakhplanwrkshts"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Network authentication service planning work sheets</h1>
<div><p>To successfully configure network authentication service, you must
understand the requirements and complete the necessary planning steps.</p>
<div class="section"><p>This topic provides a prerequisite worksheet and planning work
sheet to ensure all necessary steps are completed. Use the following work
sheets to aid in planning a Kerberos implementation and configuring network
authentication service.</p>
<p><strong>Prerequisite work sheet</strong></p>
<p>Use this
planning work sheet to ensure that all required prerequisites have been completed.
You should be able to answer Yes to all prerequisite items before you perform
any configuration tasks.</p>

<div class="tablenoborder"><a name="rzakhplanwrkshts__prereq"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzakhplanwrkshts__prereq" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Prerequisite work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e28">Questions</th>
<th valign="top" width="25%" id="d0e30">Answers</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e28 ">Is your i5/OS™ V5R3 (5722-SS1) or later?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 "><p><img src="./delta.gif" alt="Start of change" />If you are using i5/OS V5R3, is
Cryptographic Access Provider (5722-AC3) installed on your iSeries™ systems? <img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />If you are using i5/OS V5R4, is Network Authentication Enablement
(5722-NAE) installed on your systems?<img src="./deltaend.gif" alt="End of change" /></p>
</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Is iSeries Access for Windows<sup>®</sup> (5722-XE1)
installed on the administrator's PC and on your iSeries systems?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Is the Security subcomponent of iSeries Navigator
installed on the administrator's PC?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Is the Network subcomponent of iSeries Navigator
installed on the administrator's PC?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e28 ">Have you installed the latest IBM<img src="eserver.gif" alt="e(logo) server" /> iSeries Access for Window service pack?
See the <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access
web page</a><img src="www.gif" alt="link outside the Information Center" /> for the latest service pack.</td>
<td valign="top" width="25%" headers="d0e30 ">&nbsp;</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Do you have *SECADM, *ALLOBJ, and *IOSYSCFG
special authorities?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Do you have one of the following installed
on a secure system that will act as a Kerberos server? Which one? <ol><li>Windows 2000
Server</li>
<li>Windows Server
2003</li>
<li>AIX<sup>®</sup> Server</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">For Windows 2000 Server and Windows Server
2003, do you have Windows Support Tools (which provides the ktpass
tool) installed on the system being used as the key distribution center?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">If your Kerberos server is on a Windows 2000
or 2003 server, are all your PCs in your network configured in a Windows domain?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e28 ">Is the iSeries system time within five minutes
of the Kerberos server's system time? If not see <a href="rzakhsync.htm#rzakhsync">Synchronize system times</a>.</td>
<td align="left" valign="top" width="25%" headers="d0e30 "> </td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Kerberos server planning work sheet </caption><thead align="left"><tr><th valign="top" id="d0e182">Questions</th>
<th valign="top" id="d0e184">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e182 ">On which operating system do you plan to configure your
Kerberos server?<ul><li>Windows 2000
Server</li>
<li>Windows Server
2003</li>
<li>AIX Server</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>zSeries</li>
</ul>
</td>
<td valign="top" headers="d0e184 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e182 ">What is the fully qualified domain name for the Kerberos
server?</td>
<td valign="top" headers="d0e184 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e182 ">Are times between the PCs and systems that connect to
the Kerberos server synchronized? What is the maximum clock skew?</td>
<td valign="top" headers="d0e184 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 3. Kerberos realm planning work sheet </caption><thead align="left"><tr><th valign="top" id="d0e227">Questions</th>
<th valign="top" id="d0e229">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e227 ">How many realms do you need?</td>
<td valign="top" headers="d0e229 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e227 ">How do you plan to organize realms?</td>
<td valign="top" headers="d0e229 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e227 ">What will be the naming convention used for realms?</td>
<td valign="top" headers="d0e229 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 4. Principal planning work sheet</caption><thead align="left"><tr><th valign="top" id="d0e252">Questions</th>
<th valign="top" id="d0e254">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e252 ">What is the naming convention that you plan to use for
Kerberos principals that represent users in your network?</td>
<td valign="top" headers="d0e254 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e252 ">What is the naming convention for applications on your
network?</td>
<td valign="top" headers="d0e254 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e252 ">For which i5/OS services do you plan to use Kerberos
authentication?</td>
<td valign="top" headers="d0e254 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e252 ">What are the i5/OS principal names for each of these i5/OS services?</td>
<td valign="top" headers="d0e254 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 5.  Host name resolution considerations
work sheet</caption><thead align="left"><tr><th valign="top" id="d0e290">Question</th>
<th valign="top" id="d0e292">Answer</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e290 ">Are the PCs and iSeries using the same DNS server to
resolve host names?</td>
<td valign="top" headers="d0e292 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e290 ">Are you using a local host table on the iSeries to
resolve host names?</td>
<td valign="top" headers="d0e292 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e290 ">Do your PC and your iSeries server resolve the same host
name for the iSeries server?
See <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a> for assistance.</td>
<td valign="top" headers="d0e292 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>
<p>The following planning work sheet illustrates the type of information
you need before you begin configuring the Kerberos server in i5/OS PASE and
network authentication service. All answers on the prerequisite work sheet
should be answered before you proceed with configuring the Kerberos server
in i5/OS PASE.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 6. i5/OS PASE planning work sheet</caption><thead align="left"><tr><th align="left" valign="top" width="75%" id="d0e340">Questions</th>
<th align="left" valign="top" width="25%" id="d0e342">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="75%" headers="d0e340 ">Do you have PASE installed?</td>
<td valign="top" width="25%" headers="d0e342 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e340 ">What is the name of the default realm?</td>
<td align="left" valign="top" width="25%" headers="d0e342 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e340 ">What is the Kerberos server for this Kerberos
default realm? What is the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="25%" headers="d0e342 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e340 ">What is the naming convention for your principals that
represent users in your network?</td>
<td valign="top" width="25%" headers="d0e342 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e340 ">What are the principal names for your users in your
network?</td>
<td valign="top" width="25%" headers="d0e342 "> </td>
</tr>
</tbody>
</table>
</div>
<p>Use the following planning work sheet to gather the information
that you need before you begin configuring network authentication service.
All answers on the prerequisite work sheet should be answered before you proceed
with network authentication service configuration.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 7. Network authentication service planning work sheet</caption><thead align="left"><tr><th align="left" valign="top" width="75%" id="d0e380">Questions</th>
<th align="left" valign="top" width="25%" id="d0e382">Answers </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e380 ">What is the name of the Kerberos default
realm to which your iSeries will belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000
domain is similar to a Kerberos realm. Microsoft<sup>®</sup> Active Directory uses Kerberos
authentication as its default security mechanism.</div>
</td>
<td align="left" valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">Are you using Microsoft Active Directory?</td>
<td valign="top" width="25%" headers="d0e382 ">&nbsp;</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e380 ">What is the Kerberos server for this Kerberos
default realm? What is the port on which the Kerberos server listens?</td>
<td align="left" valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">Do you want to configure a password server for this
default realm? If yes, answer the following questions: <p>What is name of the password server for this Kerberos server?<br />
What is the port on which the password server listens?</p>
</td>
<td valign="top" width="25%" headers="d0e382 ">&nbsp;</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e380 ">For which services do you want to create
keytab entries?<ul><li>i5/OS Kerberos
Authentication</li>
<li>LDAP</li>
<li>iSeries IBM<sup>®</sup> HTTP
Server</li>
<li>iSeries NetServer™</li>
</ul>
</td>
<td align="left" valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">If you plan to create a service principal for i5/OS Kerberos
Authentication, what is its password?</td>
<td valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">If you plan to create a service principal for LDAP,
what is its password?</td>
<td valign="top" width="25%" headers="d0e382 ">&nbsp;</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">If you plan to create a service principal for HTTP Server,
what is its password?</td>
<td valign="top" width="25%" headers="d0e382 ">&nbsp;</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">If you plan to create a service principal for NetServer,
what is its password?<div class="note"><span class="notetitle">Note:</span> During the network authentication service wizard,
several principals will be created for iSeries NetServer. Write these down here as
they are displayed in the wizard. They will be needed when you add these principals
to the Kerberos server.</div>
</td>
<td valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e380 ">Do you want to create a batch file to automate
adding the service principals to Microsoft Active Directory?</td>
<td align="left" valign="top" width="25%" headers="d0e382 "> </td>
</tr>
<tr><td valign="top" width="75%" headers="d0e380 ">Do you want to include passwords with the i5/OS service
principals in the batch file?</td>
<td valign="top" width="25%" headers="d0e382 ">&nbsp;</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>

</body>
</html>