<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2005" />
<meta name="DC.rights.owner" content="(C) Copyright IBM Corporation 2005" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Enable Kerberos" />
<meta name="abstract" content="Pegasus on iSeries supports both Kerberos and Enterprise Identity Mapping (EIM). To enable Kerberos, use the cimconfig commands to set the httpAuthType configuration option to Kerberos (this is the default value)." />
<meta name="description" content="Pegasus on iSeries supports both Kerberos and Enterprise Identity Mapping (EIM). To enable Kerberos, use the cimconfig commands to set the httpAuthType configuration option to Kerberos (this is the default value)." />
<meta name="DC.Relation" scheme="URI" content="rzatlsecure.htm" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="supporteim" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Enable Kerberos</title>
</head>
<body id="supporteim"><a name="supporteim"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Enable Kerberos</h1>
<div><p>Pegasus on iSeries™ supports both Kerberos and Enterprise Identity
Mapping (EIM). To enable Kerberos, use the cimconfig commands to set the httpAuthType
configuration option to Kerberos (this is the default value). </p>
<div class="section"><p>For all IBM<sup>®</sup> server platforms, the Kerberos default server name
is <span class="uicontrol">cimom</span>. For <span class="keyword">i5/OS™</span>,
you can also use the service name <span class="uicontrol">krbsvr400</span>. See the
Network Authentication Service topic for more information about Kerberos on <span class="keyword">i5/OS</span>. For information about resolving
the host name for Kerberos, follow the instructions in the Hostname resolutions
considerations information in the Network Authentication Service topic collection.</p>
<p>For example, one method for setting the CIMOM service principal would be to enter
the following commands:</p>
</div>
<ol><li class="stepexpand"><span>On the <span class="keyword">i5/OS</span> system
where the KDC is running, add the service principal cimom with the following
command:</span> <pre> addprinc cimom/&lt;host&gt;@&lt;realm&gt; </pre>
<p>You will be prompted for the password to the KDC.</p>
</li>
<li class="stepexpand"><span>On each <span class="keyword">i5/OS</span> system where
the CIMOM server will need to run, add the service principal cimom with the
following command:</span> <pre> keytab add cimom/&lt;host&gt;@&lt;realm&gt;</pre>
<p>You will be prompted for the password to the keytab file.</p>
</li>
</ol>
<div class="section"><p>This example makes the following assumptions:</p>
<ul><li>The password in the KDC and keytab file must match.</li>
<li>The host name is in the case determined by following the instructions in
the Hostname resolutions considerations.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <ul><li>Refer to the Keytab command information in the Network Authentication
Service topic.</li>
<li>If Kerberos authentication is enabled, only CIM clients that support Kerberos
authentication can connect to the CIM server.</li>
</ul>
</div>
<p>If EIM is not enabled, the Kerberos principal will be directly
used as the user identity on the system where CIMOM is running. The administrator
must set up matching user identities on all their systems. For example, if
a customer chooses not to configure and enable EIM, then the administrator
must be aware that a Kerberos principal <kbd class="userinput">john</kbd> is always
mapped to <kbd class="userinput">john</kbd> as the local user identity.</p>
</div>
</div>
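<p>The following audit is an added example, not part of the original IBM topic: for the case where EIM is not enabled, it reports, per system, the Kerberos user principals that have no matching local user identity. The principal, realm, system and user names are constructed samples, and two behaviours are assumptions: that the realm is dropped when the principal is mapped, and that local user names compare case-insensitively.</p>

```python
# Added example: check that every Kerberos user principal has a matching
# local user identity on each system where CIMOM runs (EIM not enabled).
# All principal, realm, system and user names below are constructed samples.

def local_name(principal):
    """Return the local user name a principal maps to, or None for
    service principals such as cimom/host@REALM.

    Assumption: the realm is dropped and the primary component is the
    user name, as in the page's example of john mapping to john.
    """
    name = principal.split("@", 1)[0]
    if not name or "/" in name:
        return None  # service/instance principal, not a user identity
    return name


def missing_identities(principals, profiles_by_system):
    """Map each system to the sorted principals with no local identity.

    Assumption: local user names compare case-insensitively.
    Systems with full coverage are left out of the report.
    """
    wanted = {}
    for principal in principals:
        user = local_name(principal)
        if user is not None:
            wanted[user.lower()] = principal
    report = {}
    for system, profiles in profiles_by_system.items():
        have = {u.lower() for u in profiles}
        gaps = sorted(p for u, p in wanted.items() if u not in have)
        if gaps:
            report[system] = gaps
    return report


SAMPLE_PRINCIPALS = [
    "john@EXAMPLE.REALM",
    "maria@EXAMPLE.REALM",
    "cimom/sysa.example.com@EXAMPLE.REALM",  # service principal, skipped
]
SAMPLE_PROFILES = {
    "sysa": ["JOHN", "MARIA"],
    "sysb": ["JOHN"],
}

if __name__ == "__main__":
    for system, gaps in missing_identities(SAMPLE_PRINCIPALS, SAMPLE_PROFILES).items():
        print(system, "has no local user for:", ", ".join(gaps))
```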
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzatlsecure.htm" title="Use this topic to find out about the options that are available for ensuring that the CIM server is secure.">Secure Pegasus</a></div>
</div>
</div>
</body>
</html>