Plan for principal names in your Kerberos network.
Principals are names of users or services in a Kerberos network. Principal names consist of the user name or service name and the name of the realm in which that user or service belongs. If Mary Jones uses the realm MYCO.COM, her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal name and its associated password to be authenticated by a centralized Kerberos server. All principals are added to the Kerberos server, which maintains a database of all users and services within a realm.
When developing a system for naming principals, you should assign principal names using a consistent naming convention that will accommodate current and future users. Use the following suggestions to establish a naming convention for your principals:
- Use family name and initial of first name
- Use first initial and full family name
- Use first name plus last initial
- Use application or service names with identifying numbers, such as database1.
i5/OS™ principal names
- i5/OS Kerberos Authentication
- When you choose to create a keytab entry for i5/OS Kerberos Authentication, the service
principal is generated in the keytab file in one of these formats: krbsvr400/iSeries
fully qualified domain name@REALM NAME or krbsvr400/iSeries host name@REALM
NAME. For example, a valid service principal for i5/OS Kerberos Authentication might be
krbsvr400/iseriesa.myco.com@MYCO.COM or krbsvr400/iseriesa@MYCO.COM. i5/OS generates
the principal based on the host name that it finds on either the DNS server
or on the iSeries server
depending on how the iSeries is configured to resolve host names.
The service principal is used for several i5/OS interfaces, such as QFileSrv.400, Telnet, Distributed Relational Database Architecture™ (DRDA®), iSeries NetServer™, and IBM®
iSeries Access
for Windows including iSeries Navigator.
Each of these applications may require additional configuration to enable
Kerberos authentication. - LDAP
- In addition to the i5/OS service principal name, you can optionally configure
additional service principals for IBM Directory Server for iSeries (LDAP)
during network authentication service configuration. The LDAP principal name
is ldap/iSeries fully qualified domain name@REALM NAME. For example,
a valid LDAP principal name might be ldap/iseriesa.myco.com@MYCO.COM. This
principal name identifies the directory server located on that iSeries system. Note: In past releases, the network authentication service wizard created an uppercase keytab entry for LDAP service. If you have configured the LDAP principal previously when you reconfigure network authentication service or access the wizard through the Enterprise Identity Mapping (EIM) interface, you will be prompted to change this principal name to its lowercase version.If you plan on using Kerberos authentication with the directory server, you will not only need to configure network authentication service, but also change properties for the directory server to accept Kerberos authentication. When Kerberos authentication is used, directory server associates the server distinguished name (DN) with the Kerberos principal name. You can choose to have the server DN associated with one of the following methods:
- The server can create a DN based on the Kerberos principal name. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.
- The server can search the directory for a distinguished name (DN) that contains an entry for the Kerberos principal and realm. When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.
See IBM Directory Server for iSeries (LDAP) for details on the configuration Kerberos authentication for the directory server.
- HTTP Server powered by Apache
- In addition to the i5/OS service principal name, you can optionally configure
additional service principals for HTTP Server powered by Apache (HTTP) during
network authentication service configuration. The HTTP principal name is HTTP/iSeries
fully qualified domain name@REALM NAME. This principal name identifies
the HTTP server instances on the iSeries that will be using Kerberos to
authenticate web users. To use Kerberos authentication with an HTTP server
instance, you will also need to complete additional configuration steps that
pertain to HTTP server.
See the HTTP Server: documentation
home page to find information about using Kerberos
authentication with HTTP server. - iSeries NetServer
- For iSeries NetServer,
you can also choose to create several NetServer principals that are automatically
added to the keytab file on the iSeries. Each of these NetServer principals
represent all the potential clients that you might use to connect with iSeries NetServer.
The following table shows the iSeries NetServer principal name and the clients
they represent:
Table 1. iSeries NetServer principal names Client connection iSeries NetServer principal name Windows XP cifs/iSeries fully qualified domain name
cifs/iSeries host name
cifs/QiSeries host name
cifs/qiSeries host name
cifs/IP addressWindows 2000 HOST/iSeries fully qualified domain name
HOST/iSeries host name
HOST/QiSeries host name
HOST/qiSeries host name
HOST/IP addressSee iSeries NetServer for more information about using Kerberos authentication with this application.
| Questions | Answers |
|---|---|
| What is the naming convention that you plan to use for Kerberos principals that represent users in your network? | First initial followed by first five letters of the family name in lowercase Example: mjones |
| What is the naming convention for applications on your network? | Descriptive name followed by number Example: database123 |
| For which i5/OS services do you plan to use Kerberos authentication? |
|
| What are the i5/OS principal names for each of these i5/OS services? |
|