<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="reference" /> <meta name="DC.Title" content="Scenario: Set up cross realm trust" /> <meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." /> <meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network." /> <meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_completeplanningworksheets.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_createrealmtrustprincipal.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_changeencryptiononserver.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_configurethewindowsservertotrust.htm" /> <meta name="DC.Relation" scheme="URI" content="rzakhcrossscenario_addtheshipdepttoiseriesa.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzakhscencross" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. --> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Scenario: Set up cross realm trust</title> </head> <body id="rzakhscencross"><a name="rzakhscencross"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Scenario: Set up cross realm trust</h1> <div><p>Use the following scenario to become familiar with the prerequisites and objectives of setting up cross realm trust on your network.</p> <div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are a security administrator for a large wholesale company. Currently you manage security for systems used by employees of the Order Receiving Department and the Shipping Department. You have configured a Kerberos server for the Order Receiving Department. You have configured network authentication service on the iSeries™ system in that department to point to that Kerberos server. The Shipping Department consists of an iSeries system that has a Kerberos server configured in i5/OS™ PASE. You have also configured network authentication service on this iSeries system to point to the Kerberos server in i5/OS PASE.</p> <p>Since users in both realms need to use services stored on iSeries systems located in each department, you want both of the Kerberos servers in each department to authenticate users regardless of which Kerberos realm they are located in.</p> </div> <div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this scenario, MyCo, Inc. wants to establish a trust relationship between two already existing Kerberos realms. One realm consists of a Windows<sup>®</sup> 2000 server acting as the Kerberos server for the Order Receiving Department. This server authenticates users within that department to services located on an iSeries server. The other realm consists of a Kerberos server configured in i5/OS PASE on one iSeries, which provides services for the users within the Shipping Department. Your users need to be authenticated to services in both departments.</p> <div class="p">The objectives of this scenario are as follows: <ul><li>To give clients and hosts on each network access to the other's network</li> <li>To simplify authentication across networks</li> <li>To allow ticket delegation for users and services in both networks</li> </ul> </div> </div> <div class="section"><h4 class="sectionscenariobar">Details</h4><p>Detailed description of the environment that this scenario describes, including a figure that shows the topology and all major elements of that environment and how they relate to each other.</p> <br /><img src="rzakh509.gif" longdesc="rzakh509desc.htm" alt="Cross realm trust diagram" /><br /><p><strong>Order Receiving Department</strong></p> <p><strong>iSeries A</strong></p> <ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host Servers (5722-SS1 Option 12)</li> <li>iSeries Access for Windows (5722-XE1)</li> <li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li> <li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running V5R3<img src="./deltaend.gif" alt="End of change" /></li> </ul> </li> <li>Has network authentication service configured to participate in the realm ORDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesa.ordept.myco.com@ORDEPT.MYCO.COM, has been added to the Windows 2000 domain.</li> <li>iSeries A has the fully qualified host name of iseriesa.ordept.myco.com.</li> </ul> <p><strong>Windows 2000 server</strong></p> <ul><li>Acts as the Kerberos server for the realm, ORDEPT.MYCO.COM.</li> <li>Has the DNS host name of kdc1.ordept.myco.com.</li> <li>Each user within the Order Department has been defined in Microsoft<sup>®</sup> Active Directory on the Windows 2000 server with a principal name and password. </li> </ul> <p><strong>Client PCs</strong></p> <ul><li>Run Windows 2000 operating system.</li> <li>PC used to administer network authentication service has the following products installed:<ul><li>iSeries Access for Windows (5722-XE1)</li> <li>iSeries Navigator and the following subcomponents:<ul><li>Security</li> <li>Network</li> </ul> </li> </ul> </li> </ul> <p><strong>Shipping Department</strong></p> <p><strong>iSeries B</strong></p> <ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) with the following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS PASE (5722 SS1 Option 33)</li> <li>Cryptographic Access Provider (5722-AC3)</li> <li>iSeries Access for Windows (5722-XE1)</li> </ul> </li> <li>Has a Kerberos server configured in i5/OS PASE with the realm of SHIPDEPT.MYCO.COM.</li> <li>Has network authentication service configured to participate in the realm SHIPDEPT.MYCO.COM. The i5/OS principal, krbsrv400/iseriesb.shipdept.myco.com@SHIPDEPT.MYCO.COM, has been added to the i5/OS PASE Kerberos server.</li> <li>Both iSeries B and the i5/OS PASE Kerberos server share the fully qualified host name iseriesb.shipdept.myco.com.</li> <li>Each user within the Shipping Department has been defined in the i5/OS PASE Kerberos server with a principal name and password.</li> </ul> <p><strong>Client PCs</strong></p> <ul><li>Run Windows 2000 operating system.</li> <li>PC used to administer network authentication service has the following products installed:<ul><li>iSeries Access for Windows (5722-XE1)</li> <li>iSeries Navigator and the following subcomponents:<ul><li>Security</li> <li>Network</li> </ul> </li> </ul> </li> </ul> <div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the hostname, <strong>iseriesa.myco.com</strong> are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div> </div> <div class="section" id="rzakhscencross__prereq1"><a name="rzakhscencross__prereq1"><!-- --></a><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>In this scenario, the following assumptions have been made to focus on the tasks that involve establishing a trust relationship between two pre-existing Kerberos realms. </p> <div class="p"><strong>iSeries A prerequisites</strong><ol><li>All system requirements, including software and operating system installation, have been verified.<div class="p">To verify that the required licensed programs have been installed, complete the following:<ol type="a"><li>In iSeries Navigator, expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed Products</span></span>.</li> <li>Ensure that all the necessary licensed programs are installed.</li> </ol> </div> </li> <li>All necessary hardware planning and setup have been completed.</li> <li>TCP/IP and basic system security have been configured and tested on iSeries A.</li> <li>Network authentication service has been configured and tested.</li> <li>A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables with Kerberos authentication may result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div> </li> </ol> </div> <div class="p"><strong>iSeries B prerequisites</strong><ol><li>All system requirements, including software and operating system installation, have been verified.<div class="p">To verify that the required licensed programs have been installed, complete the following:<ol type="a"><li>In iSeries Navigator, expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed Products</span></span>.</li> <li>Ensure that all the necessary licensed programs are installed.</li> </ol> </div> </li> <li>All necessary hardware planning and setup have been completed.</li> <li>TCP/IP and basic system security have been configured and tested on your iSeries server.</li> <li>Network authentication service has been configured and tested.</li> </ol> </div> <div class="p"><strong>Windows 2000 server prerequisites</strong><ol><li>All necessary hardware planning and setup have been completed.</li> <li>TCP/IP has been configured and tested on your server.</li> <li>Microsoft Active Directory has been configured and tested.</li> <li>Each user within the Order Department has been defined in Microsoft Active Directory with a principal name and password. </li> </ol> </div> </div> <div class="section"><h4 class="sectiontitle">Configuration steps</h4><p>To set up a trust relationship between two realms, complete these steps.</p> </div> </div> <div> <ol> <li class="olchildlink"><a href="rzakhcrossscenario_completeplanningworksheets.htm">Complete the planning work sheets</a><br /> </li> <li class="olchildlink"><a href="rzakhcrossscenario_ensurekerberosiseriesbstarted.htm">Ensure that the Kerberos server in i5/OS PASE on iSeries B has started</a><br /> </li> <li class="olchildlink"><a href="rzakhcrossscenario_createrealmtrustprincipal.htm">Create realm trust principal on the i5/OS PASE Kerberos server</a><br /> </li> <li class="olchildlink"><a href="rzakhcrossscenario_changeencryptiononserver.htm">Change encryption values on i5/OS PASE Kerberos server</a><br /> </li> <li class="olchildlink"><a href="rzakhcrossscenario_configurethewindowsservertotrust.htm">Configure the Windows 2000 server to trust SHIPDEPT.MYCO.COM</a><br /> </li> <li class="olchildlink"><a href="rzakhcrossscenario_addtheshipdepttoiseriesa.htm">Add the SHIPDEPT.MYCO.COM realm to iSeries A</a><br /> </li> </ol> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div> </div> </div> </body> </html>