Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service

After you have created a new domain and configured network authentication service on iSeries™ A, you need to configure iSeries B to participate in the EIM domain and configure network authentication service on iSeries B. Use the information from your work sheets to complete this step.
  1. In iSeries Navigator, expand iSeries B > Network > Enterprise Identity Mapping.
  2. Right-click Configuration and select Configure to start the configuration wizard.
  3. On the Welcome page, select Join an existing domain. Click Next.
  4. Complete these tasks to configure network authentication service.
    1. On the Configure Network Authentication Service page, select Yes.
      Note: This starts the Network Authentication Service wizard. This wizard allows you to configure several i5/OS™ interfaces and services to participate in a Kerberos network.
    2. On the Specify Realm Information page, enter MYCO.COM in the Default realm field and select Microsoft Active Directory is used for Kerberos authentication. Click Next.
    3. On the Specify KDC Information page, enter kdc1.myco.com for the name of the Kerberos server in the KDC field and enter 88 in the Port field. Click Next.
    4. On the Specify Password Server Information page, select Yes. Enter kdc1.myco.com in the Password server field and 464 in the Port field. Click Next.
    5. On the Select Keytab Entries page, select i5/OS Kerberos Authentication. Click Next.
    6. On the Create i5/OS Keytab Entry page, enter and confirm a password, and click Next. For example, iseriesa123. This password will be used when the iSeries A service principal is added to the Kerberos server.
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
    7. Optional: On the Create Batch File page, select Yes, specify the following information, and click Next:
      • Batch file: Add the text iseriesb to the end of the default batch file name. For example, C:\Documents and Settings\All Users\Documents\IBM\Client Access\NASConfigiseriesb.bat.
      • Select Include password. This ensures that all passwords associated with the i5/OS service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. Therefore, it is recommended that you delete the batch file from the Kerberos server and from your PC immediately after use.
        Note: If you do not include the password, you will be prompted for the password when the batch file is run.
    8. On the Summary page, review the network authentication service configuration details. Click Finish.
  5. On the Specify Domain Controller page, specify the following information, and click Next:
    • Domain controller name: iseriesa.myco.com
    • Port: 389
  6. On the Specify User for Connection page, specify the following information, and click Next:
    Note: Specify the LDAP administrator's DN and password that you created earlier in this scenario on iSeries A.
    1. User type: Distinguished name and password
    2. Distinguished name: cn=administrator
    3. Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  7. On the Specify Domain page, select the name of the domain that you want to join. Click Next. For example, MyCoEimDomain.
  8. On the Registry Information page, select Local i5/OS and deselect Kerberos registry. (The Kerberos registry was created when you created the MyCoEimDomain domain.) Click Next. Write down the registry names. You will need these registry names when you create associations to EIM identifiers.
    Note:
    • Registry names must be unique to the domain.
    • You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values.
  9. On the Specify EIM System User page, select the user the operating system uses when performing EIM operations on behalf of operating system functions, and click Next:
    Note: Specify the LDAP administrator's DN and password that you created earlier in this scenario on iSeries A.
    1. User type: Distinguished name and password
    2. Distinguished name: cn=administrator
    3. Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  10. On the Summary page, confirm the EIM configuration. Click Finish.
Parent topic: Scenario: Enable single signon for i5/OS
Previous topic: Create a basic single signon configuration for iSeries A
Next topic: Add both i5/OS service principals to the Kerberos server