This information explains how you can use the Enterprise Identity
Mapping (EIM) Configuration wizard on one iSeries™ system to configure a domain
controller and create an EIM domain, then use the wizard to configure other iSeries servers
to participate in the domain.
After you create an EIM domain and configure a directory server
as a domain controller on one system, you can configure all additional iSeries servers
(V5R2 or later) to join the existing EIM domain. As you work through the wizard
you must supply information about the domain, including connection information
to the EIM domain controller. When you use the EIM Configuration wizard to
join an existing domain, the wizard still provides you with the option of
launching the Network Authentication Service Configuration wizard if you choose
to configure Kerberos as part of configuring EIM on the system.
When you complete the EIM Configuration wizard to join an existing domain, you
can accomplish these tasks:
- Configure network authentication service for the system.
- Create EIM registry definitions for the local i5/OS™ registry and the Kerberos registry.
- Configure the system to participate in an existing EIM domain.
To configure your system to join an existing EIM domain, you must
have all of the following special authorities:
- Security administrator (*SECADM).
- All object (*ALLOBJ).
To start and use the EIM Configuration wizard to join an existing
EIM domain, complete these steps:
- Verify that the directory server on the remote system is active.
- In iSeries Navigator, select the system for which you want to configure EIM
  and expand Network > Enterprise Identity Mapping.
- Right-click Configuration and select Configure... to start the EIM
  Configuration wizard.
  Note: This option is labeled Reconfigure... if EIM has been previously
  configured on the system.
- On the Welcome page of the wizard, select Join an existing domain, and click
  Next.
  Note: If network authentication service is not currently configured on the
  iSeries server, or additional network authentication configuration
  information is needed to configure a single signon environment, the Network
  Authentication Services Configuration page displays. This page allows you to
  start the Network Authentication Service Configuration wizard so that you can
  configure network authentication service. Or, you can configure network
  authentication service at a later time by using the configuration wizard for
  this service through iSeries Navigator. When you complete network
  authentication service configuration, the EIM Configuration wizard continues.
- To configure network authentication service, complete these steps:
  - On the Configure Network Authentication Service page, select Yes to start
    the Network Authentication Service Configuration wizard. With this wizard,
    you can configure several i5/OS interfaces and services to participate in a
    Kerberos realm as well as configure a single signon environment that uses
    both EIM and network authentication service.
  - On the Specify Realm Information page, specify the name of the default
    realm in the Default realm field. If you are using Microsoft® Active
    Directory for Kerberos authentication, select Microsoft Active Directory is
    used for Kerberos authentication, and click Next.
  - On the Specify KDC Information page, specify the fully qualified name of
    the Kerberos server for this realm in the KDC field, specify 88 in the Port
    field, and click Next.
  - On the Specify Password Server Information page, select either Yes or No
    for setting up a password server. The password server allows principals to
    change passwords on the Kerberos server. If you select Yes, enter the
    password server name in the Password server field. In the Port field,
    accept the default value of 464, and click Next.
  - On the Select Keytab Entries page, select i5/OS Kerberos Authentication,
    and click Next.
    Note: In addition, you can also create keytab entries for the IBM®
    Directory Server for iSeries (LDAP), iSeries NetServer™, and iSeries HTTP
    server if you want these services to use Kerberos authentication. You may
    need to perform additional configuration for these services before they
    can use Kerberos authentication.
  - On the Create i5/OS Keytab Entry page, enter and confirm a password, and
    click Next. This is the same password you will use when you add the i5/OS
    principals to the Kerberos server.
  - Optional: On the Create Batch File page, select Yes, specify the following
    information, and click Next:
    - In the Batch file field, update the directory path. Click Browse to
      locate the appropriate directory path, or edit the path in the Batch
      file field.
    - In the Include password field, select Yes. This ensures that all
      passwords associated with the i5/OS service principal are included in
      the batch file. It is important to note that passwords are displayed in
      clear text and can be read by anyone with read access to the batch file.
      Therefore, it is essential that you delete the batch file from the
      Kerberos server and from the PC immediately after you use it. If you do
      not include the password, you will be prompted for the password when you
      run the batch file.
  - On the Summary page, review the network authentication service
    configuration details, and click Finish to return to the EIM Configuration
    wizard.
- On the Specify Domain Controller page, provide the following information:
  Note: The directory server that acts as the domain controller must be active
  to successfully complete this EIM configuration.
  - In the Domain controller name field, specify the name of the system that
    serves as the domain controller for the EIM domain that you want the
    iSeries server to join.
  - Click Use secure connection (SSL or TLS) if you want to use a secure
    connection to the EIM domain controller. When this is selected, the
    connection uses either Secure Sockets Layer (SSL) or Transport Layer
    Security (TLS) to establish a secure connection to protect EIM data
    transmission over an untrusted network, such as the Internet.
    Note: You must verify whether the EIM domain controller is configured to
    use a secure connection. Otherwise, the connection to the domain
    controller may fail.
  - In the Port field, specify the TCP/IP port on which the directory server
    listens. If Use secure connection is selected, the default port is 636;
    otherwise, the default port is 389.
  - Click Verify Connection to test that the wizard can use the specified
    information to successfully establish a connection to the EIM domain
    controller.
  - Click Next.
- On the Specify User For Connection page, select a User type for the
  connection. You can select one of the following types of users:
  Distinguished name and password, Kerberos keytab file and principal,
  Kerberos principal and password, or User profile and password. The two
  Kerberos user types are available only if network authentication service is
  configured for the local iSeries system. The user type that you select
  determines the other information that you must provide to complete the
  dialog, as follows:
  Note: To ensure that the wizard has enough authority to create the necessary
  EIM objects in the directory, select Distinguished name and password as the
  user type and specify the LDAP administrator DN and password as the user.
  You can specify a different user for the connection; however, the user you
  specify must have the equivalent of LDAP administrator authority for the
  remote directory server.
  - If you select Distinguished name and password, provide the following
    information:
    - In the Distinguished name field, specify the LDAP distinguished name (DN)
      that identifies the user who is authorized to create objects in the
      local namespace of the LDAP server. If you used this wizard to configure
      the LDAP server in an earlier step, you should enter the distinguished
      name of the LDAP administrator that you created in that step.
    - In the Password field, specify the password for the distinguished name.
    - In the Confirm password field, specify the password a second time for
      validation purposes.
  - If you select Kerberos keytab file and principal, provide the following
    information:
    - In the Keytab file field, specify the fully qualified path and keytab
      file name that contains the Kerberos principal for the wizard to use
      when connecting to the EIM domain. Or, click Browse... to browse through
      directories in the iSeries integrated file system to select a keytab
      file.
    - In the Principal field, specify the name of the Kerberos principal to be
      used to identify the user.
    - In the Realm field, specify the fully qualified Kerberos realm name of
      which the principal is a member. The name of the principal and realm
      uniquely identify the Kerberos users in the keytab file. For example,
      the principal jsmith in the realm ordept.myco.com is represented in the
      keytab file as jsmith@ordept.myco.com.
  - If you select Kerberos principal and password, provide the following
    information:
    - In the Principal field, specify the name of the Kerberos principal for
      the wizard to use when connecting to the EIM domain.
    - In the Realm field, specify the fully qualified Kerberos realm name of
      which the principal is a member. The name of the principal and realm
      uniquely identify the Kerberos users in the keytab file. For example,
      the principal jsmith in the realm ordept.myco.com is represented in the
      keytab file as jsmith@ordept.myco.com.
    - In the Password field, specify the password for the Kerberos principal.
    - In the Confirm password field, specify the password a second time for
      validation purposes.
  - If you select User profile and password, provide the following
    information:
    - In the User profile field, specify the user profile name for the wizard
      to use when connecting to the EIM domain.
    - In the Password field, specify the password for the user profile.
    - In the Confirm password field, specify the password a second time for
      validation purposes.
  - Click Verify Connection to test that the wizard can use the specified user
    information to successfully establish a connection to the EIM domain
    controller.
  - Click Next.
- On the Specify Domain page, select the name
of the domain that you want to join and click Next.
- On the Registry Information page, specify whether to add local user
  registries to the EIM domain as registry definitions. Select one or both of
  these user registry types:
  - Select Local i5/OS to add a registry definition for the local registry.
    In the field provided, accept the default value for the registry
    definition name or specify a different value for the registry definition
    name. The EIM registry name is an arbitrary string that represents the
    registry type and specific instance of that registry.
  - Select Kerberos to add a registry definition for a Kerberos registry. In
    the field provided, accept the default value for the registry definition
    name or specify a different value for the registry definition name. The
    default registry definition name is the same as the realm name. By
    accepting the default name and using the same Kerberos registry name as
    the realm name, you can increase performance in retrieving information
    from the registry. Select Kerberos user identities are case sensitive, if
    necessary.
    Note: If you have used the EIM Configuration wizard on another system to
    add a registry definition for the Kerberos registry for which this iSeries
    system has a service principal, then you do not need to add a Kerberos
    registry definition as part of this configuration. However, you will need
    to specify the name of that Kerberos registry in the configuration
    properties for this system after you finish the wizard.
  - Click Next.
- On the Specify EIM System User page, select a User type that you want the
  system to use when performing EIM operations on behalf of operating system
  functions. These operations include mapping lookup operations and deletion
  of associations when deleting a local i5/OS user profile. You can select one
  of the following types of users: Distinguished name and password, Kerberos
  keytab file and principal, or Kerberos principal and password. Which user
  types you can select varies based on the current system configuration. For
  example, if network authentication service is not configured for the system,
  then Kerberos user types may not be available for selection. The user type
  that you select determines the other information that you must provide to
  complete the page, as follows:
  Note: You must specify a user that is currently defined in the directory
  server that is hosting the EIM domain controller. The user that you specify
  must have privileges to perform mapping lookup and registry administration
  for the local user registry at a minimum. If the user that you specify does
  not have these privileges, then certain operating system functions related
  to the use of single signon and the deletion of user profiles may fail.
  - If you select Distinguished name and password, provide the following
    information:
    - In the Distinguished name field, specify the LDAP distinguished name
      that identifies the user for the system to use when performing EIM
      operations.
    - In the Password field, specify the password for the distinguished name.
    - In the Confirm password field, specify the password a second time for
      verification purposes.
  - If you select Kerberos principal and password, provide the following
    information:
    - In the Principal field, specify the Kerberos principal name for the
      system to use when performing EIM operations.
    - In the Realm field, specify the fully qualified Kerberos realm name of
      which the principal is a member. The name of the principal and realm
      uniquely identify the Kerberos users in the keytab file. For example,
      the principal jsmith in the realm ordept.myco.com is represented in the
      keytab file as jsmith@ordept.myco.com.
    - In the Password field, enter the password for the user.
    - In the Confirm password field, specify the password a second time for
      verification purposes.
  - If you select Kerberos keytab file and principal, provide the following
    information:
    - In the Keytab file field, specify the fully qualified path and keytab
      file name that contains the Kerberos principal for the system to use
      when performing EIM operations. Or, click Browse... to browse through
      directories in the iSeries integrated file system to select a keytab
      file.
    - In the Principal field, specify the Kerberos principal name for the
      system to use when performing EIM operations.
    - In the Realm field, specify the fully qualified Kerberos realm name of
      which the principal is a member. The name of the principal and realm
      uniquely identify the Kerberos users in the keytab file. For example,
      the principal jsmith in the realm ordept.myco.com is represented in the
      keytab file as jsmith@ordept.myco.com.
  - Click Verify Connection to ensure that the wizard can use the specified
    user information to successfully establish a connection to the EIM domain
    controller.
  - Click Next.
- On the Summary page, review the configuration
information that you have provided. If all information is correct, click Finish.
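As an added pre-flight check (example code written for this page, not IBM's or the wizard's own), the following Python models the rules the wizard pages above state: the default directory server ports (636 with SSL/TLS, 389 without), the two Kerberos user types needing network authentication service on the local system, the principal@realm keytab identity form, and the Kerberos registry name defaulting to the realm name. Field names follow the wizard pages; the sample values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Default directory server ports named on the page: 636 with SSL/TLS, 389 without.
DEFAULT_PORT = {True: 636, False: 389}
# User types that need network authentication service (NAS) on the local system.
KERBEROS_USER_TYPES = {"Kerberos keytab file and principal",
                       "Kerberos principal and password"}


@dataclass
class JoinDomainInput:
    """Values typed into the wizard pages (field names follow the page)."""
    domain_controller: str
    use_secure_connection: bool
    port: int
    user_type: str
    nas_configured: bool
    realm: str = ""                   # default Kerberos realm, if NAS is configured
    kerberos_registry_name: str = ""  # Registry Information page, Kerberos entry


def kerberos_identity(principal: str, realm: str) -> str:
    """Keytab identity form used on the page, e.g. jsmith@ordept.myco.com."""
    if not principal or not realm or "@" in principal:
        raise ValueError("principal and realm must be non-empty; principal must not contain '@'")
    return f"{principal}@{realm}"


def check_join_input(cfg: JoinDomainInput) -> list[str]:
    """Return findings to resolve before clicking Verify Connection (empty list = clean)."""
    findings: list[str] = []
    expected = DEFAULT_PORT[cfg.use_secure_connection]
    if cfg.port != expected:
        findings.append(f"port {cfg.port} is not the default ({expected}) for a "
                        f"{'secure' if cfg.use_secure_connection else 'plain'} LDAP "
                        "connection; confirm the domain controller listens there")
    if not cfg.use_secure_connection:
        findings.append("EIM data to the domain controller travels without SSL/TLS; "
                        "acceptable only on a trusted network")
    if cfg.user_type in KERBEROS_USER_TYPES and not cfg.nas_configured:
        findings.append(f"user type '{cfg.user_type}' needs network authentication "
                        "service configured on this system")
    if cfg.realm and cfg.kerberos_registry_name and cfg.kerberos_registry_name != cfg.realm:
        findings.append("Kerberos registry name differs from the realm name; lookups "
                        "are faster when they match")
    return findings
```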
Finalize your EIM configuration for the domain
When the wizard finishes, it adds the domain to the Domain
Management folder and you have created a basic EIM configuration
for this server. However, you may need to complete these tasks to finalize
your EIM configuration for the domain:
- Add EIM registry definitions to the EIM domain, if necessary, for other
  non-iSeries servers and applications that you want to participate in the
  EIM domain. These registry definitions refer to the actual user registries
  that must participate in the domain. You can either Add system registry
  definitions or Add application registry definitions depending on your EIM
  implementation needs.
- Based on your EIM implementation needs, determine whether to:
  - Use the EIM Test a mapping function to test the identity mappings for
    your EIM configuration.
  - If the only EIM user you have defined is the DN for the LDAP
    administrator, then your EIM user has a high level of authority to all
    data on the directory server. Therefore, you might consider creating one
    or more DNs as additional users that have more appropriate and limited
    access control for EIM data. To learn more about creating DNs for the
    directory server, see Distinguished names in the IBM Directory Server for
    iSeries (LDAP) topic. The number of additional EIM users that you define
    depends on your security policy's emphasis on the separation of security
    duties and responsibilities. Typically, you might create at least the two
    following types of DNs:
    Note: To use this new DN for the system user instead of the LDAP
    administrator DN, you must change the EIM configuration properties for the
    iSeries server. See Manage EIM configuration properties to learn how to
    change the system user DN.
You might need to perform additional tasks if you created a basic
network authentication service configuration, especially if you are implementing
a single signon environment. You can find information on these additional
steps by reviewing the complete configuration steps demonstrated by the scenario, Enable
single signon for i5/OS.