Single signon planning worksheets

Use these worksheets to ensure that you have met all of the prerequisites for single signon and that you have considered all of the aspects of your particular system and its security requirements.

Before you use these configuration planning worksheets, you need to plan your overall single signon implementation. Use these configuration planning worksheets to ensure that you have met all of the prerequisites, and that you have taken into consideration all of the aspects of your particular iSeries™ system.

Single signon prerequisite worksheet

This detailed work sheet is provided to help you ensure that you meet all hardware and software prerequisites for implementing single signon. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the work sheet and you should gather all the information necessary to complete the work sheets before you perform any configuration tasks.

Table 1. Single signon prerequisite work sheet
Prerequisite work sheet Answers
Is your i5/OS™ V5R4 (5722-SS1)?  
Are the following options and licensed products installed on your server?
  • i5/OS Host Servers (5722-SS1 Option 12)
  • Qshell Interpreter (5722-SS1 Option 30)
  • iSeries Access for Windows® (5722-XE1)
 
Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment?
Note: For the scenarios in this information, all of the PCs have iSeries Access for Windows (5722-XE1) installed.
 
Is iSeries Navigator installed on the administrator's PC?
  • Is the Security subcomponent of iSeries Navigator installed on the administrator's PC?
  • Is the Network subcomponent of iSeries Navigator installed on the administrator's PC?
 
Have you installed the latest iSeries Access for Windows service pack? For the latest service pack see iSeries Accesslink outside the Information Center.  
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?  
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system.
  1. Windows 2000 Server
    Note: Microsoft® Windows 2000 uses Kerberos authentication as its default security mechanism.
  2. Windows (R) Server 2003
  3. i5/OS PASE (V5R3 or later)
  4. AIX® server
  5. zSeries®
 
Are all your PCs in your network configured in a Windows 2000 domain?  
Have you applied the latest program temporary fixes (PTFs)?  
Is the iSeries system time within 5 minutes of the system time on the Kerberos server? If not see Synchronize system times.  

Single signon configuration planning worksheet

This is a configuration planning worksheets, designed to ensure that you have met all of the hardware and software prerequisites for single signon. Additionally, this worksheet ensures that you have completed those Enterprise Identity Mapping (EIM) and network authentication service configuration tasks that are required for a successful single signon environment.

Note: The single signon configuration planning worksheet is designed to assist you with the implementation of a single signon environment based on Enterprise Identity Mapping (EIM) and network authentication services. If you intend to use a different authentication mechanism, such as IBM® Directory Server for iSeries (LDAP) or digital certificates, you may need to adapt portions of this work sheet to better suit your needs.
Table 2. Single signon configuration planning work sheet
Configuration planning work sheet Answers
Use the following information to complete the EIM Configuration wizard:
How do you want to configure EIM for your system?
  • Join an existing domain
  • Create and join a new domain
 
Where do you want to configure your EIM domain?  
Do you want to configure network authentication service?  
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:
Note: The Network Authentication Service wizard can also be launched independently of the EIM Configuration wizard.
What is the name of the Kerberos default realm to which your iSeries will belong?
Note: A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.
 
Are you using Microsoft Active Directory?  
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?
Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is name of the password server for this Kerberos server?
What is the port on which the password server listens?

 
For which services do you want to create keytab entries?
  • i5/OS Kerberos Authentication
  • LDAP
  • IBM HTTP Server for i5/OS
  • iSeries NetServer™
 
What is the password for your service principal or principals?  
Do you want to create a batch file to automate adding the service principals for iSeries A to the Kerberos registry?  
Do you want to include passwords with the i5/OS service principals in the batch file?  
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:
Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.
What is the name of the EIM domain that you want to create?  
Do you want to specify a parent DN for the EIM domain?  
Which user registries do you want to add to the EIM domain?  
Which EIM user do you want iSeries A to use when performing EIM operations? This is the system user.
After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon:
What is the i5/OS user profile name for the user?  
What is the name of the EIM identifier that you want to create?  
What kinds of associations do you want to create?  
What is the name of the user registry that contains the Kerberos principal for which you are creating the source association?  
What is the name of the user registry that contains the i5/OS user profile for which you are creating the target association?  
What information do you need to supply to test EIM identity mapping?