Scenario: Propagate network authentication service and EIM across multiple systems

This scenario demonstrates how to use the Synchronize Functions wizard in iSeries™ Navigator to propagate a single signon configuration across multiple systems in a mixed OS/400® release environment. Administrators can save time by configuring single signon once and propagating that configuration to all of their systems, instead of configuring each system individually.

Situation

You are a network administrator for a large auto parts manufacturer. You manage five systems with iSeries™ Navigator. One system operates as the central system, which stores data and manages the endpoint systems. You have read about the benefits of single signon and you want to configure a single signon environment for your enterprise. You have just completed the process of setting up a test environment on one system and you want to extend your single signon environment throughout the enterprise. You have four other servers to configure and you want to find a way to configure them as efficiently as possible.

You know that iSeries Navigator provides the Synchronize Functions wizard that allows you to copy the single signon configuration from one system and apply it to other i5/OS™ V5R3 or later systems. This eliminates the need to configure each system separately.

However, one of your systems runs OS/400^® Version 5 Release 2 (V5R2). OS/400 V5R2 does not support the Synchronize Functions wizard, which means that you must separately configure this system to match the current network authentication service and EIM configurations on your model system.

This scenario has the following advantages:

Simplifies the task of configuring network authentication service and EIM on multiple systems to create a single signon environment.
Saves you time and effort as you use a single wizard to copy and apply one manual configuration to a number of other servers.

Objectives

As the network administrator for MyCo, Inc., you want to create a single signon environment for your enterprise in which all your servers will participate and you want to configure your servers as quickly and easily as possible.

The objectives of this scenario are as follows:

iSeries A has existing network authentication service and EIM configurations from when it was set up to create a test environment. Consequently, iSeries A must be used as the model system for propagating these configurations to the end point systems of iSeries B and iSeries C.
All of the systems will be configured to join the same EIM domain and must use the same Kerberos server and the same domain controller.
Note: Refer to Domains to learn how two types of domains, an EIM domain and a Windows^® 2000 domain, both fit into the single signon environment.
iSeries D, the OS/400 V5R2 system, must be configured manually for network authentication service and EIM.

Details

The following figure illustrates the network environment for this scenario.

Propagate single signon across multiple systems diagram

The figure illustrates the following points relevant to this scenario.

Windows 2000 server

Acts as the Kerberos server, also known as the key distribution center (KDC), for the network.
All users are registered with the Kerberos server on the Windows 2000 server.

iSeries MC1 - Central system

Runs on i5/OS Version 5 Release 4 (V5R3) or later with the following options and licensed products installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
Stores, schedules, and runs synchronize functions tasks for each of the endpoint systems.
Is configured for network authentication service and EIM.

iSeries A - Model system

Note: The model system should be configured similarly to the system identified as iSeries A in the Scenario: Create a single signon test environment scenario. Refer to this scenario to ensure that all of the single signon configuration tasks on the model system are completed and verified.

Runs i5/OS Version 5 Release 4 (V5R4) with the following options and licensed products installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
Is configured for network authentication service and EIM.
Is the model system from which the network authentication service and EIM configurations are propagated to the target systems.

iSeries B

Runs i5/OS Version 5 Release 4 (V5R4) with the following options and licensed products installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
Is one of the target systems for the propagation of network authentication service and EIM configurations.

iSeries C

Runs i5/OS Version 5 Release 4 (V5R4) with the following options and licensed products installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
Is one of the target systems for the propagation of network authentication service and EIM configurations.

iSeries D

Runs OS/400 Version 5 Release 2 (V5R2) with the following options and licensed products installed:
- OS/400 Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
- Cryptographic Access Provider (5722-AC3)
Has the following V5R2 PTFs (program temporary fixes) applied:
- SI08977
- SI08979
Requires separate, manual configuration of network authentication service and EIM using the appropriate wizards in iSeries Navigator.

Administrator's PC

Runs i5/OS V5R4 iSeries Access for Windows (5722-XE1).
Runs i5/OS V5R4 iSeries Navigator with the following subcomponents:
Note: Only required for PC used to administer network authentication service.
- Network
- Security

Prerequisites and assumptions

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

iSeries MC1 - Central system prerequisites

All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, complete the following:
1. In iSeries Navigator, expand your iSeries server > Configuration and Service > Software > Installed Products.
2. Ensure that all the necessary licensed programs are installed.
All necessary hardware planning and setup is complete.
TCP/IP and basic system security are configured and tested.
Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
Note: When you propagate network configuration service configuration among servers, sensitive information like passwords are sent across the network. You should use SSL to protect this information, especially if it is being sent outside your Local Area Network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

iSeries A - Model system prerequisites

Note: This scenario assumes that iSeries A is properly configured for single signon. Refer to the Scenario: Create a single signon test environment scenario to ensure that all of the single signon configuration tasks on the model system are completed and verified.

All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, complete the following:
1. In iSeries Navigator, expand your iSeries server > Configuration and Service > Software > Installed Products.
2. Ensure that all the necessary licensed programs are installed.
All necessary hardware planning and setup is complete.
TCP/IP and basic system security are configured and tested.
Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
Note: When you propagate network configuration service configuration among servers, sensitive information like passwords are sent across the network. You should use SSL to protect this information, especially if it is being sent outside your Local Area Network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

iSeries B, iSeries C, and iSeries D - Endpoint systems prerequisites

All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, complete the following:
1. In iSeries Navigator, expand your iSeries server > Configuration and Service > Software > Installed Products.
2. Ensure that all the necessary licensed programs are installed.
All necessary hardware planning and setup is complete.
TCP/IP and basic system security are configured and tested.
Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
Note: When you propagate network configuration service configuration among servers, sensitive information like passwords are sent across the network. You should use SSL to protect this information, especially if it is being sent outside your Local Area Network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

Windows 2000 server prerequisites

All necessary hardware planning and setup have been completed.
TCP/IP has been configured and tested on the server.
Windows 2000 domain has been configured and tested.
All users within your network have been added to the Kerberos server.

Configuration steps

To propagate the network authentication service and EIM configurations from the model system, iSeries A to the endpoint systems, iSeries B and iSeries C, you must complete the following tasks:

Note: You need to understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single signon: