<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="task" /> <meta name="DC.Title" content="JKL Toy Company enables single signon for HTTP Server (powered by Apache)" /> <meta name="abstract" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." /> <meta name="description" content="This scenario discusses how to enable single signon for your HTTP Server (powered by Apache)." /> <meta name="DC.Relation" scheme="URI" content="rzaiescenarios.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzaiejklkerberos" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>JKL Toy Company enables single signon for HTTP Server (powered by Apache)</title> </head> <body id="rzaiejklkerberos"><a name="rzaiejklkerberos"><!-- --></a> <h1 class="topictitle1">JKL Toy Company enables single signon for HTTP Server (powered by Apache)</h1> <div><p>This scenario discusses how to enable single signon for your HTTP Server (powered by Apache).</p> <div class="p"><div class="important"><span class="importanttitle">Important:</span> Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div> </div> <div class="section"><p>To learn more about Kerberos and network security on the iSeries™, see <a href="../rzakh/rzakh000.htm">Network authentication service</a>.</p> </div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiescenarios.htm" title="This topic provides information on how to use the IBM Web Administration for i5/OS interface to set up or manage your HTTP Server, step-by-step. 
Each task is specific and includes a usable HTTP Server configuration file when completed.">Scenarios for HTTP Server</a></div> </div> </div><div class="nested1" xml:lang="en-us" id="scenariointro"><a name="scenariointro"><!-- --></a><h2 class="topictitle2">Scenario</h2> <div><div class="section"><p>The JKL Web administrator, John Day, wants to enable single signon for the JKL Toy Company network. The network consists of several iSeries systems and a Windows<sup>®</sup> 2000 server, where the users are registered in Microsoft<sup>®</sup> Windows Active Directory. Based on John Day's research, he knows that Microsoft Active Directory uses the Kerberos protocol to authenticate Windows users. John Day also knows that i5/OS™ provides a single signon solution based on an implementation of Kerberos authentication, called network authentication service, in conjunction with Enterprise Identity Mapping (EIM). </p> <p>While excited about the benefits of a single signon environment, John Day wants to thoroughly understand single signon configuration and usage before using it across the entire enterprise. Consequently, John Day decides to configure a test environment first.</p> <p>After considering the various groups in the company, John Day decides to create the test environment for the <var class="varname">MYCO</var> Order Receiving department, a subsidiary of JKL Toys. The employees in the Order Receiving department use multiple applications, including HTTP Server, on one iSeries system to handle incoming customer orders. 
John Day uses the Order Receiving department as a testing area to create a single signon test environment that can be used to better understand how single signon works and how to plan a single signon implementation across the JKL enterprise.</p> <p><strong>This scenario has the following advantages: </strong> </p> <ul><li>Allows you to see some of the benefits of single signon on a small scale to better understand how you can take full advantage of it before you create a large-scale, single signon environment. </li> <li>Provides you with a better understanding of the planning process required to successfully and quickly implement a single signon environment across your entire enterprise.</li> </ul> <p>As the network administrator at JKL Toy Company, John Day wants to create a small single signon test environment that includes a small number of users and a single iSeries server, <var class="varname">iSeries A</var>. John Day wants to perform thorough testing to ensure that user identities are correctly mapped within the test environment. The first step is to enable a single signon environment for i5/OS and applications on <var class="varname">iSeries A</var>, including the HTTP Server (powered by Apache). After implementing the configuration successfully, John Day eventually wants to expand the test environment to include the other systems and users in the JKL enterprise. </p> <p><strong>The objectives of this scenario are as follows:</strong></p> <ul><li>The iSeries system, known as iSeries A, must be able to use Kerberos within the MYCO.COM realm to authenticate the users and services that are participating in this single signon test environment. 
To enable the system to use Kerberos, iSeries A must be configured for network authentication service.</li> <li>The directory server on iSeries A must function as the domain controller for the new EIM domain.<blockquote><div class="note"><span class="notetitle">Note:</span> Two types of domains play key roles in the single signon environment: an EIM domain and a Windows 2000 domain. Although both of these terms contain the word <dfn class="term">domain</dfn>, these entities have very different definitions. </div> </blockquote> <p>Use the following descriptions to understand the differences between these two types of domains. For more information about these terms, see the <a href="../rzalv/rzalvmst.htm">EIM</a> and <a href="../rzakh/rzakh000.htm">Network authentication service</a> topics. </p> <dl><dt class="dlterm">EIM domain</dt> <dd>An EIM domain is a collection of data, which includes the EIM identifiers, EIM associations, and EIM user registry definitions that are defined in that domain. This data is stored in a Lightweight Directory Access Protocol (LDAP) server, such as the IBM<sup>®</sup> Directory Server for iSeries, which can run on any system in the network defined in that domain. Administrators can configure systems (EIM clients), such as i5/OS, to participate in the domain so that systems and applications can use domain data for EIM lookup operations and identity mapping. To find out more about an EIM domain, see <a href="../rzalv/rzalvmst.htm">EIM</a>.</dd> </dl> <dl><dt class="dlterm">Windows 2000 domain</dt> <dd>In the context of single signon, a Windows 2000 domain is a Windows network that contains several systems that operate as clients and servers, as well as a variety of services and applications that the systems use. The following are some of the components pertinent to single signon that you may find within a Windows 2000 domain:<ul><li><strong>Realm</strong><p>A realm is a collection of machines and services. 
The main purpose of a realm is to authenticate clients and services. Each realm uses a single Kerberos server to manage the principals for that particular realm. </p> </li> <li><strong>Kerberos server</strong><div class="p">A Kerberos server, also known as a key distribution center (KDC), is a network service that resides on the Windows 2000 server and provides tickets and temporary session keys for network authentication service. The Kerberos server maintains a database of principals (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting server. A Kerberos server uses Microsoft Windows Active Directory to store and manage the information in a Kerberos user registry. <div class="note"><span class="notetitle">Note:</span> These servers should be in the same subnet to ensure that the tokens can be validated.</div> </div> </li> <li><strong>Microsoft Windows Active Directory</strong><p>Microsoft Windows Active Directory is an LDAP server that resides on the Windows 2000 server along with the Kerberos server. The Active Directory is used to store and manage the information in a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. Therefore, if you are using Microsoft Active Directory to manage your users, you are already using Kerberos technology. 
</p> </li> </ul> </dd> </dl> </li> <li>One user profile on <var class="varname">iSeries A</var> and one Kerberos principal must each be mapped to a single EIM identifier.</li> <li>A Kerberos service principal must be used to authenticate the user to the IBM HTTP Server for iSeries.</li> </ul> </div> </div> </div> <div class="nested1" xml:lang="en-us" id="details"><a name="details"><!-- --></a><h2 class="topictitle2">Details</h2> <div><div class="section"><p>The following figure illustrates the network environment for this scenario:</p> <br /><img src="rzamz501.gif" alt="Single signon test environment diagram" /><br /><p>The figure illustrates the following points relevant to this scenario.</p> <p><strong>EIM domain data defined for the enterprise</strong></p> <ul><li>An EIM domain called <var class="varname">MyCoEimDomain</var>.</li> <li>An EIM registry definition for <var class="varname">iSeries A</var> called <var class="varname">ISERIESA.MYCO.COM</var>. </li> <li>An EIM registry definition for the Kerberos registry called <var class="varname">MYCO.COM</var>. </li> <li>An EIM identifier called John Day. This identifier uniquely identifies John Day, the administrator for <var class="varname">MyCo</var>. </li> <li>A source association for the <var class="varname">jday</var> Kerberos principal on the Windows 2000 server. </li> <li>A target association for the <var class="varname">JOHND</var> user profile on <var class="varname">iSeries A</var> to access HTTP Server.</li> </ul> <p><strong>Windows 2000 server</strong></p> <ul><li>Acts as the Kerberos server (<var class="varname">kdc1.myco.com</var>), also known as a key distribution center (KDC), for the network. </li> <li>The default realm for the Kerberos server is <var class="varname">MYCO.COM</var>. </li> <li>A Kerberos principal of <var class="varname">jday</var> is registered with the Kerberos server on the Windows 2000 server. 
This principal will be used to create a source association to the EIM identifier, John Day. </li> </ul> <p><strong><var class="varname">iSeries A</var></strong></p> <ul><li>Runs OS/400<sup>®</sup> Version 5 Release 2 (V5R2) with the following options and licensed products installed:<ul><li>IBM HTTP Server for iSeries</li> <li>OS/400 Host Servers</li> <li>Qshell Interpreter</li> <li>iSeries Access for Windows </li> <li>Cryptographic Access Provider</li> </ul> </li> <li>The IBM Directory Server for iSeries (LDAP) on <var class="varname">iSeries A</var> will be configured to be the EIM domain controller for the new EIM domain, <var class="varname">MyCoEimDomain</var>. <var class="varname">iSeries A</var> participates in the EIM domain, <var class="varname">MyCoEimDomain</var>.</li> <li>The principal name for <var class="varname">iSeries A</var> is <var class="varname">krbsvr400/iseriesa.myco.com@MYCO.COM</var>.</li> <li>The principal name for the HTTP Server on <var class="varname">iSeries A</var> is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>.</li> <li>The user profile of <var class="varname">JOHND</var> exists on <var class="varname">iSeries A</var>. You will create a target association between this user profile and the EIM identifier, <var class="varname">John Day</var>. </li> <li>The home directory for the i5/OS user profile, <var class="varname">JOHND</var>, (<var class="varname">/home/JOHND</var>) is defined on <var class="varname">iSeries A</var>. </li> </ul> <p><strong>Client PC used for single signon administration</strong></p> <ul><li>Runs Microsoft Windows 2000 operating system. </li> <li>Runs V5R2 iSeries Access for Windows. </li> <li>Runs iSeries Navigator with the following subcomponents installed:<ul><li>Network </li> <li>Security </li> </ul> </li> <li>Serves as the primary logon system for administrator John Day. </li> <li>Configured to be part of the <var class="varname">MYCO.COM</var> realm (Windows domain). 
</li> </ul> </div> </div> </div> <div class="nested1" xml:lang="en-us" id="prereqs"><a name="prereqs"><!-- --></a><h2 class="topictitle2">Prerequisites</h2> <div><div class="section"><p>Successful implementation of this scenario requires that the following assumptions and prerequisites are met: </p> <ol><li>It is assumed you have read <a href="rzaiescenarios.htm">Scenarios for HTTP Server</a>. </li> <li>All system requirements, including software and operating system installation, have been verified.<div class="p">Ensure that all the necessary licensed programs are installed. To verify that the licensed programs have been installed, complete the following:<ol type="a"><li>In iSeries Navigator, expand your <span class="menucascade"><span class="uicontrol">iSeries server</span> > <span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed Products</span></span>. </li> </ol> </div> </li> <li>All necessary hardware planning and setup is complete. </li> <li>TCP/IP and basic system security are configured and tested on each system. </li> <li>The directory server and EIM are not previously configured on <var class="varname">iSeries A</var>.<div class="note"><span class="notetitle">Note:</span> Instructions in this scenario are based on the assumption that the directory server has not been previously configured on <var class="varname">iSeries A</var>. However, if you have previously configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.</div> </li> <li>A single DNS server is used for host name resolution for the network. 
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables with Kerberos authentication may result in name resolution errors or other problems.</div> </li> </ol> </div> </div> <div class="nested2" xml:lang="en-us" id="configsteps"><a name="configsteps"><!-- --></a><h3 class="topictitle3">Configuration steps</h3> <div><div class="section"><div class="note"><span class="notetitle">Note:</span> Before you implement this scenario, you need to thoroughly understand the concepts related to single signon, including network authentication service and Enterprise Identity Mapping (EIM). See the following information to learn about the terms and concepts related to single signon:</div> <ul><li><a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping (EIM) </a> </li> <li><a href="../rzakh/rzakh000.htm">Network authentication service</a> </li> </ul> <p>These are the configuration steps John Day completed. Follow these configuration steps to enable a single signon environment for your iSeries server.</p> <ul class="simple"><li><a href="#plnwrksht">Step 1: Planning work sheet</a></li> <li><a href="#eim">Step 2: Create a basic single signon configuration for iSeries A</a></li> <li><a href="#kerberos">Step 3: Add principal names to the KDC</a></li> <li><a href="#addkerberoskeytab">Step 4: Add Kerberos keytab</a></li> <li><a href="#crthmdirforjohn">Step 5: Create home directory for John Day on iSeries A</a></li> <li><a href="#tstntwrkauthsrvconfig">Step 6: Test network authentication service configuration on iSeries A</a></li> <li><a href="#crteimidforjohnd">Step 7: Create EIM identifier for John Day</a></li> <li><a href="#crtsrcassctntrgtassctneimid">Step 8: Create a source association and target association for the new EIM identifier</a></li> <li><a href="#cnfgiseriesaccess">Step 9: Configure iSeries Access for Windows applications to use Kerberos authentication</a></li> <li><a href="#addtoexistingeim">Step 
10: Add iSeries A to an existing EIM domain</a></li> <li><a href="#httpserver">Step 11: Configure HTTP Server for single signon</a></li> <li><a href="#post">Step 12: (Optional) Post configuration considerations</a></li> </ul> </div> </div> </div> <div class="nested2" xml:lang="en-us" id="plnwrksht"><a name="plnwrksht"><!-- --></a><h3 class="topictitle3">Step 1: Planning work sheet</h3> <div><div class="section"><p>The following planning work sheets are tailored to fit this scenario. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make to prepare the single signon implementation described by this scenario. To ensure a successful implementation, you must be able to answer <strong>Yes</strong> to all prerequisite items in the work sheet and be able to gather all the information necessary to complete the work sheets before you perform any configuration tasks.</p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Single signon prerequisite work sheet</caption><thead align="left"><tr><th valign="top" id="d0e437">Prerequisite work sheet</th> <th valign="top" id="d0e439">Answers </th> </tr> </thead> <tbody><tr><td valign="top" headers="d0e437 ">Are you running OS/400 or i5/OS at version V5R2 or higher?</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Are the following options and licensed products installed on <var class="varname">iSeries A</var>?<ul><li>i5/OS Host Servers</li> <li>Qshell Interpreter</li> <li>iSeries Access for Windows</li> <li>Cryptographic Access Provider</li> </ul> </td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment? 
<div class="note"><span class="notetitle">Note:</span> For this scenario, all of the participating PCs have iSeries Access for Windows installed and <var class="varname">iSeries A</var> has the HTTP Server for iSeries installed.</div> </td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Is iSeries Navigator installed on the administrator's PC?<ul><li>Is the Security subcomponent of iSeries Navigator installed on the administrator's PC?</li> <li>Is the Network subcomponent of iSeries Navigator installed on the administrator's PC?</li> </ul> </td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Have you installed the latest iSeries Access for Windows service pack? See <a href="http://www.ibm.com/servers/eserver/iseries/access/" target="_blank">iSeries Access</a> <img src="www.gif" alt="Link outside Information Center" /> for the latest service pack.</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Do you have one of the following systems in the network acting as the Kerberos server (also known as the KDC)? If yes, specify which system. <ol><li>Windows 2000 Server<div class="note"><span class="notetitle">Note:</span> Microsoft Windows 2000 Server uses Kerberos authentication as its default security mechanism. 
</div> </li> <li>Windows Server 2003 </li> <li>i5/OS PASE</li> <li>AIX<sup>®</sup> server </li> <li>zSeries<sup>®</sup></li> </ol> </td> <td valign="top" headers="d0e439 ">Yes, Windows 2000 Server</td> </tr> <tr><td valign="top" headers="d0e437 ">Are all your PCs in your network configured in a Windows<sup>®</sup> 2000 domain?</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Have you applied the latest program temporary fixes (PTFs)?</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> <tr><td valign="top" headers="d0e437 ">Is the iSeries system time within 5 minutes of the system time on the Kerberos server? If not, see <a href="../rzakh/rzakhsync.htm">Synchronize system times</a>.</td> <td valign="top" headers="d0e439 ">Yes</td> </tr> </tbody> </table> </div> <p>You need this information to configure EIM and network authentication service to create a single signon test environment.</p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Single signon configuration planning work sheet for iSeries A. <p>Use the following information to complete the EIM Configuration wizard. 
The information in this work sheet correlates with the information you need to supply for each page in the wizard:</p> </caption><thead align="left"><tr><th valign="top" id="d0e551">Configuration planning work sheet for iSeries A</th> <th valign="top" id="d0e553">Answers</th> </tr> </thead> <tbody><tr><td valign="top" headers="d0e551 ">How do you want to configure EIM for your system?<ul><li>Join an existing domain </li> <li>Create and join a new domain <div class="note"><span class="notetitle">Note:</span> This option allows you to configure the current system's directory server as the EIM domain controller when the directory server is not already configured as the EIM domain controller.</div> </li> </ul> </td> <td valign="top" headers="d0e553 ">Create and join a new domain<div class="note"><span class="notetitle">Note:</span> This will configure the directory server on the same system on which you are currently configuring EIM.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">Do you want to configure network authentication service?<div class="note"><span class="notetitle">Note:</span> You must configure network authentication service to configure single signon.</div> </td> <td valign="top" headers="d0e553 ">Yes</td> </tr> <tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:<div class="note"><span class="notetitle">Note:</span> You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">What is the name of the Kerberos default realm to which your iSeries will belong?<div class="note"><span class="notetitle">Note:</span> A Windows 2000 domain is similar to a Kerberos realm. 
Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.</div> </td> <td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td> </tr> <tr><td valign="top" headers="d0e551 ">Are you using Microsoft Active Directory?</td> <td valign="top" headers="d0e553 ">Yes</td> </tr> <tr><td valign="top" headers="d0e551 ">What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?</td> <td valign="top" headers="d0e553 "><ul class="simple"><li><strong>KDC</strong>: <var class="varname">kdc1.myco.com</var></li> <li><strong>Port</strong>: <var class="varname">88</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">Do you want to configure a password server for this default realm? If yes, answer the following questions: <p>What is the name of the password server for this Kerberos server? 
What is the port on which the password server listens?</p> </td> <td valign="top" headers="d0e553 ">Yes<ul class="simple"><li><strong>Password server</strong>: <var class="varname">kdc1.myco.com</var></li> <li><strong>Port</strong>: <var class="varname">464</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos password server.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos Authentication </li> <li>LDAP </li> <li>iSeries IBM HTTP Server for iSeries</li> <li>iSeries NetServer™ </li> </ul> </td> <td valign="top" headers="d0e553 ">i5/OS Kerberos Authentication<div class="note"><span class="notetitle">Note:</span> A keytab entry for HTTP Server must be created manually, as described later in the configuration steps.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">What is the password for your service principal or principals? </td> <td valign="top" headers="d0e553 "><var class="varname">iseriesa123</var><div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">Do you want to create a batch file to automate adding the service principals for iSeries A to the Kerberos registry?</td> <td valign="top" headers="d0e553 ">Yes</td> </tr> <tr><td valign="top" headers="d0e551 ">Do you want to include passwords with the i5/OS service principals in the batch file?</td> <td valign="top" headers="d0e553 ">Yes</td> </tr> <tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. 
Use the following information to complete the EIM Configuration wizard:</td> </tr> <tr><td valign="top" headers="d0e551 ">Specify user information for the wizard to use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.<div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.</div> </td> <td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Port</strong>: <var class="varname">389</var></li> <li><strong>Distinguished name</strong>: <var class="varname">cn=administrator</var></li> <li><strong>Password</strong>: <var class="varname">mycopwd</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, do not use these passwords as part of your own configuration.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">What is the name of the EIM domain that you want to create?</td> <td valign="top" headers="d0e553 "><var class="varname">MyCoEimDomain</var></td> </tr> <tr><td valign="top" headers="d0e551 ">Do you want to specify a parent DN for the EIM domain?</td> <td valign="top" headers="d0e553 ">No</td> </tr> <tr><td valign="top" headers="d0e551 ">Which user registries do you want to add to the EIM domain?</td> <td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Local i5/OS</strong>: <var class="varname">ISERIESA.MYCO.COM</var></li> <li><strong>Kerberos</strong>: <var class="varname">MYCO.COM</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> The Kerberos principals stored on the Windows 2000 server are not case sensitive; therefore, do not select <strong>Kerberos user identities are case sensitive</strong>.</div> </td> </tr> <tr><td valign="top" headers="d0e551 ">Which 
EIM user do you want iSeries A to use when performing EIM operations? This is the system user.<div class="note"><span class="notetitle">Note:</span> If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password.</div> </td> <td valign="top" headers="d0e553 "><ul class="simple"><li><strong>User type</strong>: Distinguished name and password </li> <li><strong>User</strong>: <var class="varname">cn=administrator</var></li> <li><strong>Password</strong>: <var class="varname">mycopwd</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </td> </tr> <tr><td colspan="2" valign="top" headers="d0e551 d0e553 ">After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon:</td> </tr> <tr><td valign="top" headers="d0e551 ">What is the i5/OS user profile name for the user?</td> <td valign="top" headers="d0e553 "><var class="varname">JOHND</var></td> </tr> <tr><td valign="top" headers="d0e551 ">What is the name of the EIM identifier that you want to create?</td> <td valign="top" headers="d0e553 "><var class="varname">John Day</var></td> </tr> <tr><td valign="top" headers="d0e551 ">What kinds of associations do you want to create? 
</td> <td valign="top" headers="d0e553 "><ul class="simple"><li><strong>Source association</strong>: Kerberos principal <var class="varname">jday</var></li> <li><strong>Target association</strong>: i5/OS user profile <var class="varname">JOHND</var> </li> </ul> </td> </tr> <tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains the Kerberos principal for which you are creating the source association?</td> <td valign="top" headers="d0e553 "><var class="varname">MYCO.COM</var></td> </tr> <tr><td valign="top" headers="d0e551 ">What is the name of the user registry that contains the i5/OS user profile for which you are creating the target association?</td> <td valign="top" headers="d0e553 "><var class="varname">ISERIESA.MYCO.COM</var></td> </tr> </tbody> </table> </div> </div> </div> </div> </div> <div class="nested1" xml:lang="en-us" id="eim"><a name="eim"><!-- --></a><h2 class="topictitle2">Step 2: Create a basic single signon configuration for <var class="varname">iSeries A</var></h2> <div><div class="section"><p>You need to create a basic single signon configuration using the iSeries Navigator. The EIM configuration wizard will assist in the configuration process. 
Use the information from your planning work sheets to configure EIM and network authentication service on <var class="varname">iSeries A</var>.</p> <div class="note"><span class="notetitle">Note:</span> For more information about EIM, see the <a href="../rzalv/rzalveservercncpts.htm" target="_blank">EIM concepts</a> topic.</div> </div> <ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li> <li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li> <li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to start the EIM Configuration wizard. </span></li> <li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Create and join a new domain</span>. Click <span class="uicontrol">Next.</span></span></li> <li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page, select <span class="uicontrol">On the local Directory server</span>. 
</span></li> <li class="stepexpand"><span>Click <span class="uicontrol">Next</span> and the <span class="uicontrol">Network Authentication Service</span> wizard is displayed.</span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication Service wizard only displays when the system determines that you need to enter additional information to configure network authentication service for the single signon implementation.</div> </li> <li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page, select <span class="uicontrol">Yes</span>.</span> <div class="note"><span class="notetitle">Note:</span> This launches the Network Authentication Service wizard. With this wizard, you can configure several i5/OS interfaces and services to participate in the Kerberos realm.</div> </li> <li class="substepexpand"><span>On the Specify Realm Information page, enter <var class="varname">MYCO.COM</var> in the <span class="uicontrol">Default realm</span> field and select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>. Click <span class="uicontrol">Next</span>.</span></li> <li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page, enter <var class="varname">kdc1.myco.com</var> in the <span class="uicontrol">KDC</span> field and enter <var class="varname">88</var> in the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li> <li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page, select <span class="uicontrol">Yes</span>. Enter <var class="varname">kdc1.myco.com</var> in the <span class="uicontrol">Password server</span> field and <var class="varname">464</var> in the <span class="uicontrol">Port</span> field. 
Click <span class="uicontrol">Next</span>.</span></li> <li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li> <li class="substepexpand"><span>On the <span class="uicontrol">Create OS/400 Keytab Entry</span> page, enter and confirm a password, and click <span class="uicontrol">Next</span>. For example, <var class="varname">iSeries A123</var>. This password will be used when <var class="varname">iSeries A</var> is added to the Kerberos server. </span> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </li> <li class="substepexpand"><span>On the <span class="uicontrol">Create Batch File</span> page, select <span class="uicontrol">Yes</span>, specify the following information, and click <span class="uicontrol">Next</span>:</span> <ul><li><strong>Batch file</strong>: Add the text <kbd class="userinput">iSeries A</kbd> to the end of the default batch file name. For example, <kbd class="userinput">C:\Documents and Settings\All Users\Documents\IBM\Client Access\NASConfigiSeries A.bat</kbd>. </li> <li><strong>Select Include password</strong>: This ensures that all passwords associated with the i5/OS service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. 
Therefore, it is recommended that you delete the batch file from the Kerberos server and from your PC immediately after use.</li> </ul> <div class="note"><span class="notetitle">Note:</span> If you do not include the password, you will be prompted for the password when the batch file is run.</div> <div class="note"><span class="notetitle">Note:</span> You must have <strong>ktpass</strong> and <strong>SETSPN</strong> (set service principal name) installed on your Windows 2000 server before running this bat file. The <strong>ktpass</strong> tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. The <strong>SETSPN</strong> tool is included in the Microsoft Windows 2000 Resource Kit and can be downloaded from the Microsoft website.</div> </li> <li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network authentication service configuration details. Click <span class="uicontrol">Finish</span> to complete the Network Authentication Service wizard and return to the EIM Configuration wizard. </span></li> </ol> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Configure Directory Server</span> page, enter the following information, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> If you configured the directory server before you started this scenario, you will see the <span class="uicontrol">Specify User for Connection</span> page instead of the <span class="uicontrol">Configure Directory Server</span> page. In that case, you must specify the distinguished name and password for the LDAP administrator.</div> <ul><li>Port: <var class="varname">389</var> </li> <li>Distinguished name: <var class="varname">cn=administrator</var> </li> <li>Password: <var class="varname">mycopwd </var></li> </ul> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. 
To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, enter the name of the domain in the <span class="uicontrol">Domain</span> field, and click <span class="uicontrol">Next</span>. For example, <var class="varname">MyCoEimDomain</var>. </span></li> <li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> page, select <span class="uicontrol">No</span>, and click <span class="uicontrol">Next</span>. </span> <div class="note"><span class="notetitle">Note:</span> If the directory server is active, a message is displayed that indicates you need to end and restart the directory server for the changes to take effect. Click <span class="uicontrol">Yes</span> to restart the directory server.</div> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local OS/400 and Kerberos</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li> <li>You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values. 
</li> </ul> </div> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select the user for the operating system to use when performing EIM operations on behalf of operating system functions, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> Because you did not configure the directory server prior to performing the steps in this scenario, the only distinguished name (DN) that you can choose is the LDAP administrator's DN.</div> <ul><li>User type: <var class="varname">Distinguished name and password</var></li> <li>Distinguished name: <span class="apiname">cn=administrator</span></li> <li>Password: <var class="varname">mycopwd</var> </li> </ul> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration information. Click <span class="uicontrol">Finish</span>. </span></li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="kerberos"><a name="kerberos"><!-- --></a><h2 class="topictitle2">Step 3: Add principal names to the KDC</h2> <div><div class="section"><p>To add the iSeries system to the Windows 2000 KDC, use the documentation for your KDC that describes the process of adding principals. By convention, the iSeries system name can be used as the username. 
Add the following principal names to the KDC:</p> <pre>krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM
HTTP/iseriesa.myco.com@MYCO.COM</pre> <p>On a Windows 2000 server, follow these steps: </p> </div> <ol><li class="stepexpand"><span>Use the Active Directory Management tool to create a user account for the iSeries system (select the <span class="uicontrol">Users</span> folder, right-click, select <span class="uicontrol">New</span>, then select <span class="uicontrol">User</span>.) Specify <var class="varname">iSeriesA</var> as the Active Directory user and <var class="varname">HTTPiSeriesA</var> as the service principal for HTTP.</span></li> <li class="stepexpand"><span>Access the properties on the Active Directory user <var class="varname">iSeriesA</var> and the service principal <var class="varname">HTTPiSeriesA</var>. From the <span class="uicontrol">Account</span> tab, select <span class="uicontrol">Account is trusted for delegation</span>. This allows the <var class="varname">HTTPiSeriesA</var> service principal to access other services on behalf of a signed-in user. </span></li> <li class="stepexpand"><span>Map the user account to the principal by using the <span class="uicontrol">ktpass</span> command. This needs to be done twice, once for <var class="varname">iSeriesa</var> and once for <var class="varname">HTTPiSeriesA</var>. The <span class="uicontrol">ktpass</span> tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. 
To map the user account, open the <span class="uicontrol">ktpass</span> command window and enter the following: </span> <pre>ktpass -princ krbsvr400/iSeriesA.ordept.myco.com@ORDEPT.MYCO.COM -mapuser iSeries A -pass iseriesa123 </pre> <p>Then add the HTTP Server to the KDC:</p> <pre>ktpass -princ HTTP/iseriesa.myco.com@MYCO.COM -mapuser iSeries A -pass iseriesa123 </pre> <p>For HTTP, an additional step (setspn - set service principal name) is required after the <span class="uicontrol">ktpass</span> is done:</p> <pre>SETSPN -A HTTP/iseriesA.myco.com@MYCO.COM HTTPiSeriesA</pre> <div class="note"><span class="notetitle">Note:</span> The <strong>SETSPN</strong> tool is included in the Microsoft Windows 2000 Resource Kit and can be downloaded from the Microsoft website.</div> <div class="note"><span class="notetitle">Note:</span> The value <var class="varname">iseriesa123</var> is the password that you specified when you configured network authentication service. Any and all passwords used within this scenario are for example purposes only. Do not use the passwords during an actual configuration.</div> </li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="addkerberoskeytab"><a name="addkerberoskeytab"><!-- --></a><h2 class="topictitle2">Step 4: Add Kerberos keytab</h2> <div><div class="section"><p>You need keytab entries for authentication purposes as well as for generating the authorization identity. The network authentication service (the i5/OS implementation of the Kerberos protocol) wizard creates a keytab entry for <var class="varname">iSeriesA</var>, however a keytab for HTTP must be manually created. The wizard is only able to create keytab entries for the system and certain applications that the code is aware are Kerberos-enabled. The network authentication service wizard configures network authentication service (Kerberos) for you. 
The wizard is called by the EIM wizard if you have not already configured network authentication service on the system or if your network authentication service configuration is not complete. </p> <p>The <span class="cmdname">kinit</span> command is used to initiate Kerberos authentication. A Kerberos ticket-granting ticket (TGT) is obtained and cached for the HTTP Server principal. Use <span class="cmdname">kinit</span> to perform the ticket exchange for the HTTP Server principal. The ticket is cached for reuse.</p> </div> <ol><li class="stepexpand"><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li> <li class="stepexpand"><span>Type <kbd class="userinput">QSH</kbd>.</span></li> <li class="stepexpand"><span>Type <kbd class="userinput">keytab add</kbd> <var class="varname">HTTP/iseriesa.myco.com</var>.</span></li> <li class="stepexpand"><span>Type <var class="varname">iseries123</var> for the password.</span></li> <li class="stepexpand"><span>Type <var class="varname">iseries123</var> again to confirm the password.</span></li> <li class="stepexpand"><span>Type <kbd class="userinput">keytab list</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> The <span class="cmdname">keytab list</span> command lists the keytab information on your iSeries server.</div> </li> <li class="stepexpand"><span>Now test the password entered in the keytab to make sure it matches the password used for this service principal on the KDC. Do this with the following command: <kbd class="userinput">kinit -k HTTP/</kbd><var class="varname">iseriesa.myco.com</var> </span> The -k option tells the kinit command not to prompt for a password but to use only the password that is in the keytab. 
If the kinit command fails, it is likely that different passwords were used for the <kbd class="userinput">ktpass</kbd> command on the Windows domain controller and for the keytab command entered in <kbd class="userinput">QSH</kbd>.</li> <li class="stepexpand"><span>Now test the iSeries Kerberos authentication to make sure the keytab password is the same as the password stored in the KDC. Do this with the following command: <kbd class="userinput">kinit -k krbsvr400</kbd><var class="varname">/iseriesa.myco.com</var></span> <div class="note"><span class="notetitle">Note:</span> The Network Authentication Service wizard created this keytab entry.</div> </li> <li class="stepexpand"><span>Type <kbd class="userinput">klist</kbd>.</span> <div class="note"><span class="notetitle">Note:</span> If the kinit command returns without errors, then klist will show your ticket cache.</div> </li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="crthmdirforjohn"><a name="crthmdirforjohn"><!-- --></a><h2 class="topictitle2">Step 5: Create home directory for <var class="varname">John Day</var> on <var class="varname">iSeries A</var> </h2> <div><div class="section"><p>You need to create a directory in the <span class="filepath">/home</span> directory to store your Kerberos credentials cache. To create a home directory, complete the following: </p> </div> <ol><li><span>Start a 5250 session on <var class="varname">iSeries A</var>.</span></li> <li><span>Type <kbd class="userinput">QSH</kbd>.</span></li> <li><span>On a command line, enter: <kbd class="userinput">CRTDIR</kbd><var class="varname"> '/home/user profile'</var> where <var class="varname">user profile</var> is your i5/OS user profile name. For example: <var class="varname">CRTDIR '/home/JOHND'</var>. 
</span></li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="tstntwrkauthsrvconfig"><a name="tstntwrkauthsrvconfig"><!-- --></a><h2 class="topictitle2">Step 6: Test network authentication service configuration on <var class="varname">iSeries A</var></h2> <div><div class="section"><p>Now that you have completed the network authentication service configuration tasks for <var class="varname">iSeries A</var>, you need to test that your configuration. You can do this by requesting a ticket-granting ticket for the HTTP principal name, <var class="varname">HTTP/iseriesa.myco.com</var>.</p> <p>To test the network authentication service configuration, complete these steps:</p> <div class="note"><span class="notetitle">Note:</span> Ensure that you have created a home directory for your i5/OS user profile before performing this procedure.</div> </div> <ol><li><span>On a command line, enter <kbd class="userinput">QSH</kbd> to start the Qshell Interpreter. </span></li> <li><span>Enter <kbd class="userinput">keytab list</kbd> to display a list of principals registered in the keytab file. In this scenario, <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var> displays as the principal name for <var class="varname">iSeries A</var>. </span></li> <li><span>Enter <kbd class="userinput">kinit -k HTTP</kbd><var class="varname">/iseriesa.myco.com@MYCO.COM</var>. If this is successful, then the <span class="cmdname">kinit</span> command is displayed without errors. </span></li> <li><span>Enter <kbd class="userinput">klist</kbd> to verify that the default principal is <var class="varname">HTTP/iseriesa.myco.com@MYCO.COM</var>. 
</span></li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="crteimidforjohnd"><a name="crteimidforjohnd"><!-- --></a><h2 class="topictitle2">Step 7: Create EIM identifier for <var class="varname">John Day</var></h2> <div><div class="section"><p>Now that you have performed the initial steps to create a basic single signon configuration, you can begin to add information to this configuration to complete your single signon test environment. You need to create the EIM identifier that you specified in <a href="#plnwrksht">Step 1: Planning work sheet</a>. In this scenario, this EIM identifier is a name that uniquely identifies <var class="varname">John Day</var> in the enterprise.</p> <p>To create an EIM identifier, follow these steps: </p> </div> <ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li> <li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Enterprise Identity Mapping</span> > <span class="uicontrol">Domain Management</span> > <span class="uicontrol">MyCoEimDomain</span></span></span> <div class="note"><span class="notetitle">Note:</span> If the domain is not listed under Domain Management, you may need to <a href="../rzalv/rzalvadmindomainadd.htm">add the domain</a>. You may be prompted to connect to the domain controller. In that case, the <span class="uicontrol">Connect to EIM Domain Controller</span> dialog is displayed. You must connect to the domain before you can perform actions in it. 
To connect to the domain controller, provide the following information and click <span class="uicontrol">OK</span>:</div> <ul><li><strong>User type</strong>: Distinguished name</li> <li><strong>Distinguished name</strong>: <var class="varname">cn=administrator</var></li> <li><strong>Password</strong>: <var class="varname">mycopwd</var></li> </ul> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.</div> </li> <li class="stepexpand"><span>Right-click <span class="uicontrol">Identifiers</span> and select <span class="uicontrol">New Identifier.... </span></span></li> <li class="stepexpand"><span>On the <span class="uicontrol">New EIM Identifier</span> dialog, enter a name for the new identifier in the <span class="uicontrol">Identifier</span> field, and click <span class="uicontrol">OK</span>. For example, <var class="varname">John Day</var>. </span></li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="crtsrcassctntrgtassctneimid"><a name="crtsrcassctntrgtassctneimid"><!-- --></a><h2 class="topictitle2">Step 8: Create a source association and target association for the new EIM identifier</h2> <div><div class="section"><p>You must create the appropriate associations between the EIM identifier and the user identities that the person represented by the identifier uses. These identifier associations, when properly configured, enable the user to participate in a single signon environment.</p> <p>In this scenario, you need to create two identifier associations for the <var class="varname">John Day</var> identifier:</p> <ul><li>A source association for the <var class="varname">jday</var> Kerberos principal, which is the user identity that <var class="varname">John Day</var>, the person, uses to log in to Windows and the network. 
The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.</li> <li>A target association for the <var class="varname">JOHND</var> i5/OS user profile, which is the user identity that <var class="varname">John Day</var>, the person, uses to log in to iSeries Navigator and other i5/OS applications on <var class="varname">iSeries A</var>. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier. </li> </ul> <p>Now that you have created the <var class="varname">John Day</var> identifier, you need to create both a source association and a target association for it. </p> <p>To create a source association between the Kerberos principal <var class="varname">jday</var> and the <var class="varname">John Day</var> identifier, follow these steps:</p> </div> <ol><li class="stepexpand"><span>Start iSeries Navigator.</span></li> <li class="stepexpand"><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Enterprise Identity Mapping</span> > <span class="uicontrol">Domain Management</span> > <span class="uicontrol">MyCoEimDomain</span> > <span class="uicontrol">Identifiers</span></span></span></li> <li class="stepexpand"><span>Right-click <var class="varname">John Day</var>, and select <span class="uicontrol">Properties</span>. </span></li> <li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>. 
</span></li> <li class="stepexpand"><span>In the <span class="uicontrol">Add Association</span> dialog, specify or click <span class="uicontrol">Browse...</span> to select the following information, and click <span class="uicontrol">OK</span>: </span> <ul><li><strong>Registry</strong>: <var class="varname">MYCO.COM</var></li> <li><strong>User</strong>: <var class="varname">jday</var></li> <li><strong>Association type</strong>: <kbd class="userinput">Source</kbd> </li> </ul> </li> <li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog.</span> <p>To create a target association between the i5/OS user profile and the <var class="varname">John Day</var> identifier, follow these steps: </p> </li> <li class="stepexpand"><span>On the <span class="uicontrol">Associations</span> page, click <span class="uicontrol">Add</span>. </span></li> <li class="stepexpand"><span>On the <span class="uicontrol">Add Association</span> dialog, specify or <span class="uicontrol">Browse...</span> to select the following information, and click <span class="uicontrol">OK</span>: </span> <ul><li><strong>Registry</strong>: <var class="varname">iSeriesA.MYCO.COM</var></li> <li><strong>User</strong>: <var class="varname">JOHND</var><div class="note"><span class="notetitle">Note:</span> The default behavior in V5R2 is to create the Kerberos registry as case sensitive. The <span class="uicontrol">user</span> value entered here must be the same case as the user in Active Directory.</div> </li> <li><strong>Association type</strong>: <kbd class="userinput">Target</kbd> </li> </ul> </li> <li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Add Association</span> dialog. 
</span></li> <li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to close the <span class="uicontrol">Properties</span> dialog.</span></li> </ol> </div> </div> <div class="nested1" xml:lang="en-us" id="cnfgiseriesaccess"><a name="cnfgiseriesaccess"><!-- --></a><h2 class="topictitle2">Step 9: Configure iSeries Access for Windows applications to use Kerberos authentication</h2> <div><div class="section"><p>You must use Kerberos to authenticate before you can use iSeries Navigator to access <var class="varname">iSeries A</var>. Therefore, from your PC, you need to configure iSeries Access for Windows to use Kerberos authentication. Jay Day will use iSeries Access to monitor the status of the iSeries HTTP Server and monitor the other activities on the iSeries.</p> <p>To configure iSeries Access for Windows applications to use Kerberos authentication, complete the following steps:</p> </div> <ol><li><span>Log on to the Windows 2000 domain by logging on to your PC.</span></li> <li><span>In iSeries Navigator on your PC, right-click <var class="varname">iSeries A</var> and select <span class="uicontrol">Properties</span>. </span></li> <li><span>On the <span class="uicontrol">Connection</span> page, select <span class="uicontrol">Use Kerberos principal name, no prompting</span>. This will allow iSeries Access for Windows connections to use the Kerberos principal name and password for authentication. </span></li> <li><span>A message is displayed that indicates you need to close and restart all applications that are currently running for the changes to the connection settings to take effect. Click <span class="uicontrol">OK</span>. Then, end and restart iSeries Navigator. 
</span></li> </ol> </div> <div class="nested2" xml:lang="en-us" id="addtoexistingeim"><a name="addtoexistingeim"><!-- --></a><h3 class="topictitle3">Step 10: Add <var class="varname">iSeries A</var> to and existing EIM domain</h3> <div><div class="section"><p>The iSeries server does not require mapping, per the EIM configuration, as it is not a signon-type entity. You do, however, have to add the iSeries server to an existing EIM domain.</p> <div class="note"><span class="notetitle">Note:</span> IF EIM resides on the same iSeries server as the HTTP Server, then skip this step.</div> </div> <ol><li><span>Start iSeries Navigator.</span></li> <li><span>Expand <span class="menucascade"><span class="uicontrol">iSeries A</span> > <span class="uicontrol">Enterprise Identity Mapping</span> > <span class="uicontrol"> Configuration</span></span>.</span></li> <li><span>Click <span class="uicontrol">Configure system for EIM</span>.</span></li> <li><span>Click <span class="uicontrol">Join an existing domain</span>. Click <span class="uicontrol">Next</span>.</span></li> <li><span>Type <var class="varname">iseriesa.myco.com</var> in the <span class="uicontrol">Domain controller name</span> field.</span></li> <li><span>Type <var class="varname">389</var> in the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li> <li><span>Select <span class="uicontrol">Distinguished name and password</span> from the <span class="uicontrol">User type</span> field.</span></li> <li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished name</span> field.</span></li> <li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li> <li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field. 
Click <span class="uicontrol">Next</span>.</span></li> <li><span>Select <var class="varname">MyCoEimDomain</var> from the <span class="uicontrol">Domain</span> column. Click <span class="uicontrol">Next</span>.</span></li> <li><span>Select <var class="varname">iseriesa.myco.com</var> for <span class="uicontrol">Local OS/400</span> and <var class="varname">kdc1.myco.com</var> for <span class="uicontrol">Kerberos</span>.</span></li> <li><span>Select <span class="uicontrol">Kerberos user identities are case sensitive</span>. Click <span class="uicontrol">Next</span>.</span></li> <li><span>Select <span class="uicontrol">Distinguished name and password</span> from the <span class="uicontrol">User type</span> list.</span></li> <li><span>Type <var class="varname">cn=administrator</var> in the <span class="uicontrol">Distinguished name</span> field.</span></li> <li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Password</span> field.</span></li> <li><span>Type <var class="varname">mycopwd</var> in the <span class="uicontrol">Confirm password</span> field. Click <span class="uicontrol">Next</span>.</span></li> <li><span>Review the information and click <span class="uicontrol">Finish</span>.</span></li> </ol> </div> </div> </div> <div class="nested1" xml:lang="en-us" id="httpserver"><a name="httpserver"><!-- --></a><h2 class="topictitle2">Step <span>11</span>: Configure HTTP Server for single signon</h2> <div><div class="section"><p>After the basic test environment is working, John Day configures the HTTP Server to participate in the single signon environment. 
Once single signon is enabled, John Day can access the HTTP Server without being prompted for a user ID and password after signing on to the Windows environment.</p> <p>To set up Kerberos for your HTTP Server, complete the following steps:</p> </div> <ol><li class="stepexpand"><span>Start the <span>IBM Web Administration for i5/OS interface</span>.</span></li> <li class="stepexpand"><span>Click the <span class="uicontrol">Manage</span> tab.</span></li> <li class="stepexpand"><span>Click the <span class="uicontrol">HTTP Servers</span> subtab.</span></li> <li class="stepexpand"><span>Select the HTTP Server (powered by Apache) you want to work with from the <span class="uicontrol">Server</span> list.</span></li> <li class="stepexpand"><span>Select the resource from the server area (a directory or a file) you want to work with from the <span class="uicontrol">Server area</span> list.</span></li> <li class="stepexpand"><span>Expand <span class="uicontrol">Server Properties</span>.</span></li> <li class="stepexpand"><span>Click <span class="uicontrol">Security</span>.</span></li> <li class="stepexpand"><span>Click the <span class="uicontrol">Authentication</span> tab.</span></li> <li class="stepexpand"><span>Select <span class="uicontrol">Kerberos</span> under <span class="uicontrol">User authentication method</span>.</span></li> <li class="stepexpand"><span>Select <span class="uicontrol">enable</span> or <span class="uicontrol">disable</span> to control whether the source user identity (user ID) associated with the server ticket is matched with an iSeries system profile defined in a target association.</span> If enabled when Kerberos is specified for the AuthType directive, the server will use EIM to attempt to match the user ID associated with the server ticket with an iSeries system profile. 
If there is no appropriate target association for an iSeries system profile, the HTTP request will fail.</li> <li class="stepexpand"><span>Click <span class="uicontrol">Apply</span>.</span></li> </ol> <div class="section"><p>Restart the HTTP Server (powered by Apache) instance to use your new Kerberos settings.</p> </div> <div class="example"><p>Your configuration file will now include new directives for the Kerberos options you selected.</p> <div class="note"><span class="notetitle">Note:</span> These examples are used as reference only. Your configuration file may differ from what is shown.</div> <p>Processing requests using client's authority is <span class="uicontrol">Disabled</span>:</p> <pre>&lt;Directory /&gt;
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
AuthType Kerberos
&lt;/Directory&gt;</pre> <p>Processing requests using client's authority is <span class="uicontrol">Enabled</span>:</p> <pre>&lt;Directory /&gt;
Order Deny,Allow
Deny From all
Require valid-user
PasswdFile %%KERBEROS%%
UserID %%CLIENT%%
AuthType Kerberos
&lt;/Directory&gt;</pre> <div class="note"><span class="notetitle">Note:</span> If your Directory or File server area does not contain any control access restrictions, perform the following steps:<ol><li>Start the <span>IBM Web Administration for i5/OS interface</span>.</li> <li>Click the <span class="uicontrol">Manage</span> tab.</li> <li>Click the <span class="uicontrol">HTTP Servers</span> subtab.</li> <li>Select your HTTP Server (powered by Apache) from the <span class="uicontrol">Server</span> list.</li> <li>Select the server area you want to work with from the <span class="uicontrol">Server area</span> list.</li> <li>Expand <span class="uicontrol">Server Properties</span>.</li> <li>Click <span class="uicontrol">Security</span>.</li> <li>Click the <span class="uicontrol">Control Access</span> tab.</li> <li>Select <span class="uicontrol">Deny then allow</span> from the <span class="uicontrol">Order for evaluating access</span> list.</li> 
<li>Select <span class="uicontrol">Deny access to all, except the following</span>.</li> <li>Click <span class="uicontrol">Add</span> under the <span class="uicontrol">Specific allowed client hosts</span> table.</li> <li>Type <var class="varname">*.jkl.com</var> under the <span class="uicontrol">Domain name or IP address</span> column to allow clients in the JKL domain to access the resource.<div class="note"><span class="notetitle">Note:</span> Type the domain name or IP address that matches the clients that should reach this resource. If the entry does not match them, no client is allowed access to the resource, even with a valid Kerberos ticket. Matching on a domain name requires the server to resolve each client address back to a host name; if reverse DNS is not reliable in your network, use an IP address or subnet instead.</div> </li> <li>Click <span class="uicontrol">Continue</span>.</li> <li>Click <span class="uicontrol">OK</span>.</li> </ol> </div> </div> </div> <div class="nested2" xml:lang="en-us" id="post"><a name="post"><!-- --></a><h3 class="topictitle3">Step <span>12</span>: (Optional) Post configuration considerations </h3> <div><div class="section"><p>Now that you have finished this scenario, the only EIM user you have defined is the Distinguished Name (DN) of the LDAP administrator. The LDAP administrator DN that you specified as the system user on <var class="varname">iSeries A</var> has a high level of authority over all data on the directory server, far more than EIM lookups require. Consider creating one or more additional DNs with more appropriate and limited access control for EIM data. How many additional EIM users you define depends on how strongly your security policy separates security duties and responsibilities. Typically, you create at least the following two types of DNs:</p> <ul><li>A user that has EIM administrator access control<p>This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. Use it to connect to the domain controller when managing all aspects of the EIM domain through iSeries Navigator. 
</p> </li> <li>At least one user that has all of the following access controls:<ul><li>Identifier administrator</li> <li>Registry administrator</li> <li>EIM mapping operations </li> </ul> <p>This user provides the access control that the system user needs to perform EIM operations on behalf of the operating system, without the LDAP administrator's authority over the entire directory. </p> </li> </ul> <div class="note"><span class="notetitle">Note:</span> To use the new DN as the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for the system user on each system.</div> <p>To use Microsoft Internet Explorer to access a Kerberos-protected resource, the Integrated Windows Authentication option must be enabled. In Internet Explorer, go to <span class="uicontrol">Tools > Internet options > Advanced</span> tab and select <span class="uicontrol">Enable Integrated Windows Authentication</span>. Internet Explorer sends Kerberos credentials automatically only to servers in the Local intranet zone (or another zone configured for automatic logon), and it requests a service ticket for the host name typed in the URL, so address the server by the fully qualified host name that matches its service principal.</p> </div> </div> </div> </div> </body> </html>
