Configure secondary Kerberos server

Configure a secondary Kerberos server to use as a backup server.

After you have configured the primary Kerberos server in i5/OS™ PASE, you can optionally configure a secondary Kerberos server to use as a backup server in case your primary Kerberos server goes down or is too busy to handle requests.

For example, you currently use iSeries™ A as your Kerberos server. Now you want to configure iSeries B to be your secondary (backup) Kerberos server.

Note: A Kerberos server is also known as a key distribution center (KDC).

The following figure illustrates the iSeries servers described in the following instructions.

Figure: Configure a secondary Kerberos server

Details

To configure iSeries B to be a secondary Kerberos server in i5/OS PASE, follow these steps:

  1. Configure iSeries B as a client.
    1. In a character-based interface on iSeries B, type call QP2TERM. This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.
    2. At the command line, enter:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter:

      config.krb5 -E -d rchland.ibm.com -r MYCO.COM -s lp16b1b.rchland.ibm.com

    4. Enter the administrator password; for example: secret

    The config.krb5 command configures the client, primary server, and secondary server. The -C flag configures the client on iSeries C. The -s flag configures the primary Kerberos server on iSeries A. The -E flag configures the secondary Kerberos server on iSeries B.

  2. Add an i5/OS principal for iSeries A and iSeries B to the Kerberos server on iSeries A.
    1. In a character-based interface on iSeries A, enter call QP2TERM. This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.
    2. At the command line, enter:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter kadmin -p admin/admin.
    4. Sign in with the administrator's password; for example, secret.
    5. At the command line, enter:

      addprinc -randkey -clearpolicy host/iseriesa.myco.com

    6. At the command line, enter:

      addprinc -randkey -clearpolicy host/iseriesb.myco.com

  3. Propagate the master database from the primary Kerberos server to the secondary Kerberos server.
    1. In a character-based interface on iSeries A, enter call QP2TERM. This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.
    2. At the command line, enter:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter:

      /usr/krb5/sbin/config.krb5 -P -r MYCO.COM -d rchland.ibm.com -e rchasrc2.rchland.ibm.com

      Tip: You can cut and paste this command from the message displayed on the primary Kerberos system.

      The -P flag propagates the master database from the primary Kerberos server to the secondary Kerberos server. The -r flag specifies the realm name. The -d flag specifies the name of the DNS domain. The -e flag specifies the host name of the secondary Kerberos server.

  4. On the secondary Kerberos server, verify that the master database has been propagated successfully.
    1. On the secondary Kerberos server, answer Y to the following prompt: Have you successfully run the above command?
    2. Enter the database master password; for example: pasepwd. Entering the password loads the master key on the secondary server.
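As an added check that is not part of these IBM instructions, the script below compares the principal list of the primary KDC (iSeries A) with that of the secondary (iSeries B) after propagation, so a principal that did not arrive (such as the host/ entries added in step 2) is caught before the secondary is relied on as a backup. The two lists are constructed sample output; on a real system they are assumed to come from kadmin.local -q listprincs run in the QP2TERM shell on each server, with /usr/krb5/sbin on PATH.

```shell
#!/bin/sh
# Added example, not part of the IBM page: compare the principals held by the
# primary KDC (iSeries A) with those on the secondary KDC (iSeries B) after -P propagation.
# Assumption: on a real system each list is captured with
#   kadmin.local -q listprincs
# from the QP2TERM shell with /usr/krb5/sbin on PATH. The lists below are
# constructed sample output so that the check runs offline.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

PRIMARY_PRINCS='admin/admin@MYCO.COM
host/iseriesa.myco.com@MYCO.COM
host/iseriesb.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM'

# Constructed: the secondary is missing the host principal for iSeries B.
SECONDARY_PRINCS='admin/admin@MYCO.COM
host/iseriesa.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM'

# missing_principals PRIMARY_LIST SECONDARY_LIST
# Prints, one per line, every principal present on the primary but absent on the secondary.
missing_principals() {
    p=$(mktemp) || return 2
    s=$(mktemp) || { rm -f "$p"; return 2; }
    printf '%s\n' "$1" | sort -u > "$p"
    printf '%s\n' "$2" | sort -u > "$s"
    comm -23 "$p" "$s"
    rm -f "$p" "$s"
}

# propagation_ok PRIMARY_LIST SECONDARY_LIST: exit 0 only when nothing is missing.
propagation_ok() {
    [ -z "$(missing_principals "$1" "$2")" ]
}

# has_principal LIST PRINCIPAL: exit 0 when PRINCIPAL appears in LIST (exact line match).
has_principal() {
    printf '%s\n' "$1" | grep -Fqx "$2"
}

missing=$(missing_principals "$PRIMARY_PRINCS" "$SECONDARY_PRINCS")
if [ -n "$missing" ]; then
    echo "Propagation incomplete; principals missing on the secondary KDC:"
    printf '%s\n' "$missing"
else
    echo "Secondary KDC holds every principal of the primary."
fi
```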