Configure and manage a Kerberos server from your iSeries™ system
to provide an integrated runtime environment for AIX® applications.
i5/OS™ supports a Kerberos server in i5/OS Portable Application Solutions Environment (PASE). i5/OS PASE provides an integrated runtime environment for AIX applications. You can configure and manage a Kerberos server from your iSeries system. To configure a Kerberos server in i5/OS PASE, complete the following tasks:
- In a character-based interface, type call QP2TERM at the command prompt. This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.
- At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This command points to the Kerberos scripts that are necessary to run the executable files.
- At the command line, enter config.krb5 -S -d iseriesa.myco.com -r MYCO.COM, where -d is the DNS name of your network and -r is the realm name. (In this example, myco.com is the DNS name and MYCO.COM is the realm name.) This command updates the krb5.config file with the domain name and realm for the Kerberos server, creates the Kerberos database within the integrated file system, and configures the Kerberos server in i5/OS PASE. You will be prompted to add a database Master Password and a password for the admin/admin principal, which is used to administer the Kerberos server.
  Note: For V5R3 and V5R4, only the existing database is supported for storing Kerberos principals. The LDAP directory plug-in is not currently supported.
- Optional: If you want the Kerberos server and the administration server to automatically start during an IPL, you need to perform two additional steps. You must create a job description and add an autostart job entry. To configure i5/OS to automatically start the Kerberos server and administration server during an IPL, follow these steps:
  - Create a job description. At an i5/OS command line, type the following, where xxxxxx is the i5/OS user profile with *ALLOBJ user authority:
    CRTJOBD JOBD(QGPL/KRB5PASE) JOBQ(QSYS/QSYSNOMAX) TEXT('Start KDC and admin server in PASE') USER(xxxxxx) RQSDTA('QSYS/CALL PGM(QSYS/QP2SHELL) PARM(''/usr/krb5/sbin/start.krb5'')') SYNTAX(*NOCHK) INLLIBL(*SYSVAL) ENDSEV(30)
  - Add an autostart job entry. At the command line, type:
    ADDAJE SBSD(QSYS/QSYSWRK) JOB(KRB5PASE) JOBD(QGPL/KRB5PASE)
  Note: As an alternative to starting the servers during an IPL, you can manually start the servers after the IPL by following these steps:
  - In a character-based interface, type call QP2TERM to open the i5/OS PASE interactive shell environment.
  - At the command line, enter /usr/krb5/sbin/start.krb5 to start the servers.
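
A post-configuration check for the realm and domain settings written by the config.krb5 step, added here as an example (it is not IBM's code). The function names check_krb5_conf and sample_conf are hypothetical, and the sample file is constructed for illustration, assuming the standard [libdefaults], [realms] and [domain_realm] layout.

```shell
#!/bin/sh
# check_krb5_conf FILE REALM DOMAIN   (FILE may be "-" for stdin)
# Exit 0 only if REALM is the default realm, has a [realms] entry, and
# DOMAIN (or .DOMAIN) maps to it in [domain_realm]. Realm names are
# compared case-sensitively, so myco.com does not satisfy MYCO.COM.
check_krb5_conf() {
    awk -v realm="$2" -v domain="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # strip comments, trim
        $0 == ""     { next }
        /^\[.*\]$/   { section = $0; next }
        section == "[libdefaults]" && $1 == "default_realm" && $3 == realm { def = 1 }
        section == "[realms]" && $1 == realm && $2 == "=" { rlm = 1 }
        section == "[domain_realm]" && $3 == realm &&
            ($1 == domain || $1 == ("." domain)) { map = 1 }
        END {
            if (!def) print "default_realm is not " realm
            if (!rlm) print "no [realms] entry for " realm
            if (!map) print "no [domain_realm] mapping " domain " -> " realm
            exit !(def && rlm && map)
        }
    ' "$1"
}

# Constructed sample for illustration; not output captured from config.krb5.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = MYCO.COM

[realms]
    MYCO.COM = {
        kdc = iseriesa.myco.com:88
        admin_server = iseriesa.myco.com:749
    }

[domain_realm]
    .myco.com = MYCO.COM   # domain-to-realm mapping
EOF
}

# Stand-alone run against the constructed sample.
sample_conf | check_krb5_conf - MYCO.COM myco.com && echo "krb5 configuration is consistent"
```

On a real system, pass the path of the configuration file that config.krb5 updated in place of the sample.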
What do I do next?
If you are using Windows® 2000 or Windows XP workstations with a Kerberos server that is not configured through Windows 2000 Active Directory (such as a Kerberos server in i5/OS PASE), you must perform several configuration steps on both the Kerberos server and the workstation to ensure that Kerberos authentication works properly.