Scenario: Use Kerberos authentication between Management Central servers

Use the following scenario to become familiar with the prerequisites and objectives for using Kerberos authentication between Management Central servers.

Situation

You are a network administrator for a medium-sized parts manufacturer. You currently manage four iSeries™ systems using iSeries Navigator on a client PC. You want your Management Central server jobs to use Kerberos authentication instead of other authentication methods you have used in the past, namely password synchronization.

Objectives

In this scenario, the goal for MyCo, Inc. is to use Kerberos authentication among Management Central servers.

Details

The following graphic shows the details for this scenario.


Use Kerberos authentication between endpoint systems
iSeries A - Model system and central system
  • Start of changeRuns i5/OS™ Version 5 Release 3 (V5R3) or later with the following options and licensed products installed:End of change
    • i5/OS Host Servers (5722-SS1 Option 12)
    • iSeries Access for Windows® (5722-XE1)
    • Start of changeNetwork Authentication Enablement (5722-NAE) if you are using V5R4 or laterEnd of change
    • Start of changeCryptographic Access Provider (5722-AC3) if you are running V5R3End of change
  • i5/OS service principal, krbsvr400/iseriesa.myco.com@MYCO.COM, and associated password have been added to the keytab file.
  • Stores, schedules and runs synchronize setting tasks for each of the endpoint systems.
iSeries B - Endpoint system
  • Start of changeRuns i5/OS Version 5 Release 3 (V5R3) or later with the following options and licensed products installed:
    • i5/OS Host Servers (5722-SS1 Option 12)
    • iSeries Access for Windows (5722-XE1)
    • Network Authentication Enablement (5722-NAE) if you are using V5R4 or later
    • Cryptographic Access Provider (5722-AC3) if you are running V5R3
    End of change
  • i5/OS service principal, krbsvr400/iseriesb.myco.com@MYCO.COM, and associated password have been added to the keytab file.
iSeries C - Endpoint system
  • Start of changeRuns i5/OS Version 5 Release 4 (V5R4) with the following options and licensed products installed:End of change
    • i5/OS Host Servers (5722-SS1 Option 12)
    • iSeries Access for Windows (5722-XE1)
    • Start of changeNetwork Authentication Enablement (5722-NAE)End of change
  • i5/OS service principal, krbsvr400/iseriesc.myco.com@MYCO.COM, and associated password have been added to the keytab file.
iSeries D - Endpoint system
  • Start of changeRuns i5/OS Version 5 Release 3 (V5R3) or later with the following options and licensed products installed:End of change
    • i5/OS Host Servers (5722-SS1 Option 12)
    • iSeries Access for Windows (5722-XE1)
    • Start of changeCryptographic Access Provider (5722-AC3)End of change
  • i5/OS service principal, krbsvr400/iseriesd.myco.com@MYCO.COM, and associated password have been added to the keytab file.
Windows 2000 server
  • Operates as the Kerberos server for these systems.
  • The following i5/OS service principals have been added to the Windows 2000 server:
    • krbsvr400/iseriesa.myco.com@MYCO.COM
    • krbsvr400/iseriesb.myco.com@MYCO.COM
    • krbsvr400/iseriesc.myco.com@MYCO.COM
    • krbsvr400/iseriesd.myco.com@MYCO.COM

Client PC

Note: Start of changeThe KDC server name, kdc1.myco.com, and the hostname, iseriesa.myco.com are fictitious names used in this scenario.End of change

Prerequisites and assumptions

  1. All system requirements, including software and operating system installation, have been verified.
    To verify that the licensed programs have been installed, complete the following:
    1. In iSeries Navigator, expand your iSeries server > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on each of these servers.
  4. No one has changed the default settings in iSeries Navigator to stop the Task Status window from opening when a task starts. To verify that the default setting has not been changed, follow these steps:
    1. In iSeries Navigator, right-click your central system and select User Preferences.
    2. On the General page, verify that Automatically open a task status window when one of my tasks starts is selected.
  5. This scenario is based on the assumption that network authentication service has been configured on each system using the Synchronize Functions wizard in iSeries Navigator. This wizard propagates network authentication service configuration from a model system to multiple target systems. See Scenario: Propagate network authentication service configuration across multiple systems for details on how to use the Synchronize Functions wizard.

Configuration steps

To configure Kerberos authentication between Management Central servers, perform these steps.

  1. Complete the planning work sheets
  2. Set central system to use Kerberos authentication
  3. Create MyCo2 system group
  4. Collect system values inventory
  5. Compare and update Kerberos settings in iSeries Navigator
  6. Restart Management Central server on the central system and target systems
  7. Add Kerberos service principal to the trusted group file for each endpoint
  8. Verify the Kerberos principals are added to the trusted group file
  9. Allow trusted connections for the central system
  10. Repeat Steps 4 through 6 for target systems
  11. Test authentication on the endpoint systems
Parent topic: Scenarios