Understand the goals, objectives, prerequisites, and configuration steps for setting up your Kerberos server.
Situation
You are an administrator who manages security for a medium-sized network for your company. You want to authenticate users from a central server. You have decided to create a Kerberos server that will authenticate users to resources across your entire enterprise. You have researched many options for implementing a Kerberos solution on your network. You know that Windows® 2000 Server uses Kerberos to authenticate users to a Windows domain; however, this adds costs to your small IT budget. Instead of using a Windows 2000 domain to authenticate users, you have decided to configure a Kerberos server on your iSeries™ server in the i5/OS™ Portable Application Solutions Environment (PASE). i5/OS PASE provides an integrated runtime environment for AIX® applications.
You want to use the flexibility of i5/OS PASE to configure your own Kerberos server. You want the Kerberos server in i5/OS PASE to authenticate users in your network, who use Windows 2000 and Windows XP workstations.
Objectives
In this scenario, MyCo, Inc. wants to establish a Kerberos server in i5/OS PASE by completing the following objectives:
- To configure a Kerberos server in the i5/OS PASE environment
- To add network users to the Kerberos server
- To configure workstations that run the Windows 2000 operating system to participate in the Kerberos realm configured in i5/OS PASE
- To configure network authentication service on iSeries A
- To test authentication in your network
Details
The following figure illustrates the network environment for this scenario.
iSeries A
- Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
- Runs i5/OS Version 5 Release 3 (V5R3) or later with the following options and licensed products installed:
  - i5/OS Host Servers (5722-SS1 Option 12)
  - i5/OS PASE (5722-SS1 Option 33)
  - Qshell Interpreter (5722-SS1 Option 30)
  - Network Authentication Enablement (5722-NAE) if you are running V5R4 or later
  - Cryptographic Access Provider (5722-AC3) if you are running V5R3
  - iSeries Access for Windows (5722-XE1)
- Has the fully qualified host name iseriesa.myco.com.
Client PCs
- For all PCs in this scenario:
  - Run Windows 2000 and Windows XP operating systems.
  - Have Windows 2000 Support Tools (which provide the ksetup command) installed.
- For the administrator's PC:
  - iSeries Access for Windows (5722-XE1) installed.
  - iSeries Navigator with the Security and Network subcomponents installed.
Note: The KDC server name, kdc1.myco.com, and the host name, iseriesa.myco.com, are fictitious names used in this scenario.
Prerequisites and assumptions
In this scenario, the following assumptions have been made to focus the tasks on those that involve configuring a Kerberos server in i5/OS PASE.
- All system requirements, including software and operating system installation, have been verified. To verify that the required licensed programs have been installed, complete the following:
  - In iSeries Navigator, expand .
  - Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP connections have been configured and tested on your network.
- A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
Note: The use of host tables with Kerberos authentication may result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
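The environment described above, written out as a Kerberos client configuration (krb5.conf) so the KDC host, the DNS domain, and the realm mapping that the name-resolution note depends on can be seen together. This is an added illustration, not a file from the original scenario; the realm name MYCO.COM is an assumption (the scenario does not name its realm), and the KDC and admin-server ports are the standard Kerberos defaults.

```ini
# Added example: krb5.conf for the MyCo scenario (realm name MYCO.COM is assumed).
[libdefaults]
    # Clients and iSeries A authenticate against this realm by default.
    default_realm = MYCO.COM
    # The scenario uses a single DNS server for host names only; realm and KDC
    # locations are given explicitly here rather than discovered through DNS.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    MYCO.COM = {
        # iSeries A acts as the KDC under the name kdc1.myco.com (port 88 is the
        # standard Kerberos port; 749 is the standard kadmin port).
        kdc = kdc1.myco.com:88
        admin_server = kdc1.myco.com:749
        default_domain = myco.com
    }

[domain_realm]
    # Host names such as iseriesa.myco.com resolve to service principals in
    # MYCO.COM. This mapping relies on consistent DNS host name resolution,
    # which is why the scenario rules out host tables.
    .myco.com = MYCO.COM
    myco.com = MYCO.COM
```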
Configuration steps
To configure a Kerberos server in i5/OS PASE and to configure network authentication service, complete these steps.