Prerequisite work sheet | Answers |
---|---|
Is your i5/OS™ V5R4 (5722-SS1)? | Yes |
Are the following options and licensed products installed on iSeries™ A and iSeries B? | Yes |
Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment? Note: For this scenario, all of the participating PCs have iSeries Access for Windows (5722-XE1) installed. | Yes |
Is iSeries Navigator installed on the administrator's PC? | Yes |
Have you installed the latest IBM iSeries Access for Windows service pack? For the latest service pack, see the iSeries Access web page. | Yes |
Does the single signon administrator have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? | Yes |
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system. | Yes, Windows 2000 Server |
Are all the PCs in your network configured in a Windows 2000 domain? | Yes |
Have you applied the latest program temporary fixes (PTFs)? | Yes |
Is the iSeries system time within 5 minutes of the system time on the Kerberos server? If not, see Synchronize system times. | Yes |
You need this information to configure EIM and network authentication service on iSeries A
Configuration planning work sheet for iSeries A | Answers |
---|---|
Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard: | |
How do you want to configure EIM for your system? | Create and join a new domain |
Where do you want to configure the EIM domain? | On the local directory server. Note: This will configure the directory server on the same system on which you are currently configuring EIM. |
Do you want to configure network authentication service? Note: You must configure network authentication service to configure single signon. | Yes |
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard. | |
What is the name of the Kerberos default realm to which your iSeries will belong? Note: A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. | MYCO.COM |
Are you using Microsoft Active Directory? | Yes |
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens? | KDC: kdc1.myco.com. Note: This is the default port for the Kerberos server. |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? | Yes. Password server: kdc1.myco.com. Note: This is the default port for the password server. |
For which services do you want to create keytab entries? | i5/OS Kerberos Authentication |
What is the password for your service principal or principals? | iseriesa123. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
Do you want to create a batch file to automate adding the service principals for iSeries A to the Kerberos registry? | Yes |
Do you want to include passwords with the i5/OS service principals in the batch file? | Yes |
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard: | |
Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator. Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it. | Port: 389. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
What is the name of the EIM domain that you want to create? | MyCoEimDomain |
Do you want to specify a parent DN for the EIM domain? | No |
Which user registries do you want to add to the EIM domain? | Local i5/OS--ISERIESA.MYCO.COM. Note: You should not select "Kerberos user identities are case sensitive" when the wizard presents this option. |
Which EIM user do you want iSeries A to use when performing EIM operations? This is the system user. Note: If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password. | User type: Distinguished name. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
You need this information to allow iSeries B to participate in the EIM domain and to configure network authentication service on iSeries B
Configuration planning work sheet for iSeries B | Answers |
---|---|
Use the following information to complete the EIM Configuration wizard for iSeries B: | |
How do you want to configure EIM on your system? | Join an existing domain |
Do you want to configure network authentication service? Note: You must configure network authentication service to configure single signon. | Yes |
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard. Note: You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard. | |
What is the name of the Kerberos default realm to which your iSeries will belong? Note: A Windows 2000 domain is equivalent to a Kerberos realm. Microsoft Active Directory uses Kerberos authentication as its default security mechanism. | MYCO.COM |
Are you using Microsoft Active Directory? | Yes |
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens? | KDC: kdc1.myco.com. Note: This is the default port for the Kerberos server. |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? | Yes. Password server: kdc1.myco.com. Note: This is the default port for the password server. |
For which services do you want to create keytab entries? | i5/OS Kerberos Authentication |
What is the password for your i5/OS service principal(s)? | iseriesb123. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
Do you want to create a batch file to automate adding the service principals for iSeries B to the Kerberos registry? | Yes |
Do you want to include passwords with the i5/OS service principals in the batch file? | Yes |
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard for iSeries B: | |
What is the name of the EIM domain controller for the EIM domain that you want to join? | iseriesa.myco.com |
Do you plan on securing the connection with SSL or TLS? | No |
What is the port on which the EIM domain controller listens? | 389 |
Which user do you want to use to connect to the domain controller? This is the connection user. Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it. | User type: Distinguished name and password. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
What is the name of the EIM domain that you want to join? | MyCoEimDomain |
Do you want to specify a parent DN for the EIM domain? | No |
What is the name of the user registry that you want to add to the EIM domain? | Local i5/OS--ISERIESB.MYCO.COM |
Which EIM user do you want iSeries B to use when performing EIM operations? This is the system user. Note: Earlier in this scenario, you used the EIM Configuration wizard to configure the directory server on iSeries A. In doing so, you created a DN and password for the LDAP administrator. This is currently the only DN defined for the directory server. Therefore, this is the DN and password you must supply here. | User type: Distinguished name and password. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
i5/OS user profile name | Password is specified | Special authority (Privilege class) | System |
---|---|---|---|
SYSUSERA | No | User | iSeries A |
SYSUSERB | No | User | iSeries B |
Identifier name | User registry | User identity | Association type | Identifier description |
---|---|---|---|---|
John Day | MYCO.COM | jday | Source | Kerberos (Windows 2000) login user identity |
John Day | ISERIESA.MYCO.COM | JOHND | Target | i5/OS user profile on iSeries A |
John Day | ISERIESB.MYCO.COM | DAYJO | Target | i5/OS user profile on iSeries B |
Sharon Jones | MYCO.COM | sjones | Source | Kerberos (Windows 2000) login user identity |
Sharon Jones | ISERIESA.MYCO.COM | SHARONJ | Target | i5/OS user profile on iSeries A |
Sharon Jones | ISERIESB.MYCO.COM | JONESSH | Target | i5/OS user profile on iSeries B |
Policy association type | Source user registry | Target user registry | User identity | Description |
---|---|---|---|---|
Default registry | MYCO.COM | ISERIESA.MYCO.COM | SYSUSERA | Maps authenticated Kerberos user to appropriate i5/OS user profile |
Default registry | MYCO.COM | ISERIESB.MYCO.COM | SYSUSERB | Maps authenticated Kerberos user to appropriate i5/OS user profile |
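The identifier associations and the default registry policy associations in the three tables above work together at lookup time: when a Kerberos principal from MYCO.COM reaches iSeries A or iSeries B, EIM first looks for an identifier association that names that user as a Source and returns the Target identity in the requesting system's registry; only when no identifier association applies does the default registry policy map the user to SYSUSERA or SYSUSERB. The following Python model of that lookup is an added example, not IBM code and not part of the scenario; the tables are constructed from this page, the lookup order (identifier associations before policy associations) is standard EIM behaviour, and the case-insensitive comparison for MYCO.COM reflects the worksheet's choice not to select "Kerberos user identities are case sensitive". Treating more than one matching target as an error rather than picking one is this example's own choice.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Registries from the planning work sheets (constructed from this page).
KERBEROS_REGISTRY = "MYCO.COM"
ISERIESA_REGISTRY = "ISERIESA.MYCO.COM"
ISERIESB_REGISTRY = "ISERIESB.MYCO.COM"

# "Kerberos user identities are case sensitive" was NOT selected in the wizard,
# so identities in the Kerberos registry compare case-insensitively.
CASE_INSENSITIVE_REGISTRIES = {KERBEROS_REGISTRY}


@dataclass(frozen=True)
class IdentifierAssociation:
    identifier: str  # EIM identifier, e.g. "John Day"
    registry: str    # user registry the identity lives in
    user: str        # user identity in that registry
    kind: str        # "Source" or "Target"


# Identifier associations, copied from the table on this page.
IDENTIFIER_ASSOCIATIONS = [
    IdentifierAssociation("John Day", KERBEROS_REGISTRY, "jday", "Source"),
    IdentifierAssociation("John Day", ISERIESA_REGISTRY, "JOHND", "Target"),
    IdentifierAssociation("John Day", ISERIESB_REGISTRY, "DAYJO", "Target"),
    IdentifierAssociation("Sharon Jones", KERBEROS_REGISTRY, "sjones", "Source"),
    IdentifierAssociation("Sharon Jones", ISERIESA_REGISTRY, "SHARONJ", "Target"),
    IdentifierAssociation("Sharon Jones", ISERIESB_REGISTRY, "JONESSH", "Target"),
]

# Default registry policy associations: (source registry, target registry) -> target user.
POLICY_ASSOCIATIONS = {
    (KERBEROS_REGISTRY, ISERIESA_REGISTRY): "SYSUSERA",
    (KERBEROS_REGISTRY, ISERIESB_REGISTRY): "SYSUSERB",
}


def _same_identity(registry: str, a: str, b: str) -> bool:
    """Compare two user identities under the registry's case rule."""
    if registry in CASE_INSENSITIVE_REGISTRIES:
        return a.lower() == b.lower()
    return a == b


def eim_lookup(source_registry: str, source_user: str,
               target_registry: str) -> Tuple[Optional[str], str]:
    """Map an authenticated source identity to a target identity.

    Returns (target_user, reason). target_user is None when EIM would
    return no mapping, and the reason says which rule decided.
    """
    # Step 1: identifier associations. Collect every EIM identifier that has
    # a Source association for this identity, then every Target association
    # those identifiers have in the requested target registry.
    identifiers = {
        a.identifier for a in IDENTIFIER_ASSOCIATIONS
        if a.kind == "Source"
        and a.registry == source_registry
        and _same_identity(source_registry, a.user, source_user)
    }
    targets = {
        a.user for a in IDENTIFIER_ASSOCIATIONS
        if a.kind == "Target"
        and a.registry == target_registry
        and a.identifier in identifiers
    }
    if len(targets) == 1:
        return targets.pop(), "identifier association"
    if len(targets) > 1:
        # Two different target profiles for one source identity: refuse rather
        # than guess (this example's choice; review the associations instead).
        return None, "ambiguous identifier associations"

    # Step 2: no identifier association applied, so fall back to the default
    # registry policy association for this source/target registry pair.
    policy_target = POLICY_ASSOCIATIONS.get((source_registry, target_registry))
    if policy_target is not None:
        return policy_target, "default registry policy"
    return None, "no mapping"


if __name__ == "__main__":
    for src_user, target in [("jday", ISERIESA_REGISTRY), ("JDay", ISERIESB_REGISTRY),
                             ("newhire", ISERIESA_REGISTRY)]:
        print(src_user, "->", target, eim_lookup(KERBEROS_REGISTRY, src_user, target))
```

Running the block shows the two paths the tables encode: jday and sjones land on their own profiles on each system, while a MYCO.COM principal with no identifier association, or a case variant such as JDay, is resolved as the worksheet intends (JDay still reaches DAYJO because the registry is not case sensitive, and an unknown principal is mapped to SYSUSERA or SYSUSERB). A principal from a registry that is not in the EIM domain gets no mapping at all.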