Enable Kerberos

Pegasus on iSeries™ supports both Kerberos and Enterprise Identity Mapping (EIM). To enable Kerberos, use the cimconfig command to set the httpAuthType configuration option to Kerberos (this is the default value).

For all IBM® server platforms, the default Kerberos service name is cimom. For i5/OS™, you can also use the service name krbsvr400. See the Network Authentication Service topic for more information about Kerberos on i5/OS. For information about resolving the host name for Kerberos, follow the instructions in the Host name resolution considerations information in the Network Authentication Service topic collection.

For example, one method of creating the CIMOM service principal and making it available to the CIMOM is to enter the following commands:

  1. On the i5/OS system where the KDC is running, add the service principal cimom with the following command:
              addprinc cimom/<host>@<realm>

     You will be prompted for a password for the new principal.

  2. On each i5/OS system where the CIMOM server will run, add the same service principal cimom to the keytab file with the following command:
              keytab add cimom/<host>@<realm>

     You will be prompted for the principal's password. Enter the same password you set in step 1: the key stored in the keytab is derived from it, and a mismatch means the CIMOM cannot decrypt service tickets issued by the KDC.

This example makes the following assumptions:

Note:
  • Refer to the Keytab command information in the Network Authentication Service topic.
  • If Kerberos authentication is enabled, only CIM clients that support Kerberos authentication can connect to the CIM server.
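The two-step procedure above, assembled into one script as an added example (this is not code from the IBM documentation). The script builds the service principal once from the host and realm so that the principal added on the KDC and the one added to the keytab cannot diverge, rejects the two inputs that most often break Kerberos in practice (a short host name instead of the fully qualified one that clients resolve, and a lowercase realm), and adds a verification step after the keytab entry is created. The kadmin administrator principal admin/admin, the use of Qshell, and the cimconfig -p (planned value, applied at the next CIMOM restart) invocation are assumptions for illustration; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not part of the IBM i5/OS documentation.
# Assumes Qshell on i5/OS with kadmin, keytab, kinit and cimconfig on PATH.
# The kadmin principal admin/admin is a placeholder assumption.

# Service name: cimom is the default; krbsvr400 is also accepted on i5/OS.
SERVICE="${SERVICE:-cimom}"

# Build the service principal from a host and realm and validate the parts.
# A non-qualified host name fails because clients request a ticket for the
# FQDN they resolve; a lowercase realm fails because realms are case-sensitive
# and conventionally uppercase, so cimom/host@myco.com never matches MYCO.COM.
cimom_principal() {
    host="$1"
    realm="$2"
    case "$host" in
        *.*) ;;
        *) echo "error: host '$host' is not fully qualified" >&2; return 1 ;;
    esac
    case "$realm" in
        *[a-z]*) echo "error: realm '$realm' must be uppercase" >&2; return 1 ;;
    esac
    printf '%s/%s@%s\n' "$SERVICE" "$host" "$realm"
}

# Emit the complete procedure as text (dry run) for review before running it.
# Step 1 is entered on the KDC system; step 2 and the checks are entered on
# every i5/OS system that hosts the CIMOM. Both steps use the same principal
# string, and the password typed at 'keytab add' must equal the one set at
# 'addprinc', because the keytab key is derived from that password.
cimom_setup_commands() {
    princ=$(cimom_principal "$1" "$2") || return 1
    cat <<EOF
# step 1: on the KDC system, inside 'kadmin -p admin/admin' (assumed admin principal)
addprinc $princ
# step 2: on each CIMOM system, add the principal to the keytab
keytab add $princ
# verify: the entry is present and the keytab key is usable for a ticket
keytab list
kinit -k $princ
# enable Kerberos for the CIM server (planned value, takes effect at restart)
cimconfig -s httpAuthType=Kerberos -p
EOF
}

# Execute the non-comment lines of the dry run on the current system.
# Only the lines appropriate to this system (KDC vs. CIMOM host) should be run;
# the dry run is printed first so the operator can see what will be executed.
cimom_setup_run() {
    cimom_setup_commands "$1" "$2" | grep -v '^#' | while IFS= read -r line; do
        echo "+ $line"
        eval "$line"
    done
}

# Stand-alone use: ./cimom-kerberos.sh <fqdn> <REALM> prints the dry run.
if [ $# -eq 2 ]; then
    cimom_setup_commands "$1" "$2"
fi
```

Because the dry run is plain text, it can be pasted line by line into Qshell on the appropriate system; the kinit -k line is the useful check, since it proves the KDC and the keytab agree on the key before any CIM client tries to authenticate.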

If EIM is not enabled, the Kerberos principal is used directly as the user identity on the system where the CIMOM is running, so the administrator must create matching user identities on every such system. For example, if a customer chooses not to configure and enable EIM, the administrator must be aware that a Kerberos principal john is always mapped to john as the local user identity.