ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakh000.htm

109 lines
8.1 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Network authentication service" />
<meta name="abstract" content="Network authentication service allows the iSeries server and several iSeries services, such as iSeries eServer Access for Windows, to use a Kerberos ticket as an optional replacement for a user name and password for authentication." />
<meta name="description" content="Network authentication service allows the iSeries server and several iSeries services, such as iSeries eServer Access for Windows, to use a Kerberos ticket as an optional replacement for a user name and password for authentication." />
<meta name="DC.Relation" scheme="URI" content="rzakhwhatnew.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhprt.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhconcept.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhconfigparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhmanage.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhtrouble.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhnascommands.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhwrelated.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhlegal.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakh000" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Network authentication service</title>
</head>
<body id="rzakh000"><a name="rzakh000"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Network authentication service</h1>
<div><p>Network authentication service allows the iSeries™ server and several iSeries services,
such as iSeries eServer™ Access
for Windows<sup>®</sup>,
to use a Kerberos ticket as an optional replacement for a user name and password
for authentication.</p>
<div class="p">The Kerberos protocol, developed by Massachusetts Institute of Technology,
allows a principal (a user or service) to prove its identity to another service
within an unsecure network. Authentication of principals is completed through
a centralized server called a Kerberos server or key distribution center (KDC). <div class="note"><span class="notetitle">Note:</span> Throughout
this documentation the generic term <span class="q">"Kerberos server"</span> is used.</div>
</div>
<p>A user authenticates with a principal and a password that is stored in
the Kerberos server. Once a principal is authenticated, the Kerberos server
issues a ticket-granting ticket (TGT) to the user. When a user needs access
to an application or service on the network, the Kerberos client application
on the user's PC sends the TGT back to the Kerberos server to obtain a service
ticket for the target service or application. The Kerberos client application
then sends the service ticket to the service or application for authentication.
Once the service or application accepts the ticket a security context is established
and the user's application can then exchange data with a target service. Applications
can authenticate a user and securely forward his or her identity to other
services on the network. Once a user is known, separate functions are needed
to verify the user's authorization to use the network resources.</p>
<p>Network authentication service implements the following specifications:</p>
<ul><li>Kerberos Version 5 protocol Request for Comment (RFC) 1510</li>
<li>Many of the de facto standard Kerberos protocol application programming
interfaces (APIs) prevalent in the industry today</li>
<li>Generic Security Service (GSS) APIs as defined by RFCs 1509, 1964, and
2743</li>
</ul>
<p>i5/OS™ implementation
of network authentication service operates with authentication, delegation,
and data confidentiality services compliant with these RFCs and Microsoft's Windows 2000
Security Service Provider Interface (SSPI) APIs. Microsoft<sup>®</sup> Windows Active Directory uses Kerberos
as its default security mechanism. When users are added to Microsoft Windows Active
Directory, their Windows identification is equivalent to a Kerberos
principal. Network authentication service provides for interoperability with Microsoft Windows Active
Directory and its implementation of the Kerberos protocol.</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzakhwhatnew.htm">What's new for V5R4</a></strong><br />
This topic highlights changes to network authentication service for V5R4.</li>
<li class="ulchildlink"><strong><a href="rzakhprt.htm">Printable PDF</a></strong><br />
Use this to view and print a PDF of this information.</li>
<li class="ulchildlink"><strong><a href="rzakhconcept.htm">Concepts</a></strong><br />
Network authentication service supports Kerberos protocols and Generic Security Service (GSS) APIs that provide user authentication in a network.</li>
<li class="ulchildlink"><strong><a href="rzakhscen.htm">Scenarios</a></strong><br />
Use these scenarios to learn about network authentication service.</li>
<li class="ulchildlink"><strong><a href="rzakhplan.htm">Plan network authentication service</a></strong><br />
Before implementing network authentication service or a Kerberos solution on your network it is essential to complete the necessary planning tasks.</li>
<li class="ulchildlink"><strong><a href="rzakhconfigparent.htm">Configure network authentication service</a></strong><br />
Network authentication service allows the iSeries server to participate in an existing
Kerberos network. As such, network authentication service assumes you have
a Kerberos server configured on a secure system in your network.</li>
<li class="ulchildlink"><strong><a href="rzakhmanage.htm">Manage network authentication service</a></strong><br />
Manage network authentication service by requesting tickets, working with key table files, and administering host name resolution. You can also work with credentials files and back up configuration files.</li>
<li class="ulchildlink"><strong><a href="rzakhtrouble.htm">Troubleshoot</a></strong><br />
This section provides links to troubleshooting information about common problems for network authentication service, Enterprise Identity Mapping (EIM), and IBM-supplied applications that support Kerberos authentication.</li>
<li class="ulchildlink"><strong><a href="rzakhnascommands.htm">Network authentication service commands</a></strong><br />
Use these commands to configure and use network authentication service.</li>
<li class="ulchildlink"><strong><a href="rzakhwrelated.htm">Related information for network authentication service</a></strong><br />
Listed below are several related Information Center topics as well as external web sites that relate to network authentication service.</li>
<li class="ulchildlink"><strong><a href="rzakhlegal.htm">Special terms and conditions</a></strong><br />
This information contains special terms, conditions, and trademarks applicable to network authentication service.</li>
</ul>
</div>
</body>
</html>