<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Set up Kerberos server in i5/OS PASE" />
<meta name="abstract" content="Understand the goals, objectives, prerequisites, and configuration steps for setting up your Kerberos server." />
<meta name="description" content="Understand the goals, objectives, prerequisites, and configuration steps for setting up your Kerberos server." />
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_planningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_configurekerberosserver.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_changeencryptionvalues.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_stopandrestartkerberos.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_createhostrwindows.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_createuserprincipals.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_addiseries-aprincipal.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_configurewindows2000andXP.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_configureauthenticationservice.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_createahomedirectory.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_testauthenticationservice.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhscenpase" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Set up Kerberos server in i5/OS PASE</title>
</head>
<body id="rzakhscenpase"><a name="rzakhscenpase"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Set up Kerberos server in i5/OS PASE</h1>
<div><p>Understand the goals, objectives, prerequisites, and configuration
steps for setting up your Kerberos server.</p>
<div class="section" id="rzakhscenpase__situation"><a name="rzakhscenpase__situation"><!-- --></a><h4 class="sectionscenariobar">Situation</h4><p>You
are an administrator who manages security for a medium-sized network for
your company. You want to authenticate users from a central server. You have
decided to create a Kerberos server that will authenticate users to resources
across your entire enterprise. You have researched many options for implementing
a Kerberos solution on your network. You know that Windows<sup>®</sup> 2000 server uses Kerberos to
authenticate users to a Windows domain; however, this adds
costs to your small IT budget. Instead of using a Windows 2000 domain to authenticate
users, you have decided to configure a Kerberos server on your iSeries™ server
in the i5/OS™ Portable
Application Solutions Environment (PASE). i5/OS PASE provides an integrated runtime
environment for AIX<sup>®</sup> applications.
You want to use the flexibility of i5/OS PASE to configure your own Kerberos
server. You want the Kerberos server in i5/OS PASE to authenticate the users in your
network who use Windows 2000 and Windows XP workstations.</p>
</div>
<div class="section" id="rzakhscenpase__objectives"><a name="rzakhscenpase__objectives"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><div class="p">In
this scenario, MyCo, Inc. wants to establish a Kerberos server in i5/OS PASE by
completing the following objectives:<ul><li>To configure a Kerberos server in the i5/OS PASE environment</li>
<li>To add network users to the Kerberos server</li>
<li>To configure workstations that run the Windows 2000 operating system to participate
in the Kerberos realm configured in i5/OS PASE</li>
<li>To configure network authentication service on iSeries A</li>
<li>To test authentication in your network</li>
</ul>
</div>
</div>
<div class="section" id="rzakhscenpase__details"><a name="rzakhscenpase__details"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The
following figure illustrates the network environment for this scenario.</p>
<br /><img src="rzakh510.gif" longdesc="rzakh510_desc.htm" alt="Network diagram depicting network authentication service configured with an OS/400 PASE KDC" /><br /><p><strong>iSeries A</strong></p>
<ul><li>Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution
center (KDC), for the network.</li>
<li><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>i5/OS PASE
(5722-SS1 Option 33)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li>Network Authentication Enablement (5722-NAE) if you are running V5R4 or
later</li>
<li>Cryptographic Access Provider (5722-AC3) if you are running V5R3</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
</ul>
<img src="./deltaend.gif" alt="End of change" /></li>
<li>Has the fully qualified host name of iseriesa.myco.com.</li>
</ul>
<p><strong>Client PCs</strong></p>
<ul><li><strong>For all PCs in this scenario: </strong><ul><li>Run Windows 2000 and Windows XP operating systems.</li>
<li>Have Windows 2000
Support Tools (which provides the <span class="cmdname">ksetup</span> command) installed.</li>
</ul>
</li>
<li><strong>For the administrator's PC: </strong><ul><li>Has iSeries Access
for Windows (5722-XE1)
installed.</li>
<li>Has iSeries Navigator
with Security and Network subcomponents installed.</li>
</ul>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the
host name, <strong>iseriesa.myco.com</strong>, are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<div class="section" id="rzakhscenpase__prereq1"><a name="rzakhscenpase__prereq1"><!-- --></a><h4 class="sectionscenariobar">Prerequisites
and assumptions</h4><div class="p">In this scenario, the following assumptions have
been made to focus the tasks on those that involve configuring a Kerberos
server in i5/OS PASE.<ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the required licensed programs have been
installed, complete the following:<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration
and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed
Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP connections have been configured and tested on your network.</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems. For more detailed information about how host name resolution works
with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div>
</li>
</ol>
</div>
</div>
<div class="section" id="rzakhscenpase__steps"><a name="rzakhscenpase__steps"><!-- --></a><h4 class="sectionscenariobar">Configuration
steps</h4><p>To configure a Kerberos server in i5/OS PASE and to configure network authentication
service, complete these steps.</p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhpascesenario_planningworksheets.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_configurekerberosserver.htm">Configure Kerberos server in i5/OS PASE</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_changeencryptionvalues.htm">Change encryption values on i5/OS PASE Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_stopandrestartkerberos.htm">Stop and restart Kerberos server in i5/OS PASE</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_createhostrwindows.htm">Create host principals for Windows 2000 and Windows XP workstations</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_createuserprincipals.htm">Create user principals on the Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_addiseries-aprincipal.htm">Add iSeries A service principal to the Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_configurewindows2000andXP.htm">Configure Windows 2000 and Windows XP workstations</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_configureauthenticationservice.htm">Configure network authentication service</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_createahomedirectory.htm">Create a home directory for users on iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzakhpascesenario_testauthenticationservice.htm">Test network authentication service</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
</div>
</div>
</body>
</html>