<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Configure the Management Central servers for single signon" />
<meta name="abstract" content="View this scenario to learn how to configure your Management Central servers to participate in a single signon environment. After administrators complete the scenario for propagating a single signon configuration across multiple systems, they can do the necessary configuration so that their Management Central servers can participate in the single signon environment." />
<meta name="description" content="View this scenario to learn how to configure your Management Central servers to participate in a single signon environment. After administrators complete the scenario for propagating a single signon configuration across multiple systems, they can do the necessary configuration so that their Management Central servers can participate in the single signon environment." />
<meta name="DC.Relation" scheme="URI" content="rzamzscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzverifythatthedomainappears.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateeimidentifiers.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateidentifierassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigurethemanagementcentral.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigurethemanagementcentralserverstouseeim.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzconfigssomgtcentral" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Configure the Management Central servers for single signon</title>
</head>
<body id="rzamzconfigssomgtcentral"><a name="rzamzconfigssomgtcentral"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Configure the Management Central servers for single signon</h1>
<div><p>View this scenario to learn how to configure your Management Central servers to participate in a single signon environment. After administrators complete the scenario for propagating a single signon configuration across multiple systems, they can do the necessary configuration so that their Management Central servers can participate in the single signon environment.</p>
<div class="section" id="rzamzconfigssomgtcentral__situation"><a name="rzamzconfigssomgtcentral__situation"><!-- --></a><h4 class="sectionscenariobar">Situation</h4><p>You are a system administrator for a medium-sized parts manufacturer. You have been using the <span class="keyword">iSeries™ Navigator</span> Management Central server to manage a central server and three endpoint servers for the last three years. Your responsibilities include applying PTFs, creating new users on the network, and other administrative duties. You have always liked having the ability to send and install PTFs to multiple systems from your central server; this saves you time. Your company has just upgraded to V5R4, and its security administrator has implemented a new security policy that requires user passwords to be different on each system in the network. Previously, the Management Central servers required that user profiles and passwords be identical across the network. You have learned that in <span class="keyword">i5/OS™</span> V5R4, if you enable the Management Central servers for single signon, you no longer need matching user profiles and passwords on each endpoint system to use the Management Central server's functions. This limits the need to manage passwords on your <span class="keyword">i5/OS</span> systems.</p>
<p>You completed the <a href="rzamzenablessoos400.htm">Scenario: Enable single signon for i5/OS</a> for one of your new systems, and then you completed the <a href="rzamzsynchconfig.htm#rzamzsynchconfig">Scenario: Propagate network authentication service and EIM across multiple systems</a>. Now you want to configure all of your Management Central servers to participate in this single signon environment.</p>
<div class="p">This scenario has the following advantages:<ul><li>Reduces administration of user profiles on central and endpoint systems.</li>
<li>Reduces administrative password management for users on central and endpoint systems.</li>
<li>Complies with the new company security policy, which mandates that user passwords be unique on each system.</li>
</ul>
</div>
</div>
<div class="section" id="rzamzconfigssomgtcentral__objective"><a name="rzamzconfigssomgtcentral__objective"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><p>You are one of three system administrators who work for your company. You and the other two administrators, Amanda and George, want to create a small single signon environment that decreases your administrative expense and simplifies your access to centrally managed applications and network assets.</p>
<div class="p">The objectives of this scenario are as follows:<ul><li>To comply with your company's new security policy by enabling the <span class="keyword">i5/OS</span> V5R4 Management Central servers for single signon.</li>
<li>To simplify password management by eliminating the need to have the same user profile and password on every endpoint system that is managed by the Management Central server.</li>
<li>To allow all endpoint systems managed by the Management Central server to participate in a single signon environment.</li>
<li>To ensure asset security within the enterprise by mapping users to EIM identifiers instead of using policy associations.</li>
</ul>
</div>
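<p>To show why the last objective matters, here is an added example in Python (it is not part of this IBM scenario and does not use the EIM product API): a simplified model of an EIM mapping lookup in which each administrator's Kerberos principal resolves through one EIM identifier to a user profile per system, whereas a default registry policy association would map any authenticated principal in the realm to one shared profile. The realm, principal and profile names are constructed for this illustration.</p>

```python
# Simplified model of an EIM mapping lookup, constructed for this scenario.
# It is not IBM's EIM API; realm, principal and profile names are made up.
KERBEROS_REALM = "MYCO.COM"  # source registry: the Active Directory Kerberos realm
SYSTEMS = ["ISERIESMC1", "ISERIESA", "ISERIESB", "ISERIESC"]  # target registries

class EimDomain:
    def __init__(self):
        self.source = {}   # (source registry, registry user) -> EIM identifier
        self.target = {}   # (EIM identifier, target registry) -> user profile
        self.policy = {}   # (source registry, target registry) -> shared profile

    def add_identifier(self, identifier, source_reg, source_user, targets):
        """One source association plus one target association per system."""
        self.source[(source_reg, source_user)] = identifier
        for reg, profile in targets.items():
            self.target[(identifier, reg)] = profile

    def add_policy(self, source_reg, target_reg, profile):
        """Default registry policy association: every user of source_reg -> profile."""
        self.policy[(source_reg, target_reg)] = profile

    def lookup(self, source_reg, source_user, target_reg):
        """Mapping lookup: source association -> identifier -> target association.
        A policy association is consulted only when no identifier mapping exists."""
        identifier = self.source.get((source_reg, source_user))
        if identifier is not None:
            profile = self.target.get((identifier, target_reg))
            if profile is not None:
                return profile
        return self.policy.get((source_reg, target_reg))

def build_scenario(with_policy=False):
    dom = EimDomain()
    # Profiles may differ per system; only the Kerberos principal must be shared.
    dom.add_identifier("Amanda", KERBEROS_REALM, "amanda",
                       {s: "AMANDA" for s in SYSTEMS})
    dom.add_identifier("George", KERBEROS_REALM, "george",
                       {"ISERIESMC1": "GEORGE", "ISERIESA": "GSMITH",
                        "ISERIESB": "GEORGE", "ISERIESC": "GEORGE"})
    if with_policy:  # the shortcut that the scenario's objectives avoid
        for s in SYSTEMS:
            dom.add_policy(KERBEROS_REALM, s, "MCUSER")
    return dom

def map_principal(principal, system, with_policy=False):
    """Resolve an authenticated Kerberos principal to the profile Management Central
    would run under on one system; None means no mapping, so access is refused."""
    return build_scenario(with_policy).lookup(KERBEROS_REALM, principal, system)
```

With identifier associations only, a principal that has no association (a new hire, say) gets no profile on any system; with a policy association in place, the same principal is silently mapped to the shared profile on every system.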
</div>
<div class="section" id="rzamzconfigssomgtcentral__details"><a name="rzamzconfigssomgtcentral__details"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The following figure illustrates the network environment for this scenario:</p>
<img src="rzamz503.gif" alt="This figure shows the relationship of the Central system, iSeriesMC1 (also designated as the model system for this scenario), to three Endpoint systems: iSeries A, iSeries B, and iSeries C. Additionally, the PC used by the administrator to manage the network is displayed. " /><div class="p">The figure illustrates the following points relevant to this scenario.<ul><li><strong>Central system iSeriesMC1 (also specified as the model system):</strong><ul><li>Runs <span class="keyword">i5/OS</span> Version 5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers (5722-SS1 Option 12)</li>
<li><span class="keyword">i5/OS</span> Access for Windows<sup>®</sup> (5722-XE1)</li>
</ul>
</li>
<li>Stores, schedules, and runs synchronize settings tasks for each of the endpoint systems.</li>
<li>Configured for network authentication service and EIM.</li>
<li>Selected as the model system from which the network authentication service and EIM configurations are propagated to the target systems.<div class="note"><span class="notetitle">Note:</span> The model system should be configured similarly to the system identified as <span class="keyword">iSeries</span> A in the <a href="rzamzenablesso.htm#rzamzenablesso">Scenario: Create a single signon test environment</a>. Refer to this scenario to ensure that all of the single signon configuration tasks on the model system are completed and verified.</div>
</li>
</ul>
</li>
<li><strong>Endpoint systems <span class="keyword">iSeries</span> A, <span class="keyword">iSeries</span> B, and <span class="keyword">iSeries</span> C:</strong><ul><li>Run <span class="keyword">i5/OS</span> Version 5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers (5722-SS1 Option 12)</li>
<li><span class="keyword">iSeries Access for Windows</span> (5722-XE1)</li>
</ul>
</li>
<li>Configured for network authentication service and EIM.</li>
</ul>
</li>
<li><strong>Administrator's PC:</strong><ul><li>Runs <span class="keyword">iSeries Access for Windows</span> (5722-XE1).</li>
<li>Runs <span class="keyword">iSeries Navigator</span> with the following subcomponents:<ul><li>Network</li>
<li>Security</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Only required for the PC used to administer network authentication service.</div>
</li>
</ul>
</li>
</ul>
</div>
</div>
<div class="section" id="rzamzconfigssomgtcentral__prereq"><a name="rzamzconfigssomgtcentral__prereq"><!-- --></a><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><div class="p">Successful implementation of this scenario requires that the following assumptions and prerequisites are met:<ul><li><strong>Central system iSeriesMC1 (also specified as the model system):</strong><div class="note"><span class="notetitle">Note:</span> This scenario assumes that the central system is properly configured for single signon. Refer to the <a href="rzamzenablesso.htm">Scenario: Create a single signon test environment</a> to ensure that all of the single signon configuration tasks on the central system are completed and verified.</div>
<ul><li>All system requirements, including software and operating system installation, have been verified. To verify that these licensed programs have been installed, complete the following:<ul><li>In <span class="keyword">iSeries Navigator</span>, expand your <span class="uicontrol">iSeries server→Configuration and Service→Software→Installed Products</span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ul>
</li>
<li>All necessary hardware planning and setup is complete.</li>
<li>TCP/IP and basic system security are configured and tested.</li>
<li>Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.<div class="note"><span class="notetitle">Note:</span> When you propagate the network authentication service configuration among servers, sensitive information such as passwords is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your Local Area Network (LAN). See <a href="../rzain/rzainmc.htm">Scenario: Secure all connections to your Management Central server with SSL</a> for details.</div>
</li>
</ul>
</li>
<li><strong>Endpoint systems <span class="keyword">iSeries</span> A, <span class="keyword">iSeries</span> B, and <span class="keyword">iSeries</span> C:</strong><ul><li>All system requirements, including software and operating system installation, have been verified. To verify that these licensed programs have been installed, complete the following:<ul><li>In <span class="keyword">iSeries Navigator</span>, expand your <span class="uicontrol">iSeries server→Configuration and Service→Software→Installed Products</span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ul>
</li>
<li>All necessary hardware planning and setup is complete.</li>
<li>TCP/IP and basic system security are configured and tested.</li>
<li>Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.<div class="note"><span class="notetitle">Note:</span> When you propagate the network authentication service configuration among servers, sensitive information such as passwords is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your Local Area Network (LAN). See <a href="../rzain/rzainmc.htm">Scenario: Secure all connections to your Management Central server with SSL</a> for details.</div>
</li>
</ul>
</li>
<li>You have already configured network authentication service and EIM on your central system and endpoint systems (see <a href="rzamzenablessoos400.htm">Scenario: Enable single signon for i5/OS</a> and <a href="rzamzsynchconfig.htm#rzamzsynchconfig">Scenario: Propagate network authentication service and EIM across multiple systems</a> for information).</li>
<li>You are using Microsoft<sup>®</sup> Windows Active Directory as a Kerberos server.</li>
<li>You have already added <span class="keyword">i5/OS</span> service principal names to the Kerberos server (you perform this task in <a href="rzamzenablessoos400.htm">Scenario: Enable single signon for i5/OS</a>).</li>
<li>You have already tested the network authentication service configuration (you perform this task in <a href="rzamzsynchconfig.htm#rzamzsynchconfig">Scenario: Propagate network authentication service and EIM across multiple systems</a>).</li>
</ul>
</div>
</div>
<div class="section" id="rzamzconfigssomgtcentral__steps"><a name="rzamzconfigssomgtcentral__steps"><!-- --></a><h4 class="sectionscenariobar">Configuration steps</h4><p>To enable single signon for users of the Management Central servers, complete the following tasks:</p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzamzverifythatthedomainappears.htm">Verify that the domain appears in Domain Management</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateeimidentifiers.htm">Create EIM identifiers</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateidentifierassociations.htm">Create identifier associations</a><br />
</li>
<li class="olchildlink"><a href="rzamzconfigurethemanagementcentral.htm">Configure the Management Central servers to use network authentication service</a><br />
</li>
<li class="olchildlink"><a href="rzamzconfigurethemanagementcentralserverstouseeim.htm">Configure the Management Central servers to use EIM</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzscenarios.htm" title="Use this information to review scenarios that illustrate typical single signon implementation situations to help you plan your own certificate implementation as part of your server security policy.">Scenarios</a></div>
</div>
</div>
</body>
</html>