131 lines
8.5 KiB
HTML
131 lines
8.5 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Configure" />
|
|
<meta name="abstract" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
|
|
<meta name="description" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzsso.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzamzconfigure" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Configure</title>
|
|
</head>
|
|
<body id="rzamzconfigure"><a name="rzamzconfigure"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Configure</h1>
|
|
<div><p>This information explains how to configure everything you need
|
|
to implement a single signon environment in your enterprise.</p>
|
|
<div class="p"><p>Creating a single signon environment is a matter of appropriately
|
|
configuring Enterprise Identity Mapping (EIM) and a compatible authentication
|
|
method to work together in such a way that the combined configuration provides
|
|
a true single signon environment. In the case of the <span class="keyword">i5/OS™</span> single
|
|
signon solutions, the authentication method is network authentication service
|
|
(Kerberos).</p>
|
|
<p>Because a single signon environment can be complex to configure,
|
|
you may find it useful to create a test environment before you implement single
|
|
signon across your enterprise. The <a href="rzamzenablesso.htm#rzamzenablesso">Scenario: Create a test single signon environment</a> demonstrates
|
|
how to configure such a test environment so that you can learn more about
|
|
the planning needs of implementing single signon as well as gain a better
|
|
understanding of how an single signon environment can work for you.</p>
|
|
<p>After
|
|
you work with a test environment, you can use what you learn to plan how to
|
|
implement single signon on a larger scale in your enterprise. You may find
|
|
it useful to work through the <a href="rzamzenablessoos400.htm">Scenario:
|
|
Enable single signon for i5/OS</a> to learn about the more advanced configuration
|
|
options that you can employ when you implement an single signon environment.</p>
|
|
<p>Once
|
|
you have reviewed these and the other single signon scenarios, you can use
|
|
the <a href="rzamzssoplanworksheet.htm#rzamzssoplanworksheet">Single
|
|
signon planning worksheets</a> to create an informed single signon implementation
|
|
plan that fits the needs of your enterprise. With these planning worksheets
|
|
in hand, you are ready to continue with the configuration process.</p>
|
|
<p>This
|
|
information helps you configure a single signon environment using the network
|
|
authentication service as your authentication method and using EIM to create
|
|
and manage your user profiles and identity mappings. Because single signon
|
|
involves a number of detailed configuration steps, this information describes
|
|
the high-level configuration tasks for single signon and provides links to
|
|
the more detailed configuration information for both EIM and network authentication
|
|
service where appropriate.</p>
|
|
</div>
|
|
<div class="section">Perform these tasks to configure a single signon environment: </div>
|
|
<ol><li class="stepexpand"><span>Create your <span class="keyword">Windows<sup>®</sup> 2000</span> domain</span><ol type="a"><li class="substepexpand"><span>Configure the KDC on the Active Directory (AD) Server.</span> <div class="note"><span class="notetitle">Note:</span> You can choose to create and run your KDC on <span class="keyword">i5/OS</span> PASE
|
|
rather than create a Windows domain and run the KDC on a
|
|
windows server.</div>
|
|
</li>
|
|
<li class="substepexpand"><span>Add <span class="keyword">i5/OS</span> service
|
|
principals to the Kerberos server.</span></li>
|
|
<li class="substepexpand"><span>Create a home directory for each Kerberos user who will participate
|
|
in your single signon environment.</span></li>
|
|
<li class="substepexpand"><span>Verify TCP/IP domain information.</span></li>
|
|
</ol>
|
|
</li>
|
|
<li class="stepexpand"><span>Create an EIM domain by running the both the network authentication
|
|
service wizard and the EIM configuration wizard on a server. </span> When
|
|
you have completed these wizards, you have actually accomplished the following
|
|
tasks:<ol type="a"><li><span>Configured <span class="keyword">i5/OS</span> interfaces
|
|
to accept Kerberos tickets.</span></li>
|
|
<li><span>Configured the Directory server on the <span class="keyword">iSeries™</span> to
|
|
be the EIM domain controller.</span></li>
|
|
<li><span>Created an EIM domain.</span></li>
|
|
<li><span>Configured a user identity for <span class="keyword">i5/OS</span> and <span class="keyword">i5/OS</span> applications to use when conducting
|
|
EIM operations.</span></li>
|
|
<li><span>Added a registry definition to EIM for the local <span class="keyword">i5/OS</span> registry
|
|
and the local Kerberos registry (if Kerberos is configured).</span></li>
|
|
</ol>
|
|
</li>
|
|
<li class="stepexpand"><span>For servers running <span class="keyword">i5/OS</span> V5R3
|
|
or later, see the <a href="rzamzsynchconfig.htm">Scenario: Propagate network
|
|
authentication service and EIM across multiple systems</a> for a detailed
|
|
demonstration on how to use the Synchronize Functions wizard in <span class="keyword">iSeries Navigator</span> to
|
|
propagate a single signon configuration across multiple servers in a mixed <span class="keyword">i5/OS</span> release environment. </span> Administrators can save time by configuring single signon once and propagating
|
|
that configuration to all of their systems instead of configuring each system
|
|
individually.</li>
|
|
<li class="stepexpand"><span><a href="../rzakh/rzakhconfig.htm">Finish
|
|
your configuration for the network authentication service</a></span> Based
|
|
on your single signon implementation plan, create a home directory for users
|
|
on your servers.</li>
|
|
<li class="stepexpand"><span>Based on your implementation plan, customize your EIM environment
|
|
by setting up associations for the user identities in your enterprise. Learn
|
|
how to <a href="../rzalv/rzalvcnfg.htm">customize
|
|
your EIM environment</a> in the <span class="keyword">iSeries Information Center</span></span><ol type="a"><li><span>Configure other servers to participate in the EIM domain.</span></li>
|
|
<li><span>Create EIM identifiers and identifier associations as needed.</span></li>
|
|
<li><span>Add additional registry definitions as needed.</span></li>
|
|
<li><span>Create policy associations as needed.</span></li>
|
|
</ol>
|
|
</li>
|
|
<li class="stepexpand"><span>Test your single signon configuration.</span> <p>To verify
|
|
that you have configured the network authentication service and EIM correctly,
|
|
sign onto the system with a user ID, and then open <span class="keyword">iSeries Navigator</span>.
|
|
If no <span class="keyword">i5/OS</span> signon prompt
|
|
displays, EIM successfully mapped the Kerberos principal to an identifier
|
|
on the domain. </p>
|
|
<div class="note"><span class="notetitle">Note:</span> If you find that your test of your single signon
|
|
configuration fails, there may be a problem with your configuration. You can <a href="rzamztroubleshoot.htm#rzamztroubleshoot">troubleshoot
|
|
single signon</a> and learn how to recognize and fix common problems with
|
|
your single signon configuration.</div>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzsso.htm">Single signon</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |