<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure" />
<meta name="abstract" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
<meta name="description" content="This information explains how to configure everything you need to implement a single signon environment in your enterprise." />
<meta name="DC.Relation" scheme="URI" content="rzamzsso.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzconfigure" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure</title>
</head>
<body id="rzamzconfigure"><a name="rzamzconfigure"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure</h1>
<div><p>This information explains how to configure everything you need
to implement a single signon environment in your enterprise.</p>
<div class="p"><p>Creating a single signon environment is a matter of appropriately
configuring Enterprise Identity Mapping (EIM) and a compatible authentication
method to work together in such a way that the combined configuration provides
a true single signon environment. In the case of the <span class="keyword">i5/OS™</span> single
signon solutions, the authentication method is network authentication service
(Kerberos).</p>
<p>Because a single signon environment can be complex to configure,
you may find it useful to create a test environment before you implement single
signon across your enterprise. The <a href="rzamzenablesso.htm#rzamzenablesso">Scenario: Create a test single signon environment</a> demonstrates
how to configure such a test environment so that you can learn more about
the planning needs of implementing single signon as well as gain a better
understanding of how a single signon environment can work for you.</p>
<p>After
you work with a test environment, you can use what you learn to plan how to
implement single signon on a larger scale in your enterprise. You may find
it useful to work through the <a href="rzamzenablessoos400.htm">Scenario:
Enable single signon for i5/OS</a> to learn about the more advanced configuration
options that you can employ when you implement a single signon environment.</p>
<p>Once
you have reviewed these and the other single signon scenarios, you can use
the <a href="rzamzssoplanworksheet.htm#rzamzssoplanworksheet">Single
signon planning worksheets</a> to create an informed single signon implementation
plan that fits the needs of your enterprise. With these planning worksheets
in hand, you are ready to continue with the configuration process.</p>
<p>This
information helps you configure a single signon environment using the network
authentication service as your authentication method and using EIM to create
and manage your user profiles and identity mappings. Because single signon
involves a number of detailed configuration steps, this information describes
the high-level configuration tasks for single signon and provides links to
the more detailed configuration information for both EIM and network authentication
service where appropriate.</p>
</div>
<div class="section">Perform these tasks to configure a single signon environment: </div>
<ol><li class="stepexpand"><span>Create your <span class="keyword">Windows<sup>®</sup> 2000</span> domain</span><ol type="a"><li class="substepexpand"><span>Configure the KDC on the Active Directory (AD) Server.</span> <div class="note"><span class="notetitle">Note:</span> You can choose to create and run your KDC on <span class="keyword">i5/OS</span> PASE
rather than create a Windows domain and run the KDC on a
Windows server.</div>
</li>
<li class="substepexpand"><span>Add <span class="keyword">i5/OS</span> service
principals to the Kerberos server.</span></li>
<li class="substepexpand"><span>Create a home directory for each Kerberos user who will participate
in your single signon environment.</span></li>
<li class="substepexpand"><span>Verify TCP/IP domain information.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Create an EIM domain by running both the network authentication
service wizard and the EIM configuration wizard on a server. </span> When
you have completed these wizards, you have actually accomplished the following
tasks:<ol type="a"><li><span>Configured <span class="keyword">i5/OS</span> interfaces
to accept Kerberos tickets.</span></li>
<li><span>Configured the Directory server on the <span class="keyword">iSeries™</span> to
be the EIM domain controller.</span></li>
<li><span>Created an EIM domain.</span></li>
<li><span>Configured a user identity for <span class="keyword">i5/OS</span> and <span class="keyword">i5/OS</span> applications to use when conducting
EIM operations.</span></li>
<li><span>Added a registry definition to EIM for the local <span class="keyword">i5/OS</span> registry
and the local Kerberos registry (if Kerberos is configured).</span></li>
</ol>
</li>
<li class="stepexpand"><span>For servers running <span class="keyword">i5/OS</span> V5R3
or later, see the <a href="rzamzsynchconfig.htm">Scenario: Propagate network
authentication service and EIM across multiple systems</a> for a detailed
demonstration on how to use the Synchronize Functions wizard in <span class="keyword">iSeries Navigator</span> to
propagate a single signon configuration across multiple servers in a mixed <span class="keyword">i5/OS</span> release environment. </span> Administrators can save time by configuring single signon once and propagating
that configuration to all of their systems instead of configuring each system
individually.</li>
<li class="stepexpand"><span><a href="../rzakh/rzakhconfig.htm">Finish
your configuration for the network authentication service</a>.</span> Based
on your single signon implementation plan, create a home directory for users
on your servers.</li>
<li class="stepexpand"><span>Based on your implementation plan, customize your EIM environment
by setting up associations for the user identities in your enterprise. Learn
how to <a href="../rzalv/rzalvcnfg.htm">customize
your EIM environment</a> in the <span class="keyword">iSeries Information Center</span>.</span><ol type="a"><li><span>Configure other servers to participate in the EIM domain.</span></li>
<li><span>Create EIM identifiers and identifier associations as needed.</span></li>
<li><span>Add additional registry definitions as needed.</span></li>
<li><span>Create policy associations as needed.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Test your single signon configuration.</span> <p>To verify
that you have configured the network authentication service and EIM correctly,
sign on to the system with a user ID, and then open <span class="keyword">iSeries Navigator</span>.
If no <span class="keyword">i5/OS</span> signon prompt
displays, EIM successfully mapped the Kerberos principal to an identifier
on the domain. </p>
<div class="note"><span class="notetitle">Note:</span> If you find that your test of your single signon
configuration fails, there may be a problem with your configuration. You can <a href="rzamztroubleshoot.htm#rzamztroubleshoot">troubleshoot
single signon</a> and learn how to recognize and fix common problems with
your single signon configuration.</div>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzsso.htm">Single signon</a></div>
</div>
</div>
</body>
</html>