<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure network authentication service" />
<meta name="abstract" content="Configure network authentication service on your systems." />
<meta name="description" content="Configure network authentication service on your systems." />
<meta name="DC.Relation" scheme="URI" content="rzakhconfigparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhdefineiseries.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhhome.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhtestnas.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhconfig" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure network authentication service</title>
</head>
<body id="rzakhconfig"><a name="rzakhconfig"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure network authentication service</h1>
<div><p>Configure network authentication service on your systems.</p>
<div class="p">Before you configure network authentication service, you should perform
the following tasks:<ul><li>Complete all the necessary <a href="rzakhplanwrkshts.htm#rzakhplanwrkshts">planning
work sheets</a>.</li>
<li>Verify that when your PCs and iSeries™ systems perform host name resolution,
they resolve the same host names for your iSeries systems. Refer to <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a> for
this task.</li>
<li>Configure a Kerberos server on a secure system in your network. If you
have configured a Kerberos server in i5/OS™ PASE, ensure that you have completed
all the necessary configuration of the server and client workstations before
configuring network authentication on the iSeries server. See <a href="rzakhconfigpase.htm#rzakhconfigpase">Configure a Kerberos server in i5/OS PASE</a> for
details on configuring a Kerberos server in i5/OS PASE.<p>You can also have a Kerberos
server configured on Microsoft<sup>®</sup> Windows<sup>®</sup> 2000, Windows Server
2003, and z/OS<sup>®</sup>.
See the documentation for the Kerberos configuration
of the system that will be used as a Kerberos server.</p>
<p>It is recommended
that you configure the Kerberos server before configuring network authentication
service on the iSeries. </p>
</li>
</ul>
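<p>The host name resolution prerequisite above can be checked with a short script. The following is an added example, not part of the IBM documentation: it classifies how the name each machine reports for an iSeries system differs from a reference name, treating case differences as mismatches because Kerberos principal names are case-sensitive. The host names, machine labels, and verdict strings are constructed for illustration.</p>

```python
import socket
import sys

def name_seen_here(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve host, then reverse-resolve the address.

    Returns (address, name) as this machine sees them. The resolver functions
    are parameters so the logic can be exercised without a network.
    """
    addr = forward(host)
    name = reverse(addr)[0]
    return addr, name.rstrip(".")

def classify(reference, other):
    """Compare a name reported by one machine with the reference name."""
    if other == reference:
        return "match"
    ref_l, oth_l = reference.lower(), other.lower()
    if ref_l == oth_l:
        # Kerberos principal names are case-sensitive, so this still matters.
        return "case-mismatch"
    same_first_label = ref_l.split(".")[0] == oth_l.split(".")[0]
    if same_first_label and ("." not in ref_l or "." not in oth_l):
        return "short-vs-fqdn"
    return "different-host"

def compare_views(reference_machine, views):
    """views maps a machine label to the name that machine reported.

    Returns {machine: verdict} for every machine except the reference one.
    """
    reference = views[reference_machine]
    return {m: classify(reference, n)
            for m, n in views.items() if m != reference_machine}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Run on each machine that has Python, then collect the names printed.
        print(name_seen_here(sys.argv[1]))
    else:
        # Constructed sample: names reported by the iSeries system and two PCs.
        sample = {"iseries": "systema.example.com",
                  "pc1": "systema.example.com",
                  "pc2": "systema"}
        for machine, verdict in compare_views("iseries", sample).items():
            print(machine, verdict)
```

<p>Any verdict other than <code>match</code> means that machine would build a different service principal name than the one the iSeries system expects, so fix name resolution before running the wizard.</p>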
<p>To configure network authentication service, complete the following
steps:</p>
</div>
<ol><li class="stepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Security</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Network Authentication Service</span> and
select <span class="uicontrol">Configure</span> to start the configuration wizard.</span> <div class="note"><span class="notetitle">Note:</span> After you have configured network authentication service, this
option will be <span class="uicontrol">Reconfigure</span>.</div>
</li>
<li class="stepexpand"><span>Review the <span class="uicontrol">Welcome</span> page for information
about what objects the wizard creates. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify realm information</span> page, enter
the name of the default realm in the <span class="uicontrol">Default realm</span> field.
If you are using Microsoft Active Directory for Kerberos authentication,
select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify KDC information</span> page, enter
the name of the Kerberos server for this realm in the <span class="uicontrol">KDC</span> field
and enter 88 in the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify password information</span> page,
select either <span class="uicontrol">Yes</span> or <span class="uicontrol">No</span> for
setting up a password server. The password server allows principals to change
passwords on the Kerberos server. If you select <span class="uicontrol">Yes</span>,
enter the password server name in the <span class="uicontrol">Password server</span> field.
The password server has the default port of 464. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Select keytab entries</span> page, select
<span class="uicontrol">i5/OS Kerberos Authentication</span>. </span> You can also create
keytab entries for the Directory services (LDAP), iSeries NetServer™,
and iSeries HTTP
server if you want these services to use Kerberos authentication. <div class="note"><span class="notetitle">Note:</span> Some
of these services require additional configuration to use Kerberos authentication.</div>
Click <span class="uicontrol">Next</span>. </li>
<li class="stepexpand"><span>On the <span class="uicontrol">Create i5/OS keytab entry</span> page, enter
and confirm a password. Click <span class="uicontrol">Next</span>. </span> <div class="note"><span class="notetitle">Note:</span> This
is the same password you will use when you add the i5/OS principals to the Kerberos server.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Create batch file</span> page, select <span class="uicontrol">Yes</span> to
create this file.</span> <div class="note"><span class="notetitle">Note:</span> This page only appears if you selected <span class="uicontrol">Microsoft
Active Directory is used for Kerberos authentication</span> in Step 4
(above).</div>
</li>
<li class="stepexpand"><span>In the <span class="uicontrol">Batch file</span> field, update the directory
path. You can click <span class="uicontrol">Browse</span> to locate the appropriate
directory path and you can edit the path in the field.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Include password</span> field, select <span class="uicontrol">Yes</span>. </span> This ensures that all passwords associated with the i5/OS service
principal are included in the batch file. Note that the passwords
are displayed in clear text and can be read by anyone with read access to
the batch file.<div class="note"><span class="notetitle">Note:</span> You can also manually add the service principals that
are generated by the wizard to Microsoft Active Directory. For
instructions on manually adding the i5/OS service principals to Microsoft Active
Directory, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
authentication service configuration details. Click <span class="uicontrol">Finish</span>.</span></li>
</ol>
<div class="section">Network authentication service is now configured.</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhdefineiseries.htm">Add i5/OS principals to the Kerberos server</a><br />
Add the i5/OS principals to a Kerberos server in i5/OS PASE or
a Windows 2000
domain.</li>
<li class="olchildlink"><a href="rzakhhome.htm">Create a home directory</a><br />
Create a home directory for each user that will connect to the i5/OS applications.</li>
<li class="olchildlink"><a href="rzakhtestnas.htm">Test network authentication service configuration</a><br />
Test the network authentication service configuration by requesting
a ticket granting ticket for your i5/OS principal.</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconfigparent.htm" title="Network authentication service allows the iSeries server to participate in an existing Kerberos network. As such, network authentication service assumes you have a Kerberos server configured on a secure system in your network.">Configure network authentication service</a></div>
</div>
</div>
</body>
</html>