
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Test authentication on the endpoint systems" />
<meta name="DC.Relation" scheme="URI" content="rzakhscenmc2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_repeatsteps4through6.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhkerberosscenario_testauthenticationon" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Test authentication on the endpoint systems</title>
</head>
<body id="rzakhkerberosscenario_testauthenticationon"><a name="rzakhkerberosscenario_testauthenticationon"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Test authentication on the endpoint systems</h1>
<div><div class="section">Once the servers have been restarted, the systems use Kerberos
for authentication and the trusted group for authorization. Before a system
accepts and carries out a request, it verifies not only that the
requesting system has a valid Kerberos principal, but also that it trusts
that principal, by checking whether the principal is in its trusted group
list. <div class="note"><span class="notetitle">Note:</span> You need to repeat these steps on each of the target systems,
using the following i5/OS™ service principals:<ul><li>krbsvr400/iseriesa.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesb.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesc.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesd.myco.com@MYCO.COM</li>
</ul>
</div>
To verify that Kerberos authentication is working on the endpoint
systems, complete the following tasks:<div class="note"><span class="notetitle">Note:</span> Be sure you have created a home
directory for your i5/OS user profile before performing these tasks.</div>
</div>
<ol><li class="stepexpand"><span>Close any sessions of iSeries™ Navigator.</span></li>
<li class="stepexpand"><span>On a command line, enter <tt>QSH</tt> to start the Qshell Interpreter.</span></li>
<li class="stepexpand"><span>Enter <tt>keytab list</tt> to display a list of principals registered
in the keytab file. You should see results that are similar to this display:</span> <pre class="screen">Principal: krbsvr400/iseriesa.myco.com@MYCO.COM
Key version: 2
Key type: 56-bit DES using key derivation
Entry timestamp: 200X/05/29-11:02:58 </pre>
</li>
<li class="stepexpand"><span>Enter <tt>kinit -k krbsvr400/iseriesa.myco.com@MYCO.COM</tt> to
request a ticket-granting ticket from the Kerberos server. </span> This
command verifies that your iSeries server has been configured properly and that the
password in the keytab file matches the password stored on the Kerberos server.
If the request is successful, QSH displays the command prompt without errors.</li>
<li class="stepexpand"><span>Enter <tt>klist</tt> to verify that the default principal is krbsvr400/iseriesa.myco.com@MYCO.COM. </span> This command displays the contents of a Kerberos credentials cache and
verifies that a valid ticket has been created for the i5/OS service principal and placed within
the credentials cache on the iSeries system.<pre class="screen"> Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM
Server: krbtgt/MYCO.COM@MYCO.COM
Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45
$ </pre>
</li>
</ol>
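<div class="section">The following script is an added example, not part of the original IBM documentation. It applies the checks from steps 3 and 5 to captured <tt>keytab list</tt> and <tt>klist</tt> output: the expected service principal must match exactly, the credentials cache must hold a ticket-granting ticket for the realm, and 56-bit DES keys are flagged for review. The function names and the sample text are constructed for illustration from the values shown on this page.</div>

```shell
#!/bin/sh
# Added example: checks captured `keytab list` and `klist` output for one endpoint.
# Function names and sample text are constructed from the values on this page.
EXPECTED='krbsvr400/iseriesa.myco.com@MYCO.COM'
KEYTAB_SAMPLE='Principal: krbsvr400/iseriesa.myco.com@MYCO.COM
Key version: 2
Key type: 56-bit DES using key derivation
Entry timestamp: 200X/05/29-11:02:58'
KLIST_SAMPLE=' Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
Default principal: krbsvr400/iseriesa.myco.com@MYCO.COM
Server: krbtgt/MYCO.COM@MYCO.COM
Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45'

# Exact whole-field match, so a near-miss such as iseriesa.myc.com is rejected.
keytab_has_principal() {    # args: keytab-text principal
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "Principal:" { if ($2 == p) found = 1 }
    END { exit !found }'
}
# Number of 56-bit DES keys held for the principal (single DES: RFC 6649 deprecates it).
count_des_keys() {          # args: keytab-text principal
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "Principal:" { cur = $2 }
    /^[ \t]*Key type:.*56-bit DES/ { if (cur == p) n++ }
    END { print n + 0 }'
}
klist_default_principal() { # args: klist-text
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Default principal:[[:space:]]*//p'
}
# The cache must hold krbtgt/REALM@REALM for the realm of the principal.
klist_has_tgt() {           # args: klist-text principal
  printf '%s\n' "$1" | awk -v t="krbtgt/${2##*@}@${2##*@}" '
    $1 == "Server:" { if ($2 == t) ok = 1 }
    END { exit !ok }'
}
# Prints one line per failed check or warning; returns 0 only if every check passes.
check_endpoint() {          # args: keytab-text klist-text principal
  rc=0
  keytab_has_principal "$1" "$3" || { echo "FAIL no keytab entry for $3"; rc=1; }
  [ "$(klist_default_principal "$2")" = "$3" ] || { echo "FAIL default principal is not $3"; rc=1; }
  klist_has_tgt "$2" "$3" || { echo "FAIL no ticket-granting ticket in cache"; rc=1; }
  n=$(count_des_keys "$1" "$3")
  [ "$n" -eq 0 ] || echo "WARN $n 56-bit DES key(s) for $3; review encryption types"
  [ "$rc" -ne 0 ] || echo "OK   $3"
  return "$rc"
}
check_endpoint "$KEYTAB_SAMPLE" "$KLIST_SAMPLE" "$EXPECTED"
```

<div class="section">On an endpoint, pass the live command output in place of the samples after the <tt>kinit</tt> step, and change <tt>EXPECTED</tt> to the service principal of the system being tested.</div>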
<div class="section">You have now completed the tasks required to configure your Management
Central server jobs to use Kerberos authentication between endpoint systems.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscenmc2.htm" title="Use the following scenario to become familiar with the prerequisites and objectives for using Kerberos authentication between Management Central servers.">Scenario: Use Kerberos authentication between Management Central servers</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzakhkerberosscenario_repeatsteps4through6.htm">Repeat Steps 4 through 6 for target systems</a></div>
</div>
</div>
</body>
</html>