279 lines
14 KiB
HTML
279 lines
14 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Complete the planning work sheets" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhscenpase.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_configurekerberosserver.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzakhpascesenario_planningworksheets" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Complete the planning work sheets </title>
|
|
</head>
|
|
<body id="rzakhpascesenario_planningworksheets"><a name="rzakhpascesenario_planningworksheets"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Complete the planning work sheets </h1>
|
|
<div>
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Prerequisite planning work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e18">Questions</th>
|
|
<th valign="top" width="25%" id="d0e20">Answers </th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e18 ">Is your i5/OS™ V5R3 or later (5722-SS1)?</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Are the following options and licensed products installed
|
|
on iSeries™ A:<ul><li>i5/OS Host
|
|
Servers (5722-SS1 Option 12)</li>
|
|
<li>i5/OS PASE
|
|
(5722-SS1 Option 33)</li>
|
|
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
|
|
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
|
|
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
|
|
<li> iSeries Access
|
|
for Windows<sup>®</sup> (5722-XE1)</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed Windows 2000 or Windows XP
|
|
on all of your PCs?</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed Windows 2000 Support Tools (which provides
|
|
the <span class="cmdname">ksetup</span> command) on all of your PCs?</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Is iSeries Access for Windows (5722-XE1) installed on the
|
|
administrator's PC?</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed iSeries Navigator on the administrator's
|
|
PC?<ul><li>Is the Security subcomponent of iSeries Navigator installed on the administrator's
|
|
PC?</li>
|
|
<li>Is the Network subcomponent of iSeries Navigator installed on the administrator's
|
|
PC?</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="25%" headers="d0e20 "><p>Yes<br />
|
|
Yes<br />
|
|
Yes</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed the latest iSeries Access for Windows service
|
|
pack? See <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access</a><img src="www.gif" alt="link outside the Information Center" /> for the
|
|
latest service pack.</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Do you have *SECADM, *ALLOBJ, and *IOSYSCFG
|
|
special authorities? You must have these special authorities to use the Network
|
|
Authentication Service wizard for this scenario.</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e18 ">Do you have your DNS configured and the correct host
|
|
names for your iSeries and
|
|
Kerberos server?</td>
|
|
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">On which operating system do you want to
|
|
configure the Kerberos server?<ol><li>Windows 2000
|
|
Server</li>
|
|
<li>Windows Server
|
|
2003</li>
|
|
<li>AIX<sup>®</sup> Server</li>
|
|
<li>i5/OS PASE
|
|
(V5R3 or later)</li>
|
|
<li>zSeries<sup>®</sup></li>
|
|
</ol>
|
|
</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e20 ">i5/OS PASE</td>
|
|
</tr>
|
|
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Have you applied the latest program temporary
|
|
fixes (PTFs)?</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Is the iSeries system time within five minutes
|
|
of the Kerberos server's system time? If not see <a href="rzakhsync.htm">Synchronize
|
|
system times</a>.</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<div class="p">For this scenario, you must specify a number of different passwords. The
|
|
following planning worksheet provides a list of the passwords you need to
|
|
use for this scenario. Refer to this table as you perform the configuration
|
|
steps for setting up the Kerberos server in i5/OS PASE.<div class="note"><span class="notetitle">Note:</span> Any and all passwords
|
|
specified in this scenario are for example purposes only. To prevent a compromise
|
|
to your system or network security, you should never use these passwords as
|
|
part of your own configuration.</div>
|
|
</div>
|
|
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Password planning work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e203">Entity</th>
|
|
<th valign="top" width="25%" id="d0e205">Password </th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e203 ">i5/OS PASE administrator: admin/admin<div class="note"><span class="notetitle">Note:</span> i5/OS PASE
|
|
specifies <tt>admin/admin</tt> as the default user name for the administrator.</div>
|
|
</td>
|
|
<td align="left" valign="top" width="25%" headers="d0e205 ">secret</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e203 ">i5/OS PASE Database Master</td>
|
|
<td valign="top" width="25%" headers="d0e205 ">pasepwd</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e203 ">Windows 2000 workstations:<ul><li>pc1.myco.com (John Day's PC)</li>
|
|
<li>pc2.myco.com (Karen Jones' PC)</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="25%" headers="d0e205 "><p>secret1<br />
|
|
secret2</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e203 ">Kerberos user principals: <ul><li>day@MYCO.COM</li>
|
|
<li>jones@MYCO.COM</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="25%" headers="d0e205 "><p>123day<br />
|
|
123jones</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="75%" headers="d0e203 "><p>i5/OS service principal for iSeries A:<br />
|
|
krbsvr400/iseriesa.myco.com@MYCO.COM</p>
|
|
</td>
|
|
<td valign="top" width="25%" headers="d0e205 ">iseriesa123</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<p>The following planning work sheet illustrates the type of information you
|
|
need before you begin configuring the Kerberos server in i5/OS PASE and
|
|
network authentication service. All answers on the prerequisite work sheet
|
|
and password planning work sheet should be answered before you proceed with
|
|
configuring the Kerberos server in i5/OS PASE. </p>
|
|
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 3. Planning work sheet for configuring
|
|
a Kerberos server in i5/OS PASE and configuring network authentication service</caption><thead align="left"><tr><th align="left" valign="top" width="53.191489361702125%" id="d0e281">Questions</th>
|
|
<th align="left" valign="top" width="46.808510638297875%" id="d0e283">Answers</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td align="left" valign="top" width="53.191489361702125%" headers="d0e281 ">What is the name of the Kerberos default
|
|
realm?</td>
|
|
<td align="left" valign="top" width="46.808510638297875%" headers="d0e283 ">MYCO.COM</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Is this default realm located on Microsoft<sup>®</sup> Active
|
|
Directory?</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">No</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the Kerberos server, also known as a key distribution
|
|
center (KDC), for this Kerberos default realm? What is the port on which the
|
|
Kerberos server listens?</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p><strong>KDC:</strong> kdc1.myco.com<br />
|
|
<strong>Port:</strong> 88 </p>
|
|
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Do you want to configure a password server for this
|
|
default realm? </td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">No <div class="note"><span class="notetitle">Note:</span> Currently password servers are not supported
|
|
by i5/OS PASE
|
|
or AIX.</div>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos
|
|
Authentication</li>
|
|
<li>LDAP</li>
|
|
<li>iSeries IBM<sup>®</sup> HTTP
|
|
Server</li>
|
|
<li>iSeries NetServer™</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">i5/OS Kerberos Authentication</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Do you want to create a batch file to automate adding
|
|
the service principals to Microsoft Active Directory?</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">Not applicable</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the default user name for the i5/OS PASE administrator? <p>What
|
|
is the password you want to specify for the i5/OS PASE administrator?</p>
|
|
<div class="note"><span class="notetitle">Note:</span> Any
|
|
and all passwords specified in this scenario are for example purposes only.
|
|
To prevent a compromise to your system or network security, you should never
|
|
use these passwords as part of your own configuration.</div>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>User name: admin/admin<br />
|
|
Password: secret</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the naming convention for your principals that
|
|
represent users in your network?</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">Principals that represent users will be lowercase family
|
|
name followed by the uppercase realm name</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the Kerberos user principal names for these
|
|
users:<ul><li>John Day</li>
|
|
<li>Karen Jones</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>day@MYCO.COM<br />
|
|
jones@MYCO.COM</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the i5/OS user profile names for these users:<ul><li>John Day</li>
|
|
<li>Karen Jones</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>JOHND<br />
|
|
KARENJ</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the Windows 2000 user names for these users:<ul><li>John Day</li>
|
|
<li>Karen Jones</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>johnday<br />
|
|
karenjones</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the host names for these Windows 2000
|
|
workstations:<ul><li>John Day's PC</li>
|
|
<li>Karen Jones' PC</li>
|
|
</ul>
|
|
</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>pc1.myco.com<br />
|
|
pc2.myco.com</p>
|
|
</td>
|
|
</tr>
|
|
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the name of the i5/OS service principal for iSeries A?</td>
|
|
<td valign="top" width="46.808510638297875%" headers="d0e283 ">krbsvr400/iseriesa.myco.com@MYCO.COM<div class="note"><span class="notetitle">Note:</span> The name of
|
|
this service principal is for example purposes only. In your configuration,
|
|
specify the host name and domain of your i5/OS system in the name of the service
|
|
principal.</div>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscenpase.htm" title="Understand the goals, objectives, prerequisites, and configuration steps for setting up your Kerberos server.">Scenario: Set up Kerberos server in i5/OS PASE</a></div>
|
|
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhpascesenario_configurekerberosserver.htm">Configure Kerberos server in i5/OS PASE</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |