ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhpascesenario_planningworksheets.htm

279 lines
14 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Complete the planning work sheets" />
<meta name="DC.Relation" scheme="URI" content="rzakhscenpase.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpascesenario_configurekerberosserver.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpascesenario_planningworksheets" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Complete the planning work sheets </title>
</head>
<body id="rzakhpascesenario_planningworksheets"><a name="rzakhpascesenario_planningworksheets"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Complete the planning work sheets </h1>
<div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Prerequisite planning work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e18">Questions</th>
<th valign="top" width="25%" id="d0e20">Answers </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e18 ">Is your i5/OS™ V5R3 or later (5722-SS1)?</td>
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Are the following options and licensed products installed
on iSeries™ A:<ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>i5/OS PASE
(5722-SS1 Option 33)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
<li> iSeries Access
for Windows<sup>®</sup> (5722-XE1)</li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed Windows 2000 or Windows XP
on all of your PCs?</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed Windows 2000 Support Tools (which provides
the <span class="cmdname">ksetup</span> command) on all of your PCs?</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Is iSeries Access for Windows (5722-XE1) installed on the
administrator's PC?</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed iSeries Navigator on the administrator's
PC?<ul><li>Is the Security subcomponent of iSeries Navigator installed on the administrator's
PC?</li>
<li>Is the Network subcomponent of iSeries Navigator installed on the administrator's
PC?</li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e20 "><p>Yes<br />
Yes<br />
Yes</p>
</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Have you installed the latest iSeries Access for Windows service
pack? See <a href="http://www-1.ibm.com/servers/eserver/iseries/access/casp.htm" target="_blank">iSeries Access</a><img src="www.gif" alt="link outside the Information Center" /> for the
latest service pack.</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Do you have *SECADM, *ALLOBJ, and *IOSYSCFG
special authorities? You must have these special authorities to use the Network
Authentication Service wizard for this scenario.</td>
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e18 ">Do you have your DNS configured and the correct host
names for your iSeries and
Kerberos server?</td>
<td valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">On which operating system do you want to
configure the Kerberos server?<ol><li>Windows 2000
Server</li>
<li>Windows Server
2003</li>
<li>AIX<sup>®</sup> Server</li>
<li>i5/OS PASE
(V5R3 or later)</li>
<li>zSeries<sup>®</sup></li>
</ol>
</td>
<td align="left" valign="top" width="25%" headers="d0e20 ">i5/OS PASE</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Have you applied the latest program temporary
fixes (PTFs)?</td>
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
<tr><td align="left" valign="top" width="75%" headers="d0e18 ">Is the iSeries system time within five minutes
of the Kerberos server's system time? If not see <a href="rzakhsync.htm">Synchronize
system times</a>.</td>
<td align="left" valign="top" width="25%" headers="d0e20 ">Yes</td>
</tr>
</tbody>
</table>
</div>
<div class="p">For this scenario, you must specify a number of different passwords. The
following planning worksheet provides a list of the passwords you need to
use for this scenario. Refer to this table as you perform the configuration
steps for setting up the Kerberos server in i5/OS PASE.<div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Password planning work sheet</caption><thead align="left"><tr><th valign="top" width="75%" id="d0e203">Entity</th>
<th valign="top" width="25%" id="d0e205">Password </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="75%" headers="d0e203 ">i5/OS PASE administrator: admin/admin<div class="note"><span class="notetitle">Note:</span> i5/OS PASE
specifies <tt>admin/admin</tt> as the default user name for the administrator.</div>
</td>
<td align="left" valign="top" width="25%" headers="d0e205 ">secret</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e203 ">i5/OS PASE Database Master</td>
<td valign="top" width="25%" headers="d0e205 ">pasepwd</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e203 ">Windows 2000 workstations:<ul><li>pc1.myco.com (John Day's PC)</li>
<li>pc2.myco.com (Karen Jones' PC)</li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e205 "><p>secret1<br />
secret2</p>
</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e203 ">Kerberos user principals: <ul><li>day@MYCO.COM</li>
<li>jones@MYCO.COM</li>
</ul>
</td>
<td valign="top" width="25%" headers="d0e205 "><p>123day<br />
123jones</p>
</td>
</tr>
<tr><td valign="top" width="75%" headers="d0e203 "><p>i5/OS service principal for iSeries A:<br />
krbsvr400/iseriesa.myco.com@MYCO.COM</p>
</td>
<td valign="top" width="25%" headers="d0e205 ">iseriesa123</td>
</tr>
</tbody>
</table>
</div>
<p>The following planning work sheet illustrates the type of information you
need before you begin configuring the Kerberos server in i5/OS PASE and
network authentication service. All answers on the prerequisite work sheet
and password planning work sheet should be answered before you proceed with
configuring the Kerberos server in i5/OS PASE. </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 3. Planning work sheet for configuring
a Kerberos server in i5/OS PASE and configuring network authentication service</caption><thead align="left"><tr><th align="left" valign="top" width="53.191489361702125%" id="d0e281">Questions</th>
<th align="left" valign="top" width="46.808510638297875%" id="d0e283">Answers</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="53.191489361702125%" headers="d0e281 ">What is the name of the Kerberos default
realm?</td>
<td align="left" valign="top" width="46.808510638297875%" headers="d0e283 ">MYCO.COM</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Is this default realm located on Microsoft<sup>®</sup> Active
Directory?</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">No</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the Kerberos server, also known as a key distribution
center (KDC), for this Kerberos default realm? What is the port on which the
Kerberos server listens?</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p><strong>KDC:</strong> kdc1.myco.com<br />
<strong>Port:</strong> 88 </p>
<div class="note"><span class="notetitle">Note:</span> This is the default port for the Kerberos server.</div>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Do you want to configure a password server for this
default realm? </td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">No <div class="note"><span class="notetitle">Note:</span> Currently password servers are not supported
by i5/OS PASE
or AIX.</div>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">For which services do you want to create keytab entries?<ul><li>i5/OS Kerberos
Authentication</li>
<li>LDAP</li>
<li>iSeries IBM<sup>®</sup> HTTP
Server</li>
<li>iSeries NetServer™</li>
</ul>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">i5/OS Kerberos Authentication</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">Do you want to create a batch file to automate adding
the service principals to Microsoft Active Directory?</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">Not applicable</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the default user name for the i5/OS PASE administrator? <p>What
is the password you want to specify for the i5/OS PASE administrator?</p>
<div class="note"><span class="notetitle">Note:</span> Any
and all passwords specified in this scenario are for example purposes only.
To prevent a compromise to your system or network security, you should never
use these passwords as part of your own configuration.</div>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>User name: admin/admin<br />
Password: secret</p>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the naming convention for your principals that
represent users in your network?</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">Principals that represent users will be lowercase family
name followed by the uppercase realm name</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the Kerberos user principal names for these
users:<ul><li>John Day</li>
<li>Karen Jones</li>
</ul>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>day@MYCO.COM<br />
jones@MYCO.COM</p>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the i5/OS user profile names for these users:<ul><li>John Day</li>
<li>Karen Jones</li>
</ul>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>JOHND<br />
KARENJ</p>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the Windows 2000 user names for these users:<ul><li>John Day</li>
<li>Karen Jones</li>
</ul>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>johnday<br />
karenjones</p>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What are the host names for these Windows 2000
workstations:<ul><li>John Day's PC</li>
<li>Karen Jones' PC</li>
</ul>
</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 "><p>pc1.myco.com<br />
pc2.myco.com</p>
</td>
</tr>
<tr><td valign="top" width="53.191489361702125%" headers="d0e281 ">What is the name of the i5/OS service principal for iSeries A?</td>
<td valign="top" width="46.808510638297875%" headers="d0e283 ">krbsvr400/iseriesa.myco.com@MYCO.COM<div class="note"><span class="notetitle">Note:</span> The name of
this service principal is for example purposes only. In your configuration,
specify the host name and domain of your i5/OS system in the name of the service
principal.</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscenpase.htm" title="Understand the goals, objectives, prerequisites, and configuration steps for setting up your Kerberos server.">Scenario: Set up Kerberos server in i5/OS PASE</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhpascesenario_configurekerberosserver.htm">Configure Kerberos server in i5/OS PASE</a></div>
</div>
</div>
</body>
</html>