<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan principal names" />
<meta name="abstract" content="Plan for principal names in your Kerberos network." />
<meta name="description" content="Plan for principal names in your Kerberos network." />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpprin" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan principal names</title>
</head>
<body id="rzakhpprin"><a name="rzakhpprin"><!-- --></a>
<h1 class="topictitle1">Plan principal names</h1>
<div><p>Plan for principal names in your Kerberos network.</p>
|
|
<p>Principals are names of users or services in a Kerberos network. A principal name consists of the user name or service name and the name of the realm to which that user or service belongs. If Mary Jones uses the realm MYCO.COM, her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal name and its associated password to be authenticated by a centralized Kerberos server. All principals are added to the Kerberos server, which maintains a database of all users and services within a realm.</p>
<p>When developing a system for naming principals, assign principal names using a consistent naming convention that will accommodate current and future users. Use the following suggestions to establish a naming convention for your principals:</p>
<div class="p"><ul><li>Use the family name and the initial of the first name</li>
<li>Use the first initial and the full family name</li>
<li>Use the first name plus the last initial</li>
<li>Use application or service names with identifying numbers, such as database1</li>
</ul>
</div>
|
|
<div class="section"><h4 class="sectiontitle">i5/OS™ principal names</h4><div class="p">When you configure network authentication service on iSeries™ systems, the principal names can optionally be created. Each of these principals represents a service located on the iSeries server. During configuration of network authentication service, a key table entry is created on the iSeries system for each of the service principals that you choose to create. This key table entry stores the service principal name and the encrypted password that you specified during configuration. Note that all i5/OS service principals must be added to the Kerberos server after network authentication service is configured. The method of adding the i5/OS principal to the Kerberos server varies based on the Kerberos server that you have configured in your enterprise. For instructions on how to add the i5/OS principal name to either a Windows<sup>®</sup> 2000 domain or a Kerberos server in i5/OS PASE, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>. The following information describes each of the i5/OS service principals that are created during network authentication service configuration:<dl><dt class="dlterm">i5/OS Kerberos Authentication</dt>
<dd>When you choose to create a keytab entry for i5/OS Kerberos Authentication, the service principal is generated in the keytab file in one of these formats: <strong>krbsvr400/iSeries fully qualified domain name@REALM NAME</strong> or <strong>krbsvr400/iSeries host name@REALM NAME</strong>. For example, a valid service principal for i5/OS Kerberos Authentication might be krbsvr400/iseriesa.myco.com@MYCO.COM or krbsvr400/iseriesa@MYCO.COM. i5/OS generates the principal based on the host name that it finds on either the DNS server or on the iSeries server, depending on how the iSeries is configured to resolve host names. <p>The service principal is used for several i5/OS interfaces, such as QFileSrv.400, Telnet, Distributed Relational Database Architecture™ (DRDA<sup>®</sup>), iSeries NetServer™, and IBM<sup>®</sup> <img src="eserver.gif" alt="e(logo) server" /> iSeries Access for Windows, including iSeries Navigator. Each of these applications may require additional configuration to enable Kerberos authentication.</p>
</dd>
|
|
<dt class="dlterm">LDAP</dt>
<dd>In addition to the i5/OS service principal name, you can optionally configure additional service principals for IBM Directory Server for iSeries (LDAP) during network authentication service configuration. The LDAP principal name is <strong>ldap/iSeries fully qualified domain name@REALM NAME</strong>. For example, a valid LDAP principal name might be ldap/iseriesa.myco.com@MYCO.COM. This principal name identifies the directory server located on that iSeries system. <div class="note"><span class="notetitle">Note:</span> In past releases, the network authentication service wizard created an uppercase keytab entry for the LDAP service. If you configured the LDAP principal previously, then when you reconfigure network authentication service or access the wizard through the Enterprise Identity Mapping (EIM) interface, you will be prompted to change this principal name to its lowercase version.</div>
<div class="p">If you plan to use Kerberos authentication with the directory server, you will need not only to configure network authentication service, but also to change properties for the directory server so that it accepts Kerberos authentication. When Kerberos authentication is used, the directory server associates the server distinguished name (DN) with the Kerberos principal name. You can choose to have the server DN associated with one of the following methods:<ul><li>The server can create a DN based on the Kerberos principal name. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.</li>
<li>The server can search the directory for a distinguished name (DN) that contains an entry for the Kerberos principal and realm. When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.</li>
</ul>
</div>
<p>See <a href="../rzahy/rzahyrzahywelpo.htm">IBM Directory Server for iSeries (LDAP)</a> for details on configuring Kerberos authentication for the directory server.</p>
</dd>
|
|
<dt class="dlterm">HTTP Server powered by Apache</dt>
<dd>In addition to the i5/OS service principal name, you can optionally configure additional service principals for HTTP Server powered by Apache (HTTP) during network authentication service configuration. The HTTP principal name is <strong>HTTP/iSeries fully qualified domain name@REALM NAME</strong>. This principal name identifies the HTTP server instances on the iSeries that will use Kerberos to authenticate web users. To use Kerberos authentication with an HTTP server instance, you will also need to complete additional configuration steps that pertain to the HTTP server.<p>See the <a href="http://www-1.ibm.com/servers/eserver/iseries/software/http/docs/doc.htm" target="_blank">HTTP Server: documentation</a> home page to find information about using Kerberos authentication with the HTTP server.</p>
</dd>
|
|
<dt class="dlterm">iSeries NetServer</dt>
<dd>For iSeries NetServer, you can also choose to create several NetServer principals that are automatically added to the keytab file on the iSeries. Together, these NetServer principals represent all the potential clients that you might use to connect to iSeries NetServer. The following table shows the iSeries NetServer principal names and the clients they represent:
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="90%" frame="border" border="1" rules="all"><caption>Table 1. iSeries NetServer principal names</caption><thead align="left"><tr><th valign="top" id="d0e231">Client connection</th>
<th valign="top" id="d0e233">iSeries NetServer principal name</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e231 ">Windows XP</td>
<td valign="top" headers="d0e233 "><p>cifs/iSeries fully qualified domain name<br />
cifs/iSeries host name<br />
cifs/QiSeries host name<br />
cifs/qiSeries host name<br />
cifs/IP address</p>
</td>
</tr>
<tr><td valign="top" headers="d0e231 ">Windows 2000</td>
<td valign="top" headers="d0e233 "><p>HOST/iSeries fully qualified domain name<br />
HOST/iSeries host name<br />
HOST/QiSeries host name<br />
HOST/qiSeries host name<br />
HOST/IP address</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>See <a href="../rzahl/rzahlusergoal.htm">iSeries NetServer</a> for more information about using Kerberos authentication with this application.</p>
</dd>
</dl>
</div>
|
|
<div class="p"><strong>Example planning work sheet</strong>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Example principal planning work sheet</caption><thead align="left"><tr><th valign="top" id="d0e277">Questions</th>
<th valign="top" id="d0e279">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e277 ">What is the naming convention that you plan to use for Kerberos principals that represent users in your network?</td>
<td valign="top" headers="d0e279 "><p>First initial followed by the first five letters of the family name, in lowercase. Example: mjones</p>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">What is the naming convention for applications on your network?</td>
<td valign="top" headers="d0e279 "><p>Descriptive name followed by a number. Example: database123</p>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">For which i5/OS services do you plan to use Kerberos authentication?</td>
<td valign="top" headers="d0e279 "><ol><li>i5/OS Kerberos Authentication for the following services: iSeries Access for Windows, iSeries Navigator, NetServer, and Telnet.</li>
<li>HTTP Server powered by Apache</li>
<li>LDAP</li>
</ol>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">What are the i5/OS principal names for each of these i5/OS services?</td>
<td valign="top" headers="d0e279 "><ol><li>krbsvr400/iseriesa.myco.com@MYCO.COM</li>
<li>HTTP/iseriesa.myco.com@MYCO.COM</li>
<li>ldap/iseriesa.myco.com@MYCO.COM</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
</div>
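<p>The service principal formats described in the i5/OS principal names section and the user naming convention from the work sheet above, as an added Python example (not IBM's code and not part of this topic): it builds the i5/OS service principals for a host, derives a user principal by the work sheet's rule, and flags keytab entries that break the conventions noted above (the legacy uppercase LDAP entry, ldap/ and HTTP/ principals without a fully qualified domain name). The host iseriesa.myco.com and realm MYCO.COM come from the page; the IP address 10.1.1.1 is a constructed sample value, and reading "QiSeries host name" as the host name prefixed with Q is an assumption.</p>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Kerberos principal syntax used on this page: primary[/instance]@REALM
_PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None for user principals such as jonesm@MYCO.COM
    realm: str

def parse_principal(name: str) -> Principal:
    """Split 'krbsvr400/iseriesa.myco.com@MYCO.COM' into primary, instance and realm."""
    m = _PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError(f"not a Kerberos principal name: {name!r}")
    return Principal(**m.groupdict())

def user_principal(first: str, family: str, realm: str) -> str:
    """Work sheet convention: first initial + first five letters of the family name, lowercase."""
    return f"{(first[0] + family[:5]).lower()}@{realm}"

def i5os_service_principals(fqdn: str, realm: str, ip: str = "") -> dict:
    """Service principals this page says NAS configuration can write to the keytab.
    'QiSeries host name' is read here as the host name prefixed with Q (assumption)."""
    host = fqdn.split(".")[0]
    names = {
        "krbsvr400": [f"krbsvr400/{fqdn}@{realm}", f"krbsvr400/{host}@{realm}"],
        "ldap": [f"ldap/{fqdn}@{realm}"],
        "HTTP": [f"HTTP/{fqdn}@{realm}"],
    }
    netserver = [fqdn, host, f"Q{host}", f"q{host}"] + ([ip] if ip else [])
    for primary in ("cifs", "HOST"):  # Windows XP clients use cifs/, Windows 2000 clients HOST/
        names[primary] = [f"{primary}/{i}@{realm}" for i in netserver]
    return names

def check_keytab_entry(name: str) -> list:
    """Findings against this page's conventions; an empty list means the entry looks right."""
    p = parse_principal(name)
    findings = []
    if p.realm != p.realm.upper():   # the page writes realm names in uppercase
        findings.append("realm is not uppercase")
    if p.primary.lower() == "ldap" and p.primary != "ldap":   # the Note on legacy LDAP entries
        findings.append("legacy uppercase LDAP entry; the wizard now expects lowercase ldap/")
    if p.primary.lower() in ("ldap", "http") and (not p.instance or "." not in p.instance):
        findings.append(f"{p.primary}/ principal must use the fully qualified domain name")
    return findings
```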
|
|
</div>
</div>
</body>
</html>