ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create a basic single signon configuration for iSeries A" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablesso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcompletetheplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create a basic single signon configuration for iSeries A</title>
</head>
<body id="rzamzcreateabasicsinglesignonconfigurationforiseriesa"><a name="rzamzcreateabasicsinglesignonconfigurationforiseriesa"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create a basic single signon configuration for iSeries A</h1>
<div><div class="section"><p>The EIM Configuration wizard helps you create a basic EIM configuration
and also opens the Network Authentication Service wizard to allow you to create
a basic network authentication service configuration.</p>
<div class="note"><span class="notetitle">Note:</span> Instructions
in this scenario are based on the assumption that the directory server has
not been previously configured on <span class="keyword">iSeries™</span> A.
However, if you already configured the directory server, you can still use
these instructions with only slight differences. These differences are noted
in the appropriate places within the configuration steps.</div>
<p>When you
have finished this step, you will have completed the following tasks:</p>
<ul><li>Created a new EIM domain</li>
<li>Configured the directory server on <span class="keyword">iSeries</span> A
to be the EIM domain controller</li>
<li>Configured network authentication service</li>
<li>Created EIM registry definitions for the <span class="keyword">iSeries</span> A <span class="keyword">i5/OS™</span> registry and the Kerberos
registry in the newly created EIM domain</li>
<li>Configured <span class="keyword">iSeries</span> A to
participate in the EIM domain</li>
</ul>
</div>
<ol><li class="stepexpand"><span>In <span class="keyword">iSeries Navigator</span>, expand <span class="menucascade"><span class="uicontrol">iSeries A</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise
Identity Mapping</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to
start the EIM Configuration wizard.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Create
and join a new domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page,
select <span class="uicontrol">On the local Directory server</span>. Click <span class="uicontrol">Next</span> and
the Network Authentication Service wizard is displayed.</span> <div class="note"><span class="notetitle">Note:</span> The
Network Authentication Service wizard only displays when the system determines
that you need to enter additional information to configure network authentication
service for the single signon implementation.</div>
</li>
<li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span>. </span> <div class="note"><span class="notetitle">Note:</span> This launches the Network
Authentication Service wizard. With this wizard, you can configure several <span class="keyword">i5/OS</span> interfaces and services to
participate in a Kerberos realm.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page,
enter <tt>MYCO.COM</tt> in the <span class="uicontrol">Default realm</span> field
and select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
enter <tt>kdc1.myco.com</tt> in the <span class="uicontrol">KDC</span> field and enter <tt>88</tt> in
the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select <span class="uicontrol">Yes</span>. Enter <tt>kdc1.myco.com</tt> in the <span class="uicontrol">Password
server</span> field and <tt>464</tt> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page,
enter and confirm a password (for example, <tt>iseriesa123</tt>), and click <span class="uicontrol">Next</span>.
This password will be used when <span class="keyword">iSeries</span> A
is added to the Kerberos server. </span> <div class="note"><span class="notetitle">Note:</span> Any and all passwords specified
in this scenario are for example purposes only. To prevent a compromise to
your system or network security, you should never use these passwords as part
of your own configuration. </div>
</li>
<li class="substepexpand"><strong>Optional: </strong><span>On the <span class="uicontrol">Create Batch File</span> page,
select <span class="uicontrol">Yes</span>, specify the following information, and
click <span class="uicontrol">Next</span>:</span> <ul><li><span class="uicontrol">Batch file:</span> Add the text <tt>iseriesa</tt> to the
end of the default batch file name. For example, <tt>C:\Documents and Settings\All
Users\Documents\IBM\Client Access\NASConfigiseriesa.bat</tt>.</li>
<li>Select <span class="uicontrol">Include password</span>. This ensures that all
passwords associated with the <span class="keyword">i5/OS</span> service
principal are included in the batch file. It is important to note that passwords
are displayed in clear text and can be read by anyone with read access to
the batch file. Therefore, it is recommended that you delete the batch file
from the Kerberos server and from your PC immediately after use.<div class="note"><span class="notetitle">Note:</span> If you
do not include the password, you will be prompted for the password when the
batch file is run.</div>
</li>
</ul>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
authentication service configuration details and click <span class="uicontrol">Finish</span> to
complete the Network Authentication Service wizard and return to the EIM Configuration
wizard.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Configure Directory Server</span> page,
enter the following information, and click <span class="uicontrol">Next</span>:</span> <div class="note"><span class="notetitle">Note:</span> If you configured the directory server before you started this
scenario, you will see the <span class="uicontrol">Specify User for Connection</span> page
instead of the <span class="uicontrol">Configure Directory Server</span> page. In
that case, you must specify the distinguished name and password for the LDAP
administrator.</div>
<ul><li><span class="uicontrol">Port</span>: <tt>389</tt></li>
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
<li><span class="uicontrol">Password</span>: <tt>mycopwd</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</li>
</ul>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, enter the name
of the domain (for example, <tt>MyCoEimDomain</tt>) in the <span class="uicontrol">Domain</span> field, and click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> page,
select <span class="uicontrol">No</span>, and click <span class="uicontrol">Next</span>. </span> <div class="note"><span class="notetitle">Note:</span> If
the directory server is active, a message is displayed that indicates you
need to end and restart the directory server for the changes to take effect.
Click <span class="uicontrol">Yes</span> to restart the directory server.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local
i5/OS</span> and <span class="uicontrol">Kerberos</span>, and click <span class="uicontrol">Next</span>.
Write down the registry names. You will need these registry names when you
create associations to EIM identifiers. </span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li>
<li>You can enter a specific registry definition name for the user registry
if you want to use a specific <a href="../rzalv/rzalv_reg_plan.htm">registry definition naming plan</a>. However, for this scenario
you can accept the default values.</li>
</ul>
</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
the user the operating system uses when performing EIM operations on behalf
of operating system functions, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> Because you did not configure the directory server prior to performing
the steps in this scenario, the only distinguished name (DN) that you can
choose is the LDAP administrator's DN.<ul><li><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt></li>
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
<li><span class="uicontrol">Password</span>: <tt>mycopwd</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</li>
</ul>
</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration
information. Click <span class="uicontrol">Finish</span>.</span></li>
</ol>
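<p>As an added pre-flight check, not part of the IBM page or of any i5/OS tool, the following Python script takes the values this procedure types into the two wizards (the default realm, the KDC and password server hosts and ports, the directory server port and administrator DN, and the keytab and LDAP administrator passwords), renders the equivalent <tt>krb5.conf</tt> stanzas for review, and flags the mistakes that most often break the later Kerberos authentication: a realm that is not upper-case, a KDC or password server outside the realm's DNS domain, non-standard ports, a non-DN administrator entry, and reuse of the scenario's example passwords, which the page itself says must never be used. The <tt>NasPlan</tt> type, the function names and the sample plan are this example's own assumptions; the wizard writes the real configuration, so the rendered stanzas are only for checking the answers.</p>

```python
"""Pre-flight check for the network authentication service and directory
server values entered in the iSeries A single signon scenario.

Added example (not IBM's code): validates the planning values before they
are typed into the EIM Configuration and Network Authentication Service
wizards, and renders the equivalent krb5.conf stanzas for review.
"""
from __future__ import annotations

from dataclasses import dataclass

# Passwords the scenario uses for illustration only (taken from the page).
# The page says never to use them in a real configuration, so the check
# refuses them outright.
SCENARIO_EXAMPLE_PASSWORDS = frozenset({"iseriesa123", "mycopwd"})

# Standard ports the scenario enters: Kerberos KDC, kpasswd, and LDAP.
KDC_PORT, KPASSWD_PORT, LDAP_PORT = 88, 464, 389


@dataclass(frozen=True)
class NasPlan:
    """Planning-worksheet values the wizards ask for (hypothetical type)."""
    default_realm: str
    kdc_host: str
    kdc_port: int
    pwd_server_host: str
    pwd_server_port: int
    ldap_port: int
    ldap_admin_dn: str
    keytab_password: str        # Create i5/OS Keytab Entry page
    ldap_admin_password: str    # Configure Directory Server page


def check_plan(plan: NasPlan) -> list[str]:
    """Return the problems found; an empty list means the plan passes."""
    problems: list[str] = []

    # Kerberos realm names are case-sensitive and conventionally upper-case;
    # a realm that does not match the KDC's makes every ticket request fail.
    if plan.default_realm != plan.default_realm.upper():
        problems.append(f"default realm {plan.default_realm!r} is not upper-case")

    # The KDC and password server should live in the DNS domain that maps
    # to the realm (myco.com for MYCO.COM in the scenario).
    realm_domain = plan.default_realm.lower()
    for label, host in (("KDC", plan.kdc_host),
                        ("password server", plan.pwd_server_host)):
        if not host.lower().endswith("." + realm_domain):
            problems.append(f"{label} host {host} is outside DNS domain {realm_domain}")

    if plan.kdc_port != KDC_PORT:
        problems.append(f"KDC port {plan.kdc_port} is not the standard port {KDC_PORT}")
    if plan.pwd_server_port != KPASSWD_PORT:
        problems.append(f"password server port {plan.pwd_server_port} "
                        f"is not the standard port {KPASSWD_PORT}")
    if plan.ldap_port != LDAP_PORT:
        problems.append(f"directory server port {plan.ldap_port} is not the default {LDAP_PORT}")

    # The EIM wizard binds to the directory server as the LDAP administrator
    # by distinguished name, so a bare user name will not work here.
    if not plan.ldap_admin_dn.lower().startswith("cn="):
        problems.append(f"LDAP administrator DN {plan.ldap_admin_dn!r} is not a cn= distinguished name")

    for label, pw in (("keytab password", plan.keytab_password),
                      ("LDAP administrator password", plan.ldap_admin_password)):
        if pw in SCENARIO_EXAMPLE_PASSWORDS:
            problems.append(f"{label} is one of the scenario's example passwords")
        elif len(pw) < 8:
            problems.append(f"{label} is shorter than 8 characters")
    return problems


def render_krb5_conf(plan: NasPlan) -> str:
    """Render the wizard's realm and KDC answers as krb5.conf stanzas."""
    realm = plan.default_realm
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "\n"
        "[realms]\n"
        f"  {realm} = {{\n"
        f"    kdc = {plan.kdc_host}:{plan.kdc_port}\n"
        f"    kpasswd_server = {plan.pwd_server_host}:{plan.pwd_server_port}\n"
        "  }\n"
        "\n"
        "[domain_realm]\n"
        f"  .{realm.lower()} = {realm}\n"
    )


# The values the scenario types into the wizards, including its example
# passwords, so running the check shows the rejection.
SCENARIO_PLAN = NasPlan(
    default_realm="MYCO.COM",
    kdc_host="kdc1.myco.com", kdc_port=88,
    pwd_server_host="kdc1.myco.com", pwd_server_port=464,
    ldap_port=389, ldap_admin_dn="cn=administrator",
    keytab_password="iseriesa123", ldap_admin_password="mycopwd",
)

if __name__ == "__main__":
    for problem in check_plan(SCENARIO_PLAN):
        print("PROBLEM:", problem)
    print(render_krb5_conf(SCENARIO_PLAN))
```

<p>Run against the scenario's own values the check passes everything except the two example passwords, which is the intended result: substitute your own passwords in <tt>SCENARIO_PLAN</tt> and the list comes back empty. The rendered <tt>[realms]</tt> stanza is the same realm, KDC and password server mapping the wizard builds from the Specify Realm Information, Specify KDC Information and Specify Password Server Information pages, written in the standard notation so it can be compared with what the Kerberos server administrator expects.</p>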
<div class="section"><p>Now that you have completed a basic EIM and network authentication
service configuration on <span class="keyword">iSeries</span> A,
you can add the service principal for <span class="keyword">iSeries</span> A
to the Kerberos server.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablesso.htm" title="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise.">Scenario: Create a single signon test environment</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzamzcompletetheplanningworksheets.htm">Complete the planning work sheets</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm">Add iSeries A service principal to the Kerberos server</a></div>
</div>
</div>
</body>
</html>