<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Additional configuration requirements for Kerberos v5 authentication
enablement</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="krbcfgreq"></a>
<h3 id="krbcfgreq">Additional configuration requirements for Kerberos v5 authentication
enablement</h3>
<p>You must complete all of the following steps prior to restarting
the iSeries server. </p>
<ol type="1">
<li>The <a href="../rzalv/rzalvmst.htm" target="_blank">Enterprise Identity
Mapping (EIM)</a> and <a href="../rzakh/rzakh000.htm" target="_blank">Network authentication
service</a> must be configured on the server in order to use Kerberos v5 authentication. <span class="bold">If you currently have EIM and Network authentication services
configured, skip this step and proceed to <a href="rzahlkrbcfgreqs.htm#w2kwxpstep">2</a>.</span>
<a name="wq38"></a>
<div class="notetitle" id="wq38">Note:</div>
<div class="notebody"> The EIM configuration wizard gives you the option to
configure Network authentication service, if it is not currently configured
on your server. In this event, you must select to configure the Network authentication
service, as it is a required service in order to use Kerberos v5 authentication
with iSeries NetServer&trade;.</div>
<p>To configure EIM and Network authentication
service, complete the following steps:</p>
<ol type="a">
<li>Open iSeries Navigator and connect to the system you want to work with.</li>
<li>Expand Network.</li>
<li>Right-click Enterprise Identity Mapping and select Configure.</li>
<li>Follow the instructions in the EIM configuration wizard.</li></ol>
<a name="wq40"></a>
<div class="notetitle" id="wq40">Note:</div>
<div class="notebody"> If Network authentication service is not currently
configured on the iSeries server, you will be prompted to configure it
during the EIM configuration wizard. You must ensure that you select to add
the iSeries NetServer service principals when configuring Network authentication service.</div></li>
<li id="w2kwxpstep">
<a name="w2kwxpstep"></a>With Network authentication service currently
configured on your server, you must manually add the service principal names
to the keytab.
<ol type="a">
<li><span class="bold">For Windows 2000 clients:</span>
<div class="lines">HOST/&lt;fully qualified name&gt;@&lt;REALM&gt;<br />
HOST/&lt;qname&gt;@&lt;REALM&gt;<br />
HOST/&lt;IP Address&gt;@&lt;REALM&gt;<br />
</div></li>
<li><span class="bold">For Windows XP and Windows Server 2003 clients:</span>
<div class="lines">cifs/&lt;fully qualified name&gt;@&lt;REALM&gt;<br />
cifs/&lt;qname&gt;@&lt;REALM&gt;<br />
cifs/&lt;IP Address&gt;@&lt;REALM&gt;<br />
</div></li></ol>Keytab entries may be added using the Kerberos Key Tab (QKRBKEYTAB) API.
On a command line, use the following command string: <tt class="xph">CALL PGM(QKRBKEYTAB)
PARM('add' 'HOST/<span class="italic">qname</span>')</tt>, where <span class="italic">qname</span> is the fully qualified name or the IP address.</li>
<li>Additional setup is also required on the Windows 2000 or Windows
Server 2003 domain controller that the iSeries NetServer clients use as the Key Distribution
Center (KDC).
<p>Complete the following steps to configure an iSeries NetServer service
principal on the Windows KDC: </p>
<ol type="a">
<li>Install the Support Tools from your Windows server CD.
<a name="wq43"></a>
<div class="notetitle" id="wq43">Note:</div>
<div class="notebody"> Instructions for installing the Support Tools can be
found in the <a href="http://support.microsoft.com/support/kb/articles/Q301/4/23.ASP" target="_blank">Microsoft KB article
Q301423</a> (support.microsoft.com/support/kb/articles/Q301/4/23.ASP)
<img src="www.gif" alt="Link outside Information Center" />.</div></li>
<li id="step">
<a name="step"></a>Create a new user in the Active Directory.</li>
<li id="stepp">
<a name="stepp"></a>From a command prompt, use the ktpass.exe support
tool to map a service principal to the newly created user. The password used
for ktpass should match the password used to create the service principal
on the iSeries system. Substituting your own parameters for the items in &lt;&gt;,
use the appropriate command call as follows.
<p><span class="bold">For Windows 2000 clients:</span>
<br /><tt class="xph">ktpass -princ HOST/&lt;iSeriesNetServerName&gt;@&lt;REALM&gt;
-mapuser &lt;new user&gt; -pass &lt;password&gt;</tt></p>
<p><span class="bold">For Windows XP or Windows Server 2003 clients:</span>
<br /><tt class="xph">ktpass -princ cifs/&lt;iSeriesNetServerName&gt;@&lt;REALM&gt; -mapuser &lt;new user&gt; -pass &lt;password&gt;</tt></p>
<a name="wq44"></a>
<div class="notetitle" id="wq44">Note:</div>
<div class="notebody"> Only one principal can be mapped to
a user. If both HOST/* and cifs/* principals are needed, each must be mapped
to a separate Active Directory user.</div></li>
<li>Repeat steps <a href="rzahlkrbcfgreqs.htm#step">3b</a> and <a href="rzahlkrbcfgreqs.htm#stepp">3c</a> if
you want to access iSeries NetServer using additional principal names.</li></ol></li></ol>
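<p>The following is an added example, not code from this Information Center page or from IBM: it derives the service principal names that steps 2 and 3 require for a NetServer host, reports which are missing from a keytab listing, and flags an Active Directory mapping plan that gives one user more than one principal (the restriction noted in step 3c). The host name, IP address, realm and user names are constructed placeholders.</p>

```python
# Added example, not part of the IBM page: derive the service principal
# names (SPNs) that steps 2 and 3 above require, then check a keytab
# listing and an Active Directory mapping plan against them. Host name,
# IP address and realm values are constructed placeholders.
import ipaddress

# Service class per client type, as listed in step 2.
SERVICE_BY_CLIENT = {"Windows 2000": "HOST", "Windows XP/2003": "cifs"}


def required_principals(fqdn, ip, realm, clients):
    """SPNs the keytab must hold: one per name form (fully qualified name,
    short name, IP address) for every client type that will connect."""
    ipaddress.ip_address(ip)      # reject a malformed address early
    short_name = fqdn.split(".")[0]
    realm = realm.upper()         # realm names are written in upper case
    spns = []
    for client in clients:
        service = SERVICE_BY_CLIENT[client]
        for name in (fqdn, short_name, ip):
            spns.append(f"{service}/{name}@{realm}")
    return spns


def missing_from_keytab(required, keytab_entries):
    """Required SPNs absent from the keytab listing (exact string match)."""
    present = set(keytab_entries)
    return [spn for spn in required if spn not in present]


def conflicting_ad_users(mapping):
    """mapping is {spn: ad_user}. ktpass maps only one principal per user
    (see the note in step 3c), so return every user given two or more."""
    by_user = {}
    for spn, user in mapping.items():
        by_user.setdefault(user, []).append(spn)
    return {u: spns for u, spns in by_user.items() if len(spns) > 1}


if __name__ == "__main__":
    # Constructed sample: a NetServer host serving both client generations.
    need = required_principals("as400.example.com", "192.0.2.10",
                               "example.com", list(SERVICE_BY_CLIENT))
    have = ["HOST/as400.example.com@EXAMPLE.COM", "cifs/as400@EXAMPLE.COM"]
    print("missing keytab entries:", missing_from_keytab(need, have))
    plan = {"HOST/as400.example.com@EXAMPLE.COM": "netsvc-host",
            "cifs/as400.example.com@EXAMPLE.COM": "netsvc-host"}  # conflict
    print("AD users mapped to more than one SPN:", conflicting_ad_users(plan))
```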
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>