<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Add i5/OS principals to the Kerberos server" />
<meta name="abstract" content="Add the i5/OS principals to a Kerberos server in i5/OS PASE or a Windows 2000 domain." />
<meta name="description" content="Add the i5/OS principals to a Kerberos server in i5/OS PASE or a Windows 2000 domain." />
<meta name="DC.Relation" scheme="URI" content="rzakhconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhhome.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhdefineiseries" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Add i5/OS principals
to the Kerberos server</title>
</head>
<body id="rzakhdefineiseries"><a name="rzakhdefineiseries"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Add i5/OS principals
to the Kerberos server</h1>
<div><p>Add the i5/OS™ principals to a Kerberos server in i5/OS PASE or
a Windows<sup>®</sup> 2000
domain.</p>
<div class="section"><p>After you configure network authentication service
on your iSeries™,
you must add your i5/OS principals to the Kerberos server. Network authentication
service provides an i5/OS principal name, <strong>krbsvr400</strong> for the server
and the i5/OS applications.
The name of the principal that represents i5/OS is krbsvr400/<em>iSeries host
name</em>@REALM NAME, where <em>iSeries host name</em> is either the fully
qualified host name or the short host name for the iSeries server. This principal name needs
to be added to the Kerberos server so that Kerberos client applications can
request and receive service tickets. For example, in our configuration scenarios,
the administrator for MyCo added the service principal krbsvr400/iseriesa.myco.com@MYCO.COM
to the company's Kerberos server.</p>
<p>Depending on the operating system
on which you have configured a Kerberos server, the steps for adding the i5/OS principal
are different. This information provides instructions on adding the i5/OS principals
to a Kerberos server in i5/OS PASE or a Windows 2000 domain. If you have optionally
created service principals for either IBM<sup>®</sup> Directory Server for iSeries (LDAP), iSeries NetServer™,
or HTTP server you must also add those service principals to the Kerberos
server.</p>
</div>
<ol><li class="stepexpand"><span>i5/OS PASE </span> If your Kerberos server is located in i5/OS PASE, you can add i5/OS service
principals by using the QP2TERM command, which opens an interactive shell
environment that allows you to work with i5/OS PASE applications. To add an i5/OS service
principal to a Kerberos server in i5/OS PASE, complete these steps:<ol type="a"><li class="substepexpand"><span>In a character-based interface, type <span class="cmdname">call QP2TERM</span>. </span></li>
<li class="substepexpand"><span>At the command line, enter <tt>export PATH=$PATH:/usr/krb5/sbin</tt>. </span> This command adds the directory that contains the Kerberos
administration executables to your search path so that they can be run by name.</li>
<li class="substepexpand"><span>At the command line, type <span class="cmdname">kadmin -p admin/admin</span>.</span></li>
<li class="substepexpand"><span>Logon with your user name and password.</span></li>
<li class="substepexpand"><span>At the kadmin command line, enter <tt>addprinc -pw secret krbsvr400/iSeries
fully qualified host name@REALM</tt>, where <tt>secret</tt> is the password
for the i5/OS service
principal. </span> For example, <tt>krbsvr400/iseriesa.myco.com@MYCO.COM</tt> might
be a valid i5/OS service
principal name.</li>
</ol>
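<p>The following POSIX shell script is an added example and is not IBM's code or part of the original page. It builds the service principal name exactly as the page specifies (krbsvr400/<em>host</em>@<em>REALM</em>), and checks that the name appears in the output of <tt>kadmin -q listprincs</tt>, which is the verification a practitioner would run after substep e. The sample <tt>listprincs</tt> output is constructed for the example; the function and variable names are the author's own. The check that the host is lowercase and the realm uppercase is a convention check added here, because a realm name is case-sensitive and <tt>MYCO.COM</tt> and <tt>myco.com</tt> are different realms.</p>

```shell
#!/bin/sh
# Added example (not IBM's code): build the i5/OS service principal name used
# in substep e and verify it against "kadmin -q listprincs" output.

# Build the principal name the page specifies: krbsvr400/<host>@<REALM>.
# Convention check (assumption, not from the page): the host name must be a
# lowercase host name and the realm must be uppercase, because Kerberos realm
# names are case-sensitive and MYCO.COM and myco.com are different realms.
build_principal() {
    host=$1
    realm=$2
    case "$host" in
        *[!a-z0-9.-]*|"") return 1 ;;
    esac
    case "$realm" in
        *[!A-Z0-9.-]*|"") return 1 ;;
    esac
    printf '%s\n' "krbsvr400/${host}@${realm}"
}

# Return 0 if the principal appears in listprincs output read from stdin.
# -x matches the whole line, so krbsvr400/iseriesa.myco.com@MYCO.COM does not
# match a longer name such as krbsvr400/iseriesa.myco.com.old@MYCO.COM.
principal_listed() {
    principal=$1
    grep -Fx -- "$principal" >/dev/null
}

# Run substep e for one principal. The page passes the password with
# "-pw secret"; this function omits -pw so that kadmin prompts for it and the
# password does not end up in the shell history or the process list.
# Only runs kadmin when it is on the PATH (see the export PATH substep).
add_principal() {
    principal=$1
    if command -v kadmin >/dev/null 2>&1; then
        kadmin -p admin/admin -q "addprinc $principal"
    else
        printf 'kadmin not found; would run: kadmin -p admin/admin -q "addprinc %s"\n' "$principal"
    fi
}

# Constructed sample of "kadmin -p admin/admin -q listprincs" output;
# not captured from a real Kerberos server.
SAMPLE_LISTPRINCS='K/M@MYCO.COM
admin/admin@MYCO.COM
krbsvr400/iseriesa.myco.com@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM'

# Demonstration on the page's scenario: host iseriesa.myco.com, realm MYCO.COM.
PRINCIPAL=$(build_principal iseriesa.myco.com MYCO.COM)
if printf '%s\n' "$SAMPLE_LISTPRINCS" | principal_listed "$PRINCIPAL"; then
    echo "found $PRINCIPAL"
else
    echo "missing $PRINCIPAL"
fi
```

<p>On a live system, replace the constructed sample with the real output, for example <tt>kadmin -p admin/admin -q listprincs | principal_listed "$PRINCIPAL"</tt>, and call <tt>add_principal "$PRINCIPAL"</tt> only when the check reports the principal as missing. The same two functions apply unchanged to the optional LDAP, NetServer, and HTTP service principals; only the service name in front of the slash differs.</p>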
</li>
<li class="stepexpand"><span>Microsoft<sup>®</sup> Windows Active Directory</span> <p>To
add an i5/OS service
principal to a Kerberos server, you have two options: Allow the Network Authentication
Service wizard to add the principals or add them manually.</p>
<div class="p">The Network
Authentication Service wizard allows you to optionally create a batch file,
called <tt>NASConfig.bat</tt>. This batch file contains all of the principal
names for the services that you selected during configuration. You can also
choose to add their associated passwords in this batch file. <div class="note"><span class="notetitle">Note:</span> If you
include the password, anyone with read access to the batch file can view the
passwords. It is recommended that if you include the password, that you delete
the batch file from the Kerberos server and from your PC immediately after
use. If you do not include the password in the batch file, you will be prompted
for a password when the batch file is run on the Windows server.</div>
</div>
<strong>Using
the batch file generated by the Network Authentication Service wizard</strong><ol type="a"><li class="substepexpand"><span>Using FTP on the Windows 2000 workstation that the administrator
used to configure network authentication service, open a command prompt and
type <tt>ftp <em>server</em></tt> where <em>server</em> is the host name for the
Kerberos server. </span> This will start an FTP session on your PC. You
will be prompted for the administrator's user name and password.</li>
<li class="substepexpand"><span>At the FTP prompt, type <tt>lcd "C:\Documents and Settings\All
Users\Documents\IBM\Client Access"</tt>. Press <span class="uicontrol">Enter</span>. </span> <div class="note"><span class="notetitle">Note:</span> This is an example of a directory that may contain the batch file.</div>
You should receive the message <tt>Local directory now C:\Documents
and Settings\All Users\Documents\IBM\Client Access</tt>.</li>
<li class="substepexpand"><span>At the FTP prompt, type <tt>binary</tt>.</span> This indicates
that the file to be transferred is binary.</li>
<li class="substepexpand"><span>At the FTP prompt, type <tt>cd \<em>mydirectory</em></tt>, where <em>mydirectory</em> is
a directory on the Windows server where you want to place the batch
file.</span></li>
<li class="substepexpand"><span>At the FTP prompt, type <tt>put NASConfig.bat</tt>. </span> You
should receive this message: <tt>226 Transfer complete</tt>.</li>
<li class="substepexpand"><span>On your Windows 2000 server, open the directory
where you transferred the batch file.</span></li>
<li class="substepexpand"><span>Find the <tt>NASConfig.bat</tt> file and double click the file
to run it.</span></li>
<li class="substepexpand"><span>After the file runs, verify that the i5/OS principal name has been added to
the Microsoft Windows Active
Directory by completing the following:</span> <ol type="i"><li>On your Windows 2000 server, expand <span class="menucascade"><span class="uicontrol">Start</span> &gt; <span class="uicontrol">Programs</span> &gt; <span class="uicontrol">Administrative Tools</span> &gt; <span class="uicontrol">Active Directory Users and Computers</span> &gt; <span class="uicontrol">Users</span></span>.</li>
<li>Verify the iSeries has
a user account by selecting the appropriate Windows 2000 domain. <div class="note"><span class="notetitle">Note:</span> This Windows domain
should be the same as the default realm name that you specified during network authentication
service configuration.</div>
</li>
<li>In the list of users that displays, find the name that corresponds with
the service principal that you just added. </li>
<li>Access the properties on your Active Directory users.
From the <span class="uicontrol">Account</span> tab, select the <span class="uicontrol">Account
is trusted for delegation</span>. <div class="note"><span class="notetitle">Note:</span> This optional step enables your
system to delegate, or forward, a user's credentials to other systems. As
a result, the i5/OS service
principal can access services on multiple systems on behalf of the user. This
is useful in a multi-tier network.</div>
</li>
</ol>
</li>
</ol>
<strong>Manually adding the service principal to Microsoft Windows Active Directory</strong> You can also add i5/OS principals to the Microsoft Windows Active Directory manually by
using the ktpass command. This command is shipped with Windows Support
Tools and must be installed on the system being used as the Kerberos server. <ol type="a"><li class="substepexpand"><span>On your Windows 2000 server, expand <span class="menucascade"><span class="uicontrol">Start</span> &gt; <span class="uicontrol">Programs</span> &gt; <span class="uicontrol">Administrative
Tools</span> &gt; <span class="uicontrol">Active Directory Users and Computers</span></span>.</span></li>
<li class="substepexpand"><span>Select the Windows 2000 domain to which you want
to add the iSeries user
account and expand <span class="menucascade"><span class="uicontrol">Action</span> &gt; <span class="uicontrol">New</span> &gt; <span class="uicontrol">User</span></span>. </span> <div class="note"><span class="notetitle">Note:</span> This Windows 2000
domain should be the same as the default realm name that you specified during network
authentication service configuration.</div>
</li>
<li class="substepexpand"><span>In the <span class="uicontrol">Name</span> field, enter a name that
will identify the iSeries to this Windows 2000 domain. </span> This
will add a new user account for iSeries. For example,
you might enter the name <tt>krbsvr400iseriesa</tt> or <tt>httpiseriesa</tt> as
a valid user account name.</li>
<li class="substepexpand"><span>Access the properties on the Active Directory user that you
created in Step 3. From the <span class="uicontrol">Account</span> tab, select the <span class="uicontrol">Account
is trusted for delegation</span>.</span> This allows the i5/OS service
principal to access other services on behalf of a signed-in user.</li>
<li class="substepexpand"><span>You need to map the user account you just created to the i5/OS service
principal by using the <span class="cmdname">ktpass</span> command. The ktpass tool
is provided in the <span class="uicontrol">Service Tools</span> folder on the Windows 2000
Server installation CD. To map the user account, complete the following task:</span> <ol type="i"><li>At a command prompt, enter<pre>ktpass -mapuser krbsvr400iseriesa -pass secret -princ krbsvr400/iseries-domain-name@REALM
-mapop set</pre>
<div class="note"><span class="notetitle">Note:</span> In the command, <tt>krbsvr400iseriesa</tt> represents
the user account name that was created in Step 3 and <tt>secret</tt> is the
password that you entered during network authentication service configuration
for the i5/OS principal.</div>
</li>
</ol>
</li>
</ol>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconfig.htm" title="Configure network authentication service on your systems.">Configure network authentication service</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzakhhome.htm" title="Create a home directory for each user that will connect to the i5/OS applications.">Create a home directory</a></div>
</div>
</div>
</body>
</html>