ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhpprin.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan principal names" />
<meta name="abstract" content="Plan for principal names in your Kerberos network." />
<meta name="description" content="Plan for principal names in your Kerberos network." />
<meta name="DC.Relation" scheme="URI" content="rzakhplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhprealm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpdns.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhpprin" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan principal names</title>
</head>
<body id="rzakhpprin"><a name="rzakhpprin"><!-- --></a>
<h1 class="topictitle1">Plan principal names</h1>
<div><p>Plan for principal names in your Kerberos network.</p>
<p>Principals are names of users or services in a Kerberos network. Principal
names consist of the user name or service name and the name of the realm in
which that user or service belongs. If Mary Jones uses the realm MYCO.COM,
her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal
name and its associated password to be authenticated by a centralized Kerberos
server. All principals are added to the Kerberos server, which maintains a
database of all users and services within a realm. </p>
<p>When developing a system for naming principals, you should assign principal
names using a consistent naming convention that will accommodate current and
future users. Use the following suggestions to establish a naming convention
for your principals:</p>
<div class="p"><ul><li>Use family name and initial of first name</li>
<li>Use first initial and full family name</li>
<li>Use first name plus last initial</li>
<li>Use application or service names with identifying numbers, such as database1.</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS™ principal
names</h4><div class="p">When you configure network authentication service on iSeries™ systems,
the principal names can optionally be created. Each of these principals represents
a service located on the iSeries server. During configuration of network authentication
service, a key table entry is created on the iSeries system for each of the service
principals that you choose to create. This key table entry stores the service
principal name and the encrypted password that you specified during configuration.
It is important to note that all i5/OS service principals need to be added
to the Kerberos server after network authentication service is configured.
The method of adding the i5/OS principal to the Kerberos server varies based
on the Kerberos server that you have configured in your enterprise. For instructions
on how to add the i5/OS principal name to either a Windows<sup>®</sup> 2000
domain or a Kerberos server in i5/OS PASE, see <a href="rzakhdefineiseries.htm#rzakhdefineiseries">Add i5/OS principals to the Kerberos server</a>.
The following information describes each of the i5/OS service principals that are created
during network authentication service configuration:<dl><dt class="dlterm">i5/OS Kerberos
Authentication</dt>
<dd>When you choose to create a keytab entry for i5/OS Kerberos Authentication, the service
principal is generated in the keytab file in one of these formats: <strong>krbsvr400/iSeries
fully qualified domain name@REALM NAME</strong> or <strong>krbsvr400/iSeries host name@REALM
NAME</strong>. For example, a valid service principal for i5/OS Kerberos Authentication might be
krbsvr400/iseriesa.myco.com@MYCO.COM or krbsvr400/iseriesa@MYCO.COM. i5/OS generates
the principal based on the host name that it finds on either the DNS server
or on the iSeries server
depending on how the iSeries is configured to resolve host names. <p>The
service principal is used for several i5/OS interfaces, such as QFileSrv.400,
Telnet, Distributed
Relational Database Architecture™ (DRDA<sup>®</sup>), iSeries NetServer™, and IBM<sup>®</sup> <img src="eserver.gif" alt="e(logo) server" /> iSeries Access
for Windows including iSeries Navigator.
Each of these applications may require additional configuration to enable
Kerberos authentication.</p>
</dd>
<dt class="dlterm">LDAP</dt>
<dd>In addition to the i5/OS service principal name, you can optionally configure
additional service principals for IBM Directory Server for iSeries (LDAP)
during network authentication service configuration. The LDAP principal name
is <strong>ldap/iSeries fully qualified domain name@REALM NAME</strong>. For example,
a valid LDAP principal name might be ldap/iseriesa.myco.com@MYCO.COM. This
principal name identifies the directory server located on that iSeries system. <div class="note"><span class="notetitle">Note:</span> In
past releases, the network authentication service wizard created an uppercase
keytab entry for the LDAP service. If you configured the LDAP principal in a past release,
you will be prompted to change this principal name to its lowercase version when you
reconfigure network authentication service or access the wizard through
the Enterprise Identity Mapping (EIM) interface.</div>
<div class="p">If you plan on using
Kerberos authentication with the directory server, you will not only need
to configure network authentication service, but also change properties for
the directory server to accept Kerberos authentication. When Kerberos authentication
is used, directory server associates the server distinguished name (DN) with
the Kerberos principal name. You can choose to have the server DN associated
with one of the following methods:<ul><li>The server can create a DN based on the Kerberos principal name. When
you choose this option, a Kerberos identity of the form principal@realm generates
a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.</li>
<li>The server can search the directory for a distinguished name (DN) that
contains an entry for the Kerberos principal and realm. When you choose this
option, the server searches the directory for an entry that specifies this
Kerberos identity.</li>
</ul>
</div>
<p>See <a href="../rzahy/rzahyrzahywelpo.htm">IBM Directory
Server for iSeries (LDAP)</a> for
details on configuring Kerberos authentication for the directory server.</p>
</dd>
<dt class="dlterm">HTTP Server powered by Apache</dt>
<dd>In addition to the i5/OS service principal name, you can optionally configure
additional service principals for HTTP Server powered by Apache (HTTP) during
network authentication service configuration. The HTTP principal name is <strong>HTTP/iSeries
fully qualified domain name@REALM NAME</strong>. This principal name identifies
the HTTP server instances on the iSeries that will be using Kerberos to
authenticate web users. To use Kerberos authentication with an HTTP server
instance, you will also need to complete additional configuration steps that
pertain to HTTP server.<p>See the <a href="http://www-1.ibm.com/servers/eserver/iseries/software/http/docs/doc.htm" target="_blank">HTTP Server: documentation</a><img src="www.gif" alt="Link outside the Information center" /> home page to find information about using Kerberos
authentication with HTTP server.</p>
</dd>
<dt class="dlterm">iSeries NetServer</dt>
<dd>For iSeries NetServer,
you can also choose to create several NetServer principals that are automatically
added to the keytab file on the iSeries. Together, these NetServer principals
cover all the potential clients that you might use to connect to iSeries NetServer.
The following table shows the iSeries NetServer principal name and the clients
they represent:
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="90%" frame="border" border="1" rules="all"><caption>Table 1. iSeries NetServer principal names</caption><thead align="left"><tr><th valign="top" id="d0e231">Client connection</th>
<th valign="top" id="d0e233">iSeries NetServer principal
name</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e231 ">Windows XP</td>
<td valign="top" headers="d0e233 "><p>cifs/iSeries fully qualified domain name<br />
cifs/iSeries host name<br />
cifs/QiSeries host name<br />
cifs/qiSeries host name<br />
cifs/IP address</p>
</td>
</tr>
<tr><td valign="top" headers="d0e231 ">Windows 2000</td>
<td valign="top" headers="d0e233 "><p>HOST/iSeries fully qualified domain name<br />
HOST/iSeries host name<br />
HOST/QiSeries host name<br />
HOST/qiSeries host name<br />
HOST/IP address</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>See <a href="../rzahl/rzahlusergoal.htm">iSeries NetServer</a> for
more information about using Kerberos authentication with this application.</p>
</dd>
</dl>
</div>
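<p>As an added example (not part of the original topic), the following Python script builds the service principal set described above for one iSeries system, flags a legacy uppercase LDAP keytab entry, checks a principal's host part against the name clients resolve, and derives the ibm-kn= DN. It assumes the realm name matches the DNS domain, as in this topic's examples; the host name iseriesa, realm MYCO.COM and IP address 10.1.1.5 are constructed sample values.</p>

```python
"""Added example: plan and sanity-check i5/OS service principal names.
Assumption: the realm name equals the DNS domain, so host iseriesa in
realm MYCO.COM has the fully qualified name iseriesa.myco.com."""
from __future__ import annotations

# NetServer principal prefix per client type, from the topic's Table 1.
NETSERVER_PREFIX = {"Windows XP": "cifs", "Windows 2000": "HOST"}


def service_principals(host: str, realm: str, ip: str) -> dict[str, list[str]]:
    """Return the service principals the topic lists, keyed by service."""
    host = host.lower()
    fqdn = f"{host}.{realm.lower()}"
    plan = {
        "i5/OS Kerberos Authentication": [f"krbsvr400/{fqdn}@{realm}",
                                          f"krbsvr400/{host}@{realm}"],
        "LDAP": [f"ldap/{fqdn}@{realm}"],        # service part is lowercase
        "HTTP Server": [f"HTTP/{fqdn}@{realm}"],
    }
    for client, prefix in NETSERVER_PREFIX.items():
        # One entry per name a client might use to reach the server.
        plan[f"NetServer ({client})"] = [
            f"{prefix}/{n}@{realm}" for n in (fqdn, host, f"Q{host}", f"q{host}", ip)]
    return plan


def legacy_uppercase_ldap(keytab: list[str]) -> list[str]:
    """Keytab entries written as LDAP/... by older wizards; the topic says
    they must be changed to the lowercase ldap/... form."""
    return [p for p in keytab if p.split("/", 1)[0] == "LDAP"]


def host_mismatch(principal: str, resolved_name: str) -> bool:
    """True when the host part of a service principal differs from the name
    a client resolves for the system: the client would then request a ticket
    for a principal that is not the one in the keytab."""
    service_host = principal.split("/", 1)[1].split("@", 1)[0]
    return service_host.lower() != resolved_name.lower()


def kerberos_dn(principal: str) -> str:
    """DN the directory server derives when configured to create it from
    the Kerberos identity (ibm-kn= is equivalent to ibm-kerberosName=)."""
    return f"ibm-kn={principal}"


if __name__ == "__main__":
    for service, names in service_principals("iseriesa", "MYCO.COM", "10.1.1.5").items():
        print(service, names)
    # Constructed keytab listing containing one legacy uppercase LDAP entry.
    print(legacy_uppercase_ldap(["krbsvr400/iseriesa.myco.com@MYCO.COM",
                                 "LDAP/iseriesa.myco.com@MYCO.COM"]))
    print(host_mismatch("krbsvr400/iseriesa@MYCO.COM", "iseriesa.myco.com"))
```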
<div class="p"><strong>Example planning work sheet</strong>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Example principal planning work sheet</caption><thead align="left"><tr><th valign="top" id="d0e277">Questions</th>
<th valign="top" id="d0e279">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e277 ">What is the naming convention that you plan to use for
Kerberos principals that represent users in your network?</td>
<td valign="top" headers="d0e279 "><p>First initial followed by the first five letters of the
family name, in lowercase. Example: mjones</p>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">What is the naming convention for applications on your
network?</td>
<td valign="top" headers="d0e279 "><p>Descriptive name followed by a number. Example: database123</p>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">For which i5/OS services do you plan to use Kerberos
authentication?</td>
<td valign="top" headers="d0e279 "><ol><li>i5/OS Kerberos
Authentication for the following services: iSeries Access for Windows, iSeries Navigator, NetServer,
and Telnet.</li>
<li>HTTP Server powered by Apache</li>
<li>LDAP</li>
</ol>
</td>
</tr>
<tr><td valign="top" headers="d0e277 ">What are the i5/OS principal names for each of these i5/OS services?</td>
<td valign="top" headers="d0e279 "><ol><li>krbsvr400/iseriesa.myco.com@MYCO.COM</li>
<li>HTTP/iseriesa.myco.com@MYCO.COM</li>
<li>ldap/iseriesa.myco.com@MYCO.COM</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</body>
</html>