<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan realms" />
<meta name="abstract" content="Understanding your enterprise can help you plan for realms in your environment." />
<meta name="description" content="Understanding your enterprise can help you plan for realms in your environment." />
<meta name="DC.Relation" scheme="URI" content="rzakhplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpkdc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhpprin.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhprealm" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan realms</title>
</head>
<body id="rzakhprealm"><a name="rzakhprealm"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan realms</h1>
<div><p>Understanding your enterprise can help you plan for realms in your
environment.</p>
<div class="p">In the Kerberos protocol, a realm consists of a collection of machines and services
that use a single authentication server called a Kerberos server or key distribution
center (KDC). Realms are managed individually. Applications and services within
the realm typically share some common use or purpose. The following general
questions can aid you in planning realms in your enterprise:<dl><dt class="dlterm">How large is my current environment?</dt>
<dd>The size of your environment determines the number of realms you will
need. In a larger enterprise you may consider several realms that are based
on organizational boundaries or how certain systems are used within the enterprise.
For example, you might establish realms that represent different organizations in
your company, such as realms for your human resource department, customer service
department, or shipping department. You can also create realms for a collection
of machines or services that perform similar functions. Typically, smaller
enterprises may need only one or two realms.</dd>
<dt class="dlterm">How quickly do I anticipate my environment to grow?</dt>
<dd>If you plan for your enterprise to grow quickly, you may want to set up
several realms representing smaller organizational units in your enterprise.
If you anticipate that your enterprise will grow more slowly, you can set
up only one or two realms based on your organization now.</dd>
<dt class="dlterm">How many administrators will I need to manage these realms?</dt>
<dd>No matter how large or small your enterprise is, you need to make sure
you have knowledgeable personnel to set up and administer the realms that
you need.</dd>
</dl>
</div>
<div class="section"><h4 class="sectionscenariobar">Naming realms</h4><p>According
to the conventions of the Kerberos protocol, realm names typically consist
of an uppercase version of the domain name, such as MYCO.COM. In networks
with multiple realms, you can create a realm name that includes an uppercase
descriptive name and domain name. For example, you might have two realms,
one called HR.MYCO.COM and the other named SHIPPING.MYCO.COM, each representing
a particular department in your organization.</p>
<p>It is not necessary to
use uppercase; however, some implementations of Kerberos enforce this convention.
For example, realm names are strictly uppercase in a Microsoft<sup>®</sup> Windows<sup>®</sup> Active
Directory. If you are configuring network authentication service on the iSeries™ to
participate in a Kerberos realm configured in Microsoft Windows Active Directory, you must enter
the realm name in uppercase.</p>
<p>For a Kerberos server that is configured
in i5/OS™ PASE,
you can create either uppercase or lowercase realm names. However, if you plan
to create trust relationships between a Kerberos server configured with Microsoft Windows
Active Directory and a Kerberos server configured in i5/OS PASE, the realm names should be uppercase.</p>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Example planning work sheet for Kerberos realms</caption><thead align="left"><tr><th valign="top" id="d0e72">Questions</th>
<th valign="top" id="d0e74">Answers</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e72 ">How many realms do you need?</td>
<td valign="top" headers="d0e74 ">Two</td>
</tr>
<tr><td valign="top" headers="d0e72 ">How do you plan to organize realms?</td>
<td valign="top" headers="d0e74 ">Currently our company has a Windows 2000 server that authenticates
users in our Order Receiving Department. Our Shipping Department uses a Kerberos
server in i5/OS PASE.
Each of these departments will have its own realm.</td>
</tr>
<tr><td valign="top" headers="d0e72 ">What will be the naming convention used for realms?</td>
<td valign="top" headers="d0e74 ">We will use an uppercase shortened name that indicates
the department followed by an uppercase version of the Windows 2000
domain name. For example, ORDEPT.MYCO.COM will represent the Order Receiving
Department and SHIPDEPT.MYCO.COM will represent the Shipping Department.</td>
</tr>
</tbody>
</table>
</div>
</div>
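<p>The naming rules in this section can be checked against a planning work sheet before any Kerberos server is configured. The following Python check is an added example, not IBM code; the work sheet layout, the KDC-type labels and the trust between the two realms from Table 1 are assumptions.</p>

```python
from dataclasses import dataclass, field

# Assumed labels for the two KDC types discussed on this page.
AD = "windows-active-directory"
PASE = "i5os-pase"

@dataclass
class Realm:
    name: str                                   # realm name exactly as planned
    kdc: str                                    # AD or PASE
    trusts: list = field(default_factory=list)  # realm names this realm trusts

def realm_name(department, domain):
    """Work sheet convention: uppercase department prefix plus uppercase domain."""
    return f"{department}.{domain}".upper()

def check_worksheet(realms):
    """Return sorted (realm, problem) pairs; an empty list means the plan is consistent."""
    by_name = {r.name: r for r in realms}
    peers = {r.name: set() for r in realms}     # trust partners, either direction
    problems = set()
    for r in realms:
        for target in r.trusts:
            if target not in by_name:           # exact match: catches case slips
                problems.add((r.name, f"trust names unknown realm {target}"))
                continue
            peers[r.name].add(target)
            peers[target].add(r.name)
    for r in realms:
        if r.name == r.name.upper():
            continue                            # uppercase is valid everywhere
        if r.kdc == AD:
            problems.add((r.name, "Active Directory realm name must be uppercase"))
        elif any(by_name[p].kdc == AD for p in peers[r.name]):
            problems.add((r.name, "has a trust with an Active Directory realm; use uppercase"))
    return sorted(problems)

# Constructed work sheet based on Table 1; the trust relationship is an assumption.
PLAN = [
    Realm(realm_name("ordept", "myco.com"), AD, trusts=["SHIPDEPT.MYCO.COM"]),
    Realm(realm_name("shipdept", "myco.com"), PASE),
]

if __name__ == "__main__":
    for name, problem in check_worksheet(PLAN) or [("plan", "no naming problems")]:
        print(f"{name}: {problem}")
```

<p>A lowercase realm name in i5/OS PASE passes the check only while that realm has no trust relationship with an Active Directory realm.</p>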
</div>
</div>
</body>
</html>