382 lines
24 KiB
HTML
382 lines
24 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="reference" />
|
|
<meta name="DC.Title" content="Scenario: Enable single signon for i5/OS" />
|
|
<meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives for enabling single signon for i5/OS." />
|
|
<meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives for enabling single signon for i5/OS." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_completeplanningworksheets.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createassoconfiguration.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_configureiseriesbeim.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_addi5principals.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createuserprofilesseries.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createhomedirectorie.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_testnas.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createeimidentifiers.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createidentifierassociations.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createidentifierassociations2.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_createfegistrypolicy.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_enableregistrieslookup.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_testeimidentitymappings.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_configureiseriesaccessforwinapps.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_verifynaseimconfiguration.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzakhssoscenario_postconfigurationconsiderations.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzakhscen2" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Scenario: Enable single signon for i5/OS</title>
|
|
</head>
|
|
<body id="rzakhscen2"><a name="rzakhscen2"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Scenario: Enable single signon for i5/OS</h1>
|
|
<div><p>Use the following scenario to become familiar with the prerequisites
|
|
and objectives for enabling single signon for i5/OS™.</p>
|
|
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
|
|
a network administrator that manages a network and network security for your
|
|
company, including the Order Receiving department. You oversee the IT operations
|
|
for a large number of employees who take customer orders over the telephone.
|
|
You also supervise two other network administrators who help you maintain
|
|
the network.</p>
|
|
<p>The employees in the Order Receiving department use Windows<sup>®</sup> 2000
|
|
and i5/OS and
|
|
require multiple passwords for the different applications they use every day.
|
|
Consequently, you spend a lot of time managing and troubleshooting problems
|
|
related to passwords and user identities, such as resetting forgotten passwords.</p>
|
|
<div class="p">As
|
|
the company's network administrator, you are always looking for ways to improve
|
|
the business, starting with the Order Receiving department. You know that
|
|
most of your employees need the same type of authority to access the application
|
|
that they use to query inventory status. It seems redundant and time consuming
|
|
for you to maintain individual user profiles and numerous passwords that are
|
|
required in this situation. In addition, you know that all of your employees
|
|
can benefit by using fewer user IDs and passwords. You want to do these things: <ul><li>Simplify the task of password management for the Order Receiving department.
|
|
Specifically, you want to efficiently manage user access to the application
|
|
your employees routinely use for customer orders.</li>
|
|
<li>Decrease the use of multiple user IDs and passwords for the department
|
|
employees, as well as for the network administrators. However, you do not
|
|
want to make the Windows 2000 IDs and i5/OS user profiles the same nor do you
|
|
want to use password caching or synching.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p">Based on your research, you know that i5/OS supports <a href="../rzamz/rzamzoverview.htm">single signon</a>, a solution that allows your users to log
|
|
on once to access multiple applications and services that normally require
|
|
them to log on with multiple user IDs and passwords. Because your users do
|
|
not need to provide as many user IDs and passwords to do their jobs, you have
|
|
fewer password problems to solve for them. Single signon seems to be an ideal
|
|
solution because it allows you to simplify password management in the following
|
|
ways: <ul><li>For typical users that require the same authority to an application, you
|
|
can create policy associations. For example, you want the order clerks in
|
|
the Order Receiving department to be able to log on once with their Windows user
|
|
name and password and then be able to access a new inventory query application
|
|
in the manufacturing department without having to be authenticated again.
|
|
However, you also want to ensure that the level of authorization that they
|
|
have when using this application is appropriate. To attain this goal, you
|
|
decide to create a policy association that maps the Windows 2000
|
|
user identities for this group of users to a single i5/OS user profile that has the appropriate
|
|
level of authority for running the inventory query application. Because this
|
|
is a query-only application in which users cannot change data, you are not
|
|
as concerned about detailed auditing for this application. Consequently, you
|
|
feel confidant that using a policy association in this situation conforms
|
|
to your security policy.<p>You create a policy association to map the group
|
|
of order clerks with similar authority requirements to a single i5/OS user profile
|
|
with the appropriate level of authority for the inventory query application.
|
|
Your users benefit by having one less password to remember and one less logon
|
|
to perform. As the administrator, you benefit by having to maintain only one
|
|
user profile for user access to the application instead of multiple user profiles
|
|
for everyone in the group.</p>
|
|
</li>
|
|
<li>For each of your network administrators who have user profiles with special
|
|
authorities, such as *ALLOBJ and *SECADM, you can create identifier associations.
|
|
For example, you want all of the user identities for a single network administrator
|
|
to be precisely and individually mapped to one another because of the administrator's
|
|
high level of authority. <p>Based on your company's security policy, you decide
|
|
to create identifier associations to map specifically from each network administrator's Windows identity
|
|
to his i5/OS user
|
|
profile. You can more easily monitor and trace the activity of the administrator
|
|
because of the one-to-one mapping that identifier associations provide. For
|
|
example, you can monitor the jobs and objects that run on the system for a
|
|
specific user identity. Your network administrator benefits by having one
|
|
less password to remember and one less logon to perform. As the network administrator,
|
|
you benefit by tightly controlling the relationships between all of your administrator's
|
|
user identities.</p>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p">This scenario has the following advantages: <ul><li>Simplifies authentication process for users.</li>
|
|
<li>Simplifies managing access to applications.</li>
|
|
<li>Eases the overhead of managing access to servers in the network.</li>
|
|
<li>Minimizes the threat of password theft.</li>
|
|
<li>Avoids the need for multiple signons.</li>
|
|
<li>Simplifies user identity management across the network.</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
|
|
scenario, you are the administrator at MyCo, Inc. who wants to enable single
|
|
signon for the users in the Order Receiving department.</p>
|
|
<p>The objectives
|
|
of this scenario are as follows:</p>
|
|
<ul><li>iSeries™ A
|
|
and iSeries B
|
|
must participate in the MYCO.COM realm to authenticate the users and services
|
|
that are participating in this single signon environment. To enable the systems
|
|
to use Kerberos, iSeries A
|
|
and iSeries B
|
|
must be configured for network authentication service.</li>
|
|
<li>The IBM<sup>®</sup> Directory
|
|
Server for iSeries (LDAP)
|
|
on iSeries A
|
|
must function as the domain controller for the new EIM domain.<div class="note"><span class="notetitle">Note:</span> Refer
|
|
to <a href="../rzamz/rzamzdomains.htm">domains</a> to
|
|
learn how two different types of domains, an EIM domain and a Windows 2000
|
|
domain, fit into the single signon environment.</div>
|
|
</li>
|
|
<li>All user identities in the Kerberos registry must map successfully to
|
|
a single i5/OS user
|
|
profile with appropriate authority for user access to the inventory query
|
|
application.</li>
|
|
<li>Based on your security policy, two administrators, John Day and Sharon
|
|
Jones, who also have user identities in the Kerberos registry, must have identifier
|
|
associations to map these identities to their i5/OS user profiles which have *SECADM
|
|
special authority. These one-to-one mappings enable you to closely monitor
|
|
the jobs and objects that run on the system for these user identities.</li>
|
|
<li>A Kerberos service principal must be used to authenticate the users to
|
|
the IBM iSeries Access
|
|
for Windows applications,
|
|
including iSeries Navigator.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
|
|
figure illustrates the network environment for this scenario.</p>
|
|
<p><br /><img src="rzakh512.gif" longdesc="scen2graphicdesc.htm" alt=" Single signon environment diagram" /><br /></p>
|
|
<p>The figure illustrates the following points
|
|
relevant to this scenario.</p>
|
|
<div class="p"><strong>EIM domain data defined for the enterprise</strong><ul><li>Three registry definition names:<ul><li>A registry definition name of MYCO.COM for the Windows 2000 server registry. You will
|
|
define this when you use the EIM configuration wizard on iSeries A.</li>
|
|
<li>A registry definition name of ISERIESA.MYCO.COM for the i5/OS registry
|
|
on iSeries A.
|
|
You will define this when you use the EIM configuration wizard on iSeries A.</li>
|
|
<li>A registry definition name of ISERIESB.MYCO.COM for the i5/OS registry
|
|
on iSeries B.
|
|
You will define this when you use the EIM configuration wizard on iSeries B.</li>
|
|
</ul>
|
|
</li>
|
|
<li>Two <a href="../rzalv/rzalveserverassoc.htm">default
|
|
registry policy associations</a>:<div class="note"><span class="notetitle">Note:</span> <a href="../rzalv/rzalveservereimmaplookup.htm">EIM lookup operation</a> processing assigns the highest priority
|
|
to identifier associations. Therefore, when a user identity is defined as
|
|
a source in both a policy association and an identifier association, only
|
|
the identifier association maps that user identity. In this scenario, two
|
|
network administrators, John Day and Sharon Jones, both have user identities
|
|
in the MYCO.COM registry, which is the source of the default registry policy
|
|
associations. However, as shown below, these administrators also have identifier
|
|
associations defined for their user identities in the MYCO.COM registry. The
|
|
identifier associations ensure that their MYCO.COM user identities are not
|
|
mapped by the policy associations. Instead, the identifier associations ensure
|
|
that their user identities in the MYCO.COM registry are individually mapped
|
|
to other specific individual user identities.</div>
|
|
<ul><li>One default registry policy association maps all user identities in the Windows 2000
|
|
server registry called MYCO.COM, to a single i5/OS user profile called SYSUSERA in the
|
|
ISERIESA.MYCO.COM registry on iSeries A. For this scenario, mmiller
|
|
and ksmith represent two of these user identities.</li>
|
|
<li>One default registry policy association maps all user identities in the Windows 2000
|
|
server registry called MYCO.COM, to a single i5/OS user profile called SYSUSERB in the
|
|
ISERIESB.MYCO.COM registry on iSeries B. For this scenario, mmiller
|
|
and ksmith represent two of these user identities.</li>
|
|
</ul>
|
|
</li>
|
|
<li>Two EIM identifiers named John Day and Sharon Jones to represent the two
|
|
network administrators in the company who have those names.</li>
|
|
<li>For the John Day EIM identifier, these identifier associations are defined:<ul><li>A source association for the jday user identity, which is a Kerberos principal
|
|
in the Windows 2000 server registry.</li>
|
|
<li>A target association for the JOHND user identity, which is a user profile
|
|
in the i5/OS registry
|
|
on iSeries A.</li>
|
|
<li>A target association for the DAYJO user identity, which is a user profile
|
|
in the i5/OS registry
|
|
on iSeries B.</li>
|
|
</ul>
|
|
</li>
|
|
<li>For the Sharon Jones EIM identifier, these identifier associations are
|
|
defined:<ul><li>A source association for the sjones user identity, which is a Kerberos
|
|
principal in the Windows 2000 server registry.</li>
|
|
<li>A target association for the SHARONJ user identity, which is a user profile
|
|
in the i5/OS registry
|
|
on iSeries A.</li>
|
|
<li>A target association for the JONESSH user identity, which is a user profile
|
|
in the i5/OS registry
|
|
on iSeries B.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>Windows 2000 server</strong><ul><li>Acts as the Kerberos server (<tt>kdc1.myco.com</tt>), also known as a
|
|
key distribution center (KDC), for the network.</li>
|
|
<li>The default realm for the Kerberos server is <tt>MYCO.COM</tt>.</li>
|
|
<li>All Microsoft<sup>®</sup> Windows Active Directory users that
|
|
do not have identifier associations are mapped to a single i5/OS user profile
|
|
on each of the iSeries systems.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>iSeries A</strong><ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
|
|
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
|
|
Servers (5722-SS1 Option 12)</li>
|
|
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
|
|
<li>iSeries Access
|
|
for Windows (5722-XE1)</li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
|
|
V5R4<img src="./deltaend.gif" alt="End of change" /></li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are using V5R3<img src="./deltaend.gif" alt="End of change" /></li>
|
|
</ul>
|
|
<div class="note"><span class="notetitle">Note:</span> You can implement this scenario using a server that runs V5R2.
|
|
However, some of the configuration steps will be slightly different. In addition,
|
|
this scenario demonstrates some of the single signon function that is only
|
|
available in V5R3 <span><img src="./delta.gif" alt="Start of change" />and later<img src="./deltaend.gif" alt="End of change" /></span>, such as policy associations.</div>
|
|
</li>
|
|
<li>The directory server on iSeries A will be configured to be the EIM domain
|
|
controller for the new EIM domain, MyCoEimDomain.</li>
|
|
<li>Participates in the EIM domain, MyCoEimDomain.</li>
|
|
<li>Has the service principal name of <tt>krbsvr400/iseriesa.myco.com@MYCO.COM</tt>.</li>
|
|
<li>Has the fully qualified host name of <tt>iseriesa.myco.com</tt>. This
|
|
name is registered in a single Domain Name System (DNS) to which all PCs and
|
|
servers in the network point.</li>
|
|
<li>Home directories on iSeries A store the Kerberos credentials caches for i5/OS user
|
|
profiles.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>iSeries B</strong><ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
|
|
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
|
|
Servers (5722-SS1 Option 12)</li>
|
|
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
|
|
<li>iSeries Access
|
|
for Windows (5722-XE1)</li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
|
|
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
|
|
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
|
|
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
|
|
</ul>
|
|
</li>
|
|
<li>Has the fully qualified host name of <tt>iseriesb.myco.com</tt>. This
|
|
name is registered in a single Domain Name System (DNS) to which all PCs and
|
|
servers in the network point.</li>
|
|
<li>The principal name for iSeries B is <tt>krbsvr400/iseriesb.myco.com@MYCO.COM</tt>.</li>
|
|
<li>Participates in the EIM domain, MyCoEimDomain.</li>
|
|
<li>Home directories on iSeries B store the Kerberos credentials caches for i5/OS user
|
|
profiles.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p"><strong>Administrative PC</strong><ul><li>Runs Microsoft Windows 2000 operating system.</li>
|
|
<li>Runs iSeries Access
|
|
for Windows (5722-XE1).</li>
|
|
<li>Runs iSeries Navigator
|
|
with the following subcomponents installed:<ul><li>Network</li>
|
|
<li>Security</li>
|
|
<li>Users and Groups</li>
|
|
</ul>
|
|
</li>
|
|
<li>Serves as the primary logon system for the administrator.</li>
|
|
<li>Configured to be part of the MYCO.COM realm (Windows domain).</li>
|
|
</ul>
|
|
</div>
|
|
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and
|
|
the hostname, <strong>iseriesa.myco.com</strong> are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>Successful
|
|
implementation of this scenario requires that the following assumptions and
|
|
prerequisites are met:</p>
|
|
<ol><li>All system requirements, including software and operating system installation,
|
|
have been verified.<div class="p">To verify that these licensed programs have been installed,
|
|
complete the following:<ol type="a"><li>In iSeries Navigator,
|
|
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration
|
|
and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed
|
|
Products</span></span>.</li>
|
|
<li>Ensure that all the necessary licensed programs are installed.</li>
|
|
</ol>
|
|
</div>
|
|
</li>
|
|
<li>All necessary hardware planning and setup are complete.</li>
|
|
<li>TCP/IP and basic system security are configured and tested on each system.</li>
|
|
<li>The directory server and EIM should not be previously configured on iSeries A.<div class="note"><span class="notetitle">Note:</span> Instructions
|
|
in this scenario are based on the assumption that the directory server has
|
|
not been previously configured on iSeries A. However, if you already configured
|
|
the directory server, you can still use these instructions with only slight
|
|
differences. These differences are noted in the appropriate places within
|
|
the configuration steps.</div>
|
|
</li>
|
|
<li>A single DNS server is used for host name resolution for the network.
|
|
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
|
|
with Kerberos authentication may result in name resolution errors or other
|
|
problems. For more detailed information about how host name resolution works
|
|
with Kerberos authentication, see <a href="rzakhpdns.htm#rzakhpdns">Host name resolution considerations</a>.</div>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><div class="note"><span class="notetitle">Note:</span> You
|
|
need to thoroughly understand the concepts related to single signon, which
|
|
include network authentication service and Enterprise Identity Mapping (EIM)
|
|
concepts, before you implement this scenario. See the following information
|
|
to learn about the terms and concepts related to single signon:<ul><li><a href="../rzalv/rzalveservercncpts.htm">Enterprise
|
|
Identity Mapping (EIM)</a></li>
|
|
<li><a href="rzakhconcept.htm#rzakhconcept">Network authentication service</a></li>
|
|
</ul>
|
|
</div>
|
|
<p>To configure single signon on your system, complete
|
|
these steps.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<ol>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_completeplanningworksheets.htm">Complete the planning work sheets</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createassoconfiguration.htm">Create a basic single signon configuration for iSeries A</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_configureiseriesbeim.htm">Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_addi5principals.htm">Add both i5/OS service principals to the Kerberos server</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createuserprofilesseries.htm">Create user profiles on iSeries A and iSeries B</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createhomedirectorie.htm">Create home directories on iSeries A and iSeries B</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_testnas.htm">Test network authentication service on iSeries A and iSeries B</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createeimidentifiers.htm">Create EIM identifiers for two administrators, John Day and Sharon Jones</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createidentifierassociations.htm">Create identifier associations for John Day</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createidentifierassociations2.htm">Create identifier associations for Sharon Jones</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_createfegistrypolicy.htm">Create default registry policy associations</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_enableregistrieslookup.htm">Enable registries to participate in lookup operations and to use policy associations</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_testeimidentitymappings.htm">Test EIM identity mappings</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_configureiseriesaccessforwinapps.htm">Configure iSeries Access for Windows applications to use Kerberos authentication</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_verifynaseimconfiguration.htm">Verify network authentication service and EIM configuration</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzakhssoscenario_postconfigurationconsiderations.htm">Post configuration considerations</a><br />
|
|
</li>
|
|
</ol>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |