<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Use Kerberos authentication between Management Central servers" />
<meta name="abstract" content="Use the following scenario to become familiar with the prerequisites and objectives for using Kerberos authentication between Management Central servers." />
<meta name="description" content="Use the following scenario to become familiar with the prerequisites and objectives for using Kerberos authentication between Management Central servers." />
<meta name="DC.Relation" scheme="URI" content="rzakhscen.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_completeplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_setcentralsystem.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_createmyco2systemgroup.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_collectsystemvalues.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_compareandupdatekerberos.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_restartmanagementcentral.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_addkerberosserviceprincipal.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_verifykerberosprincipal.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_allowtrustedconnections.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_repeatsteps4through6.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakhkerberosscenario_testauthenticationon.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhscenmc2" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Use Kerberos authentication between Management Central servers</title>
</head>
<body id="rzakhscenmc2"><a name="rzakhscenmc2"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Use Kerberos authentication between Management Central servers</h1>
<div><p>Use the following scenario to become familiar with the prerequisites
and objectives for using Kerberos authentication between Management Central
servers.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
a network administrator for a medium-sized parts manufacturer. You currently
manage four iSeries™ systems
using iSeries Navigator
on a client PC. You want your Management Central server jobs to use Kerberos
authentication instead of other authentication methods you have used in the
past, namely password synchronization.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, the goal for MyCo, Inc. is to use Kerberos authentication among
Management Central servers.</p>
</div>
<div class="section" id="rzakhscenmc2__details"><a name="rzakhscenmc2__details"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The
following graphic shows the details for this scenario. </p>
<br /><img src="rzakh513.gif" longdesc="rzakh513_desc.htm" alt="Use Kerberos authentication between endpoint systems" /><br /><div class="p"><strong>iSeries A
- Model system and central system</strong><ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS™ Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows<sup>®</sup> (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later<img src="./deltaend.gif" alt="End of change" /></li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3) if you are running
V5R3<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</li>
<li>i5/OS service
principal, krbsvr400/iseriesa.myco.com@MYCO.COM, and associated password have
been added to the keytab file.</li>
<li>Stores, schedules and runs synchronize setting tasks for each of the endpoint
systems.</li>
</ul>
</div>
<div class="p"><strong>iSeries B
- Endpoint system</strong><ul><li><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
<li>Network Authentication Enablement (5722-NAE) if you are using V5R4 or
later</li>
<li>Cryptographic Access Provider (5722-AC3) if you are running
V5R3</li>
</ul>
<img src="./deltaend.gif" alt="End of change" /></li>
<li>i5/OS service
principal, krbsvr400/iseriesb.myco.com@MYCO.COM, and associated password have
been added to the keytab file.</li>
</ul>
</div>
<div class="p"><strong>iSeries C
- Endpoint system</strong><ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 4 (V5R4) with the following
options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Network Authentication Enablement (5722-NAE)<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</li>
<li>i5/OS service
principal, krbsvr400/iseriesc.myco.com@MYCO.COM, and associated password have
been added to the keytab file.</li>
</ul>
</div>
<div class="p"><strong>iSeries D
- Endpoint system</strong><ul><li><span><img src="./delta.gif" alt="Start of change" />Runs i5/OS Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:<img src="./deltaend.gif" alt="End of change" /></span><ul><li>i5/OS Host
Servers (5722-SS1 Option 12)</li>
<li>iSeries Access
for Windows (5722-XE1)</li>
<li><img src="./delta.gif" alt="Start of change" />Cryptographic Access Provider (5722-AC3)<img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</li>
<li>i5/OS service
principal, krbsvr400/iseriesd.myco.com@MYCO.COM, and associated password have
been added to the keytab file.</li>
</ul>
</div>
<div class="p"><strong>Windows 2000 server</strong><ul><li>Operates as the Kerberos server for these systems.</li>
<li>The following i5/OS service principals have been added to the Windows 2000
server:<ul><li>krbsvr400/iseriesa.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesb.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesc.myco.com@MYCO.COM</li>
<li>krbsvr400/iseriesd.myco.com@MYCO.COM</li>
</ul>
</li>
</ul>
</div>
<p><strong>Client PC</strong></p>
<ul><li>Runs iSeries Access
for Windows (5722-XE1).</li>
<li>Runs iSeries Navigator
with the following subcomponents:<div class="note"><span class="notetitle">Note:</span> Only required for PC used to administer
network authentication service.</div>
<ul><li>Network</li>
<li>Security</li>
</ul>
</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />The KDC server name, <strong>kdc1.myco.com</strong>, and the
hostname, <strong>iseriesa.myco.com</strong> are fictitious names used in this scenario.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that the licensed programs have been installed,
complete the following:<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration
and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed
Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup have been completed.</li>
<li>TCP/IP and basic system security have been configured and tested on each
of these servers.</li>
<li>No one has changed the default settings in iSeries Navigator to stop the Task Status
window from opening when a task starts. To verify that the default setting
has not been changed, follow these steps:<ol type="a"><li>In iSeries Navigator,
right-click <span class="menucascade"><span class="uicontrol">your central system</span></span> and
select <span class="uicontrol">User Preferences</span>.</li>
<li>On the <span class="uicontrol">General</span> page, verify that <span class="uicontrol">Automatically
open a task status window when one of my tasks starts</span> is selected.</li>
</ol>
</li>
<li>This scenario is based on the assumption that network authentication service
has been configured on each system using the Synchronize Functions wizard
in iSeries Navigator.
This wizard propagates network authentication service configuration from a
model system to multiple target systems. See <a href="rzakhscenmc.htm#rzakhscenmc">Scenario: Propagate network authentication service configuration across multiple systems</a> for
details on how to use the Synchronize Functions wizard.</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><p>To
configure Kerberos authentication between Management Central servers, perform
these steps.</p>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzakhkerberosscenario_completeplanningworksheets.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_setcentralsystem.htm">Set central system to use Kerberos authentication</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_createmyco2systemgroup.htm">Create MyCo2 system group</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_collectsystemvalues.htm">Collect system values inventory</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_compareandupdatekerberos.htm">Compare and update Kerberos settings in iSeries Navigator</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_restartmanagementcentral.htm">Restart Management Central server on the central system and target systems</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_addkerberosserviceprincipal.htm">Add Kerberos service principal to the trusted group file for each endpoint</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_verifykerberosprincipal.htm">Verify the Kerberos principals are added to the trusted group file</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_allowtrustedconnections.htm">Allow trusted connections for the central system</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_repeatsteps4through6.htm">Repeat Steps 4 through 6 for target systems</a><br />
</li>
<li class="olchildlink"><a href="rzakhkerberosscenario_testauthenticationon.htm">Test authentication on the endpoint systems</a><br />
</li>
</ol>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhscen.htm" title="Use these scenarios to learn about network authentication service.">Scenarios</a></div>
</div>
</div>
</body>
</html>