151 lines
12 KiB
HTML
151 lines
12 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzenablessoos400.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzaddbothos400serviceprincipalstothekerberosserver.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Configure iSeries B
|
|
to participate in the EIM domain and configure iSeries B for network authentication
|
|
service</title>
|
|
</head>
|
|
<body id="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice"><a name="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Configure iSeries B
|
|
to participate in the EIM domain and configure iSeries B for network authentication
|
|
service</h1>
|
|
<div><div class="section"><p>After you have created a new domain and configured network authentication
|
|
service on <span class="keyword">iSeries™</span> A, you need
|
|
to configure <span class="keyword">iSeries</span> B to participate
|
|
in the EIM domain and configure network authentication service on <span class="keyword">iSeries</span> B. Use the information from
|
|
your work sheets to complete this step.</p>
|
|
</div>
|
|
<ol><li class="stepexpand"><span>In <span class="keyword">iSeries Navigator</span>,
|
|
expand <span class="menucascade"><span class="uicontrol">iSeries B</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
|
|
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to
|
|
start the configuration wizard.</span></li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Join
|
|
an existing domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
|
|
<li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
|
|
select <span class="uicontrol">Yes</span>. </span> <div class="note"><span class="notetitle">Note:</span> This launches the Network
|
|
Authentication Service wizard. This wizard allows you to configure several <span class="keyword">i5/OS™</span> interfaces and services to
|
|
participate in a Kerberos network.</div>
|
|
</li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page,
|
|
enter <tt>MYCO.COM</tt> in the <span class="uicontrol">Default realm</span> field
|
|
and select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>.
|
|
Click <span class="uicontrol">Next</span>.</span></li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
|
|
enter <tt>kdc1.myco.com</tt> for the name of the Kerberos server in the <span class="uicontrol">KDC</span> field
|
|
and enter <tt>88</tt> in the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
|
|
select <span class="uicontrol">Yes</span>. Enter <tt>kdc1.myco.com</tt> in the <span class="uicontrol">Password
|
|
server</span> field and <tt>464</tt> in the <span class="uicontrol">Port</span> field.
|
|
Click <span class="uicontrol">Next</span>. </span></li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
|
|
Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page,
|
|
enter and confirm a password, and click <span class="uicontrol">Next</span>. For example, <tt>iseriesa123</tt>.
|
|
This password will be used when the <span class="keyword">iSeries</span> A
|
|
service principal is added to the Kerberos server. </span> <div class="note"><span class="notetitle">Note:</span> Any and
|
|
all passwords specified in this scenario are for example purposes only. To
|
|
prevent a compromise to your system or network security, you should never
|
|
use these passwords as part of your own configuration.</div>
|
|
</li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Create Batch File</span> page, select <span class="uicontrol">Yes</span>,
|
|
specify the following information, and click <span class="uicontrol">Next</span>.</span> <ul><li><span class="uicontrol">Batch file:</span> Add the text <tt>iseriesb</tt> to the
|
|
end of the default batch file name. For example, <tt>C:\Documents and Settings\All
|
|
Users\Documents\IBM\Client Access\NASConfigiseriesb.bat</tt>.</li>
|
|
<li>Select <span class="uicontrol">Include password</span>. This ensures that all
|
|
passwords associated with the <span class="keyword">i5/OS</span> service
|
|
principal are included in the batch file. It is important to note that passwords
|
|
are displayed in clear text and can be read by anyone with read access to
|
|
the batch file. Therefore, it is recommended that you delete the batch file
|
|
from the Kerberos server and from your PC immediately after use.<div class="note"><span class="notetitle">Note:</span> If you
|
|
do not include the password, you will be prompted for the password when the
|
|
batch file is run.</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
|
|
authentication service configuration details. Click <span class="uicontrol">Finish</span>.</span></li>
|
|
</ol>
|
|
</li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain Controller</span> page, specify
|
|
the following information, and click <span class="uicontrol">Next</span>.</span> <ul><li><span class="uicontrol">Domain controller name</span>: <tt>iseriesa.myco.com</tt></li>
|
|
<li><span class="uicontrol">Port</span>: <tt>389</tt></li>
|
|
</ul>
|
|
</li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Specify User for Connection</span> page,
|
|
specify the following information, and click <span class="uicontrol">Next</span></span> <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's DN and password that you created
|
|
earlier in this scenario on <span class="keyword">iSeries</span> A.</div>
|
|
<ul><li><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt></li>
|
|
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
|
|
<li><span class="uicontrol">Password</span>: <tt>mycopwd </tt><div class="note"><span class="notetitle">Note:</span> Any and all passwords
|
|
specified in this scenario are for example purposes only. To prevent a compromise
|
|
to your system or network security, you should never use these passwords as
|
|
part of your own configuration.</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, select the name
|
|
of the domain that you want to join. Click <span class="uicontrol">Next</span>. For
|
|
example, <tt>MyCoEimDomain</tt>.</span></li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local
|
|
i5/OS</span> and deselect <span class="uicontrol">Kerberos registry</span>. (The
|
|
Kerberos registry was created when you created the MyCoEimDomain domain.)
|
|
Click <span class="uicontrol">Next</span>. Write down the registry names. You will
|
|
need these registry names when you create associations to EIM identifiers. </span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li>
|
|
<li>You can enter a specific registry definition name for the user registry
|
|
if you want to use a specific <a href="../rzalv/rzalv_reg_plan.htm ">registry definition naming plan</a>. However, for this scenario
|
|
you can accept the default values.</li>
|
|
</ul>
|
|
</div>
|
|
</li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
|
|
the user the operating system uses when performing EIM operations on behalf
|
|
of operating system functions, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's DN and password that you created
|
|
earlier in this scenario on <span class="keyword">iSeries</span> A.</div>
|
|
<ul><li><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt></li>
|
|
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
|
|
<li><span class="uicontrol">Password</span>: <tt>mycopwd </tt><div class="note"><span class="notetitle">Note:</span> Any and all passwords
|
|
specified in this scenario are for example purposes only. To prevent a compromise
|
|
to your system or network security, you should never use these passwords as
|
|
part of your own configuration.</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration.
|
|
Click <span class="uicontrol">Finish</span>.</span></li>
|
|
</ol>
|
|
<div class="section"><p>You have now configured <span class="keyword">iSeries</span> B
|
|
to participate in the domain and to use network authentication service.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablessoos400.htm" title="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment.">Scenario: Enable single signon for i5/OS</a></div>
|
|
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm">Create a basic single signon configuration for iSeries A</a></div>
|
|
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzaddbothos400serviceprincipalstothekerberosserver.htm">Add both i5/OS service principals to the Kerberos server</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |