<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service" />
<meta name="DC.Relation" scheme="URI" content="rzamzenablessoos400.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzaddbothos400serviceprincipalstothekerberosserver.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure iSeries B
to participate in the EIM domain and configure iSeries B for network authentication
service</title>
</head>
<body id="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice"><a name="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure iSeries B
to participate in the EIM domain and configure iSeries B for network authentication
service</h1>
<div><div class="section"><p>After you have created a new domain and configured network authentication
service on <span class="keyword">iSeries™</span> A, you need
to configure <span class="keyword">iSeries</span> B to participate
in the EIM domain and configure network authentication service on <span class="keyword">iSeries</span> B. Use the information from
your work sheets to complete this step.</p>
</div>
<ol><li class="stepexpand"><span>In <span class="keyword">iSeries Navigator</span>,
expand <span class="menucascade"><span class="uicontrol">iSeries B</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> to
start the configuration wizard.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page, select <span class="uicontrol">Join
an existing domain</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>Complete these tasks to configure network authentication service:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span>. </span> <div class="note"><span class="notetitle">Note:</span> This launches the Network
Authentication Service wizard. This wizard allows you to configure several <span class="keyword">i5/OS™</span> interfaces and services to
participate in a Kerberos network.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page,
enter <tt>MYCO.COM</tt> in the <span class="uicontrol">Default realm</span> field
and select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>.
Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
enter <tt>kdc1.myco.com</tt> for the name of the Kerberos server in the <span class="uicontrol">KDC</span> field
and enter <tt>88</tt> in the <span class="uicontrol">Port</span> field. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select <span class="uicontrol">Yes</span>. Enter <tt>kdc1.myco.com</tt> in the <span class="uicontrol">Password
server</span> field and <tt>464</tt> in the <span class="uicontrol">Port</span> field.
Click <span class="uicontrol">Next</span>. </span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>. Click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page,
enter and confirm a password (for example, <tt>iseriesa123</tt>), and click <span class="uicontrol">Next</span>.
This password will be used when the <span class="keyword">iSeries</span> A
service principal is added to the Kerberos server. </span> <div class="note"><span class="notetitle">Note:</span> Any and
all passwords specified in this scenario are for example purposes only. To
prevent a compromise to your system or network security, you should never
use these passwords as part of your own configuration.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create Batch File</span> page, select <span class="uicontrol">Yes</span>,
specify the following information, and click <span class="uicontrol">Next</span>.</span> <ul><li><span class="uicontrol">Batch file:</span> Add the text <tt>iseriesb</tt> to the
end of the default batch file name. For example, <tt>C:\Documents and Settings\All
Users\Documents\IBM\Client Access\NASConfigiseriesb.bat</tt>.</li>
<li>Select <span class="uicontrol">Include password</span>. This ensures that all
passwords associated with the <span class="keyword">i5/OS</span> service
principal are included in the batch file. It is important to note that passwords
are displayed in clear text and can be read by anyone with read access to
the batch file. Therefore, it is recommended that you delete the batch file
from the Kerberos server and from your PC immediately after use.<div class="note"><span class="notetitle">Note:</span> If you
do not include the password, you will be prompted for the password when the
batch file is run.</div>
</li>
</ul>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Summary</span> page, review the network
authentication service configuration details. Click <span class="uicontrol">Finish</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain Controller</span> page, specify
the following information, and click <span class="uicontrol">Next</span>.</span> <ul><li><span class="uicontrol">Domain controller name</span>: <tt>iseriesa.myco.com</tt></li>
<li><span class="uicontrol">Port</span>: <tt>389</tt></li>
</ul>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify User for Connection</span> page,
specify the following information, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's DN and password that you created
earlier in this scenario on <span class="keyword">iSeries</span> A.</div>
<ul><li><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt></li>
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
<li><span class="uicontrol">Password</span>: <tt>mycopwd</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</li>
</ul>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain</span> page, select the name
of the domain that you want to join (for example, <tt>MyCoEimDomain</tt>).
Click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, select <span class="uicontrol">Local
i5/OS</span> and deselect <span class="uicontrol">Kerberos registry</span>. (The
Kerberos registry was created when you created the MyCoEimDomain domain.)
Click <span class="uicontrol">Next</span>. Write down the registry names. You will
need these registry names when you create associations to EIM identifiers. </span> <div class="note"><span class="notetitle">Note:</span> <ul><li>Registry names must be unique to the domain.</li>
<li>You can enter a specific registry definition name for the user registry
if you want to use a specific <a href="../rzalv/rzalv_reg_plan.htm">registry definition naming plan</a>. However, for this scenario
you can accept the default values.</li>
</ul>
</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
the user the operating system uses when performing EIM operations on behalf
of operating system functions, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> Specify the LDAP administrator's DN and password that you created
earlier in this scenario on <span class="keyword">iSeries</span> A.</div>
<ul><li><span class="uicontrol">User type</span>: <tt>Distinguished name and password</tt></li>
<li><span class="uicontrol">Distinguished name</span>: <tt>cn=administrator</tt></li>
<li><span class="uicontrol">Password</span>: <tt>mycopwd</tt> <div class="note"><span class="notetitle">Note:</span> Any and all passwords
specified in this scenario are for example purposes only. To prevent a compromise
to your system or network security, you should never use these passwords as
part of your own configuration.</div>
</li>
</ul>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Summary</span> page, confirm the EIM configuration.
Click <span class="uicontrol">Finish</span>.</span></li>
</ol>
<div class="section"><p>You have now configured <span class="keyword">iSeries</span> B
to participate in the domain and to use network authentication service.</p>
</div>
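<div class="section"><p>The <span class="uicontrol">Create Batch File</span> step recommends deleting the batch file from the Kerberos server and from your PC immediately after use, because it holds passwords in clear text. The following PowerShell script is an added example, not part of the IBM documentation: it lists leftover batch files with the broad groups that can read them, and deletes them when run with <tt>-Delete</tt>. The <tt>NASConfig*.bat</tt> pattern, the list of broad groups, and the function name <tt>Get-NasBatchExposure</tt> are assumptions; the default folder is the one shown in the scenario.</p>
<pre>
```powershell
# Added example: audit leftover network authentication service batch files.
# The file pattern and the list of broad groups are assumptions; adjust per site.
param(
    [string]$Folder  = 'C:\Documents and Settings\All Users\Documents\IBM\Client Access',
    [string]$Pattern = 'NASConfig*.bat',
    [switch]$Delete
)

# Principals whose read access exposes the clear-text passwords to most users.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-NasBatchExposure {
    param([string]$Folder, [string]$Pattern)
    if (-not (Test-Path -LiteralPath $Folder)) { return @() }
    Get-ChildItem -LiteralPath $Folder -Filter $Pattern -File | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Allow entries that grant read access to a broad principal.
        # Entries expressed only as generic rights are not decoded here.
        $readers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -and
            ($broad -contains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Path         = $_.FullName
            AgeHours     = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1)
            Owner        = $acl.Owner
            BroadReaders = ($readers | Sort-Object -Unique) -join ', '
        }
    }
}

# Report every batch file still present, then delete only when asked to.
$found = @(Get-NasBatchExposure -Folder $Folder -Pattern $Pattern)
$found | Format-Table -AutoSize

if ($Delete) {
    foreach ($f in $found) {
        Remove-Item -LiteralPath $f.Path -Force
        Write-Output "Deleted $($f.Path)"
    }
}
```
</pre>
<p>Run it on both the PC and the Kerberos server once the service principals have been added; an empty report means no batch file matching the pattern remains in that folder.</p>
</div>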
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzenablessoos400.htm" title="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment.">Scenario: Enable single signon for i5/OS</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm">Create a basic single signon configuration for iSeries A</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzamzaddbothos400serviceprincipalstothekerberosserver.htm">Add both i5/OS service principals to the Kerberos server</a></div>
</div>
</div>
</body>
</html>