236 lines
16 KiB
HTML
236 lines
16 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Scenario: Create a single signon test environment" />
|
|
<meta name="abstract" content="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise." />
|
|
<meta name="description" content="In this scenario, you want to configure network authentication service and EIM to create a basic single signon test environment. Use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzscenarios.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcompletetheplanningworksheets.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcreatehomedirectoryforjohndayoniseriesa.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamztestnetworkauthenticationserviceconfigurationoniseriesa.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcreateeimidentifierforjohnday.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzcreatesourceassociationandtargetassociationfortheneweimidentifier.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamztesteimidentitymappings.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzconfigureiseriesaccess.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzverifynetworkauthenticationserviceandeimconfiguration.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamzoptionalpostconfigurationconsiderations.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhpdns.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservercncpts.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconcept.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzamzenablesso" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Scenario: Create a single signon test environment</title>
|
|
</head>
|
|
<body id="rzamzenablesso"><a name="rzamzenablesso"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Scenario: Create a single signon test environment</h1>
|
|
<div><p>In this scenario, you want to configure network authentication
|
|
service and EIM to create a basic single signon test environment. Use this
|
|
scenario to gain a basic understanding of what configuring a single signon
|
|
environment involves on a small scale before implementing single signon across
|
|
an entire enterprise.</p>
|
|
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You,
|
|
John Day, are a network administrator for a large wholesale company. Currently
|
|
you spend much of your time troubleshooting password and user identity problems,
|
|
such as forgotten passwords. Your network is comprised of several <span class="keyword">iSeries™</span> systems and a <span class="keyword">Windows<sup>®</sup> 2000</span> server,
|
|
where your users are registered in Microsoft<sup>®</sup> Windows Active Directory. Based on your
|
|
research, you know that Microsoft Active Directory uses the
|
|
Kerberos protocol to authenticate Windows users. You also know that the <span class="keyword">iSeries</span> provides a single signon solution
|
|
based on an implementation of Kerberos authentication, called network authentication
|
|
service, in conjunction with EIM. </p>
|
|
<p>You are excited about the benefits
|
|
of using single signon. However, you want to thoroughly understand single
|
|
signon configuration and usage before you begin using it across your entire
|
|
enterprise. Consequently, you decide to configure a test environment first.</p>
|
|
<p>After
|
|
considering the various groups in your company, you decide to create the test
|
|
environment for the Order Receiving department. The employees in the Order
|
|
Receiving department use multiple applications on one <span class="keyword">iSeries</span> system
|
|
to handle incoming customer orders. Consequently, the Order Receiving department
|
|
provides an excellent opportunity for you to create a single signon test environment
|
|
that you can use to better understand how single signon works and how to plan
|
|
a single signon implementation across your enterprise.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Scenario advantages</h4><ul><li>Allows you to see some of the benefits of single signon on a small scale
|
|
to better understand how you can take full advantage of it before you create
|
|
a large-scale, single signon environment.</li>
|
|
<li>Provides you with a better understanding of the planning process you need
|
|
to use to successfully and to more quickly implement single signon across
|
|
your entire enterprise.</li>
|
|
<li>Minimizes the learning curve of implementing single signon across your
|
|
enterprise.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>As the
|
|
network administrator at MyCo, Inc., you want to create a small single signon
|
|
environment for testing that includes a small number of users and a single <span class="keyword">iSeries</span> system. You want to perform
|
|
thorough testing to ensure that user identities are correctly mapped within
|
|
your test environment. Based on this configuration, you eventually want to
|
|
expand the test environment to include the other systems and users in your
|
|
enterprise.</p>
|
|
<p>The objectives of this scenario are as follows:</p>
|
|
<ul><li>The <span class="keyword">iSeries</span> system, known
|
|
as <span class="keyword">iSeries</span> A, must be able
|
|
to use Kerberos within the MYCO.COM realm to authenticate the users and services
|
|
that are participating in this single signon test environment. To enable the
|
|
system to use Kerberos, <span class="keyword">iSeries</span> A
|
|
must be configured for network authentication service.</li>
|
|
<li>The directory server on <span class="keyword">iSeries</span> A
|
|
must function as the domain controller for the new EIM domain.<div class="note"><span class="notetitle">Note:</span> Refer
|
|
to <a href="rzamzdomains.htm">Domains</a> to learn how an EIM
|
|
domain and a <span class="keyword">Windows 2000</span> domain
|
|
both fit into the single signon environment.</div>
|
|
</li>
|
|
<li>One user profile on <span class="keyword">iSeries</span> A
|
|
and one Kerberos principal must each be mapped to a single EIM identifier.</li>
|
|
<li>A Kerberos service principal must be used to authenticate the user to
|
|
the <span class="keyword">iSeries Access for Windows</span> applications.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
|
|
figure illustrates the network environment for this scenario.</p>
|
|
<p><br /><img src="rzamz501.gif" alt=" Single signon test environment diagram" /><br /></p>
|
|
<p>The figure illustrates the following points relevant to this
|
|
scenario.</p>
|
|
<p><span class="uicontrol">EIM domain data defined for the enterprise</span></p>
|
|
<ul><li>An EIM registry definition for <span class="keyword">iSeries</span> A
|
|
called ISERIESA.MYCO.COM.</li>
|
|
<li>An EIM registry definition for the Kerberos registry called MYCO.COM.</li>
|
|
<li>An EIM identifier called John Day. This identifier uniquely identifies
|
|
John Day, the administrator for MyCo.</li>
|
|
<li>A source association for the jday Kerberos principal on the <span class="keyword">Windows 2000</span> server.</li>
|
|
<li>A target association for the JOHND user profile on <span class="keyword">iSeries</span> A.</li>
|
|
</ul>
|
|
<p><strong><span class="keyword">Windows 2000</span> server</strong></p>
|
|
<ul><li>Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution
|
|
center (KDC), for the network.</li>
|
|
<li>The default realm for the Kerberos server is <tt>MYCO.COM</tt>.</li>
|
|
<li>A Kerberos principal of jday is registered with the Kerberos server on
|
|
the <span class="keyword">Windows 2000</span> server. This principal
|
|
will be used to create a source association to the EIM identifier, John Day.</li>
|
|
</ul>
|
|
<p><strong><span class="keyword">iSeries</span> A</strong></p>
|
|
<ul><li>Runs <span class="keyword">i5/OS™</span> Version
|
|
5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers
|
|
(5722-SS1 Option 12)</li>
|
|
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
|
|
<li><span class="keyword">iSeries Access for Windows</span> (5722-XE1)</li>
|
|
</ul>
|
|
<div class="note"><span class="notetitle">Note:</span> You can implement this scenario using a server that runs <span class="keyword">OS/400<sup>®</sup></span> V5R2 or <span class="keyword">i5/OS</span> V5R3.
|
|
However, some of the configuration steps will be slightly different due to <span class="keyword">i5/OS</span> V5R4 enhancements. </div>
|
|
</li>
|
|
<li>The IBM<sup>®</sup> Directory
|
|
Server for <span class="keyword">iSeries</span> (LDAP) on <span class="keyword">iSeries</span> A will be configured to be the
|
|
EIM domain controller for the new EIM domain, MyCoEimDomain.</li>
|
|
<li><span class="keyword">iSeries</span> A participates
|
|
in the EIM domain, MyCoEimDomain.</li>
|
|
<li>The principal name for <span class="keyword">iSeries</span> A
|
|
is <tt>krbsvr400/iseriesa.myco.com@MYCO.COM</tt>.</li>
|
|
<li>The user profile of JOHND exists on <span class="keyword">iSeries</span> A.
|
|
You will create a target association between this user profile and the EIM
|
|
identifier, John Day.</li>
|
|
<li>The home directory for the <span class="keyword">i5/OS</span> user
|
|
profile, JOHND, (/home/JOHND) is defined on <span class="keyword">iSeries</span> A.</li>
|
|
</ul>
|
|
<p><span class="uicontrol">Client PC used for single signon administration</span></p>
|
|
<ul><li>Runs Microsoft <span class="keyword">Windows 2000</span> operating
|
|
system.</li>
|
|
<li>Runs <span class="keyword">i5/OS</span> V5R4 iSeries Access
|
|
for Windows (5722-XE1).</li>
|
|
<li>Runs <span class="keyword">iSeries Navigator</span> with the
|
|
following subcomponents installed:<ul><li>Network</li>
|
|
<li>Security</li>
|
|
</ul>
|
|
</li>
|
|
<li>Serves as the primary logon system for administrator John Day.</li>
|
|
<li>Configured to be part of the MYCO.COM realm (Windows domain).</li>
|
|
</ul>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>Successful
|
|
implementation of this scenario requires that the following assumptions and
|
|
prerequisites are met:</p>
|
|
<ol><li>All system requirements, including software and operating system installation,
|
|
have been verified.<div class="p">To verify that the licensed programs have been installed,
|
|
complete the following:<ol type="a"><li>In <span class="keyword">iSeries Navigator</span>, expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">Software</span> > <span class="uicontrol">Installed Products</span></span>.</li>
|
|
<li>Ensure that all the necessary licensed programs are installed.</li>
|
|
</ol>
|
|
</div>
|
|
</li>
|
|
<li>All necessary hardware planning and setup is complete.</li>
|
|
<li>TCP/IP and basic system security are configured and tested on each system.</li>
|
|
<li>The directory server and EIM should not be previously configured on <span class="keyword">iSeries</span> A.<div class="note"><span class="notetitle">Note:</span> Instructions in this
|
|
scenario are based on the assumption that the directory server has not been
|
|
previously configured on <span class="keyword">iSeries</span> A.
|
|
However, if you already configured the directory server, you can still use
|
|
these instructions with only slight differences. These differences are noted
|
|
in the appropriate places within the configuration steps.</div>
|
|
</li>
|
|
<li>A single DNS server is used for host name resolution for the network.
|
|
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
|
|
with Kerberos authentication may result in name resolution errors or other
|
|
problems..</div>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><div class="note"><span class="notetitle">Note:</span> You
|
|
need to thoroughly understand the concepts related to single signon which
|
|
include network authentication service and Enterprise Identity Mapping (EIM)
|
|
concepts, before you implement this scenario. If you are ready to continue
|
|
with this scenario complete the following steps: </div>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<ol>
|
|
<li class="olchildlink"><a href="rzamzcompletetheplanningworksheets.htm">Complete the planning work sheets</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa.htm">Create a basic single signon configuration for iSeries A</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzaddiseriesaserviceprincipaltothekerberosserver.htm">Add iSeries A service principal to the Kerberos server</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzcreatehomedirectoryforjohndayoniseriesa.htm">Create home directory for John Day on iSeries A</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamztestnetworkauthenticationserviceconfigurationoniseriesa.htm">Test network authentication service configuration on iSeries A</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzcreateeimidentifierforjohnday.htm">Create EIM identifier for John Day</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzcreatesourceassociationandtargetassociationfortheneweimidentifier.htm">Create source association and target association for the new EIM identifier</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamztesteimidentitymappings.htm">Test EIM identity mappings</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzconfigureiseriesaccess.htm">Configure iSeries Access for Windows applications to use Kerberos authentication</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzverifynetworkauthenticationserviceandeimconfiguration.htm">Verify network authentication service and EIM configuration</a><br />
|
|
</li>
|
|
<li class="olchildlink"><a href="rzamzoptionalpostconfigurationconsiderations.htm">(Optional) Post configuration considerations</a><br />
|
|
</li>
|
|
</ol>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzscenarios.htm" title="Use this information to review scenarios that illustrate typical single signon implementation situations to help you plan your own certificate implementation as part of your server security policy.">Scenarios</a></div>
|
|
</div>
|
|
<div class="relinfo"><strong>Related information</strong><br />
|
|
<div><a href="../rzakh/rzakhpdns.htm">Host name resolution considerations</a></div>
|
|
<div><a href="../rzalv/rzalveservercncpts.htm">Enterprise Identity Mapping (EIM)</a></div>
|
|
<div><a href="../rzakh/rzakhconcept.htm">Network authentication service</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |