Configuring a secondary Kerberos server


After you have configured the primary Kerberos server in i5/OS® PASE, you can optionally configure a secondary Kerberos server to use as a backup server in case your primary Kerberos server goes down or is too busy to handle requests.

For example, you currently use System A as your Kerberos server. Now you want to configure System B to be your secondary (backup) Kerberos server.

A Kerberos server is also known as a key distribution center (KDC).

The following figure illustrates the System i™ products described in the following instructions.

Details

To configure System B to be a secondary Kerberos server in i5/OS PASE, follow these steps:

  1. Configure System B as a client.

    1. In a character-based interface on System B, type call QP2TERM. This command opens an interactive shell environment where you can work with i5/OS PASE applications.
    2. At the command line, enter the following command:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter:

      config.krb5 -E -d rchland.ibm.com -r MYCO.COM -s lp16b1b.rchland.ibm.com

    4. Enter the administrator password; for example: secret

    The config.krb5 command configures the client, primary server, and secondary server. The -C flag configures the client on System C. The -s flag configures the primary Kerberos server on System A. The -E flag configures the secondary Kerberos server on System B.

  2. Add an i5/OS principal for Systems A and B to the Kerberos server on System A.

    1. In a character-based interface on System A, enter call QP2TERM. This command opens an interactive shell environment where you can work with i5/OS PASE applications.
    2. At the command line, enter:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter kadmin -p admin/admin.
    4. Sign in with the administrator's password; for example: secret.
    5. At the command line, enter the following command:

      addprinc -randkey -clearpolicy host/systema.myco.com

    6. At the command line, enter the following command:

      addprinc -randkey -clearpolicy host/systemb.myco.com

  3. Propagate the master database from the primary Kerberos server to the secondary Kerberos server.

    1. In a character-based interface on System A, enter call QP2TERM. This command opens an interactive shell environment where you can work with i5/OS PASE applications.
    2. At the command line, enter the following command:

      export PATH=$PATH:/usr/krb5/sbin

      This command points to the Kerberos scripts that are necessary to run the executable files.

    3. At the command line, enter:

      /usr/krb5/sbin/config.krb5 -P -r MYCO.COM -d rchland.ibm.com -e rchasrc2.rchland.ibm.com

      Tip: This command is displayed in a message on the primary Kerberos system; you can cut and paste it from there.

      The -P flag propagates the master database from the primary Kerberos server to the secondary Kerberos server. The -r flag specifies the realm name. The -d flag specifies the name of the DNS domain. The -e flag specifies the host name of the secondary Kerberos server.

  4. On the secondary Kerberos server, verify that the master database has been propagated successfully.

    1. On the secondary Kerberos server, answer Y to the following prompt: Have you successfully run the above command?

    2. Enter the database master password; for example: pasepwd. This command picks up the master key.
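As an added example (not part of the IBM page), the following script shows one way to confirm step 4 beyond the prompt: compare the principal list of the primary KDC with that of the secondary and report anything that did not make it across. On a live system each list would come from an administrative listing of principals on that server (an assumption about the local tooling); here both lists are constructed inline so the check runs offline.

```shell
#!/bin/sh
# Added example: verify that the -P propagation carried every principal from
# System A (primary) to System B (secondary). The two lists below are
# constructed sample data, not output captured from a real KDC.

# Constructed principal list of the primary after step 2 added both host principals.
primary_princs() {
  cat <<'EOF'
K/M@MYCO.COM
admin/admin@MYCO.COM
host/systema.myco.com@MYCO.COM
host/systemb.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM
EOF
}

# Constructed principal list of the secondary, as it would look if the database
# had been propagated before the host/systemb principal was added on the primary.
secondary_princs() {
  cat <<'EOF'
K/M@MYCO.COM
admin/admin@MYCO.COM
host/systema.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM
EOF
}

# Print principals present on the primary but absent from the secondary.
# Arguments are the names of two functions that emit one principal per line.
# comm needs sorted input, so both lists are sorted into temporary files first.
missing_on_secondary() {
  p=$(mktemp) || return 1
  s=$(mktemp) || { rm -f "$p"; return 1; }
  "$1" | sort > "$p"
  "$2" | sort > "$s"
  comm -23 "$p" "$s"
  rm -f "$p" "$s"
}

# Succeed (exit 0) only when nothing is missing, i.e. the propagation is complete.
propagation_complete() {
  [ -z "$(missing_on_secondary "$1" "$2")" ]
}
```

With the sample data above, the check reports host/systemb.myco.com@MYCO.COM as missing, which is the cue to rerun the -P propagation from the primary.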


Parent topic: Configuring a Kerberos server in i5/OS PASE
Previous topic: Configuring Windows 2000 and Windows XP workstations