Configuring a Kerberos server in i5/OS PASE

To provide an integrated runtime environment for AIX^® applications, configure and manage a Kerberos server from your System i™ platform. i5/OS^® supports a Kerberos server in i5/OS Portable Application Solutions Environment (PASE). i5/OS PASE provides an integrated runtime environment for AIX applications. You can configure and manage a Kerberos server from your System i platform. To configure a Kerberos server in i5/OS PASE, complete the following steps:

1. In a character-based interface, type call QP2TERM at the command prompt. This command opens an interactive shell environment where you can work with i5/OS PASE applications.

2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This command points to the Kerberos scripts that are necessary to run the executable files.

3. At the command line, enter config.krb5 -S -d systema.myco.com -r MYCO.COM, where -d is the DNS of your network and -r is the realm name. (In this example, myco.com is the DNS name and MYCO.COM is the realm name.) This command updates the krb5.config file with the domain name and realm for the Kerberos server, creates the Kerberos database within the integrated file system, and configures the Kerberos server in i5/OS PASE. You will be prompted to add a database Master Password and a password for the admin/admin principal, which is used to administer the Kerberos server.

   For V5R3 and V5R4, only the existing database is supported for storing Kerberos principals. The LDAP directory plug-in is currently not supported.

4. Optional: If you want the Kerberos server and the administration server to automatically start during an initial program load (IPL), you need to perform two additional steps. You must create a job description and add an autostart job entry. To configure i5/OS to automatically start the Kerberos server and administration server during an IPL, follow these steps:
   1. Create a job description.

      At an i5/OS command line, type the following command where xxxxxx is the i5/OS user profile with *ALLOBJ user authority:

      CRTJOBD JOBD(QGPL/KRB5PASE) JOBQ(QSYS/QSYSNOMAX) TEXT('Start KDC and admin server in PASE') USER(xxxxxx) RQSDTA('QSYS/CALL PGM(QSYS/QP2SHELL) PARM(''/usr/krb5/sbin/start.krb5'')') SYNTAX(*NOCHK) INLLIBL(*SYSVAL) ENDSEV( 30)

   2. Add an autostart job entry. At the command line, type the following command:

      ADDAJE SBSD(QSYS/QSYSWRK) JOB(KRB5PASE) JOBD(QGPL/KRB5PASE).

   As an alternative to starting the servers during an IPL, you can manually start the servers after the IPL by following these steps:

   1. In a character-based interface, type call QP2TERM to open the i5/OS PASE interactive shell environment.

   2. At the command line, enter /usr/krb5/sbin/start.krb5 to start the servers.

What do I do next?

If you are using Windows^® 2000 or Windows XP workstations with a Kerberos server that is not configured through Windows 2000 Active Directory, (such as a Kerberos server in i5/OS PASE), perform several configuration steps on both the Kerberos server and the workstation to ensure that Kerberos authentication works properly.

1. Changing encryption values on Kerberos server
   To operate with Windows workstations, the Kerberos server default encryption settings need to be changed so that clients can be authenticated to the i5/OS PASE Kerberos server.
2. Stopping and restarting the Kerberos server
   You must stop and restart the Kerberos server in i5/OS PASE to update the encryption values that you just changed.
3. Creating host, user, and service principals
   Here is the procedure for creating host principals for your Windows 2000 and Windows XP workstations and for creating user and service principals on your Kerberos server.
4. Configuring Windows 2000 and Windows XP workstations
   To configure your client workstations, set the Kerberos realm and the Kerberos server.
5. Configuring a secondary Kerberos server
   After you have configured the primary Kerberos server in i5/OS PASE, you can optionally configure a secondary Kerberos server to use as a backup server in case your primary Kerberos server goes down or is too busy to handle requests.

Parent topic: