Completing the planning work sheets

 

Before setting up cross-realm trust, complete these planning work sheets.

All answers on the prerequisite work sheet should be Yes before you proceed with setting up cross-realm trust.

Table 1. Prerequisite planning work sheet
Questions Answers
Is your i5/OS® V5R3, or later (5722-SS1)? Yes
Are the following options and licensed programs installed on System A:

  • i5/OS Host Servers (5722-SS1 Option 12)

  • iSeries™ Access for Windows® (5722-XE1)

  • Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later

  • Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
Yes
Are the following licensed programs installed on System B:

  • iSeries Access for Windows (5722-XE1)

  • Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later

  • Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3

  • i5/OS PASE (5722-SS1 Option 33)
Yes
Have you installed Windows 2000 on all of your PCs? Yes
Is iSeries Access for Windows (5722-XE1) installed on the PC used to administer network authentication service? Yes
Have you installed iSeries Navigator and the following subcomponents on the PC used to administer network authentication service?

  • Security

  • Network
Yes
Have you installed the latest iSeries Access for Windows service pack? See iSeries Access for the latest service pack. Yes
Do you have *ALLOBJ special authority on the systems? Yes
Do you have administrative authorities on the Windows 2000 server? Yes
Do you have your DNS configured and do you have the correct host names for your System i™ platform and Kerberos server? Yes
On which operating system do you want to configure the Kerberos server?

  1. Windows 2000 Server

  2. Windows Server 2003

  3. AIX® Server

  4. i5/OS PASE (V5R3 or later)

  5. z/OS®
i5/OS PASE
Have you applied the latest program temporary fixes (PTFs)? Yes
Is the System i system time within five minutes of the Kerberos server's system time? If not, see Synchronizing system times. Yes

The following planning work sheet illustrates the type of information you need before you begin setting up cross-realm trust.

Planning work sheet for cross-realm trust
Table 2. Planning work sheet for cross-realm trust
Answers
What are the names of the realms for which you want to establish a trusted relationship?

  • The Kerberos realm using the Windows 2000 server as its Kerberos server

  • The Kerberos realm using System B as its Kerberos server (configured in i5/OS PASE)

ORDEPT.MYCO.COM
SHIPDEPT.MYCO.COM

Have all i5/OS service principals and user principals been added to their respective Kerberos servers? Yes
What is the default user name for the i5/OS PASE administrator?

What is the password you want to specify for the i5/OS PASE administrator?

This must be the same password you used when you created the Kerberos server in i5/OS PASE.

User name: admin/admin
Password: secret

What are the names of the principals that will be used to set up cross realm trust?

What is the password for each of these principals?

Principal:
krbtgt/SHIPDEPT.MYCO.COM@ORDEPT.MYCO.COM

Password: shipord1

Principal:
krbtgt/ORDEPT.MYCO.COM@SHIPDEPT.MYCO
.COM

Password: shipord2

What are the fully qualified host names for each of the Kerberos servers for these realms?

  • ORDEPT.MYCO.COM

  • SHIPDEPT.MYCO.COM

kdc1.ordept.myco.com
systemb.shipdept.myco.com

Are the system times for all systems within five minutes of one another? If not, see Synchronizing system times. Yes

 

Parent topic:

Scenario: Setting up cross-realm trust
Next topic: Ensuring that the Kerberos server in i5/OS PASE on System B has started