Adding Kerberos service principal to the trusted group file for each endpoint

 

After all the Management Central servers have been restarted, you need to add the central system's Kerberos service principal to the trusted group file for each of the endpoint systems. From the central system, run a remote command, such as Display Library List (DSPLIBL), to all the endpoint systems. Each endpoint system automatically adds the central system's Kerberos service principal to its individual trusted group file because Add to trusted group is selected as the authentication level on each endpoint system. You can run any remote command from the central system to an endpoint system to cause the Management Central server job on the endpoint system to record the necessary Kerberos service principals in the trusted group file. The DSPLIBL command is used for example purposes only.

If you use a model or source system to run tasks, such as send fixes, send users, or synchronize time, you should run these tasks so that the correct Kerberos service principals are added to the correct trusted group files.

For this scenario, you decide to run a remote command to all the endpoint systems to add the Kerberos service principal to the trusted group file on each endpoint system. To run a remote command, follow these steps:

  1. In iSeries™ Navigator, expand Management Central (System A) > System Groups.

  2. Right-click MyCo2 system group and select Run Command.

  3. On the Run Command-MyCo2 system group page, enter dsplibl in the Commands to run field and click OK to start the command task immediately. You can also click Previous Commands to select from a list of commands you have previously run, or you can click Prompt to get assistance in entering or selecting an i5/OS® command.

  4. By default, a dialog box is displayed that indicates the Run Command task has started. However, if you have changed the default setting, this dialog box is not displayed. Click OK.

  5. On the Run Command Status dialog box, verify that the command completes on each system and close the dialog box.

 
