Testing authentication on the endpoint systems

 

After the servers are restarted, the systems use Kerberos for authentication and the trusted group for authorization. For a system to accept and carry out a request, that system verifies not only that the requesting system has a valid Kerberos principal, but also that it trusts that Kerberos principal by checking if that principal is in its trusted group list.

You need to repeat these steps on each of the target systems, using the following i5/OS® service principals:

To verify that Kerberos authentication is working on the endpoint systems, complete the following tasks:

Be sure you have created a home directory for your i5/OS user profile before performing these tasks.

  1. Close any sessions of iSeries™ Navigator.

  2. On a command line, enter QSH to start the Qshell Interpreter.

  3. Enter keytab list to display a list of principals registered in the keytab file. You should see results that are similar to this display:
    Principal: krbsvr400/systema.myco.com@MYCO.COM
      Key version: 2
      Key type: 56-bit DES using key derivation
      Entry timestamp: 200X/05/29-11:02:58

  4. Enter kinit -k krbsvr400/systema.myco.com@MYCO.COM to request a ticket-granting ticket from the Kerberos server. This command verifies that your system has been configured properly and that the password in the keytab file matches the password stored on the Kerberos server. If this is successful, the kinit command completes without displaying errors.

  5. Enter klist to verify that the default principal is krbsvr400/systema.myco.com@MYCO.COM. This command displays the contents of a Kerberos credentials cache and verifies that a valid ticket has been created for the i5/OS service principal and placed within the credentials cache on the system.
    Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
    Default principal: krbsvr400/systema.myco.com@MYCO.COM

    Server: krbtgt/MYCO.COM@MYCO.COM
      Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45
    $
You have now completed the tasks required to configure your Management Central server jobs to use Kerberos authentication between endpoint systems.
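
The checks in steps 3 through 5 can be scripted so that they run identically on every endpoint system. The following is an added example, not part of the original documentation: it parses captured keytab list and klist output, assuming the layout shown in the displays above, and all function and variable names are hypothetical. It also warns on the 56-bit DES key type, because single-DES encryption types are deprecated for Kerberos (RFC 6649).

```shell
# Added example (not IBM code); all names are hypothetical.
# Sample output below is constructed from the displays on this page.
SAMPLE_KEYTAB='Principal: krbsvr400/systema.myco.com@MYCO.COM
  Key version: 2
  Key type: 56-bit DES using key derivation
  Entry timestamp: 200X/05/29-11:02:58'
SAMPLE_KLIST='Ticket cache: FILE:/QIBM/USERDATA/OS400/NETWORKAUTHENTICATION/creds/krbcred
Default principal: krbsvr400/systema.myco.com@MYCO.COM

Server: krbtgt/MYCO.COM@MYCO.COM
  Valid 200X/06/09-12:08:45 to 20XX/11/05-03:08:45'

# Step 3: print the key type of every keytab entry for principal $1 (stdin:
# keytab list output). Exact string comparison, so "." is not a wildcard.
keytab_key_types() {
    awk -v want="$1" '
        $1 == "Principal:" { cur = $2 }
        $1 == "Key" && $2 == "type:" && cur == want {
            sub(/^[ \t]*Key type:[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }'
}

# Step 5: print the default principal of the credentials cache (stdin: klist).
klist_default_principal() {
    awk '$1 == "Default" && $2 == "principal:" { print $3; exit }'
}

# Step 5: succeed only if the cache holds a ticket-granting ticket for realm $1.
klist_has_tgt() {
    awk -v want="krbtgt/$1@$1" '
        $1 == "Server:" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_endpoint <principal> <keytab list output> <klist output>
# Returns 0 = pass, 1 = not in keytab, 2 = wrong default principal, 3 = no TGT.
verify_endpoint() {
    principal=$1; realm=${principal##*@}
    types=$(printf '%s\n' "$2" | keytab_key_types "$principal")
    [ -n "$types" ] || { echo "FAIL: $principal not in keytab"; return 1; }
    [ "$(printf '%s\n' "$3" | klist_default_principal)" = "$principal" ] ||
        { echo "FAIL: default principal is not $principal"; return 2; }
    printf '%s\n' "$3" | klist_has_tgt "$realm" ||
        { echo "FAIL: no krbtgt ticket for $realm"; return 3; }
    case $types in *"56-bit DES"*) echo "WARN: $principal has a single-DES key" ;; esac
    echo "OK: $principal"
}

verify_endpoint "krbsvr400/systema.myco.com@MYCO.COM" "$SAMPLE_KEYTAB" "$SAMPLE_KLIST"
```

On an endpoint system, after step 4 has run, the same function can be given live output: verify_endpoint "$principal" "$(keytab list)" "$(klist)".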

 
