Completing the planning work sheets

 

Before configuring the Kerberos server and network authentication service in i5/OS® PASE, complete these planning work sheets.

All answers on the prerequisite sheet should be Yes before you proceed with network authentication service setup.

Table 1. Prerequisite planning work sheet
Questions Answers
Is your i5/OS V5R3, or later (5722-SS1)? Yes
Are the following options and licensed programs installed on System A:

  • i5/OS Host Servers (5722-SS1 Option 12)

  • i5/OS PASE (5722-SS1 Option 33)

  • Qshell Interpreter (5722-SS1 Option 30)

  • Network Authentication Enablement (5722-NAE) if you are using V5R4, or later

  • Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3

  • iSeries™ Access for Windows® (5722-XE1)
Yes
Have you installed Windows 2000 or Windows XP on all of your PCs? Yes
Have you installed Windows 2000 Support Tools (which provides the ksetup command) on all of your PCs? Yes
Is iSeries Access for Windows (5722-XE1) installed on the administrator's PC? Yes
Have you installed iSeries Navigator on the administrator's PC?

  • Is the Security subcomponent of iSeries Navigator installed on the administrator's PC?

  • Is the Network subcomponent of iSeries Navigator installed on the administrator's PC?

Yes
Yes
Yes

Have you installed the latest iSeries Access for Windows service pack? See iSeries Access for the latest service pack. Yes
Do you have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? You must have these special authorities to use the Network Authentication Service wizard for this scenario. Yes
Do you have your DNS configured and do you have the correct host names for your System i™ product and Kerberos server? Yes
On which operating system do you want to configure the Kerberos server?

  1. Windows 2000 Server

  2. Windows Server 2003

  3. AIX® Server

  4. i5/OS PASE (V5R3, or later)

  5. z/OS®
i5/OS PASE
Have you applied the latest program temporary fixes (PTFs)? Yes
Is the System i system time within five minutes of the Kerberos server's system time? If not, see Synchronizing system times. Yes

For this scenario, specify a number of different passwords. The following planning worksheet provides a list of the passwords you need to use for this scenario. Refer to this table as you perform the configuration steps for setting up the Kerberos server in i5/OS PASE.

Table 2. Password planning work sheet
Entity Password
i5/OS PASE administrator: admin/admin

i5/OS PASE specifies admin/admin as the default user name for the administrator.

secret
i5/OS PASE Database Master pasepwd
Windows 2000 workstations:

  • pc1.myco.com (John Day's PC)

  • pc2.myco.com (Karen Jones' PC)

secret1
secret2

Kerberos user principals:

  • day@MYCO.COM

  • jones@MYCO.COM

123day
123jones

i5/OS service principal for System A:
krbsvr400/systema.myco.com@MYCO.COM

systema123

The following planning work sheet illustrates the type of information you need before you begin configuring the Kerberos server in i5/OS PASE and network authentication service. All answers on the prerequisite work sheet and password planning work sheet should be answered before you proceed with configuring the Kerberos server in i5/OS PASE.

Table 3. Planning work sheet for configuring a Kerberos server in i5/OS PASE and configuring network authentication service
Questions Answers
What is the name of the Kerberos default realm? MYCO.COM
Is this default realm located on Microsoft® Active Directory? No
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?

KDC: kdc1.myco.com
Port: 88

This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? No

Currently password servers are not supported by i5/OS PASE or AIX.

For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM® HTTP Server

  • iSeries NetServer™
i5/OS Kerberos Authentication
Do you want to create a batch file to automate adding the service principals to Microsoft Active Directory? Not applicable
What is the default user name for the i5/OS PASE administrator?

What is the password you want to specify for the i5/OS PASE administrator?

User name: admin/admin
Password: secret

What is the naming convention for your principals that represent users in your network? Principals that represent users will be lowercase family name followed by the uppercase realm name
What are the Kerberos user principal names for these users:

  • John Day

  • Karen Jones

day@MYCO.COM
jones@MYCO.COM

What are the i5/OS user profile names for these users:

  • John Day

  • Karen Jones

JOHND
KARENJ

What are the Windows 2000 user names for these users:

  • John Day

  • Karen Jones

johnday
karenjones

What are the host names for these Windows 2000 workstations:

  • John Day's PC

  • Karen Jones' PC

pc1.myco.com
pc2.myco.com

What is the name of the i5/OS service principal for System A? krbsvr400/systema.myco.com@MYCO.COM

The name of this service principal is for example purposes only. In your configuration, specify the host name and domain of your i5/OS in the name of the service principal.

 

Parent topic:

Scenario: Setting up a Kerberos server in i5/OS PASE
Next topic: Configuring Kerberos server in i5/OS PASE