Planning principal names


Principals are names of users or services in a Kerberos network. Principal names consist of the user name or service name and the name of the realm to which that user or service belongs.

If Mary Jones uses the realm MYCO.COM, her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal name and its associated password to be authenticated by a centralized Kerberos server. All principals are added to the Kerberos server, which maintains a database of all users and services within a realm.

When developing a system for naming principals, you should assign principal names using a consistent naming convention that will accommodate current and future users. Use the following suggestions to establish a naming convention for your principals:


i5/OS principal names

When you configure network authentication service on System i™ platforms, the principal names can optionally be created. Each of these principals represents a service located on the i5/OS® operating system. During the configuration of network authentication service, a key table entry is created on the system for each of the service principals that you choose to create. This key table entry stores the service principal name and the encrypted password that you specified during configuration. It is important to note that all i5/OS service principals need to be added to the Kerberos server after network authentication service is configured. The method of adding the i5/OS principal to the Kerberos server varies based on the Kerberos server that you have configured in your enterprise. For instructions on how to add the i5/OS principal name to either a Windows® 2000 domain or a Kerberos server in i5/OS PASE, see Adding i5/OS principals to the Kerberos server. The following information describes each of the i5/OS service principals that are created during network authentication service configuration:

i5/OS Kerberos Authentication

When you choose to create a keytab entry for i5/OS Kerberos Authentication, the service principal is generated in the keytab file in one of these formats: krbsvr400/System i fully qualified domain name@REALM NAME or krbsvr400/System i host name@REALM NAME. For example, a valid service principal for i5/OS Kerberos Authentication might be krbsvr400/systema.myco.com@MYCO.COM or krbsvr400/systema@MYCO.COM. i5/OS generates the principal based on the host name that it finds on either the DNS server or on the System i platform depending on how the System i platform is configured to resolve host names.

The service principal is used for several i5/OS interfaces, such as QFileSrv.400, Telnet, Distributed Relational Database Architecture™ (DRDA®), iSeries™ NetServer™, and IBM® eServer™ iSeries Access for Windows including iSeries Navigator. Each of these applications might require additional configuration to enable Kerberos authentication.

LDAP

In addition to the i5/OS service principal name, you can optionally configure additional service principals for IBM Directory Server for iSeries (LDAP) during network authentication service configuration. The LDAP principal name is ldap/System i fully qualified domain name@REALM NAME. For example, a valid LDAP principal name might be ldap/systema.myco.com@MYCO.COM. This principal name identifies the directory server located on that System i platform.

In past releases, the Network Authentication Service wizard created an uppercase keytab entry for LDAP service. If you have configured the LDAP principal previously, when you reconfigure network authentication service or access the wizard through the Enterprise Identity Mapping (EIM) interface, you will be prompted to change this principal name to its lowercase version.

If you plan on using Kerberos authentication with the directory server, you not only need to configure network authentication service, but also change properties for the directory server to accept Kerberos authentication. When Kerberos authentication is used, directory server associates the server distinguished name (DN) with the Kerberos principal name. You can choose to have the server DN associated by using one of the following methods:

  • The server can create a DN based on the Kerberos principal name. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.

  • The server can search the directory for a distinguished name (DN) that contains an entry for the Kerberos principal and realm. When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.

See IBM Directory Server for iSeries (LDAP) for details on configuring Kerberos authentication for the directory server.

HTTP Server powered by Apache

In addition to the i5/OS service principal name, you can optionally configure additional service principals for HTTP Server powered by Apache (HTTP) during network authentication service configuration. The HTTP principal name is HTTP/System i fully qualified domain name@REALM NAME. This principal name identifies the HTTP Server instances on the System i platform that will be using Kerberos to authenticate Web users. To use Kerberos authentication with an HTTP Server instance, you also need to complete additional configuration steps that pertain to HTTP Server.

See the HTTP Server for i5/OS documentation home page for information about using Kerberos authentication with HTTP Server.

iSeries NetServer

For iSeries NetServer, you can also choose to create several NetServer principals that are automatically added to the keytab file on the System i platform. Each of these NetServer principals represents one of the potential clients that you might use to connect with iSeries NetServer. The following table shows the iSeries NetServer principal names and the clients that they represent:

Table 1. iSeries NetServer principal names

Client connection: Windows XP
iSeries NetServer principal names:
  • cifs/System i fully qualified domain name
  • cifs/System i host name
  • cifs/QSystem i host name
  • cifs/qSystem i host name
  • cifs/IP address

Client connection: Windows 2000
iSeries NetServer principal names:
  • HOST/System i fully qualified domain name
  • HOST/System i host name
  • HOST/QSystem i host name
  • HOST/qSystem i host name
  • HOST/IP address

See iSeries NetServer for more information about using Kerberos authentication with this application.

Example planning work sheet

Table 2. Example principal planning work sheet

Question: What is the naming convention that you plan to use for Kerberos principals that represent users in your network?
Answer: First initial followed by the first five letters of the family name in lowercase, for example, mjones

Question: What is the naming convention for applications on your network?
Answer: Descriptive name followed by a number, for example, database123

Question: For which i5/OS services do you plan to use Kerberos authentication?
Answer: i5/OS Kerberos authentication will be used for the following services:
  1. iSeries Access for Windows, iSeries Navigator, NetServer, and Telnet
  2. HTTP Server powered by Apache
  3. LDAP

Question: What are the i5/OS principal names for each of these i5/OS services?
Answer:
  1. krbsvr400/systema.myco.com@MYCO.COM
  2. HTTP/systema.myco.com@MYCO.COM
  3. ldap/systema.myco.com@MYCO.COM
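The following Python module is an added illustration of the planning work sheet and of the service principal formats described in the sections above; it is not IBM code and not part of any i5/OS tool. It builds the user principal from the work sheet's naming convention, the krbsvr400, ldap and HTTP service principals, the NetServer principals from Table 1, and the ibm-kn= distinguished name the directory server can derive from a Kerberos identity. It also shows why an older uppercase LDAP keytab entry does not serve a request for the lowercase ldap principal, since principal comparison is exact. The host systema.myco.com and realm MYCO.COM are taken from the page; the IP address 10.1.1.5 is a constructed sample value, "QSystem i host name" is read as the letter Q prefixed to the short host name, and the NetServer names are given a realm suffix (which Table 1 omits) on the assumption that keytab entries carry it.

```python
"""Principal-name planning helper for the i5/OS services described above.
Added illustration only: not IBM code and not an i5/OS tool.  Host
systema.myco.com and realm MYCO.COM come from the page; the IP address
10.1.1.5 is a constructed sample value."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kerberos principal syntax: name@REALM for users, service/instance@REALM
# for services.  All three parts are compared case-sensitively.
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$"
)


@dataclass(frozen=True)
class Principal:
    primary: str                 # user name, or service such as krbsvr400
    instance: Optional[str]      # host part; None for user principals
    realm: str

    def __str__(self) -> str:
        head = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{head}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split a principal string into its parts; reject names without a realm."""
    m = _PRINCIPAL_RE.match(text)
    if m is None:
        raise ValueError(f"not a valid Kerberos principal name: {text!r}")
    return Principal(m["primary"], m["instance"], m["realm"])


def user_principal(first_name: str, family_name: str, realm: str) -> Principal:
    """Work-sheet convention: first initial plus the first five letters of the
    family name, in lowercase (Mary Jones -> mjones)."""
    short = (first_name[:1] + family_name[:5]).lower()
    return Principal(short, None, realm)


def i5os_service_principals(fqdn: str, realm: str, resolve_to_fqdn: bool = True) -> Dict[str, Principal]:
    """The krbsvr400, ldap and HTTP principals the wizard can create.
    krbsvr400 uses the fully qualified name or the short host name depending
    on how the platform resolves its own host name; ldap and HTTP always use
    the fully qualified name."""
    host = fqdn.split(".")[0]
    krb_instance = fqdn if resolve_to_fqdn else host
    return {
        "krbsvr400": Principal("krbsvr400", krb_instance, realm),
        "ldap": Principal("ldap", fqdn, realm),   # lowercase; see keytab_matches
        "HTTP": Principal("HTTP", fqdn, realm),
    }


def netserver_principals(fqdn: str, ip_address: str, realm: str) -> Dict[str, List[Principal]]:
    """NetServer principals per client type (Table 1).  Assumptions: 'QSystem i
    host name' means Q prefixed to the short host name, and keytab entries
    carry the realm suffix even though the table omits it."""
    host = fqdn.split(".")[0]
    instances = [fqdn, host, "Q" + host, "q" + host, ip_address]
    return {
        "Windows XP": [Principal("cifs", i, realm) for i in instances],
        "Windows 2000": [Principal("HOST", i, realm) for i in instances],
    }


def kerberos_dn(principal: Principal) -> str:
    """Directory server option 1: derive the DN from the Kerberos identity."""
    return f"ibm-kn={principal}"


def keytab_matches(keytab_entry: str, requested: str) -> bool:
    """A keytab entry serves a request only on an exact, case-sensitive match,
    which is why an older uppercase LDAP/... entry must be renamed to ldap/..."""
    return parse_principal(keytab_entry) == parse_principal(requested)


if __name__ == "__main__":
    print(user_principal("Mary", "Jones", "MYCO.COM"))
    for name, p in i5os_service_principals("systema.myco.com", "MYCO.COM").items():
        print(f"{name:10} {p}")
    for client, plist in netserver_principals("systema.myco.com", "10.1.1.5", "MYCO.COM").items():
        print(client, ", ".join(map(str, plist)))
    print(kerberos_dn(parse_principal("jonesm@MYCO.COM")))
    print(keytab_matches("LDAP/systema.myco.com@MYCO.COM", "ldap/systema.myco.com@MYCO.COM"))
```

Running the module prints the planned names for systema.myco.com; the last line prints False, showing that the uppercase keytab entry from an earlier release would not match the lowercase ldap principal that clients now request, which is the mismatch the wizard's rename prompt exists to correct.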
