Completing the planning work sheets

 

Before you begin using iSeries™ Navigator to propagate the configuration on a model system to target systems, complete these planning work sheets.

All answers should be Yes before you proceed with propagating network authentication service.

Table 1. Propagating network authentication service - prerequisite work sheet
Prerequisite work sheet Answers
Is your i5/OS® V5R3 (5722-SS1), or later, for the following systems:

Yes
Have you applied the latest program temporary fixes (PTFs)? Yes
Is OS/400® V5R2 (5722-SS1), or later, running on System D? Yes
For System D, have you applied the latest program temporary fixes (PTFs), including the following fixes?

  • SI08977

  • SI08979
Are the following options and licensed programs installed on all your System i™ models?

  • i5/OS Host Servers (5722-SS1 Option 12)

  • iSeries Access for Windows® (5722-XE1)

  • Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later

  • Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
Yes
Is iSeries Access for Windows (5722-XE1) installed on the administrator's PC? Yes
Is iSeries Navigator installed on the administrator's PC?

  • Is the Network subcomponent of iSeries Navigator installed on the administrator's PC?

  • Is the Security subcomponent of iSeries Navigator installed on the administrator's PC?
Yes
Have you installed the latest IBM® eServer™ iSeries Access for Windows service pack? See iSeries Access for the latest service pack. Yes
Do you have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? Yes
Do you have one of the following systems acting as the Kerberos server? If yes, specify which system.

  1. Microsoft® Windows 2000 Server

    Microsoft Windows 2000 Server uses Kerberos authentication as its default security mechanism.

  2. Windows Server 2003

  3. i5/OS PASE (V5R3, or later)

  4. AIX® server

  5. z/OS®
Yes, Windows 2000 Server
For Windows 2000 Server and Windows Server 2003, do you have Windows Support Tools (which provides the ktpass tool) installed? Yes
Is the System i system time within 5 minutes of the system time on the Kerberos server? If not, see Synchronizing system times. Yes

Questions
Table 2. Synchronize functions planning work sheet
Answers
What is the name of the system group? MyCo system group
What systems will be included in this system group? System B, System C, System D
What functions do you plan to propagate to this system group? Network authentication service
For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM HTTP Server

  • iSeries NetServer™
i5/OS Kerberos Authentication
What are the service principal names for the systems to which you want to propagate configuration?

krbsvr400/systema.myco.com@MYCO.COM
krbsvr400/systemb.myco.com@MYCO.COM
krbsvr400/systemc.myco.com@MYCO.COM
krbsvr400/systemd.myco.com@MYCO.COM

What are the passwords that are associated with each of these principals?

The password for the principals for Systems A, B, and C will be systema123. The password for the principal for System D will be systemd123.

What is the fully qualified host name for each System i platform?

systema.myco.com
systemb.myco.com
systemc.myco.com
systemd.myco.com

What is the name of the Windows 2000 domain?

A Windows 2000 domain is similar to a Kerberos realm. Microsoft Active Directory uses Kerberos authentication as its default security mechanism.

MYCO.COM

Table 3. Network authentication service planning work sheet for System D
Questions Answers
What is the name of the Kerberos default realm to which your System i platform belongs?

A Windows 2000 domain is similar to a Kerberos realm. Microsoft Active Directory uses Kerberos authentication as its default security mechanism.

MYCO.COM
Are you using Microsoft Active Directory? Yes
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens?

KDC: kdc1.myco.com
Port: 88

This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is the name of the password server for this Kerberos server?
What is the port on which the password server listens?

Yes

Password server: kdc1.myco.com
Port: 464

This is the default port for the password server.

For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM HTTP Server

  • iSeries NetServer
i5/OS Kerberos Authentication
What is the password for your i5/OS service principals? systemd123

 

Parent topic:

Scenario: Propagating network authentication service configuration across multiple systems
Next topic: Creating a system group