Here are the prerequisites and objectives for propagating your network authentication service configuration across multiple systems.
Situation
You are a systems administrator for a large automobile parts manufacturer. You currently manage five System i™ platforms with iSeries™ Navigator. One system operates as the central system, which stores data and manages these other systems. The security administrator for your company has just configured network authentication service on a new system to participate in a Windows® 2000 domain, which authenticates users to the enterprise. The security administrator has tested the network authentication service configuration on this system and has successfully obtained a service ticket for this System i platform.
You want to simplify the configuration of network authentication service among these systems that you manage.
Using the Synchronize Functions wizard, you want to take the network authentication service configuration on the model system and apply it to your other systems. The Synchronize Functions wizard makes network authentication service configuration throughout your network quicker and easier because you do not need to configure each system separately.
Because one of the systems runs OS/400® Version 5 Release 2 (V5R2) and this release does not support the Synchronize Functions wizard, you will need to configure your V5R2 system using the network authentication service wizard. You will need to configure this system to match the current network authentication service configuration on your model system.
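Whether an endpoint was configured by the Synchronize Functions wizard or by hand (the V5R2 case), the outcome to verify is the same: its default realm and KDC must match the model system. The following check is an added example, not IBM's own tooling; it parses two krb5.conf-style texts and reports drift. The realm name MYCO.COM and the file contents are constructed for the example; kdc1.myco.com is the scenario's fictitious KDC.

```python
# Added example: compare the realm/KDC settings of a model system's krb5.conf
# with an endpoint's copy. File contents below are constructed sample data.
import re

def parse_krb5(text):
    """Minimal krb5.conf parser: flat keys per section, plus brace-nested
    realm blocks under [realms] mapped to {key: [values]}."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                  # new [section]
            section, realm = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue                           # ignore text before any section
        if line.endswith("{"):                 # start of "REALM = {" block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if realm is None:
            conf[section][key] = value
        else:
            conf[section][realm].setdefault(key, []).append(value)
    return conf

def kdc_settings(conf):
    """Return (default_realm, sorted list of kdc entries for that realm)."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    return realm, sorted(conf.get("realms", {}).get(realm, {}).get("kdc", []))

def drift(model_text, endpoint_text):
    """List differences in realm/KDC between model and endpoint; [] means match."""
    m_realm, m_kdcs = kdc_settings(parse_krb5(model_text))
    e_realm, e_kdcs = kdc_settings(parse_krb5(endpoint_text))
    problems = []
    if m_realm != e_realm:
        problems.append(f"default_realm: model={m_realm} endpoint={e_realm}")
    if m_kdcs != e_kdcs:
        problems.append(f"kdc for {m_realm}: model={m_kdcs} endpoint={e_kdcs}")
    return problems

MODEL = "[libdefaults]\n default_realm = MYCO.COM\n[realms]\n MYCO.COM = {\n  kdc = kdc1.myco.com:88\n }\n"
STALE_ENDPOINT = MODEL.replace("kdc1.myco.com", "oldkdc.myco.com")  # constructed drift
```

Run `drift(MODEL, STALE_ENDPOINT)` against the configuration text pulled from each endpoint to spot a system that still points at a different KDC.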
Objectives
In this scenario, MyCo, Inc. has three distinct goals:
- To simplify configuration of network authentication service in the network.
- To have all System i platforms point to the same Kerberos server.
- To configure a V5R2 system to also participate in the Kerberos realm.
Details
The following graphic shows the details for this scenario.
SystemMC1: Central system
- Runs i5/OS® V5R3, or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- Stores, schedules and runs synchronization setting tasks for each of the endpoint systems.
System A: Model system
- Runs i5/OS V5R3, or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- Is the model system for propagating network authentication service configuration to endpoint systems.
System B: Endpoint system
- Runs i5/OS V5R3, or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- Is one of the endpoint systems for the propagation of network authentication service configuration.
System C: Endpoint system
- Runs i5/OS V5R3 with the following options and licensed programs installed:
- Is one of the endpoint systems for the propagation of network authentication service configuration.
System D: Endpoint system
- Runs OS/400 V5R2 with the following options and licensed programs installed:
- Has the following V5R2 PTFs (program temporary fixes) applied:
- Requires separate configuration of network authentication service using the Network Authentication Service wizard in iSeries Navigator.
Client PC
- Runs iSeries Access for Windows (5722-XE1).
- Runs iSeries Navigator with the following subcomponents:
Only required for the PC used to administer network authentication service.
Windows 2000 server (not shown in graphic)
- Operates as the Kerberos server for the network (kdc1.myco.com).
- All users have been added to Microsoft® Windows Active Directory.
The KDC server name, kdc1.myco.com, is a fictitious name used in this scenario.
Prerequisites and assumptions
SystemMC1: Central system prerequisites
- All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on System A.
- No one has changed the default settings in iSeries Navigator to disable the Task Status window from opening when a task starts. To verify that the default setting has not been changed, follow these steps:
- In iSeries Navigator, right-click your central system and select User Preferences.
- On the General page, verify that Automatically open a task status window when one of my tasks starts is selected.
- Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
When you propagate network authentication service configuration among systems, sensitive information, such as passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
System A: Model system prerequisites
- This scenario assumes that Network authentication service is properly configured on the model system (System A).
- All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on your system.
- Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
When you propagate network authentication service configuration among systems, sensitive information, such as passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
System B, System C, and System D: Endpoint system prerequisites
- All system requirements, including software and operating system installation, have been verified.
To verify that these licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on your system.
- Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
When you propagate network authentication service configuration among systems, sensitive information, such as passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
Windows 2000 server (not shown in graphic)
- All necessary hardware planning and setup have been completed.
- TCP/IP has been configured and tested on the server.
- Windows domain has been configured and tested.
- All users within your network have been added to a Windows domain through Active Directory.