Scenario: Using Kerberos authentication between Management Central servers
Here are the prerequisites and objectives for using Kerberos authentication between Management Central servers.
Situation
You are a network administrator for a medium-sized parts manufacturer. You currently manage four System i™ products using iSeries™ Navigator on a client PC. You want your Management Central server jobs to use Kerberos authentication instead of other authentication methods that you have used in the past, namely password synchronization.
Objectives
In this scenario, the goal for MyCo, Inc. is to use Kerberos authentication among Management Central servers.
Details
The following graphic shows the details for this scenario.
System A: Model system and central system
- Runs i5/OS® V5R3 or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows® (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- i5/OS service principal, krbsvr400/systema.myco.com@MYCO.COM, and associated password have been added to the keytab file.
- Stores, schedules, and runs synchronization setting tasks for each of the endpoint systems.
System B: Endpoint system
- Runs i5/OS V5R3 or later, with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- iSeries Access for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later
- Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
- i5/OS service principal, krbsvr400/systemb.myco.com@MYCO.COM, and associated password have been added to the keytab file.
System C: Endpoint system
- Runs i5/OS V5R4 with the following options and licensed programs installed:
- i5/OS service principal, krbsvr400/systemc.myco.com@MYCO.COM, and associated password have been added to the keytab file.
System D: Endpoint system
- Runs i5/OS V5R3 or later, with the following options and licensed programs installed:
- i5/OS service principal, krbsvr400/systemd.myco.com@MYCO.COM, and associated password have been added to the keytab file.
Windows 2000 server
- Operates as the Kerberos server for these systems.
- The following i5/OS service principals have been added to the Windows 2000 server:
- krbsvr400/systema.myco.com@MYCO.COM
- krbsvr400/systemb.myco.com@MYCO.COM
- krbsvr400/systemc.myco.com@MYCO.COM
- krbsvr400/systemd.myco.com@MYCO.COM
Client PC
- Runs iSeries Access for Windows (5722-XE1).
- Runs iSeries Navigator with the following subcomponents:
Only required for the PC used to administer network authentication service.
Prerequisites and assumptions
- All system requirements, including software and operating system installation, have been verified.
To verify that the licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP and basic system security have been configured and tested on each of these systems.
- No one has changed the default settings in iSeries Navigator to stop the Task Status window from opening when a task starts. To verify that the default setting has not been changed, follow these steps:
- In iSeries Navigator, right-click your central system and select User Preferences.
- On the General page, verify that Automatically open a task status window when one of my tasks starts is selected.
- This scenario is based on the assumption that network authentication service has been configured on each system using the Synchronize Functions wizard in iSeries Navigator. This wizard propagates network authentication service configuration from a model system to multiple target systems. See Scenario: Propagating network authentication service configuration across multiple systems for details on how to use the Synchronize Functions wizard.
Configuration steps
To configure Kerberos authentication between Management Central servers, perform these steps.
1. Completing the planning work sheets
These planning work sheets illustrate the type of information you need before you enable your systems to use Kerberos authentication.
2. Setting the central system to use Kerberos authentication
System A is the model system and central system for the other target systems.
3. Creating MyCo2 system group
A system group is a collection of systems that you can manage and to which you can apply similar settings and attributes, such as the network authentication service configuration.
4. Collecting system values inventory
You need to use the Collect Inventory function in iSeries Navigator to add the Kerberos authentication settings to an inventory for the target systems in the MyCo2 system group.
5. Comparing and updating Kerberos settings in iSeries Navigator
After collecting system values inventory, you need to take the Kerberos settings that were selected on the central system and apply them to each of the target systems in the MyCo2 system group.
6. Restarting Management Central server on the central system and target systems
After completing the update for each of the target systems within the MyCo2 system group, you need to restart all the Management Central servers on the central and target systems.
7. Adding Kerberos service principal to the trusted group file for each endpoint
After all the Management Central servers have been restarted, you need to add the central system's Kerberos service principal to the trusted group file for each of the endpoint systems.
8. Verifying the Kerberos principals are added to the trusted group file
After running the remote command, you can verify that the central system's Kerberos service principal is in the trusted group file on each of the target systems.
9. Allowing trusted connections for the central system
After the remote command runs successfully to the endpoint systems, you need to allow trusted connections among Management Central servers.
10. Repeating steps 4 through 6 for target systems
After allowing trusted connections for the central system, repeat steps 4 through 6 in this scenario to apply these changes to the target systems in the MyCo2 system group. This ensures that the target systems are configured to allow trusted connections.
11. Testing authentication on the endpoint systems
After the servers are restarted, the systems use Kerberos for authentication and the trusted group for authorization. For a system to accept and carry out a request, that system verifies not only that the requesting system has a valid Kerberos principal, but also that it trusts that Kerberos principal by checking if that principal is in its trusted group list.
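The two-stage decision described above (a valid Kerberos principal is necessary but not sufficient; the principal must also be in the endpoint's trusted group) is modelled in the following added example. This is illustration code written for this page, not IBM code, and it does not read the real Management Central trusted group file: the one-principal-per-line text format, the `#` comment convention and the sample contents are assumptions made here. The `service_principal` helper builds names of the form `krbsvr400/<host>@<REALM>` exactly as this scenario uses them, so you can check that the principal you add to an endpoint's trusted group matches the one in the central system's keytab character for character.

```python
"""Model of the Management Central accept/reject decision (added example, not IBM code).

Assumptions not stated on the page: the trusted group list is treated as plain
text, one Kerberos principal per line, blank lines and '#' comments ignored.
"""
from __future__ import annotations

import re

# Constructed sample of an endpoint's trusted group list after step 7 has run
# against it (i.e. the central system's service principal has been added).
SAMPLE_TRUSTED_GROUP = """\
# Management Central trusted Kerberos principals (constructed sample)
krbsvr400/systema.myco.com@MYCO.COM
"""

# service/host@REALM with no second '/' or '@'; this is the shape used on the page.
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def service_principal(host: str, realm: str, service: str = "krbsvr400") -> str:
    """Build the i5/OS service principal name for a host, as the scenario writes it.

    The host part is lowercased (the page uses lowercase FQDNs); the realm is
    left untouched because Kerberos realm names are case-sensitive, so
    MYCO.COM and myco.com are different realms.
    """
    return f"{service}/{host.lower()}@{realm}"


def parse_trusted_group(text: str) -> frozenset[str]:
    """Parse the assumed one-principal-per-line format, rejecting malformed entries."""
    trusted: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not PRINCIPAL_RE.match(line):
            raise ValueError(f"line {lineno}: not a service principal: {line!r}")
        trusted.add(line)
    return frozenset(trusted)


def authorize_request(authenticated_principal: str | None,
                      trusted: frozenset[str]) -> tuple[bool, str]:
    """Decide whether an endpoint carries out a request.

    `authenticated_principal` is the client principal the Kerberos layer has
    already verified; None means authentication itself failed. Authentication
    alone is not enough: the principal must also be present, as an exact string
    match, in the endpoint's trusted group list (authorization).
    """
    if authenticated_principal is None:
        return False, "rejected: no valid Kerberos principal"
    if authenticated_principal not in trusted:
        return False, f"rejected: {authenticated_principal} authenticated but not in trusted group"
    return True, f"accepted: {authenticated_principal} is trusted"


def demo() -> list[tuple[bool, str]]:
    """Run the decision over the cases a practitioner should expect to see."""
    trusted = parse_trusted_group(SAMPLE_TRUSTED_GROUP)
    central = service_principal("SYSTEMA.myco.com", "MYCO.COM")   # normalizes host case
    return [
        authorize_request(central, trusted),                       # accepted
        authorize_request(None, trusted),                          # kinit/ticket failure
        authorize_request("krbsvr400/systemx.myco.com@MYCO.COM", trusted),  # valid but untrusted
        authorize_request("krbsvr400/systema.myco.com@myco.com", trusted),  # wrong realm case
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

The last case is the one worth remembering when step 8 "looks right" but step 11 still fails: a principal that differs from the keytab entry only in realm case is a different principal to Kerberos, so the trusted group entry must match what the KDC actually issued.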
Parent topic:
Scenarios: Using network authentication service in a Kerberos network