Here are the goals, objectives, prerequisites, and configuration steps for setting up a Kerberos server.
Situation
You are an administrator who manages security for a medium-sized network for your company.
You want to authenticate users from a central system. You have decided to create a Kerberos server that will authenticate users to resources across your entire enterprise. You have researched many options for implementing a Kerberos solution on your network. You know that Windows® 2000 server uses Kerberos to authenticate users to a Windows domain; however, this adds cost to your small IT budget. Instead of using a Windows 2000 domain to authenticate users, you have decided to configure a Kerberos server in your System i™ environment in the i5/OS® Portable Application Solutions Environment (PASE). i5/OS PASE provides an integrated runtime environment for AIX® applications. You want to use the flexibility of i5/OS PASE to configure your own Kerberos server. You want the Kerberos server in i5/OS PASE to authenticate the users in your network, who work from Windows 2000 and Windows XP workstations.
Objectives
In this scenario, MyCo, Inc. wants to establish a Kerberos server in i5/OS PASE by completing the following objectives:
- To configure a Kerberos server in the i5/OS PASE environment
- To add network users to a Kerberos server
- To configure workstations that run Windows 2000 or Windows XP to participate in the Kerberos realm configured in i5/OS PASE
- To configure network authentication service on System A
- To test authentication in your network
Details
The following figure illustrates the network environment for this scenario.
System A
- Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
- Runs i5/OS Version 5 Release 3 (V5R3) or later with the following options and licensed programs installed:
- i5/OS Host Servers (5722-SS1 Option 12)
- i5/OS PASE (5722-SS1 Option 33)
- Qshell Interpreter (5722-SS1 Option 30)
- Network Authentication Enablement (5722-NAE) if you are running V5R4 or later
- Cryptographic Access Provider (5722-AC3) if you are running V5R3
- iSeries™ Access for Windows (5722-XE1)
- Has the fully qualified host name of systema.myco.com.
Client PCs
- For all PCs in this scenario:
- Run Windows 2000 or Windows XP.
- Have the Windows 2000 Support Tools (which provide the ksetup command) installed.
- For administrator's PC:
Prerequisites and assumptions
This scenario focuses on the tasks that involve configuring a Kerberos server in i5/OS PASE.
- All system requirements, including software and operating system installation, have been verified.
To verify that the required licensed programs have been installed, follow these steps:
- In iSeries Navigator, expand your system > Configuration and Service > Software > Installed Products.
- Ensure that all the necessary licensed programs are installed.
- All necessary hardware planning and setup have been completed.
- TCP/IP connections have been configured and tested on your network.
- A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
The use of host tables with Kerberos authentication might result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.
Configuration steps
To configure a Kerberos server in i5/OS PASE and to configure network authentication service, complete these steps.
1. Completing the planning work sheets
   Before configuring the Kerberos server and network authentication service in i5/OS PASE, complete these planning work sheets.
2. Configuring Kerberos server in i5/OS PASE
   To configure a Kerberos server in i5/OS PASE on System A, use the information from your planning work sheets.
3. Changing encryption values on i5/OS PASE Kerberos server
   To interoperate with Windows workstations, change the default encryption settings on the Kerberos server so that these clients can authenticate to the i5/OS PASE Kerberos server.
4. Stopping and restarting Kerberos server in i5/OS PASE
   You must stop and restart the Kerberos server in i5/OS PASE for the encryption values you just changed to take effect.
5. Creating host principals for Windows 2000 and Windows XP workstations
   You must create the host principals that Kerberos uses to authenticate the PC users.
6. Creating user principals on the Kerberos server
   For users to be authenticated to services in your network, add them to the Kerberos server as principals.
7. Adding System A service principal to the Kerberos server
   For i5/OS interfaces to accept Kerberos tickets, add them to the Kerberos server as service principals.
8. Optional: Configuring Windows 2000 and Windows XP workstations
   This step is optional for configuring a Kerberos server in i5/OS PASE. If you intend to create a single sign-on environment after configuring the Kerberos server, complete this step. If not, skip to Step 9 (Configuring network authentication service).
9. Configuring network authentication service
   To configure network authentication service, complete these steps.
10. Creating a home directory for users on System A
   Each user that connects to the i5/OS operating system and i5/OS applications needs a directory in the /home directory. This directory contains the name of the user's Kerberos credentials cache.
11. Testing network authentication service
   To test the network authentication service configuration, request a ticket-granting ticket for your i5/OS principal and other principals within your network.
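The server-side steps above (changing the encryption values, restarting the KDC, creating the host, user and service principals, and the final TGT test) as a script for the PASE shell on System A. This is an added example, not code from the IBM page or from i5/OS. Everything the page does not state is an assumption here: the realm name MYCO.COM, the kdc.conf location, the admin principal admin/admin, the krbsvr400 service principal name, the DES enctype list, the sample workstation and user names, and the command names kadmin.local, stop.krb5 and start.krb5 (MIT-derived commands shipped with the PASE Kerberos server; addprinc options are MIT kadmin syntax). The caveat a practitioner should carry with it: Windows 2000 and XP interoperate with this KDC over single-DES, which is cryptographically weak and has since been retired from Kerberos (RFC 6649), so confine it to this realm and plan to move clients to a stronger enctype.

```shell
#!/bin/sh
# Added example, not from the IBM page: the PASE Kerberos server steps
# (enctypes, restart, principals, test) as a script run in the PASE shell
# on System A. Assumptions not stated on the page: realm MYCO.COM, the
# kdc.conf path, the admin principal, the krbsvr400 service name, the
# DES enctype list, and the sample workstation and user names.
set -eu

REALM="${REALM:-MYCO.COM}"
KDC_CONF="${KDC_CONF:-/var/krb5/krb5kdc/kdc.conf}"   # assumed PASE location
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin}"           # assumed kadmin principal
I5_HOST="systema.myco.com"
PC_HOSTS="pc1.myco.com pc2.myco.com"                 # assumed sample names
USERS="jday sjones"                                  # assumed sample names

# Windows 2000/XP interoperate with this KDC over single-DES only. DES is
# weak and deprecated for Kerberos (RFC 6649); use it for this realm only
# and plan to retire it. Value is an assumption in MIT kdc.conf syntax.
WIN_ENCTYPES="des-cbc-md5:normal des-cbc-crc:normal"

# Succeed only if the file carries exactly the wanted supported_enctypes line.
check_supported_enctypes() {
  grep -q "^[[:space:]]*supported_enctypes[[:space:]]*= $2\$" "$1"
}

# Replace the supported_enctypes line of a kdc.conf in place and verify it.
set_supported_enctypes() {
  conf=$1; enctypes=$2
  sed "s|^\([[:space:]]*supported_enctypes[[:space:]]*=\).*|\1 $enctypes|" \
      "$conf" > "$conf.new"
  mv "$conf.new" "$conf"
  check_supported_enctypes "$conf" "$enctypes"
}

# Print the kadmin.local commands that create the host, user and service
# principals. Host principals get a known password because ksetup on the
# workstation must be told it; user principals must change theirs at first
# logon; the i5/OS service principal's password is later entered into the
# System A keytab when network authentication service is configured.
gen_kadmin_commands() {
  realm=$1; hosts=$2; users=$3; i5host=$4; initpw=$5
  for h in $hosts; do
    echo "addprinc -pw $initpw host/$h@$realm"
  done
  for u in $users; do
    echo "addprinc -pw $initpw +needchange $u@$realm"
  done
  echo "addprinc -pw $initpw krbsvr400/$i5host@$realm"   # service name assumed
}

# Run on System A. kadmin.local, stop.krb5 and start.krb5 are the server
# commands shipped with the PASE Kerberos server (names assumed here).
apply() {
  initpw="${INITIAL_PW:?set INITIAL_PW to a one-time password}"
  set_supported_enctypes "$KDC_CONF" "$WIN_ENCTYPES"
  stop.krb5                         # restart so the new enctypes take effect
  start.krb5
  gen_kadmin_commands "$REALM" "$PC_HOSTS" "$USERS" "$I5_HOST" "$initpw" \
      | kadmin.local -p "$ADMIN_PRINC"
}

# Test step: obtain a TGT for the i5/OS service principal from its keytab
# and list it (run after network authentication service is configured).
verify() {
  kinit -k "krbsvr400/$I5_HOST@$REALM"
  klist
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
esac
```

Run it as `INITIAL_PW=... ./kdc-setup.sh apply` on System A, then `./kdc-setup.sh verify` once step 9 has added the service principal to the System A keytab; without an argument the script only defines the functions, so the enctype rewrite and the generated kadmin batch can be checked on any machine before touching the KDC.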
Parent topic:
Scenarios: Using network authentication service in a Kerberos network