Completing the planning work sheets

 

These planning work sheets demonstrate the information that you need to gather and the decisions you need to make as you prepare to configure the single sign-on function described by this scenario.

The following planning work sheets are tailored to fit this scenario based on the general single sign-on planning work sheets. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the work sheet, and you should gather all the information necessary to complete the work sheets before you perform any configuration tasks.

The Network Authentication Service APIs support job environments for most EBCDIC CCSIDs. However, CCSIDs 290 and 5026 are not supported because of the variance of lowercase letters a to z.

Table 1. Single sign-on prerequisite work sheet
Prerequisite work sheet Answers
Is your i5/OS® version V5R3 (5722-SS1) or later? Yes
Are the following options and licensed programs installed on System A and System B?

  • i5/OS Host Servers (5722-SS1 Option 12)

  • Qshell Interpreter (5722-SS1 Option 30)

  • iSeries™ Access for Windows® (5722-XE1)

  • Network Authentication Enablement (5722-NAE) if you are using i5/OS V5R4, or later

  • Cryptographic Access Provider (5722-AC3) if you are running i5/OS V5R3
Yes
Have you installed an application that is enabled for single sign-on on each of the PCs that will participate in the single sign-on environment?

For this scenario, all of the participating PCs have iSeries Access for Windows (5722-XE1) installed.

Yes
Is iSeries Navigator installed on the administrator's PC?

  • Is the Network subcomponent of iSeries Navigator that is installed on the PC used to administer single sign-on?

  • Is the Security subcomponent of iSeries Navigator that is installed on the PC used to administer single sign-on?

  • Is the Users and Groups subcomponent of iSeries Navigator that is installed on the PC used to administer single sign-on?
Yes
Have you installed the latest IBM® eServer™ iSeries Access for Windows service pack? See the iSeries Access Web page for the latest service pack. Yes
Does the single sign-on administrator have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? Yes
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system.

  1. Microsoft® Windows 2000 Server

    Microsoft Windows 2000 Server uses Kerberos authentication as its default security mechanism.

  2. Windows Server 2003

  3. i5/OS PASE (V5R3 or later)

  4. AIX® server

  5. z/OS®
Yes, Windows 2000 Server
Are all your PCs in your network configured in a Windows 2000 domain? Yes
Have you applied the latest program temporary fixes (PTFs)? Yes
Is the System i™ system time within 5 minutes of the system time on the Kerberos server? If not, see Synchronizing system times. Yes

You need this information to configure EIM and network authentication service on System A.

Table 2. Single sign-on configuration planning work sheet for System A
Configuration planning work sheet for System A Answers
Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard:
How do you want to configure EIM for your system?

  • Join an existing domain

  • Create and join a new domain
Create and join a new domain
Where do you want to configure the EIM domain? On the local directory server

This will configure the directory server on the same system on which you are currently configuring EIM.

Do you want to configure network authentication service?

You must configure network authentication service to configure single sign-on.

Yes
The Network Authentication Service wizard starts from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard.
What is the name of the Kerberos default realm to which your System i product will belong?

A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.

MYCO.COM
Are you using Microsoft Active Directory? Yes
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?

KDC: kdc1.myco.com
Port: 88

This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is the name of the password server for this Kerberos server?
What is the port on which the password server listens?

Yes

Password server: kdc1.myco.com
Port: 464

This is the default port for the password server.

For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM HTTP Server

  • iSeries NetServer™
i5/OS Kerberos Authentication
What is the password for your service principal or principals? systema123
Do you want to create a batch file to automate adding the service principals for System A to the Kerberos registry? Yes
Do you want to include passwords with the i5/OS service principals in the batch file? Yes
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:
Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.

Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.

Port: 389
Distinguished name: cn=administrator
Password: mycopwd

What is the name of the EIM domain that you want to create? MyCoEimDomain
Do you want to specify a parent DN for the EIM domain? No
Which user registries do you want to add to the EIM domain?

Local i5/OS--SYSTEMA.MYCO.COM
Kerberos--KDC1.MYCO.COM

You should not select "Kerberos user identities are case sensitive" when the wizard presents this option.

Which EIM user do you want System A to use when performing EIM operations? This is the system user.

If you have not configured the directory server before configuring single sign-on, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password.

User type: Distinguished name
Distinguished name: cn=administrator
Password: mycopwd

You need this information to allow System B to participate in the EIM domain and to configure network authentication service on System B.

Table 3. Single sign-on configuration planning work sheet for System B
Configuration planning work sheet for System B Answers
Use the following information to complete the EIM Configuration wizard for System B:
How do you want to configure EIM on your system? Join an existing domain
Do you want to configure network authentication service?

You must configure network authentication service to configure single sign-on.

Yes
The Network Authentication Service wizard starts from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:

You can start the Network Authentication Service wizard independently of the EIM Configuration wizard.

What is the name of the Kerberos default realm to which your System i product will belong?

A Windows 2000 domain is equivalent to a Kerberos realm. Microsoft Active Directory uses Kerberos authentication as its default security mechanism.

MYCO.COM
Are you using Microsoft Active Directory? Yes
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens?

KDC: kdc1.myco.com
Port: 88

This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is the name of the password server for this Kerberos server?
What is the port on which the password server listens?

Yes

Password server: kdc1.myco.com
Port: 464

This is the default port for the password server.

For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM HTTP Server

  • iSeries NetServer
i5/OS Kerberos Authentication
What is the password for your i5/OS service principals? systemb123
Do you want to create a batch file to automate adding the service principals for System B to the Kerberos registry? Yes
Do you want to include passwords with the i5/OS service principals in the batch file? Yes
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard for System B:
What is the name of the EIM domain controller for the EIM domain that you want to join? systema.myco.com
Do you plan on securing the connection with SSL or TLS? No
What is the port on which the EIM domain controller listens? 389
Which user do you want to use to connect to the domain controller? This is the connection user.

Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.

User type: Distinguished name and password
Distinguished name: cn=administrator
Password: mycopwd

What is the name of the EIM domain that you want to join? MyCoEimDomain
Do you want to specify a parent DN for the EIM domain? No
What is the name of the user registry that you want to add to the EIM domain? Local i5/OS--SYSTEMB.MYCO.COM
Which EIM user do you want System B to use when performing EIM operations? This is the system user.

Earlier in this scenario, you used the EIM Configuration wizard to configure the directory server on System A. In doing so, you created a distinguished name (DN) and password for the LDAP administrator. This is currently the only DN defined for the directory server. Therefore, this is the DN and password that you supply here.

User type: Distinguished name and password
Distinguished name: cn=administrator
Password: mycopwd

Table 4. Single sign-on configuration planning work sheet - user profiles
| i5/OS user profile name | Password is specified | Special authority (Privilege class) | System |
|---|---|---|---|
| SYSUSERA | No | User | System A |
| SYSUSERB | No | User | System B |

Table 5. Single sign-on configuration planning work sheet - EIM domain data
| Identifier name | User registry | User identity | Association type | Identifier description |
|---|---|---|---|---|
| John Day | MYCO.COM | jday | Source | Kerberos (Windows 2000) login user identity |
| John Day | SYSTEMA.MYCO.COM | JOHND | Target | i5/OS user profile on System A |
| John Day | SYSTEMB.MYCO.COM | DAYJO | Target | i5/OS user profile on System B |
| Sharon Jones | MYCO.COM | sjones | Source | Kerberos (Windows 2000) login user identity |
| Sharon Jones | SYSTEMA.MYCO.COM | SHARONJ | Target | i5/OS user profile on System A |
| Sharon Jones | SYSTEMB.MYCO.COM | JONESSH | Target | i5/OS user profile on System B |

Table 6. Single sign-on configuration planning work sheet - EIM domain data - policy associations
| Policy association type | Source user registry | Target user registry | User identity | Description |
|---|---|---|---|---|
| Default registry | MYCO.COM | SYSTEMA.MYCO.COM | SYSUSERA | Maps authenticated Kerberos user to appropriate i5/OS user profile |
| Default registry | MYCO.COM | SYSTEMB.MYCO.COM | SYSUSERB | Maps authenticated Kerberos user to appropriate i5/OS user profile |
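
How the data in Tables 4 to 6 fits together at sign-on, as an added example that is not IBM's code or part of the original work sheets: a simplified Python model of an EIM mapping lookup in which an identifier's own associations take precedence over the default registry policy association, plus a check that every policy target is planned as a password-less profile in the User privilege class. The lookup order, the case-insensitive comparison of Kerberos identities, and the mapping of "System A" and "System B" to their registry names are modelling assumptions, and `newhire` is a constructed identity.

```python
# Added example: simplified model of an EIM mapping lookup over the planning
# data in Tables 4-6. Not IBM's implementation; the lookup order is an assumption.
PROFILES = {  # Table 4: (registry, profile) -> (password specified, privilege class)
    ("SYSTEMA.MYCO.COM", "SYSUSERA"): (False, "User"),
    ("SYSTEMB.MYCO.COM", "SYSUSERB"): (False, "User"),
}
ASSOCIATIONS = [  # Table 5: (identifier, registry, identity, association type)
    ("John Day", "MYCO.COM", "jday", "Source"),
    ("John Day", "SYSTEMA.MYCO.COM", "JOHND", "Target"),
    ("John Day", "SYSTEMB.MYCO.COM", "DAYJO", "Target"),
    ("Sharon Jones", "MYCO.COM", "sjones", "Source"),
    ("Sharon Jones", "SYSTEMA.MYCO.COM", "SHARONJ", "Target"),
    ("Sharon Jones", "SYSTEMB.MYCO.COM", "JONESSH", "Target"),
]
POLICIES = [  # Table 6: (source registry, target registry, user identity)
    ("MYCO.COM", "SYSTEMA.MYCO.COM", "SYSUSERA"),
    ("MYCO.COM", "SYSTEMB.MYCO.COM", "SYSUSERB"),
]

def lookup(source_registry, source_identity, target_registry):
    """Resolve a source identity to (target identity, how it was resolved)."""
    # Assumption: Kerberos identities compare case-insensitively, because the
    # work sheet leaves "Kerberos user identities are case sensitive" unselected.
    owners = {name for name, reg, ident, kind in ASSOCIATIONS
              if kind == "Source" and reg == source_registry
              and ident.lower() == source_identity.lower()}
    targets = sorted({ident for name, reg, ident, kind in ASSOCIATIONS
                      if kind == "Target" and reg == target_registry
                      and name in owners})
    if len(targets) == 1:
        return targets[0], "identifier association"
    if len(targets) > 1:  # planning error: refuse rather than pick one
        return None, "ambiguous"
    for src, tgt, ident in POLICIES:
        if src == source_registry and tgt == target_registry:
            return ident, "default registry policy"
    return None, "no mapping"

def audit_policy_targets():
    """Return policy targets not planned as password-less, User-class profiles."""
    findings = []
    for _src, tgt, ident in POLICIES:
        if PROFILES.get((tgt, ident)) != (False, "User"):
            findings.append((tgt, ident))
    return findings

if __name__ == "__main__":
    for user in ("jday", "SJONES", "newhire"):  # "newhire" is constructed
        print(user, lookup("MYCO.COM", user, "SYSTEMA.MYCO.COM"))
    print("policy target findings:", audit_policy_targets())
```

Any Kerberos identity in MYCO.COM without its own identifier falls through to SYSUSERA or SYSUSERB, which is why the audit checks that those catch-all profiles stay in the User class with no password.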

 
