Completing the planning work sheets

 

The following planning work sheets are tailored to fit this scenario based on the general single signon planning worksheets. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make to prepare the single signon implementation described by this scenario. To ensure a successful implementation, be able to answer Yes to all prerequisite items in the work sheet and you should gather all the information necessary to complete the work sheets before you perform any configuration tasks.

You need to thoroughly understand the concepts related to single signon which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario.

Table 1. Single signon prerequisite work sheet
Prerequisite work sheet Answers
Is your i5/OS® V5R4 (5722-SS1)? Yes
Are the following options and licensed products installed on System A?

  • i5/OS Host Servers (5722-SS1 Option 12)

  • Qshell Interpreter (5722-SS1 Option 30)

  • iSeries™ Access for Windows® (5722-XE1)
Yes
Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment?

For this scenario, all of the participating PC's have iSeries Access for Windows (5722-XE1) installed.

Yes
Is iSeries Navigator installed on the administrator's PC?

  • Is the Security subcomponent of iSeries Navigator installed on the administrator's PC?

  • Is the Network subcomponent of iSeries Navigator installed on the administrator's PC?
Yes
Have you installed the latest iSeries Access for Windows service pack? For the latest service pack see iSeries Access. Yes
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? Yes
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system.

  1. Windows (R) 2000 Server

    Microsoft® Windows 2000 Server uses Kerberos authentication as its default security mechanism.

  2. Windows (R) Server 2003

  3. i5/OS PASE (V5R3 or later)

  4. AIX® server

  5. zSeries®
Yes, Windows 2000 Server
Are all your PCs in your network configured in a Windows 2000 domain? Yes
Have you applied the latest program temporary fixes (PTFs)? Yes
Is the System i™ model time within 5 minutes of the system time on the Kerberos server? If not see rzakhsync.htm. Yes

You need this information to configure EIM and network authentication service to create a single signon test environment.

Table 2. Single signon configuration planning work sheet for System A
Configuration planning work sheet for System A Answers
Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard:
How do you want to configure EIM for your system?

  • Join an existing domain

  • Create and join a new domain
Create and join a new domain
Where do you want to configure your EIM domain? On the local directory server

This will configure the directory server on the same system on which you are currently configuring EIM.

Do you want to configure network authentication service?

You must configure network authentication service to configure single signon.

Yes
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:

You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard.

What is the name of the Kerberos default realm to which your System i model will belong?

A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.

MYCO.COM
Are you using Microsoft Active Directory? Yes
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?

KDC: kdc1.myco.com
Port: 88

This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is name of the password server for this Kerberos server?
What is the port on which the password server listens?

Yes

Password server: kdc1.myco.com
Port: 464

This is the default port for the password server.

For which services do you want to create keytab entries?

  • i5/OS Kerberos Authentication

  • LDAP

  • iSeries IBM® HTTP Server

  • iSeries NetServer™
i5/OS Kerberos Authentication
What is the password for your service principal or principals? systema123

Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

Do you want to create a batch file to automate adding the service principals for System A to the Kerberos registry? Yes
Do you want to include passwords with the i5/OS service principals in the batch file? Yes
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:
Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.

Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.

Port: 389
Distinguished name: cn=administrator
Password: mycopwd

Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

What is the name of the EIM domain that you want to create? MyCoEimDomain
Do you want to specify a parent DN for the EIM domain? No
Which user registries do you want to add to the EIM domain?

Local i5/OS--SYSTEMA.MYCO.COM
Kerberos--MYCO.COM

The Kerberos principals stored on the Windows 2000 server are not case sensitive; therefore you should not select Kerberos user identities are case sensitive.

Which EIM user do you want System A to use when performing EIM operations? This is the system user.

If you have not configured the directory server before configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password.

User type: Distinguished name and password
User: cn=administrator
Password: mycopwd

Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon:
What is the i5/OS user profile name for the user? JOHND
What is the name of the EIM identifier that you want to create? John Day
What kinds of associations do you want to create?

Source association: Kerberos principal jday
Target association: i5/OS user profile JOHND

What is the name of the user registry that contains the Kerberos principal for which you are creating the source association? MYCO.COM
What is the name of the user registry that contains the i5/OS user profile for which you are creating the target association? SYSTEMA.MYCO.COM
What information do you need to supply to test EIM identity mapping?

Source registry: MYCO.COM
Source user: jday
Target registry: SYSTEMA.MYCO.COM

 

Parent topic:

Scenario: Creating a single signon test environment
Next topic: Creating a basic single signon configuration for System A
Related information
Enterprise Identity Mapping (EIM)