The following planning work sheets are tailored to fit this scenario based on the general single signon planning worksheets. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make as you prepare to configure the single signon implementation described by this scenario. To ensure a successful implementation, be able to answer Yes to all prerequisite items in the work sheet and you should gather all the information necessary to complete the work sheets before you perform any configuration tasks.
You need to thoroughly understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario.
| Prerequisite work sheet | Answers | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is your i5/OS® V5R4 (5722-SS1)? | Yes | ||||||||||||||
| Are the following options and licensed products installed on System A and System B?
| Yes | ||||||||||||||
| Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment? For this scenario, all of the participating PCs have iSeries Access for Windows (5722-XE1) installed. Yes
| Is iSeries Navigator installed on the administrator's PC?
|
Yes
| Have you installed the latest IBM iSeries Access for Windows service pack? For the latest service pack see iSeries Access web page.
| Yes
| Does the single signon administrator have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?
| Yes
| Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system.
|
|
You need this information to configure EIM and network authentication service on System A
| Configuration planning work sheet for System A | Answers | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard: | |||||||||||||||||||||||||||||||||
| How do you want to configure EIM for your system?
| Create and join a new domain | ||||||||||||||||||||||||||||||||
| Where do you want to configure the EIM domain? | On the local directory server This will configure the directory server on the same system on which you are currently configuring EIM. Do you want to configure network authentication service? | You must configure network authentication service to configure single signon. Yes
| The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard.
| What is the name of the Kerberos default realm to which your System i model will belong? | A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. MYCO.COM
| Are you using Microsoft Active Directory?
| Yes
| What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?
|
| KDC: kdc1.myco.com
This is the default port for the Kerberos server. Do you want to configure a password server for this default realm? If yes, answer the following questions:
| What is name of the password server for this Kerberos server?
Yes
| Password server: kdc1.myco.com
This is the default port for the password server. For which services do you want to create keytab entries?
|
i5/OS Kerberos Authentication
| What is the password for your service principal or principals?
| systema123 | Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. Do you want to create a batch file to automate adding the service principals for System A to the Kerberos registry?
| Yes
| Do you want to include passwords with the i5/OS service principals in the batch file?
| Yes
| As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:
| Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator. | Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.
| Port: 389
Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. What is the name of the EIM domain that you want to create?
| MyCoEimDomain
| Do you want to specify a parent DN for the EIM domain?
| No
| Which user registries do you want to add to the EIM domain?
|
| Local i5/OS--SYSTEMA.MYCO.COM
You should not select Kerberos user identities are case sensitive when the wizard presents this option. Which EIM user do you want System A to use when performing EIM operations? This is the system user. | If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password.
| User type: Distinguished name
Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. | ||
You need this information to allow System B to participate in the EIM domain and to configure network authentication service on System B
| Configuration planning work sheet for System B | Answers | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use the following information to complete the EIM Configuration wizard for System B: | |||||||||||||||||||||||||||||||||||||
| How do you want to configure EIM on your system? | Join an existing domain | ||||||||||||||||||||||||||||||||||||
| Do you want to configure network authentication service? You must configure network authentication service to configure single signon. Yes
| The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard: | You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard. What is the name of the Kerberos default realm to which your System i model will belong? | A Windows 2000 domain is equivalent to a Kerberos realm. Microsoft Active Directory uses Kerberos authentication as its default security mechanism. MYCO.COM
| Are you using Microsoft Active Directory?
| Yes
| What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens?
|
| KDC: kdc1.myco.com
This is the default port for the Kerberos server. Do you want to configure a password server for this default realm? If yes, answer the following questions:
| What is name of the password server for this Kerberos server?
Yes
| Password server: kdc1.myco.com
This is the default port for the password server. For which services do you want to create keytab entries?
|
i5/OS Kerberos Authentication
| What is the password for your i5/OS service principal(s)?
| systemb123 | Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. Do you want to create a batch file to automate adding the service principals for System B to the Kerberos registry?
| Yes
| Do you want to include passwords with the i5/OS service principals in the batch file?
| Yes
| As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard for System B:
| What is the name of the EIM domain controller for the EIM domain that you want to join?
| systema.myco.com
| Do you plan on securing the connection with SSL or TLS?
| No
| What is the port on which the EIM domain controller listens?
| 389
| Which user do you want to use to connect to the domain controller? This is the connection user. | Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.
| User type: Distinguished name and password
Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. What is the name of the EIM domain that you want to join?
| MyCoEimDomain
| Do you want to specify a parent DN for the EIM domain?
| No
| What is the name of the user registry that you want to add to the EIM domain?
| Local i5/OS--SYSTEMB.MYCO.COM
| Which EIM user do you want System B to use when performing EIM operations? This is the system user. | Earlier in this scenario, you used the EIM Configuration wizard to configure the directory server on System A. In doing so, you created a DN and password for the LDAP administrator. This is currently the only DN defined for the directory server. Therefore, this is the DN and password supply here.
| User type: Distinguished name and password
Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. | ||
| i5/OS user profile name | Password is specified | Special authority (Privilege class) | System |
|---|---|---|---|
| SYSUSERA | No | User | System A |
| SYSUSERB | No | User | System B |
| Identifier name | User registry | User identity | Association type | Identifier description |
|---|---|---|---|---|
| John Day | MYCO.COM | jday | Source | Kerberos (Windows 2000) login user identity |
| John Day | SYSTEMA.MYCO.COM | JOHND | Target | i5/OS user profile on System A |
| John Day | SYSTEMB.MYCO.COM | DAYJO | Target | i5/OS user profile on System B |
| Sharon Jones | MYCO.COM | sjones | Source | Kerberos (Windows 2000) login user identity |
| Sharon Jones | SYSTEMA.MYCO.COM | SHARONJ | Target | i5/OS user profile on System A |
| Sharon Jones | SYSTEMB.MYCO.COM | JONESSH | Target | i5/OS user profile on System B |
| Policy association type | Source user registry | Target user registry | User identity | Description |
|---|---|---|---|---|
| Default registry | MYCO.COM | SYSTEMA.MYCO.COM | SYSUSERA | Maps authenticated Kerberos user to appropriate i5/OS user profile |
| Default registry | MYCO.COM | SYSTEMB.MYCO.COM | SYSUSERB | Maps authenticated Kerberos user to appropriate i5/OS user profile |