Creating a basic single signon configuration for System A


The EIM Configuration wizard helps you create a basic EIM configuration and also opens the Network Authentication Service wizard to allow you to create a basic network authentication service configuration.

Instructions in this scenario are based on the assumption that the directory server has not been previously configured on System A. However, if you already configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.

When you have finished this step, you will have completed the following tasks:

  1. In iSeries™ Navigator, expand System A > Network > Enterprise Identity Mapping.

  2. Right-click Configuration and select Configure to start the EIM Configuration wizard.

  3. On the Welcome page, select Create and join a new domain. Click Next.

  4. On the Specify EIM Domain Location page, select On the local Directory server. Click Next and the Network Authentication Service wizard is displayed.

    The Network Authentication Service wizard only displays when the system determines that you need to enter additional information to configure network authentication service for the single signon implementation.

  5. Complete these tasks to configure network authentication service:

    1. On the Configure Network Authentication Service page, select Yes.

      This launches the Network Authentication Service wizard. With this wizard, you can configure several i5/OS interfaces and services to participate in a Kerberos realm.

    2. On the Specify Realm Information page, enter MYCO.COM in the Default realm field and select Microsoft Active Directory is used for Kerberos authentication. Click Next.
    3. On the Specify KDC Information page, enter kdc1.myco.com in the KDC field and enter 88 in the Port field. Click Next.
    4. On the Specify Password Server Information page, select Yes. Enter kdc1.myco.com in the Password server field and 464 in the Port field. Click Next.
    5. On the Select Keytab Entries page, select i5/OS Kerberos Authentication. Click Next.
    6. On the Create i5/OS Keytab Entry page, enter and confirm a password (for example, systema123), and click Next. This password will be used when System A is added to the Kerberos server.

      Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

    7. Optional: On the Create Batch File page, select Yes, specify the following information, and click Next:

      • Batch file: Add the text systema to the end of the default batch file name. For example, C:\Documents and Settings\All Users\Documents\IBM\Client Access\NASConfigsystema.bat.

      • Select Include password. This ensures that all passwords associated with the i5/OS service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. Therefore, it is recommended that you delete the batch file from the Kerberos server and from your PC immediately after use.

        If you do not include the password, you will be prompted for the password when the batch file is run.

    8. On the Summary page, review the network authentication service configuration details and click Finish to complete the Network Authentication Service wizard and return to the EIM Configuration wizard.

  6. On the Configure Directory Server page, enter the following information, and click Next:

    If you configured the directory server before you started this scenario, you will see the Specify User for Connection page instead of the Configure Directory Server page. In that case, specify the distinguished name and password for the LDAP administrator.

    • Port: 389

    • Distinguished name: cn=administrator

    • Password: mycopwd

      Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

  7. On the Specify Domain page, enter the name of the domain (for example, MyCoEimDomain) in the Domain field, and click Next.

  8. On the Specify Parent DN for Domain page, select No, and click Next.

    If the directory server is active, a message is displayed that indicates you need to end and restart the directory server for the changes to take effect. Click Yes to restart the directory server.

  9. On the Registry Information page, select Local i5/OS and Kerberos, and click Next. Write down the registry names. You will need these registry names when you create associations to EIM identifiers.

    • Registry names must be unique to the domain.

    • You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values.

  10. On the Specify EIM System User page, select the user the operating system uses when performing EIM operations on behalf of operating system functions, and click Next.

    Because you did not configure the directory server prior to performing the steps in this scenario, the only distinguished name (DN) that you can choose is the LDAP administrator's DN.

    • User type: Distinguished name and password

    • Distinguished name: cn=administrator

    • Password: mycopwd

      Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

  11. On the Summary page, confirm the EIM configuration information. Click Finish.

Now that you have completed a basic EIM and network authentication service configuration on System A, you can add the service principal for System A to the Kerberos server.
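The following pre-flight check is an added example, not part of the IBM scenario: before you type the realm, KDC, password server and LDAP values into the wizards, it confirms that those endpoints answer on the ports the scenario specifies and that the realm name is in the expected form. The KDC, password server and realm values are the scenario's own; the LDAP hostname systema.myco.com is an assumed placeholder for System A, and the connect function is injectable so the logic can be exercised offline.

```python
"""Pre-flight check for the single signon scenario's Kerberos and LDAP endpoints."""
import socket
from typing import Callable, Dict, List, Tuple

# Endpoints the wizards ask for in this scenario: (host, port, purpose).
# The LDAP hostname is an assumed placeholder for System A.
SCENARIO_ENDPOINTS: List[Tuple[str, int, str]] = [
    ("kdc1.myco.com", 88, "KDC"),
    ("kdc1.myco.com", 464, "password server (kpasswd)"),
    ("systema.myco.com", 389, "local LDAP directory server"),
]
DEFAULT_REALM = "MYCO.COM"


def _tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_realm_name(realm: str) -> List[str]:
    """Kerberos realm names are case-sensitive and conventionally upper-case;
    a lower-case or bare realm typed into the wizard is a common cause of
    KDC lookup failures. Returns a list of problems (empty if none)."""
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case")
    if "." not in realm:
        problems.append(f"realm {realm!r} has no domain component")
    return problems


def preflight(endpoints=SCENARIO_ENDPOINTS, realm=DEFAULT_REALM,
              connect: Callable[[str, int], bool] = _tcp_connect) -> Dict[str, List[str]]:
    """Probe each endpoint with `connect` and validate the realm name.
    Returns {'ok': [...], 'failed': [...]} with one label per check."""
    result: Dict[str, List[str]] = {"ok": [], "failed": []}
    for host, port, purpose in endpoints:
        label = f"{purpose} {host}:{port}"
        (result["ok"] if connect(host, port) else result["failed"]).append(label)
    result["failed"].extend(check_realm_name(realm))
    return result


if __name__ == "__main__":
    for state, labels in preflight().items():
        for label in labels:
            print(f"{state.upper():6} {label}")
```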
