iSeries Access for Linux security

 

Use this information to learn more about Kerberos, single signon, and secure sockets layer (SSL).

 

Kerberos

iSeries™ Access for Linux® supports authenticating to the iSeries using Kerberos. To install and configure iSeries for Kerberos, see the Single signon topic, in the Security topic collection.

To install and configure Linux for Kerberos, see one of the many "How To's" available on the Internet. For example: www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/client-configure.shtml

Most Linux distributions include at least one version of Kerberos 5 (Heimdal or MIT). However, some distributions neglect to create a symbolic link for the Kerberos shared library (Heimdal /usr/lib/libgssapi.so or MIT /usr/lib/libgssapi_krb5.so). iSeries Access for Linux dynamically loads the Kerberos shared library by that name; if a symbolic link with that name is not available, you get the following error: CWBSY1015 - Kerberos not available on this version of the operating system.
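
The following check is an added example, not part of the IBM documentation: it tests whether either library name from the paragraph above resolves in a given directory and, if only a versioned file is present, prints the symbolic link to create. The function name check_gssapi_link and the assumption that versioned files are named with a suffix after ".so" (for example libgssapi_krb5.so.2) are not from the original page.

```shell
#!/bin/sh
# Added example: look for the unversioned GSS-API library names that
# iSeries Access for Linux loads (names taken from the text above).
# Assumption: versioned copies are named <name>.<suffix>, e.g. libgssapi_krb5.so.2

# check_gssapi_link DIR
#   returns 0 if DIR/libgssapi.so or DIR/libgssapi_krb5.so resolves to a file,
#           1 if only a versioned library exists (the symbolic link is missing),
#           2 if no GSS-API library is found in DIR at all.
check_gssapi_link() {
    dir=${1:-/usr/lib}
    for name in libgssapi.so libgssapi_krb5.so; do
        # -e follows symbolic links, so a dangling link counts as missing
        if [ -e "$dir/$name" ]; then
            echo "OK: $dir/$name is present"
            return 0
        fi
    done
    for name in libgssapi.so libgssapi_krb5.so; do
        for candidate in "$dir/$name".*; do
            # An unmatched glob stays literal; skip anything that is not a file
            [ -f "$candidate" ] || continue
            echo "MISSING: $dir/$name (expect error CWBSY1015)"
            echo "Found versioned library: $candidate"
            echo "Suggested fix (as root): ln -s $candidate $dir/$name"
            return 1
        done
    done
    echo "No Heimdal or MIT GSS-API library found in $dir"
    return 2
}

# Run the check only when a directory is given on the command line,
# e.g.  sh check_gssapi.sh /usr/lib
[ "$#" -eq 0 ] || check_gssapi_link "$1"
```
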

To use Kerberos with iSeries Access for Linux, first authenticate to your Kerberos domain using the kinit command or by setting up your initial Linux login to authenticate with the pluggable authentication module (PAM) Kerberos plugin. After successful authentication, you should be able to run klist -f to see the status of your Kerberos tickets.

For any iSeries Access function, you can use *kerberos in place of the iSeries user profile to use your Kerberos tickets. Any password will be ignored in this case. For example: /opt/ibm/iSeriesAccess/bin/rmtcmd CRTLIB Test /system:iSeriesSystemName /user:*kerberos.

The Kerberos principal name is based on the fully qualified TCP/IP name returned by the reverse lookup of the TCP/IP address. If you use a hosts file to resolve TCP/IP addresses, be sure to include the fully qualified TCP/IP system name. For example: 1.2.3.4 MyiSeries.MyDomain.com MyiSeries.

 

Single signon

The ibm5250 emulator supports Kerberos and single signon. You can enable this security support using either command line options or the setup5250 configuration utility.

 

Secure sockets layer

To enable iSeries Access for Linux to use secure sockets layer (SSL) support, OpenSSL and stunnel must be installed and configured. An example stunnel configuration file (/opt/ibm/iSeriesAccess/doc/iSeriesAccess.stunnel.config) is provided to get you started.

 
