When you use the EIM Configuration wizard to create and
join a new domain, you can choose to configure the EIM domain controller
on the local system as part of creating your EIM configuration.
If necessary, the EIM Configuration wizard
ensures that you provide basic configuration information for the directory
server. Also, if Kerberos is not currently configured on the System i® platform, the wizard
prompts you to launch the Network Authentication Service Configuration
wizard.
When you complete the EIM Configuration wizard, you
can accomplish these tasks:
- Create a new EIM domain.
- Configure the local directory server to act as the EIM domain
controller.
- Configure network authentication service for the system.
- Create EIM registry definitions for the local i5/OS registry and the Kerberos registry.
- Configure the system to participate in the new EIM domain.
To configure your system to create and join a new EIM
domain, you must have all the following special authorities:
- Security administrator (*SECADM).
- All object (*ALLOBJ).
- System configuration (*IOSYSCFG).
To use the EIM Configuration wizard to create and join a new
local domain, complete these steps:
- In System i Navigator,
select the system for which you want to configure EIM and expand Network
> Enterprise Identity Mapping.
- Right-click Configuration and select
Configure to start the EIM Configuration wizard.
Note: This option is labeled Reconfigure if
EIM has been previously configured on the system.
- On the Welcome page of the wizard,
select Create and join a new domain, and click Next.
- On the Specify EIM Domain Location page,
select On the local Directory server and click Next.
Note: This option configures the local directory server to act
as the EIM domain controller. Because this directory server stores
all EIM data for the domain, it must be active and remain active to
support EIM mapping lookups and other operations.
If
network authentication service is not currently configured on the System i platform, or additional
network authentication configuration information is needed to configure
a single sign-on environment, the Network Authentication
Services Configuration page displays. This page allows
you to start the Network Authentication Service Configuration wizard
so that you can configure network authentication service. Alternatively,
you can configure Network Authentication Service at a later time by
using the configuration wizard for this service through System i Navigator. When you complete
network authentication service configuration, the EIM Configuration
wizard continues.
- To configure network authentication service, complete these
steps:
- On the Configure Network Authentication Service page,
select Yes to start the Network Authentication
Service Configuration wizard. With this wizard, you can configure
several i5/OS interfaces and
services to participate in a Kerberos realm as well as configure a
single signon environment that uses both EIM and network authentication
service.
- On the Specify Realm Information page,
specify the name of the default realm in the Default realm field.
If you are using Microsoft Active
Directory for Kerberos authentication, select Microsoft
Active Directory is used for Kerberos authentication,
and click Next.
- On the Specify KDC Information page,
specify the fully qualified name of the Kerberos server for this realm
in the KDC field, specify 88 in the Port field,
and click Next.
- On the Specify Password Server Information page,
select either Yes or No for
setting up a password server. The password server allows principals
to change passwords on the Kerberos server. If you select Yes,
enter the password server name in the Password server field.
In the Port field, accept the default value
of 464, and click Next.
- On the Select Keytab Entries page,
select i5/OS Kerberos Authentication, and click Next.
Note: In addition you can also create keytab entries for the IBM® Tivoli® Directory
Server for i5/OS, IBM i NetServer, and IBM HTTP
Server for i if you want these
services to use Kerberos authentication. You may need to perform additional
configuration for these services before they can use Kerberos authentication.
- On the Create i5/OS Keytab Entry page,
enter and confirm a password, and click Next.
This is the same password you will use when you add the i5/OS principals to the Kerberos server.
- Optional: On the Create Batch
File page, select Yes, specify
the following information, and click Next:
- In the Batch file field, update the directory
path. Click Browse to locate the appropriate
directory path, or edit the path in the Batch file field.
- In the Include password field, select Yes.
This ensures that all passwords associated with the i5/OS service principal are included in the
batch file. Note that the passwords are written to the batch file in
clear text and can be read by anyone with read access to the file.
Therefore, delete the batch file from the Kerberos server and from the
PC immediately after you use it.
If you do not include the password, you are prompted for it
when you run the batch file.
- On the Summary page, review the network
authentication service configuration details, and click Finish to
return to the EIM Configuration wizard.
- If the local directory server is not currently configured,
the Configure Directory Server page displays
when the EIM Configuration wizard resumes. Provide the following information
to configure the local directory server:
Note: If you configure
the local directory server before you use the EIM Configuration wizard,
the Specify User for Connection page displays
instead. Use this page to specify the distinguished name and password
for the LDAP administrator to ensure that the wizard has enough authority
to administer the EIM domain and the objects in it and continue with
the next step in this procedure. Click Help,
if necessary, to determine what information to provide for this page.
- In the Port field, accept the
default port number 389, or specify a different port
number to use for nonsecure EIM communications with the directory
server.
- In the Distinguished name field,
specify the LDAP distinguished name (DN) that identifies the LDAP
administrator for the directory server. The EIM Configuration wizard
creates this LDAP administrator DN and uses it to configure the directory
server as the domain controller for the new domain that you are creating.
- In the Password field, specify
the password for the LDAP administrator.
- In the Confirm password field,
specify the password a second time for validation purposes.
- Click Next.
- On the Specify Domain page, provide
the following information:
- In the Domain field, specify
the name of the EIM domain that you want to create. Accept the default
name of EIM, or use any string of characters that
makes sense to you. However, you cannot use special characters such
as = + < > , # ; \ and *.
- In the Description field, enter
text to describe the domain.
- Click Next.
- On the Specify Parent DN for Domain page, select Yes to
specify a parent DN for the domain that you are creating, or specify No to
have EIM data stored in a directory location with a suffix whose name
is derived from the EIM domain name.
Note: When you create
a domain on a local directory server, a parent DN is optional. By
specifying a parent DN, you can specify where in the local LDAP namespace
EIM data should reside for the domain. When you do not specify a parent
DN, EIM data resides in its own suffix in the namespace. If you select Yes,
use the list box to select the local LDAP suffix to use as the parent
DN, or enter text to create and name a new parent DN. It is not necessary
to specify a parent DN for the new domain. Click Help for
further information about using a parent DN.
- On the Registry Information page,
specify whether to add the local user registries to the EIM domain
as registry definitions. Select one or both of these user registry
types:
- Select Local i5/OS to add a registry
definition for the local registry. In the field provided,
accept the default value for the registry definition name or specify
a different value for the registry definition name. The EIM registry
name is an arbitrary string that represents the registry type and
specific instance of that registry.
- Select Kerberos to add a registry
definition for a Kerberos registry. In the field provided, accept
the default value for the registry definition name or specify a different
value for the registry definition name. The default registry
definition name is the same as the realm name. By accepting the default
name and using the same Kerberos registry name as the realm name,
you can increase performance in retrieving information from the registry.
Select Kerberos user identities are case sensitive,
if necessary.
- Click Next.
- On the Specify EIM System User page,
select a User type that you want the system
to use when performing EIM operations on behalf of operating system
functions. These operations include mapping lookup operations
and deletion of associations when deleting a local i5/OS user profile. You can select one of the
following types of users: Distinguished name and password, Kerberos
keytab file and principal, or Kerberos principal
and password. The user types available for selection vary based
on the current system configuration. For example, if Network Authentication
Service is not configured for the system, then Kerberos user types
may not be available for selection. The user type that you select
determines the other information that you must provide to complete
the page, as follows:
Note: You must specify a user that is currently
defined in the directory server which is hosting the EIM domain controller.
The user that you specify must have privileges to perform mapping
lookup and registry administration for the local user registry at
a minimum. If the user that you specify does not have these privileges,
then certain operating system functions related to the use of single
sign-on and the deletion of user profiles may fail.
If you have
not configured the directory server prior to running this wizard,
the only user type you can select is Distinguished name
and password and the only distinguished name you can specify
is the LDAP administrator's DN.
- If you select Distinguished name and password,
provide the following information:
- In the Distinguished name field, specify
the LDAP distinguished name that identifies the user for the system
to use when performing EIM operations.
- In the Password field, specify the password
for the distinguished name.
- In the Confirm password field, specify
the password a second time for verification purposes.
- If you select Kerberos principal and password,
provide the following information:
- In the Principal field, specify the Kerberos
principal name for the system to use when performing EIM operations.
- In the Realm field, specify the fully qualified
Kerberos realm name for which the principal is a member. The name
of the principal and realm uniquely identify the Kerberos users in
the keytab file. For example, the principal jsmith in
the realm ordept.myco.com is represented in the keytab
file as jsmith@ordept.myco.com.
- In the Password field, enter the password
for the user.
- In the Confirm password field, specify
the password a second time for verification purposes.
- If you select Kerberos keytab file and principal,
provide the following information:
- In the Keytab file field, specify the fully
qualified path and keytab file name that contains the Kerberos principal
for the system to use when performing EIM operations. Or, click Browse to
browse through directories in the System i integrated file system
to select a keytab file.
- In the Principal field, specify the Kerberos
principal name for the system to use when performing EIM operations.
- In the Realm field, specify the fully qualified
Kerberos realm name for which the principal is a member. The name
of the principal and realm uniquely identify the Kerberos users in
the keytab file. For example, the principal jsmith in
the realm ordept.myco.com is represented in the keytab
file as jsmith@ordept.myco.com.
- Click Verify Connection to ensure that
the wizard can use the specified user information to successfully
establish a connection to the EIM domain controller.
- Click Next.
- In the Summary panel, review the
configuration information that you have provided. If all information
is correct, click Finish.
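The Specify Domain and Specify Parent DN steps above decide where the domain's data lands in the directory namespace, and the characters the wizard rejects in the Domain field (= + < > , # ; \ and *) are exactly the ones that carry meaning inside an LDAP distinguished name. The following Python is an added example, not code from this page or from IBM's EIM tooling. It assumes, which the page does not state, that the domain's RDN attribute is ibm-eimDomainName, so a domain named EIM placed under the parent DN o=myco,c=us would be ibm-eimDomainName=EIM,o=myco,c=us, and with no parent DN it becomes its own suffix. Use it to pre-check a proposed domain name and parent DN before running the wizard.

```python
"""Pre-check an EIM domain name and compose the domain DN it would produce.

Added example; assumptions are marked inline.
"""
from typing import List, Optional

# Characters the wizard rejects in the Domain field, as listed on the page.
# They are the DN metacharacters of RFC 4514 (plus '*'), which is why they are
# disallowed: the domain name is used as an RDN attribute value.
FORBIDDEN_CHARS = frozenset("=+<>,#;\\*")

# ASSUMPTION: the attribute type used for the EIM domain RDN. Not stated on
# the page; treat the resulting DN as illustrative.
DOMAIN_RDN_ATTR = "ibm-eimDomainName"


def validate_domain_name(name: str) -> List[str]:
    """Return a list of problems with a proposed EIM domain name (empty if OK)."""
    problems: List[str] = []
    if not name or name != name.strip():
        problems.append("domain name must be non-empty with no leading or trailing whitespace")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def validate_parent_dn(parent_dn: str) -> List[str]:
    """Minimal sanity check of a parent DN: every comma-separated RDN is attr=value.

    Escaped commas inside values are not handled; the wizard's list box offers
    existing suffixes, so a hand-typed DN with escapes is out of scope here.
    """
    problems: List[str] = []
    for rdn in parent_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            problems.append(f"malformed RDN in parent DN: {rdn.strip()!r}")
    return problems


def eim_domain_dn(domain: str, parent_dn: Optional[str] = None) -> str:
    """Compose the DN the domain would get: under parent_dn, or as its own suffix.

    Raises ValueError if the domain name or parent DN would be rejected.
    """
    problems = validate_domain_name(domain)
    if parent_dn is not None and parent_dn.strip():
        problems += validate_parent_dn(parent_dn)
    if problems:
        raise ValueError("; ".join(problems))
    rdn = f"{DOMAIN_RDN_ATTR}={domain}"
    if parent_dn is None or not parent_dn.strip():
        return rdn  # no parent DN: EIM data lives in its own suffix
    return f"{rdn},{parent_dn.strip()}"


if __name__ == "__main__":
    # Constructed sample inputs for a dry run.
    for dom, parent in [("EIM", None), ("EIM", "o=myco,c=us"), ("Sales,EIM", None)]:
        try:
            print(f"{dom!r} under {parent!r}: {eim_domain_dn(dom, parent)}")
        except ValueError as exc:
            print(f"{dom!r} under {parent!r}: rejected ({exc})")
```

Run it before starting the wizard: a name the script rejects is one the Specify Domain page will reject too, and the printed DN tells you where in the local namespace to expect the domain's entries when you later inspect the directory server.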