To provide an integrated runtime environment for AIX® applications, configure and manage a Kerberos server from your IBM® i platform.
IBM i supports a Kerberos server in IBM Portable Application Solutions Environment for i (PASE for i). PASE for i provides an integrated runtime environment for AIX applications. You can configure and manage a Kerberos server from your IBM i platform.
To configure a Kerberos server in PASE for i, complete the following steps:
- In a character-based interface, type call QP2TERM at the command prompt.
  This command opens an interactive shell environment where you can work with PASE for i applications.
- At the command line, enter export PATH=$PATH:/usr/krb5/sbin.
  This command points to the Kerberos scripts that are necessary to run the executable files.
- At the command line, enter config.krb5 -S -d systema.myco.com -r MYCO.COM, where -d is the DNS of your network and -r is the realm name. (In this example, myco.com is the DNS name and MYCO.COM is the realm name.)
  This command updates the krb5.config file with the domain name and realm for the Kerberos server, creates the Kerberos database within the integrated file system, and configures the Kerberos server in PASE for i.
  You will be prompted to add a database Master Password and a password for the admin/admin principal, which is used to administer the Kerberos server.
  Note: For V5R3 and V5R4, only the existing database is supported for storing Kerberos principals. The LDAP directory plug-in is currently not supported.
- Optional: If you want the Kerberos server and the administration server to automatically start during an initial program load (IPL), you need to perform two additional steps. You must create a job description and add an autostart job entry.
  To configure IBM i to automatically start the Kerberos server and administration server during an IPL, follow these steps:
  - Create a job description. At an IBM i command line, type the following command where xxxxxx is the IBM i user profile with *ALLOBJ user authority:
    CRTJOBD JOBD(QGPL/KRB5PASE) JOBQ(QSYS/QSYSNOMAX) TEXT('Start KDC and admin server in PASE') USER(xxxxxx) RQSDTA('QSYS/CALL PGM(QSYS/QP2SHELL) PARM(''/usr/krb5/sbin/start.krb5'')') SYNTAX(*NOCHK) INLLIBL(*SYSVAL) ENDSEV(30)
  - Add an autostart job entry. At the command line, type the following command:
    ADDAJE SBSD(QSYS/QSYSWRK) JOB(KRB5PASE) JOBD(QGPL/KRB5PASE)
  Note: As an alternative to starting the servers during an IPL, you can manually start the servers after the IPL by following these steps:
  - In a character-based interface, type call QP2TERM to open the PASE for i interactive shell environment.
  - At the command line, enter /usr/krb5/sbin/start.krb5 to start the servers.
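
As an added check that is not part of the IBM procedure, the following shell function confirms that a Kerberos configuration file names the realm and KDC host that were passed to config.krb5. The function names, the sample file, and its contents are assumptions constructed for this example; pass the path of the configuration file on your own system as the first argument.

```shell
#!/bin/sh
# check_krb5_conf FILE REALM KDC_HOST  (hypothetical helper, not an IBM tool).
# Exit 0 only if FILE names REALM as default_realm and lists KDC_HOST as a
# kdc inside REALM's stanza of the [realms] section.
check_krb5_conf() {
    awk -v realm="$2" -v host="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/   { section = trim($0); stanza = ""; next }
        section == "[libdefaults]" {
            split($0, kv, "=")
            if (trim(kv[1]) == "default_realm") default_realm = trim(kv[2])
        }
        section == "[realms]" && /\{/ { split($0, kv, "="); stanza = trim(kv[1]); next }
        section == "[realms]" && stanza == realm {
            split($0, kv, "=")
            if (trim(kv[1]) == "kdc") {
                h = trim(kv[2]); sub(/:[0-9]+$/, "", h)  # drop the port
                if (tolower(h) == tolower(host)) kdc_ok = 1
            }
        }
        /\}/ { stanza = "" }                            # end of a realm stanza
        END {
            if (default_realm != realm) { print "default_realm: got \"" default_realm "\", want " realm; rc = 1 }
            if (!kdc_ok) { print "no kdc = " host " under realm " realm; rc = 1 }
            exit rc + 0
        }' "$1"
}

# Constructed sample in standard Kerberos configuration syntax, using the
# example values from this page; it is not output captured from config.krb5.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = MYCO.COM
[realms]
    MYCO.COM = {
        kdc = systema.myco.com:88
        admin_server = systema.myco.com:749
    }
[domain_realm]
    .myco.com = MYCO.COM
EOF
}

sample="${TMPDIR:-/tmp}/krb5.sample.$$"
write_sample_conf "$sample"
check_krb5_conf "$sample" MYCO.COM systema.myco.com && echo "configuration matches"
rm -f "$sample"
```

A nonzero exit status means the file does not match the values you configured; the function prints which of the two checks failed.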
What do I do next?
If you use Windows workstations with a Kerberos server that is not configured through Windows Active Directory (such as a Kerberos server in PASE for i), you must perform several configuration steps on both the Kerberos server and the workstation to ensure that Kerberos authentication works properly.