Configuring a Kerberos server in PASE for i

To provide an integrated runtime environment for AIX® applications, configure and manage a Kerberos server from your IBM® i platform.

IBM i supports a Kerberos server in IBM Portable Application Solutions Environment for i (PASE for i). PASE for i provides an integrated runtime environment for AIX applications. You can configure and manage a Kerberos server from your IBM i platform. To configure a Kerberos server in PASE for i, complete the following steps:
  1. In a character-based interface, type call QP2TERM at the command prompt.
    This command opens an interactive shell environment where you can work with PASE for i applications.
  2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin.
    This command points to the Kerberos scripts that are necessary to run the executable files.
  3. At the command line, enter config.krb5 -S -d systema.myco.com -r MYCO.COM, where -d is the DNS of your network and -r is the realm name. (In this example, myco.com is the DNS name and MYCO.COM is the realm name.)
    This command updates the krb5.config file with the domain name and realm for the Kerberos server, creates the Kerberos database within the integrated file system, and configures the Kerberos server in PASE for i.
    You will be prompted to add a database Master Password and a password for the admin/admin principal, which is used to administer the Kerberos server.
    Note: For V5R3 and V5R4, only the existing database is supported for storing Kerberos principals. The LDAP directory plug-in is currently not supported.
  4. Optional: If you want the Kerberos server and the administration server to automatically start during an initial program load (IPL), you need to perform two additional steps. You must create a job description and add an autostart job entry.
    To configure IBM i to automatically start the Kerberos server and administration server during an IPL, follow these steps:
    1. Create a job description.

      At an IBM i command line, type the following command where xxxxxx is the IBM i user profile with *ALLOBJ user authority:

      CRTJOBD JOBD(QGPL/KRB5PASE) JOBQ(QSYS/QSYSNOMAX) TEXT('Start KDC and admin server in PASE') USER(xxxxxx) RQSDTA('QSYS/CALL PGM(QSYS/QP2SHELL) PARM(''/usr/krb5/sbin/start.krb5'')') SYNTAX(*NOCHK) INLLIBL(*SYSVAL) ENDSEV(30)

    2. Add an autostart job entry. At the command line, type the following command:
      ADDAJE SBSD(QSYS/QSYSWRK) JOB(KRB5PASE) JOBD(QGPL/KRB5PASE)
    Note: As an alternative to starting the servers during an IPL, you can manually start the servers after the IPL by following these steps:
    1. In a character-based interface, type call QP2TERM to open the PASE for i interactive shell environment.
    2. At the command line, enter /usr/krb5/sbin/start.krb5 to start the servers.
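
A preflight check for the -d and -r values in step 3, as an added example that is not part of the original IBM documentation. It assumes the convention used by the page's own values (systema.myco.com and MYCO.COM), where the realm is the upper-case form of the KDC host's DNS domain; the function names are hypothetical, and the script only prints the config.krb5 command, it does not run it.

```shell
#!/bin/sh
# Assumption: realm = upper-cased DNS domain of the KDC host, as in the
# page's systema.myco.com / MYCO.COM example. All function names are hypothetical.

# Return 0 if directory $1 is already in the colon-separated list $2.
path_has_dir() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the realm is non-empty and entirely upper case.
# Realm names are case-sensitive, so myco.com and MYCO.COM are different realms.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Return 0 if host FQDN $1 lies inside the DNS domain matching realm $2.
host_in_realm() {
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        *".$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the step 3 command line, or an error on stderr and a non-zero status.
krb5_config_cmd() {
    kdc_host=$1
    kdc_realm=$2
    if ! realm_is_upper "$kdc_realm"; then
        echo "realm '$kdc_realm' is not upper case" >&2
        return 1
    fi
    if ! host_in_realm "$kdc_host" "$kdc_realm"; then
        echo "host '$kdc_host' is outside the DNS domain of realm '$kdc_realm'" >&2
        return 2
    fi
    printf 'config.krb5 -S -d %s -r %s\n' "$kdc_host" "$kdc_realm"
}

# Example run with the page's values: extend PATH once (step 2), then print step 3.
path_has_dir /usr/krb5/sbin "$PATH" || PATH=$PATH:/usr/krb5/sbin
krb5_config_cmd systema.myco.com MYCO.COM
```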

What do I do next?

If you use Windows workstations with a Kerberos server that is not configured through Windows Active Directory (such as a Kerberos server in PASE for i), you must perform several configuration steps on both the Kerberos server and the workstation to ensure that Kerberos authentication works properly.