Network authentication service planning work sheets

To successfully configure network authentication service, you must understand the requirements and complete the necessary planning steps.

This topic provides a prerequisite worksheet and planning work sheet to ensure all necessary steps are completed. Use the following work sheets to aid in planning a Kerberos implementation and configuring network authentication service.

Prerequisite work sheet

Use this planning work sheet to ensure that all required prerequisites have been completed. You should be able to answer Yes to all prerequisite items before you perform any configuration tasks.

Table 1. Prerequisite work sheet
Questions Answers
Is your IBM® i at 5.4, or later (5770-SS1)?  

Is Network Authentication Enablement (5770-NAE) installed on your systems?

  
Do you have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?  
Do you have one of the following installed on a secure system that will act as a Kerberos server? Which one?
  1. Windows server
  2. AIX Server
  3. PASE for i (5.4, or later)
  4. z/OS®
  
For Windows server Windows Support Tools (which provides the ktpass tool) installed on the system being used as the key distribution center?  
If your Kerberos server is on a Windows server, are all your PCs in your network configured in a Windows domain?  
Have you applied the latest program temporary fixes (PTFs)?  
Is the IBM i system time within five minutes of the Kerberos server's system time? If not, see Synchronizing system times.  
Table 2. Kerberos server planning work sheet
Questions Answers
On which operating system do you plan to configure your Kerberos server?
  • Windows server
  • AIX® Server
  • PASE for i (5.4, or later)
  • z/OS
  
What is the fully qualified domain name for the Kerberos server?  
Are times between the PCs and systems that connect to the Kerberos server synchronized? What is the maximum clock skew?  
Table 3. Kerberos realm planning work sheet
Questions Answers
How many realms do you need?  
How do you plan to organize realms?  
What will be the naming convention used for realms?  
Table 4. Principal planning work sheet
Questions Answers
What is the naming convention that you plan to use for Kerberos principals that represent users in your network?  
What is the naming convention for applications on your network?  
For which IBM i services do you plan to use Kerberos authentication?  
What are the IBM i principal names for each of these IBM i services?  
Table 5. Host name resolution considerations work sheet
Question Answer
Are the PCs and IBM i platform using the same DNS server to resolve host names?  
Are you using a local host table on the IBM i platform to resolve host names?  
Do your PC and your IBM i platform resolve the same host name for the IBM i platform? See Host name resolution considerations for assistance.  

The following planning work sheet illustrates the type of information you need before you begin configuring the Kerberos server in PASE for i and network authentication service. All answers on the prerequisite work sheet should be answered before you proceed with configuring the Kerberos server in PASE for i.

Table 6. PASE for i planning work sheet
Questions Answers
Do you have PASE installed?  
What is the name of the default realm?  
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens?  
What is the naming convention for your principals that represent users in your network?  
What are the principal names for your users in your network?  

Use the following planning work sheet to gather the information that you need before you begin configuring network authentication service. All answers on the prerequisite work sheet should be answered before you proceed with network authentication service configuration.

Table 7. Network authentication service planning work sheet
Questions Answers
What is the name of the Kerberos default realm to which your system will belong?
Note: A Windows domain is similar to a Kerberos realm.
  
Are you using Microsoft Active Directory?  
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens?  
Do you want to configure a password server for this default realm? If yes, answer the following questions:
What is name of the password server for this Kerberos server?
What is the port on which the password server listens?
  
For which services do you want to create keytab entries?
  • IBM i Kerberos Authentication
  • LDAP
  • IBM HTTP Server
  • IBM i NetServer
  • Network File System Server
  
If you plan to create a service principal for IBM i Kerberos Authentication, what is its password?  
If you plan to create a service principal for LDAP, what is its password?  
If you plan to create a service principal for HTTP Server, what is its password?  
If you plan to create a service principal for IBM i NetServer, what is its password?
Note: When you see the Network Authentication Service wizard, several principals will be created for IBM i NetServer. Write these down here as they are displayed in the wizard. They will be needed when you add these principals to the Kerberos server.
  
If you plan to create a service principal for Network File System Server, what is its password?  
Do you want to create a batch file to automate adding the service principals to Microsoft Active Directory?  
Do you want to include passwords with the IBM i service principals in the batch file?