Planning principal names
Principals are names of users or services in a Kerberos network. Principal names consist of the user name or service name and the name of the realm to which that user or service belongs.
If Mary Jones uses the realm MYCO.COM, her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal name and its associated password to be authenticated by a centralized Kerberos server. All principals are added to the Kerberos server, which maintains a database of all users and services within a realm.
When developing a system for naming principals, you should assign principal names using a consistent naming convention that will accommodate current and future users. Use the following suggestions to establish a naming convention for your principals:
- Use family name and initial of first name
- Use first initial and full family name
- Use first name plus last initial
- Use application or service names with identifying numbers, such as database1.
IBM i principal names
- IBM i Kerberos Authentication
- When you choose to create a keytab entry for IBM i Kerberos Authentication, the service principal is generated in the keytab file in one of these formats: krbsvr400/IBM i fully qualified domain name@REALM NAME or krbsvr400/IBM i host name@REALM NAME. For example, a valid service principal for IBM i Kerberos Authentication might be krbsvr400/systema.myco.com@MYCO.COM or krbsvr400/systema@MYCO.COM. IBM i generates the principal based on the host name that it finds on either the DNS server or on the IBM i platform, depending on how the IBM i platform is configured to resolve host names.
The service principal is used for several IBM i interfaces, such as QFileSrv.400, Telnet, Distributed Relational Database Architecture™ (DRDA), and IBM i NetServer. Each of these applications might require additional configuration to enable Kerberos authentication.
- LDAP
- In addition to the IBM i service principal name, you can optionally configure additional service principals for IBM Tivoli® Directory Server for IBM i (LDAP) during network authentication service configuration. The LDAP principal name is ldap/IBM i fully qualified domain name@REALM NAME. For example, a valid LDAP principal name might be ldap/systema.myco.com@MYCO.COM. This principal name identifies the directory server located on that IBM i platform.
Note: In past releases, the Network Authentication Service wizard created an uppercase keytab entry for the LDAP service. If you have configured the LDAP principal previously, when you reconfigure network authentication service or access the wizard through the Enterprise Identity Mapping (EIM) interface, you will be prompted to change this principal name to its lowercase version.
If you plan on using Kerberos authentication with the directory server, you not only need to configure network authentication service, but also change properties for the directory server to accept Kerberos authentication. When Kerberos authentication is used, the directory server associates the server distinguished name (DN) with the Kerberos principal name. You can choose to have the server DN associated by using one of the following methods:
- The server can create a DN based on the Kerberos principal name. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.
- The server can search the directory for a distinguished name (DN) that contains an entry for the Kerberos principal and realm. When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.
See IBM Tivoli Directory Server for IBM i (LDAP) for details on the configuration of Kerberos authentication for the directory server.
- HTTP Server
- In addition to the IBM i service principal name, you can optionally configure additional service principals for HTTP Server powered by Apache (HTTP) during network authentication service configuration. The HTTP principal name is HTTP/IBM i fully qualified domain name@REALM NAME. This principal name identifies the HTTP Server instances on the IBM i platform that will be using Kerberos to authenticate Web users. To use Kerberos authentication with an HTTP Server instance, you also need to complete additional configuration steps that pertain to HTTP Server.
See the HTTP Server for IBM i documentation home page to find information about using Kerberos authentication with HTTP Server.
- IBM i NetServer
- For IBM i NetServer, you can also choose to create several NetServer principals that are automatically added to the keytab file on the IBM i platform. Each of these NetServer principals represents all the potential clients that you might use to connect with NetServer. The following table shows the NetServer principal names and the clients they represent.
Table 1. IBM i NetServer principal names

Client connection | IBM i NetServer principal name |
---|---|
Windows | cifs/IBM i fully qualified domain name |
 | cifs/IBM i host name |
 | cifs/Q IBM i host name |
 | cifs/q IBM i host name |
 | cifs/IP address |

See IBM i NetServer for more information about using Kerberos authentication with this application.
- Network File System Server
- In addition to the IBM i service principal name, you can optionally configure Network File System (NFS) Server during network authentication service configuration. The NFS principal name is nfs/IBM i fully qualified domain name@REALM NAME. For example, a valid principal name for the NFS Server might be nfs/systema.myco.com@MYCO.COM.
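The principal formats above are easy to get subtly wrong when planning a keytab (for example the legacy uppercase LDAP entry the note describes, or a missing NetServer variant). The following Python is an added example, not IBM's code or output from any IBM i command: it parses a principal into primary/instance@REALM, derives the service principal names this page lists for one host, maps a principal to the ibm-kn= DN form, and checks a keytab listing against the expected names. The sample keytab entries are constructed; the @REALM suffix on the cifs entries and the use of the first DNS label as the "IBM i host name" are assumptions, as is the example IP address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kerberos principal: primary[/instance]@REALM. Component names are case-sensitive,
# which is why an uppercase LDAP/ keytab entry is not the same as ldap/.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$"
)


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    def __str__(self) -> str:
        inst = f"/{self.instance}" if self.instance else ""
        return f"{self.primary}{inst}@{self.realm}"


def parse_principal(name: str) -> Principal:
    """Split a principal string into its parts; reject anything malformed."""
    m = PRINCIPAL_RE.match(name)
    if m is None:
        raise ValueError(f"not a valid principal name: {name!r}")
    return Principal(m.group("primary"), m.group("instance"), m.group("realm"))


def expected_ibmi_service_principals(fqdn: str, realm: str,
                                     ip: Optional[str] = None) -> Dict[str, List[str]]:
    """Service principals in the formats this page lists, built for one IBM i host.

    Assumption: the host name is the first DNS label of the FQDN, and the
    cifs entries carry the same @REALM suffix as the other keytab entries.
    """
    host = fqdn.split(".", 1)[0]
    cifs = [f"cifs/{fqdn}@{realm}", f"cifs/{host}@{realm}",
            f"cifs/Q{host}@{realm}", f"cifs/q{host}@{realm}"]
    if ip:
        cifs.append(f"cifs/{ip}@{realm}")
    return {
        "krbsvr400": [f"krbsvr400/{fqdn}@{realm}", f"krbsvr400/{host}@{realm}"],
        "ldap": [f"ldap/{fqdn}@{realm}"],
        "HTTP": [f"HTTP/{fqdn}@{realm}"],
        "cifs": cifs,
        "nfs": [f"nfs/{fqdn}@{realm}"],
    }


def ldap_dn_for_principal(name: str) -> str:
    """DN the directory server derives when it builds one from the Kerberos identity."""
    p = parse_principal(name)  # validate before embedding in a DN
    return f"ibm-kn={p}"


def check_keytab_entries(entries: List[str], fqdn: str, realm: str,
                         ip: Optional[str] = None) -> Dict[str, object]:
    """Report expected service principals absent from a keytab listing,
    plus any legacy uppercase LDAP/ entries that should be lowercase."""
    present = set(entries)
    expected = expected_ibmi_service_principals(fqdn, realm, ip)
    missing = {svc: [n for n in names if n not in present]
               for svc, names in expected.items()}
    missing = {svc: names for svc, names in missing.items() if names}
    legacy_upper_ldap = [e for e in entries if parse_principal(e).primary == "LDAP"]
    return {"missing": missing, "legacy_uppercase_ldap": legacy_upper_ldap}


# Constructed sample keytab listing for the worked example (not real command output).
SAMPLE_KEYTAB_ENTRIES = [
    "krbsvr400/systema.myco.com@MYCO.COM",
    "krbsvr400/systema@MYCO.COM",
    "LDAP/systema.myco.com@MYCO.COM",   # legacy uppercase form from an older wizard run
    "HTTP/systema.myco.com@MYCO.COM",
    "nfs/systema.myco.com@MYCO.COM",
]


if __name__ == "__main__":
    report = check_keytab_entries(SAMPLE_KEYTAB_ENTRIES, "systema.myco.com", "MYCO.COM")
    for svc, names in report["missing"].items():
        print(f"{svc}: missing {', '.join(names)}")
    for entry in report["legacy_uppercase_ldap"]:
        print(f"legacy uppercase LDAP entry, rename to lowercase: {entry}")
    print("user DN:", ldap_dn_for_principal("jonesm@MYCO.COM"))
```

Run against the sample listing, the report flags the uppercase LDAP/ entry, the absent lowercase ldap/ principal, and all of the cifs NetServer variants, while the krbsvr400, HTTP and nfs entries pass. The parser rejects strings without a realm, so a typo in a planned name surfaces before it reaches the keytab.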
Questions | Answers |
---|---|
What is the naming convention that you plan to use for Kerberos principals that represent users in your network? | First initial followed by first five letters of the family name in lowercase, for example, mjones |
What is the naming convention for applications on your network? | Descriptive name followed by number, for example, database123 |
For which IBM i services do you plan to use Kerberos authentication? | IBM i Kerberos authentication is used for the following services: |
What are the IBM i principal names for each of these IBM i services? | |