Planning realms

Understanding your enterprise can help you plan for realms in your environment.

In the Kerberos protocol, realms consist of a collection of machines and services that use a single authentication server called a Kerberos server or key distribution center (KDC). Realms are managed individually. Applications and services within the realm typically share some common use or purpose. The following general questions can help you plan realms in your enterprise:
How large is my current environment?
The size of your environment determines the number of realms you need. In a larger enterprise, you might consider several realms that are based on organizational boundaries or on how certain systems are used within the enterprise. For example, you might establish realms that represent different organizations in your company, such as realms for your human resource department, customer service department, or shipping department. You can also create realms for a collection of systems or services that perform similar functions. Typically, smaller enterprises need only one or two realms.
How quickly do I anticipate my environment to grow?
If you plan for your enterprise to grow quickly, you might want to set up several realms representing smaller organizational units in your enterprise. If you anticipate that your enterprise will grow more slowly, you can set up only one or two realms based on your organization now.
How many administrators will I need to manage these realms?
No matter how large or small your enterprise is, you need to make sure you have knowledgeable personnel to set up and administer the realms that you need.

Naming realms

According to the conventions of the Kerberos protocol, realm names typically consist of an uppercase version of the domain name, such as MYCO.COM. In networks with multiple realms, you can create a realm name that includes an uppercase descriptive name and the domain name. For example, you might have two realms, one called HR.MYCO.COM and the other named SHIPPING.MYCO.COM, each representing a particular department in your organization.

It is not necessary to use uppercase; however, some implementations of Kerberos enforce this convention. For example, realm names are strictly uppercase in a Microsoft Active Directory. If you are configuring network authentication service on the IBM® i platform to participate in a Kerberos realm configured in Microsoft Active Directory, you must enter the realm name in uppercase.

For a Kerberos server that is configured in IBM i PASE, you can create either upper or lowercase realm names. However, if you plan to create trust relationships between a Kerberos server configured with Microsoft Active Directory and a Kerberos server configured in IBM i PASE, the realm names should be uppercase.

Table 1. Example planning work sheet for Kerberos realms

Question: How many realms do you need?
Answer: Two

Question: How do you plan to organize realms?
Answer: Currently our company has a Windows server that authenticates users in our Order Receiving Department. Our Shipping Department uses a Kerberos server in IBM i PASE. Each of these departments will have its own realm.

Question: What will be the naming convention used for realms?
Answer: We will use an uppercase shortened name that indicates the department, followed by an uppercase version of the Windows domain name. For example, ORDEPT.MYCO.COM will represent the Order Receiving Department and SHIPDEPT.MYCO.COM will represent the Shipping Department.
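The naming rules above (uppercase domain, optional uppercase department prefix, strictly uppercase when Microsoft Active Directory is involved) are easy to get wrong when a work sheet like Table 1 is turned into configuration. The following Python script is an added example, not part of the IBM documentation or of any IBM i tool; it derives realm names from a DNS domain and department label and reports where a proposed name departs from the page's conventions. The label syntax check (DNS-style labels) and the department names are assumptions for illustration.

```python
import re

# Each dot-separated label is checked as a DNS host label (letters, digits,
# hyphens; no leading or trailing hyphen; at most 63 characters).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def realm_from_domain(domain, department=None):
    """Derive a realm name as this page describes: the uppercase domain,
    optionally prefixed by an uppercase department label
    (department="shipdept", domain="myco.com" -> "SHIPDEPT.MYCO.COM")."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain has no labels")
    if department:
        labels.insert(0, department)
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid realm label: %r" % label)
    return ".".join(label.upper() for label in labels)


def check_realm(realm, interoperates_with_ad=False):
    """Return a list of (severity, message) findings for a proposed realm name.
    severity is "error" where the page says the name will not work (Active
    Directory realms are strictly uppercase) and "warning" where the name only
    departs from the uppercase convention."""
    findings = []
    if not realm or realm != realm.strip():
        findings.append(("error", "realm name is empty or has surrounding whitespace"))
        return findings
    for label in realm.split("."):
        if not LABEL_RE.match(label):
            findings.append(("error", "label %r is not a valid DNS-style label" % label))
    if realm != realm.upper():
        if interoperates_with_ad:
            findings.append(("error",
                             "Active Directory realm names are strictly uppercase; use %r"
                             % realm.upper()))
        else:
            findings.append(("warning",
                             "realm is not uppercase; convention (and any future AD trust) expects %r"
                             % realm.upper()))
    return findings


def plan_realms(domain, departments, interoperates_with_ad=False):
    """Map each department label to its derived realm name and its findings,
    the way the work sheet in Table 1 pairs departments with realms."""
    plan = {}
    for dept in departments:
        realm = realm_from_domain(domain, dept)
        plan[dept] = (realm, check_realm(realm, interoperates_with_ad))
    return plan


if __name__ == "__main__":
    # Constructed sample input modelled on the page's work sheet.
    for dept, (realm, findings) in plan_realms("myco.com", ["ordept", "shipdept"], True).items():
        print(dept, "->", realm, findings or "ok")
    # A lowercase name that an IBM i PASE KDC would accept but an AD trust would not.
    for severity, message in check_realm("shipdept.myco.com", interoperates_with_ad=True):
        print(severity.upper() + ":", message)
```

The distinction between "error" and "warning" mirrors the page: a lowercase realm is legal for a Kerberos server in IBM i PASE, but it becomes an error as soon as the realm must match or trust a realm in Microsoft Active Directory.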