Scenario: Propagating network authentication service configuration across multiple systems

Here are the prerequisites and objectives for propagating your network authentication service configuration across multiple systems.

Situation

You are a systems administrator for a large automobile parts manufacturer. You currently manage four IBM® i platforms with System i® Navigator. One system operates as the central system, which stores data and manages these other systems. The security administrator for your company has just configured network authentication service on a new system to participate in a Windows domain, which authenticates users to the enterprise. The security administrator has tested the network authentication service configuration on this system and has successfully obtained a service ticket for this IBM i platform. You want to simplify the configuration of network authentication service among these systems that you manage.

Using the Synchronize Functions wizard, you want to take the network authentication service configuration on the model system and apply it to your other systems. The Synchronize Functions wizard makes network authentication service configuration throughout your network quicker and easier because you do not need to configure each system separately.

Objectives

In this scenario, MyCo, Inc. has two distinct goals:
  1. To simplify configuration of network authentication service in the network.
  2. To have all IBM i platforms point to the same Kerberos server.

Details

The following graphic shows the details for this scenario. System D, shown in the graphic, is not used in this scenario.

Management Central Synchronize Network Authentication Service settings
SystemMC1: Central system
  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • IBM i Access for Windows (5770-XE1)
    • Network Authentication Enablement (5770-NAE)
  • Stores, schedules and runs synchronization setting tasks for each of the endpoint systems.
System A: Model system
  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • IBM i Access for Windows (5770-XE1)
    • Network Authentication Enablement (5770-NAE)
  • Is the model system for propagating network authentication service configuration to endpoint systems.
System B: Endpoint system
  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • IBM i Access for Windows (5770-XE1)
    • Network Authentication Enablement (5770-NAE)
  • Is one of the endpoint systems for the propagation of network authentication service configuration.
System C: Endpoint system
  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers (5770-SS1 Option 12)
    • IBM i Access for Windows (5770-XE1)
    • Network Authentication Enablement (5770-NAE)
  • Is one of the endpoint systems for the propagation of network authentication service configuration.
Client PC
  • Runs IBM i Access for Windows (5770-XE1).
  • Runs System i Navigator with the following subcomponents:
    Note: These subcomponents are only required for a PC that is used to administer network authentication service.
    • Network
    • Security

Windows server (not shown in the graphic)

  • Operates as the Kerberos server for the network (kdc1.myco.com).
  • All users have been added to Microsoft Active Directory.
Note: The KDC server name, kdc1.myco.com, is a fictitious name used in this scenario.

Prerequisites and assumptions

SystemMC1: Central system prerequisites
  1. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, follow these steps:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on System A.
  4. No one has changed the default settings in System i Navigator to disable the Task Status window from opening when a task starts. To verify that the default setting has not been changed, follow these steps:
    1. In System i Navigator, right-click your central system and select User Preferences.
    2. On the General page, verify that Automatically open a task status window when one of my tasks starts is selected.
  5. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
    Note: When you propagate network authentication service configuration among systems, sensitive information, like passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
System A: Model system prerequisites
  1. This scenario assumes that network authentication service is properly configured on the model system (System A).
  2. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, follow these steps:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  3. All necessary hardware planning and setup have been completed.
  4. TCP/IP and basic system security have been configured and tested on your system.
  5. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
    Note: When you propagate network authentication service configuration among systems, sensitive information, like passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
System B and System C: Endpoint system prerequisites
  1. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, follow these steps:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup have been completed.
  3. TCP/IP and basic system security have been configured and tested on your system.
  4. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these systems.
    Note: When you propagate network authentication service configuration among systems, sensitive information, like passwords, is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Securing all connections to your Management Central server with SSL for details.
Windows server (not shown in the graphic)
  1. All necessary hardware planning and setup have been completed.
  2. TCP/IP has been configured and tested on the server.
  3. Windows domain has been configured and tested.
  4. All users within your network have been added to a Windows domain through Active Directory.
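The second objective of the scenario is that every IBM i platform ends up pointing at the same Kerberos server (kdc1.myco.com). After the Synchronize Functions wizard has run, an administrator will want a check that the endpoint configurations really match the model system. The following script is an added example written for this page; it is not part of the IBM documentation or of System i Navigator. It assumes that each system's network authentication service configuration has been retrieved as krb5.conf-style text (on IBM i that file lives under /QIBM/UserData/OS400/NetworkAuthentication/, which is an assumption here, as is the sample content), and it reports any endpoint whose default realm or KDC list differs from the model system's.

```python
"""Compare the Kerberos realm/KDC settings of endpoint systems with the model system.

Added example, not IBM code. Assumes the krb5.conf text of each system has
already been collected (for example by copying the file from
/QIBM/UserData/OS400/NetworkAuthentication/ on each IBM i; that path is an
assumption). The configurations below are constructed for illustration.
"""
import re

# Constructed: the model system's (System A) configuration.
MODEL_CONF = """\
[libdefaults]
    default_realm = MYCO.COM

[realms]
    MYCO.COM = {
        kdc = kdc1.myco.com:88
    }
"""

# Constructed: what was read back from each system after synchronization.
# System C is deliberately left pointing at an old KDC to show drift detection.
ENDPOINT_CONFS = {
    "SystemA": MODEL_CONF,
    "SystemB": MODEL_CONF,
    "SystemC": """\
[libdefaults]
    default_realm = MYCO.COM

[realms]
    MYCO.COM = {
        kdc = oldkdc.myco.com:88
    }
""",
}


def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf-style text.

    Only the [libdefaults] default_realm and the kdc entries of each realm
    block in [realms] are extracted; other keys and sections are ignored.
    """
    section = None
    realm = None
    default_realm = None
    kdcs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            realm = None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = value.strip()
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                kdcs.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    kdcs[realm].append(value.strip())
    return default_realm, kdcs


def kdc_drift(model_text, endpoint_texts):
    """Return {system: reason} for endpoints whose realm or KDCs differ from the model."""
    model_realm, model_kdcs = parse_krb5(model_text)
    expected = sorted(model_kdcs.get(model_realm, []))
    drift = {}
    for name, text in endpoint_texts.items():
        realm, kdcs = parse_krb5(text)
        if realm != model_realm:
            drift[name] = f"default_realm {realm!r} != {model_realm!r}"
        elif sorted(kdcs.get(realm, [])) != expected:
            drift[name] = f"kdc {sorted(kdcs.get(realm, []))} != {expected}"
    return drift


if __name__ == "__main__":
    problems = kdc_drift(MODEL_CONF, ENDPOINT_CONFS)
    if not problems:
        print("all endpoints match the model system")
    for system, reason in problems.items():
        print(f"{system}: {reason}")
```

Run against the constructed configurations, the script reports only SystemC, because its realm block names a different KDC than the model system. Comparing the sorted KDC lists rather than the raw text means that harmless differences in ordering or whitespace between systems are not flagged, while a wrong or missing KDC is.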

Configuration steps

To use the Synchronize Functions wizard to propagate network authentication service configuration to endpoint systems, you must complete the following steps.