Creating and joining a new local domain

When you use the EIM Configuration wizard to create and join a new domain, you can choose to configure the EIM domain controller on the local system as part of creating your EIM configuration.

1. From IBM Navigator for i on the system for which you want to configure EIM, expand Security > All Tasks > Enterprise Identity Mapping > Configuration.
2. Click Configure to start the EIM Configuration wizard.
3. On the Welcome page of the wizard, select Create and join a new domain, and click Next.
4. On the Specify EIM Domain Location page, select On the local Directory server and click Next.
   Note: This option configures the local directory server to act as the EIM domain controller. Because this directory server stores all EIM data for the domain, it must be active and remain active to support EIM mapping lookups and other operations.

   If network authentication service is not currently configured on the IBM i platform, or additional network authentication configuration information is needed to configure a single sign-on environment, the Network Authentication Services Configuration page displays. This page allows you start the Network Authentication Service Configuration wizard so that you can configure network authentication service. Or, you can configure Network Authentication Service at a later time by using the configuration wizard for this service through IBM Navigator for i. When you complete network authentication service configuration, the EIM Configuration wizard continues.

5. To configure network authentication service, complete these steps:
   1. On the Configure Network Authentication Service page, select Yes to start the Network Authentication Service Configuration wizard. With this wizard, you can configure several IBM i interfaces and services to participate in a Kerberos realm as well as configure a single signon environment that uses both EIM and network authentication service.
   2. On the Specify Realm Information page, specify the name of the default realm in the Default realm field. If you are using Microsoft Active Directory for Kerberos authentication, select Microsoft Active Directory is used for Kerberos authentication, and click Next.
   3. On the Specify KDC Information page, specify the fully qualified name of the Kerberos server for this realm in the KDC field, specify 88 in the Port field, and click Next.
   4. On the Specify Password Server Information page, select either Yes or No for setting up a password server. The password server allows principals to change passwords on the Kerberos server. If you select Yes, enter the password server name in the Password server field. In the Port field, accept the default value of 464, and click Next.
   5. On the Select Keytab Entries page, select IBM i Kerberos Authentication, and click Next.
      Note: In addition you can also create keytab entries for the IBM Tivoli® Directory Server for IBM i, IBM i NetServer, and IBM HTTP Server for i if you want these services to use Kerberos authentication. You may need to perform additional configuration for these services before they can use Kerberos authentication.
   6. On the Create IBM i Keytab Entry page, enter and confirm a password, and click Next. This is the same password you will use when you add the IBM i principals to the Kerberos server.
   7. Optional: On the Create Batch File page, select Yes, specify the following information, and click Next:
      • In the Batch file field, update the directory path. Click Browse to locate the appropriate directory path, or edit the path in the Batch file field.
      • Select Include password in the batch file. This ensures that all passwords associated with the IBM i service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. Therefore, it is essential that you delete the batch file from the Kerberos server and from the IBM i platform immediately after you use it. If you do not include the password, you will be prompted for the password when you run the batch file.
        Note: You can also manually add the service principals that are generated by the wizard to Microsoft Active Directory. To learn how to do this, review Add IBM i principals to the Kerberos server
      • On the Summary page, review the network authentication service configuration details, and click Finish to return to the EIM Configuration wizard.
6. If the local directory server is not currently configured, the Configure Directory Server page displays when the EIM Configuration wizard resumes. Provide the following information to configure the local directory server:
   Note: If you configure the local directory server before you use the EIM Configuration wizard, the Specify User for Connection page displays instead. Use this page to specify the distinguished name and password for the LDAP administrator to ensure that the wizard has enough authority to administer the EIM domain and the objects in it and continue with the next step in this procedure. Click ? for help, if necessary, to determine what information to provide for this page.
   1. In the Port field, accept the default port number 389, or specify a different port number to use for nonsecure EIM communications with the directory server.
   2. In the Distinguished name field, specify the LDAP distinguished name (DN) that identifies the LDAP administrator for the directory server. The EIM Configuration wizard creates this LDAP administrator DN and uses it to configure the directory server as the domain controller for the new domain that you are creating.
   3. In the Password field, specify the password for the LDAP administrator.
   4. In the Confirm password field, specify the password a second time for validation purposes.
   5. Click Next.
7. On the Specify Domain page, provide the following information:
   1. In the Domain field, specify the name of the EIM domain that you want to create. Accept the default name of EIM, or use any string of characters that makes sense to you. However, you cannot use special characters such as = + < > , # ; \ and *.
   2. In the Description field, enter text to describe the domain.
   3. Click Next.
8. On the Specify Parent DN for Domain page, select Yes to specify a parent DN for the domain that you are creating, or specify No to have EIM data stored in a directory location with a suffix whose name is derived from the EIM domain name.
   Note: When you create a domain on a local directory server, a parent DN is optional. By specifying a parent DN, you can specify where in the local LDAP namespace EIM data should reside for the domain. When you do not specify a parent DN, EIM data resides in its own suffix in the namespace. If you select Yes, use the list box to select the local LDAP suffix to use as the parent DN, or enter text to create and name a new parent DN. It is not necessary to specify a parent DN for the new domain. Click ? for further information about using a parent DN.
9. On the Registry Information page, specify whether to add the local user registries to the EIM domain as registry definitions. Select one or both of these user registry types:
   Note: You do not have to create the registry definitions at this time. If you choose to create the registry definitions later, you need to add the system registry definitions and update the EIM configuration properties.
   1. Select Local IBM i to add a registry definition for the local registry.
      In the field provide, accept the default value for the registry definition name or specify a different value for the registry definition name. The EIM registry name is an arbitrary string that represents the registry type and specific instance of that registry.
   2. Select Kerberos to add a registry definition for a Kerberos registry. In the field provided, accept the default value for the registry definition name or specify a different value for the registry definition name.
      The default registry definition name is the same as the realm name. By accepting the default name and using the same Kerberos registry name as the realm name, you can increase performance in retrieving information from the registry. Select Kerberos user identities are case sensitive, if necessary.
   3. Click Next.
10. On the Specify EIM System User page, select a User type that you want the system to use when performing EIM operations on behalf of operating system functions.
    These operations include mapping lookup operations and deletion of associations when deleting a local IBM i user profile. You can select one of the following types of users: Distinguished name and password, Kerberos keytab file and principal, or Kerberos principal and password. Which user types you can select vary based on the current system configuration. For example, if Network Authentication Service is not configured for the system, then Kerberos user types may not be available for selection. The user type that you select determines the other information that you must provide to complete the page as follows:

    Note: You must specify a user that is currently defined in the directory server which is hosting the EIM domain controller. The user that you specify must have privileges to perform mapping lookup and registry administration for the local user registry at a minimum. If the user that you specify does not have these privileges, then certain operating system functions related to the use of single sign-on and the deletion of user profiles may fail.

    If you have not configured the directory server prior to running this wizard, the only user type you can select is Distinguished name and password and the only distinguished name you can specify is the LDAP administrator's DN.

    • If you select Distinguished name and password, provide the following information:
      • In the Distinguished name field, specify the LDAP distinguished name that identifies the user for the system to use when performing EIM operations.
      • In the Password field, specify the password for the distinguished name.
      • In the Confirm password field, specify the password a second time for verification purposes.
    • If you select Kerberos principal and password, provide the following information:
      • In the Principal field, specify the Kerberos principal name for the system to use when performing EIM operations
      • In the Realm field, specify the fully qualified Kerberos realm name for which the principal is a member. The name of the principal and realm uniquely identify the Kerberos users in the keytab file. For example, the principal jsmith in the realm ordept.myco.com is represented in the keytab file as jsmith@ordept.myco.com.
      • In the Password field, enter the password for the user.
      • In the Confirm password field, specify the password a second time for verification purposes.
    • If you select Kerberos keytab file and principal, provide the following information:
      • In the Keytab file field, specify the fully qualified path and keytab file name that contains the Kerberos principal for the system to use when performing EIM operations. Or, click Browse to browse through directories in the IBM i integrated file system to select a keytab file.
      • In the Principal field, specify the Kerberos principal name for the system to use when performing EIM operations.
      • In the Realm field, specify the fully qualified Kerberos realm name for which the principal is a member. The name of the principal and realm uniquely identify the Kerberos users in the keytab file. For example, the principal jsmith in the realm ordept.myco.com is represented in the keytab file as jsmith@ordept.myco.com.
    • Click Verify Connection to ensure that the wizard can use the specified user information to successfully establish a connection to the EIM domain controller.
    • Click Next.
11. In the Summary panel, review the configuration information that you have provided. If all information is correct, click Finish.