Completing the planning work sheets
The following planning work sheets are tailored to fit this scenario based on the general single sign-on planning worksheets. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make as you prepare to configure the single sign-on implementation described by this scenario. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the work sheet, and you should gather all the information necessary to complete the work sheets before you perform any configuration tasks.

Note: You need to thoroughly understand the concepts related to single sign-on, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario.
Prerequisite work sheet | Answers |
---|---|
Is your system running IBM® i 5.4, or later? | Yes |
Are the following options and licensed programs installed on System A and System B? | Yes |
Have you installed an application that is enabled for single sign-on on each of the PCs that will participate in the single sign-on environment? Note: For this scenario, all of the participating PCs have IBM i Access Client Solutions (5733-XJ1) installed. See IBM i Access Client Solutions: Getting Started. | Yes |
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? | Yes |
Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system. | Yes, Windows server |
Are all your PCs in your network configured in a Windows domain? | Yes |
Have you applied the latest program temporary fixes (PTFs)? | Yes |
Is the IBM i model time within 5 minutes of the system time on the Kerberos server? If not, see Synchronize system times. | Yes |
Are you running IBM i PASE for the Kerberos server? | You must have IBM Network Authentication Enablement for i (5770-NAE) installed. |
You need this information to configure EIM and network authentication service on System A.

Configuration planning work sheet for System A | Answers |
---|---|
Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard: | |
How do you want to configure EIM for your system? | Create and join a new domain |
Where do you want to configure the EIM domain? | On the local directory server. Note: This will configure the directory server on the same system on which you are currently configuring EIM. |
Do you want to configure network authentication service? Note: You must configure network authentication service to configure single sign-on. | Yes |
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard. | |
What is the name of the Kerberos default realm to which your IBM i model will belong? Note: A Windows server domain is similar to a Kerberos realm. | MYCO.COM |
Are you using Microsoft Active Directory? | Yes |
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens? | KDC: kdc1.myco.com; Port: 88. Note: This is the default port for the Kerberos server. |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? What is the port on which the password server listens? | Yes; Password server: kdc1.myco.com; Port: 464. Note: This is the default port for the password server. |
For which services do you want to create keytab entries? | IBM i Kerberos Authentication |
What is the password for your service principal or principals? | systema123. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
Do you want to create a batch file to automate adding the service principals for System A to the Kerberos registry? | Yes |
Do you want to include passwords with the IBM i service principals in the batch file? | Yes |
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard: | |
Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator. Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it. | Port: 389; Distinguished name: cn=administrator; Password: mycopwd. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
What is the name of the EIM domain that you want to create? | MyCoEimDomain |
Do you want to specify a parent DN for the EIM domain? | No |
Which user registries do you want to add to the EIM domain? | Local IBM i--SYSTEMA.MYCO.COM; Kerberos--KDC1.MYCO.COM. Note: You should not select "Kerberos user identities are case sensitive" when the wizard presents this option. |
Which EIM user do you want System A to use when performing EIM operations? This is the system user. Note: If you have not configured the directory server prior to configuring single sign-on, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password. | User type: Distinguished name; Distinguished name: cn=administrator; Password: mycopwd. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
You need this information to allow System B to participate in the EIM domain and to configure network authentication service on System B.

Configuration planning work sheet for System B | Answers |
---|---|
Use the following information to complete the EIM Configuration wizard for System B: | |
How do you want to configure EIM on your system? | Join an existing domain |
Do you want to configure network authentication service? Note: You must configure network authentication service to configure single sign-on. | Yes |
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard: Note: You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard. | |
What is the name of the Kerberos default realm to which your IBM i model will belong? Note: A Windows server domain is equivalent to a Kerberos realm. | MYCO.COM |
Are you using Microsoft Active Directory? | Yes |
What is the Kerberos server for this Kerberos default realm? What is the port on which the Kerberos server listens? | KDC: kdc1.myco.com; Port: 88. Note: This is the default port for the Kerberos server. |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? What is the port on which the password server listens? | Yes; Password server: kdc1.myco.com; Port: 464. Note: This is the default port for the password server. |
For which services do you want to create keytab entries? | IBM i Kerberos Authentication |
What is the password for your IBM i service principals? | systemb123. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
Do you want to create a batch file to automate adding the service principals for System B to the Kerberos registry? | Yes |
Do you want to include passwords with the IBM i service principals in the batch file? | Yes |
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard for System B: | |
What is the name of the EIM domain controller for the EIM domain that you want to join? | systema.myco.com |
Do you plan on securing the connection with SSL or TLS? | No |
What is the port on which the EIM domain controller listens? | 389 |
Which user do you want to use to connect to the domain controller? This is the connection user. Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it. | User type: Distinguished name and password; Distinguished name: cn=administrator; Password: mycopwd. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |
What is the name of the EIM domain that you want to join? | MyCoEimDomain |
Do you want to specify a parent DN for the EIM domain? | No |
What is the name of the user registry that you want to add to the EIM domain? | Local IBM i--SYSTEMB.MYCO.COM |
Which EIM user do you want System B to use when performing EIM operations? This is the system user. Note: Earlier in this scenario, you used the EIM Configuration wizard to configure the directory server on System A. In doing so, you created a DN and password for the LDAP administrator. This is currently the only DN defined for the directory server. Therefore, this is the DN and password you must supply here. | User type: Distinguished name and password; Distinguished name: cn=administrator; Password: mycopwd. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration. |

IBM i user profile name | Password is specified | Special authority (Privilege class) | System |
---|---|---|---|
SYSUSERA | No | User | System A |
SYSUSERB | No | User | System B |

Identifier name | User registry | User identity | Association type | Identifier description |
---|---|---|---|---|
John Day | MYCO.COM | jday | Source | Kerberos (Windows) login user identity |
John Day | SYSTEMA.MYCO.COM | JOHND | Target | IBM i user profile on System A |
John Day | SYSTEMB.MYCO.COM | DAYJO | Target | IBM i user profile on System B |
Sharon Jones | MYCO.COM | sjones | Source | Kerberos (Windows) login user identity |
Sharon Jones | SYSTEMA.MYCO.COM | SHARONJ | Target | IBM i user profile on System A |
Sharon Jones | SYSTEMB.MYCO.COM | JONESSH | Target | IBM i user profile on System B |

Policy association type | Source user registry | Target user registry | User identity | Description |
---|---|---|---|---|
Default registry | MYCO.COM | SYSTEMA.MYCO.COM | SYSUSERA | Maps authenticated Kerberos user to appropriate IBM i user profile |
Default registry | MYCO.COM | SYSTEMB.MYCO.COM | SYSUSERB | Maps authenticated Kerberos user to appropriate IBM i user profile |
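The following is an added example, not part of this documentation or of IBM's EIM implementation, that walks the identifier and policy association tables above as an EIM lookup of the kind performed at sign-on. The registries, identities and profiles are the scenario's own values entered as constructed data; identifier associations take precedence and the default registry policy association is only the fallback, and Kerberos identities are compared case-insensitively because the System A work sheet says not to select the "case sensitive" option.

```python
"""EIM mapping lookup for this scenario (constructed example, not IBM code)."""
from dataclasses import dataclass

KERBEROS = "MYCO.COM"          # source registry: the Windows domain / Kerberos realm
SYSTEMA = "SYSTEMA.MYCO.COM"   # target registry: local IBM i registry on System A
SYSTEMB = "SYSTEMB.MYCO.COM"   # target registry: local IBM i registry on System B

# The System A work sheet says not to select "Kerberos user identities are case
# sensitive", so identities in that registry are compared case-insensitively.
CASE_INSENSITIVE_REGISTRIES = {KERBEROS}


@dataclass(frozen=True)
class Association:
    registry: str
    user: str
    kind: str  # "Source" or "Target"


# Identifier associations, one EIM identifier per person, from the scenario's table.
IDENTIFIERS = {
    "John Day": [Association(KERBEROS, "jday", "Source"),
                 Association(SYSTEMA, "JOHND", "Target"),
                 Association(SYSTEMB, "DAYJO", "Target")],
    "Sharon Jones": [Association(KERBEROS, "sjones", "Source"),
                     Association(SYSTEMA, "SHARONJ", "Target"),
                     Association(SYSTEMB, "JONESSH", "Target")],
}

# Default registry policy associations: (source registry, target registry) -> profile.
POLICIES = {(KERBEROS, SYSTEMA): "SYSUSERA", (KERBEROS, SYSTEMB): "SYSUSERB"}


def same_user(registry, a, b):
    """Compare two user identities using the registry's case rule."""
    return a.lower() == b.lower() if registry in CASE_INSENSITIVE_REGISTRIES else a == b


def lookup(source_registry, source_user, target_registry):
    """Return the target user identity for a source identity, or None.

    Identifier associations are consulted first; the default registry policy
    association is only the fallback when no identifier maps the source user.
    """
    for assocs in IDENTIFIERS.values():
        if any(a.kind == "Source" and a.registry == source_registry
               and same_user(source_registry, a.user, source_user) for a in assocs):
            for a in assocs:
                if a.kind == "Target" and a.registry == target_registry:
                    return a.user
    return POLICIES.get((source_registry, target_registry))
```

A Kerberos user with no identifier (for example a constructed `bsmith`) lands on SYSUSERA or SYSUSERB, which is why those profiles carry only User privilege class and no password in the table above.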