The following prerequisite checklists illustrate the type of information you will need before you begin enabling single sign-on in your OS/400 environment.
Prerequisite checklist | Answers |
Is your OS/400 V5R2 (5722-SS1) or later? | Yes |
Is Cryptographic Access Provider (5722-AC3) installed on your iSeries systems? | Yes |
Is iSeries Access for Windows (5722-XE1) installed on the PC that you will use to configure NAS? | Yes |
Is the Security subcomponent of iSeries Navigator installed on the PC that you will use to configure NAS? | Yes |
Is the Network subcomponent of iSeries Navigator installed on the PC that you will use to configure NAS? | Yes |
Do you have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? | Yes |
Is your system value set to *VERIFY? To change the value, use either the iSeries command line or iSeries Navigator. Using the iSeries command line, take the following steps: To use iSeries Navigator, take the following steps: | Yes |
Have you confirmed that your iSeries software clock is synchronized with a specified time server? The Simple Network Time Protocol (SNTP) client allows you to do this. You can specify an amount of time that the iSeries software clock must be near the time server before the SNTP client will adjust the time of day on your software clock. This function is particularly important when using Network Authentication Service (NAS). In iSeries Navigator, you can start and stop your SNTP client. You can also specify the time server against which to compare the iSeries software clock, and select when you would like SNTP activity to be logged. To start or stop the SNTP client in iSeries Navigator, follow these steps: 1. Expand your iSeries server > Network > Servers > TCP/IP. To adjust the SNTP client parameters in iSeries Navigator, follow these steps: Note: The remote time server host must be configured before the SNTP client can start. | Yes |
Do you have one of the following installed on the secure system that will act as the KDC? If so, which one? | Yes, Windows 2000 Server |
For Windows 2000 Server and Windows XP Server, do you have Windows Support Tools, which provides the ktpass tool, installed on the system being used as the key distribution center? | Yes |
Are all your PCs in your network configured in a Windows 2000 domain? | Yes |
Have you applied the latest program temporary fixes (PTFs)? (The latest PTFs are located on the IBM eServer iSeries support site at http://www.ibm.com/servers/eserver/support/iseries/.) | Yes |
Is the iSeries system time within five minutes of the KDC’s system time? | Yes |
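
The five-minute limit in the last row can be checked from an administration PC before NAS is configured. The following sketch is an added example, not part of the original checklist or IBM's tooling: it computes the SNTP clock offset from a server reply and compares it with the 300-second limit. It assumes the KDC host (or the time server it uses) answers SNTP on UDP port 123; the function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MAX_SKEW_SECONDS = 300        # the five-minute limit from the checklist

def _unix_time(packet: bytes, pos: int) -> float:
    """Decode a 64-bit NTP timestamp (32.32 fixed point) as Unix seconds."""
    seconds, fraction = struct.unpack_from("!II", packet, pos)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def clock_offset(reply: bytes, t1: float, t4: float) -> float:
    """Seconds the server clock is ahead of the local clock.

    t1 and t4 are the local send and receive times (Unix seconds).
    """
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4 or leap == 3 or stratum == 0:
        raise ValueError("reply is not from a synchronized server")
    t2 = _unix_time(reply, 32)  # server receive timestamp
    t3 = _unix_time(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def within_skew(offset: float) -> bool:
    return abs(offset) <= MAX_SKEW_SECONDS

def query(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP client request (LI=0, VN=3, Mode=3) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(b"\x1b" + bytes(47), (server, 123))
        reply, _ = sock.recvfrom(512)
        return clock_offset(reply, t1, time.time())

def sample_reply(server_unix: int, stratum: int = 2) -> bytes:
    """Constructed 48-byte server reply (LI=0, VN=3, Mode=4) for offline runs."""
    stamp = struct.pack("!II", server_unix + NTP_EPOCH_DELTA, 0)
    return bytes([0x1C, stratum, 0, 0]) + bytes(12) + stamp * 4

if __name__ == "__main__":
    local = 1_700_000_000.0  # constructed local clock reading
    for ahead in (120, 400):
        off = clock_offset(sample_reply(int(local) + ahead), local, local + 0.5)
        print(f"offset {off:+.2f}s within five minutes: {within_skew(off)}")
```

Replies with stratum 0 or the leap indicator set to 3 are rejected because they come from a server that is itself unsynchronized, so an offset computed from them says nothing about the skew Kerberos will see.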
You need this information to configure NAS | Answers |
What is the name of the Kerberos default realm to which iSeries-A and iSeries-B will belong? | ORDEPT.MYCO.COM |
What is the KDC for this Kerberos default realm? What is the port on which the KDC listens? | kdc1.ordept.myco.com 88 |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this KDC? What is the port on which the password server listens? | YES |
What is the host name of the iSeries servers on which you are configuring NAS? | iSeries-A and iSeries-B |
What is the password for your iSeries service principal(s)? | iseriesa123 |
What additional realms will your iSeries systems interact with? | N/A |
For each realm, what is the host name of the KDC? | N/A |
You need this information to configure EIM | Answers |
What is the host name of the iSeries server on which you are configuring EIM? | iSeries-B |
What is the LDAP administrator's distinguished name and password? | distinguished name: cn=administrator |
What is the name of the Directory Services (LDAP) server? | iseriesb.ordept.myco.com |
What is the port number of the Directory Services (LDAP) server? | 389 |
Click Next to begin enabling single sign-on in your OS/400 environment.