IBM i
Security
Network authentication service
7.1

Note
Before using this information and the product it supports, read the information in "Notices," on page 127.

This edition applies to IBM i 7.1 (product number 5770-SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models.

© Copyright IBM Corporation 1998, 2008.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Network authentication service ... 1
PDF file for Network authentication service ... 1
Network authentication service concepts ... 2
Kerberos concepts ... 2
How network authentication service works ... 3
Network authentication service protocols ... 6
Network authentication service environment variables ... 7
Scenarios: Using network authentication service in a Kerberos network ... 11
Scenario: Setting up a Kerberos server in PASE for i ... 11
Completing the planning work sheets ... 13
Configuring Kerberos server in IBM i PASE ... 15
Changing encryption values on IBM i PASE Kerberos server ... 16
Stopping and restarting Kerberos server in PASE for i ... 16
Creating host principals for Windows 2000, Windows XP, and Windows Vista workstations ... 16
Creating user principals on the Kerberos server ... 17
Adding System A service principal to the Kerberos server ... 17
Configuring Windows 2000, Windows XP, and Windows Vista workstations ... 17
Configuring network authentication service ... 18
Creating a home directory for users on System A ... 18
Testing network authentication service ... 19
Scenario: Configuring network authentication service ... 19
Completing the planning work sheets ... 21
Configuring network authentication service on System A ... 23
Adding System A principal to the Kerberos server ... 23
Creating a home directory for users on System A ... 24
Testing network authentication service on System A ... 24
Scenario: Setting up cross-realm trust ... 25
Completing the planning work sheets ... 28
Ensuring that the Kerberos server in IBM i PASE on System B has started ... 30
Creating a cross-realm trust principal on the IBM i PASE Kerberos server ... 30
Changing encryption values on IBM i PASE Kerberos server ... 31
Configuring the Windows 2000 server to trust SHIPDEPT.MYCO.COM ... 31
Adding the SHIPDEPT.MYCO.COM realm to System A ... 31
Scenario: Propagating network authentication service configuration across multiple systems ... 32
Completing the planning work sheets ... 36
Creating a system group ... 38
Propagating system settings from the model system (System A) to System B and System C ... 38
Configuring network authentication service on System D ... 39
Adding the principals for endpoint systems to the Windows 2000 domain ... 39
Scenario: Using Kerberos authentication between Management Central servers ... 41
Completing the planning work sheets ... 44
Setting the central system to use Kerberos authentication ... 45
Creating MyCo2 system group ... 45
Collecting system values inventory ... 45
Comparing and updating Kerberos settings in System i Navigator ... 46
Restarting Management Central server on the central system and target systems ... 46
Adding Kerberos service principal to the trusted group file for each endpoint ... 46
Verifying the Kerberos principals are added to the trusted group file ... 47
Allowing trusted connections for the central system ... 47
Repeating steps 4 through 6 for target systems ... 47
Testing authentication on the endpoint systems ... 48
Scenario: Enabling single sign-on for IBM i ... 48
Completing the planning work sheets ... 54
Creating a basic single sign-on configuration for System A ... 58
Configuring System B to participate in the EIM domain and configuring System B for network authentication service ... 60
Adding both IBM i service principals to the Kerberos server ... 62
Creating user profiles on Systems A and B ... 62
Creating home directories on Systems A and B ... 63
Testing network authentication service on Systems A and B ... 63
Creating EIM identifiers for two administrators, John Day and Sharon Jones ... 63
Creating identifier associations for John Day ... 64
Creating identifier associations for Sharon Jones ... 65
Creating default registry policy associations ... 66
Enabling registries to participate in lookup operations and to use policy associations ... 67
Testing EIM identity mappings ... 67
Configuring IBM i Access for Windows applications to use Kerberos authentication ... 70
Verifying network authentication service and EIM configuration ... 70
Postconfiguration considerations ... 70
Planning network authentication service ... 71
Planning a Kerberos server ... 72
Planning realms ... 73
Planning principal names ... 74
Host name resolution considerations ... 77
Resolving your host names ... 80
Network authentication service planning work sheets ... 82
Configuring network authentication service ... 85
Configuring a Kerberos server in PASE for i ... 85
Changing encryption values on Kerberos server ... 86
Stopping and restarting the Kerberos server ... 87
Creating host, user, and service principals ... 87
Configuring Windows 2000, Windows XP, and Windows Vista workstations ... 87
Configuring a secondary Kerberos server ... 88
Configuring network authentication service ... 90
Adding IBM i principals to the Kerberos server ... 91
Creating a home directory ... 94
Testing network authentication service configuration ... 94
Managing network authentication service ... 95
Synchronizing system times ... 96
Adding realms ... 96
Deleting realms ... 96
Adding a Kerberos server to a realm ... 97
Adding a password server ... 97
Creating a trust relationship between realms ... 97
Changing host resolution ... 98
Adding encryption settings ... 98
Obtaining or renewing ticket-granting tickets ... 99
kinit ... 99
Displaying credentials cache ... 101
klist ... 101
Managing keytab files ... 103
keytab ... 104
Changing Kerberos passwords ... 105
kpasswd ... 106
Deleting expired credentials cache files ... 107
kdestroy ... 107
Managing Kerberos service entries in LDAP directories ... 109
ksetup ... 110
Defining realms in the DNS database ... 111
Defining realms in the LDAP server ... 112
Defining schema on an LDAP server ... 114
Troubleshooting network authentication service ... 114
Network authentication service errors and recovery ... 115
Application connection problems and recovery ... 116
API trace tool ... 118
Setting up the API trace tool ... 118
Accessing the API trace log file ... 119
Troubleshooting Kerberos server in IBM i PASE ... 119
Network authentication service commands ... 120
Related information for Network authentication service ... 121
Chapter 2. Special terms and conditions ... 123
Appendix. Notices ... 127
Programming interface information ... 128
Trademarks ... 129
Terms and conditions ... 129

Chapter 1. Network authentication service

Network authentication service allows the IBM® i product and several IBM i services, such as the IBM i Access for Windows licensed program, to use a Kerberos ticket as an optional replacement for a user name and password for authentication.

The Kerberos protocol, developed by the Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an unsecure network. Authentication of principals is completed through a centralized server called a Kerberos server or key distribution center (KDC).

Note: Throughout this documentation, the generic term Kerberos server is used.

A user is authenticated with a principal and a password that is stored in the Kerberos server. After a principal is authenticated, the Kerberos server issues a ticket-granting ticket (TGT) to the user. When a user needs access to an application or a service on the network, the Kerberos client application on the user's PC sends the TGT back to the Kerberos server to obtain a service ticket for the target service or application. The Kerberos client application then sends the service ticket to the service or application for authentication. When the service or application accepts the ticket, a security context is established and the user's application can then exchange data with the target service.

Applications can authenticate a user and securely forward his or her identity to other services on the network. Once a user is known, separate functions are needed to verify the user's authorization to use the network resources.

Network authentication service implements the following specifications:
• Kerberos Version 5 protocol Request for Comment (RFC) 1510
• Many of the de facto standard Kerberos protocol application programming interfaces (APIs) prevalent in the industry today
• Generic Security Service (GSS) APIs as defined by
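The ticket flow described above (password to TGT, TGT to service ticket, service ticket to security context) as an added Python model; it is not code from the IBM documentation or from the IBM i product. The realm MYCO.COM, the principal jday, the service name krbsvc/systema.myco.com, the toy seal/unseal cipher and every key are constructed for illustration only.

```python
import hashlib, hmac, json, os, time
REALM = "MYCO.COM"   # constructed sample realm, not from the IBM documentation
MAX_SKEW = 300       # seconds; older authenticators are rejected, which is why clocks must be synchronized
def key_from_password(password, principal):
    # string-to-key: the principal name is the salt, so equal passwords give different keys
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10000)
def _xor(key, nonce, data):   # SHA-256 keystream, a toy stand-in for a real Kerberos enctype
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))
def seal(key, obj):           # toy encrypt-then-MAC of a JSON message
    nonce = os.urandom(16); ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):        # raises ValueError when the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(_xor(key, nonce, ct))

def verify_ticket(key, ticket, authenticator):   # used by the KDC for the TGT and by the service for AP-REQ
    t = unseal(key, ticket); a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["cname"] != t["cname"] or abs(a["ts"] - time.time()) > MAX_SKEW or time.time() > t["exp"]:
        raise PermissionError("ticket or authenticator rejected")
    return t["cname"], bytes.fromhex(t["key"])

class KDC:                    # the Kerberos server: holds every principal's long-term key
    def __init__(self, db):
        self.db = dict(db); self.db["krbtgt"] = os.urandom(32)
    def _ticket(self, key, cname, sk):   # {client, session key, expiry}, sealed under the target's key
        return seal(key, {"cname": cname, "key": sk.hex(), "exp": time.time() + 36000})
    def as_exchange(self, cname):        # AS-REQ/AS-REP: the password itself never crosses the network
        sk = os.urandom(32)
        return seal(self.db[cname], {"key": sk.hex()}), self._ticket(self.db["krbtgt"], cname, sk)
    def tgs_exchange(self, tgt, authenticator, service):   # TGS-REQ/TGS-REP: TGT in, service ticket out
        cname, tgt_sk = verify_ticket(self.db["krbtgt"], tgt, authenticator)
        sk = os.urandom(32)
        return seal(tgt_sk, {"key": sk.hex()}), self._ticket(self.db[service], cname, sk)

def kinit(kdc, cname, password):     # client side: obtain a TGT into a credentials cache
    enc, tgt = kdc.as_exchange(cname)
    sk = bytes.fromhex(unseal(key_from_password(password, cname), enc)["key"])  # wrong password -> ValueError
    return {"cname": cname, "tgt": tgt, "key": sk}
def demo(password, clock_skew=0):    # whole flow for a constructed user and service; returns the accepted name
    svc_key = os.urandom(32)
    kdc = KDC({"jday": key_from_password("secret", "jday"), "krbsvc/systema.myco.com": svc_key})
    cc = kinit(kdc, "jday", password)
    auth = seal(cc["key"], {"cname": "jday", "ts": time.time()})
    enc, st = kdc.tgs_exchange(cc["tgt"], auth, "krbsvc/systema.myco.com")
    svc_sk = bytes.fromhex(unseal(cc["key"], enc)["key"])
    return verify_ticket(svc_key, st, seal(svc_sk, {"cname": "jday", "ts": time.time() - clock_skew}))[0]
```

The final verify_ticket call is the service's AP-REQ check and only establishes who the caller is; as the text notes, what that user is authorized to do is a separate check. A wrong password surfaces as a ValueError at the client and an authenticator older than MAX_SKEW as a PermissionError at the service.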