After you have configured the primary Kerberos server in IBM® i PASE, you can optionally configure a secondary Kerberos server to use as a backup server in case your primary Kerberos server goes down or is too busy to handle requests. For example, you currently use System A as your Kerberos server. Now you want to configure System B to be your secondary (backup) Kerberos server.

Note: A Kerberos server is also known as a key distribution center (KDC).
The following figure illustrates the IBM i products described in the following instructions.

Details

- The figure illustrates the IBM i products as they appear after you have completed the steps for configuring a secondary Kerberos server:
  - System A acts as the primary Kerberos server configured in IBM i PASE.
  - System B acts as the secondary Kerberos server configured in IBM i PASE.
  - System C acts as the client enabled to use System B as its Kerberos server.
To configure System B to be a secondary Kerberos server in IBM i PASE, follow these steps:

1. Configure System B as a client.
   - In a character-based interface on System B, type call QP2TERM. This command opens an interactive shell environment where you can work with IBM i PASE applications.
   - At the command line, enter the following command:
       export PATH=$PATH:/usr/krb5/sbin
     This command adds the directory containing the Kerberos scripts and executable files to your search path so that they can be run.
   - At the command line, enter:
       config.krb5 -E -d rchland.ibm.com -r MYCO.COM -s lp16b1b.rchland.ibm.com
   - Enter the administrator password; for example: secret
   The config.krb5 command configures the client, primary server, and secondary server. The -C flag configures the client on System C. The -s flag configures the primary Kerberos server on System A. The -E flag configures the secondary Kerberos server on System B.
2. Add an IBM i principal for Systems A and B to the Kerberos server on System A.
   - In a character-based interface on System A, enter call QP2TERM. This command opens an interactive shell environment where you can work with IBM i PASE applications.
   - At the command line, enter:
       export PATH=$PATH:/usr/krb5/sbin
     This command adds the directory containing the Kerberos scripts and executable files to your search path so that they can be run.
   - At the command line, enter kadmin -p admin/admin.
   - Sign in with the administrator's password; for example: secret.
   - At the command line, enter the following command:
       addprinc -randkey -clearpolicy host/systema.myco.com
   - At the command line, enter the following command:
       addprinc -randkey -clearpolicy host/systemb.myco.com
3. Propagate the master database from the primary Kerberos server to the secondary Kerberos server.
   - In a character-based interface on System A, enter call QP2TERM. This command opens an interactive shell environment where you can work with IBM i PASE applications.
   - At the command line, enter the following command:
       export PATH=$PATH:/usr/krb5/sbin
     This command adds the directory containing the Kerberos scripts and executable files to your search path so that they can be run.
   - At the command line, enter:
       /usr/krb5/sbin/config.krb5 -P -r MYCO.COM -d rchland.ibm.com -e rchasrc2.rchland.ibm.com
     Tip: You can cut and paste this command from the message and run it on the primary Kerberos system.
   The -P flag propagates the master database from the primary Kerberos server to the secondary Kerberos server. The -r flag specifies the realm name. The -d flag specifies the name of the DNS domain. The -e flag specifies the host name of the secondary Kerberos server.
4. On the secondary Kerberos server, verify that the master database has been propagated successfully.
   - On the secondary Kerberos server, answer Y to the following prompt: Have you successfully run the above command?
   - Enter the database master password; for example: pasepwd. This command picks up the master key.
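The steps above end with the secondary picking up the master key, but they do not show how to confirm that the principal database on System B actually matches System A. The following Python script is an added example (it is not part of the IBM documentation and not an IBM tool): it parses two principal listings and reports anything missing on the secondary. It assumes each listing was captured by running kadmin.local -q listprincs in QP2TERM on the respective server and saving the output to a file; the two sample listings embedded below are constructed for this example, using the principals named in the steps above.

```python
# Added example, not part of the IBM documentation: after step 4, confirm that the
# principal database on the secondary KDC (System B) matches the primary (System A).
# Assumption: each listing was captured with `kadmin.local -q listprincs` in QP2TERM
# on the respective server and saved to a file. The sample listings below are
# constructed for this example.
import re
import sys

# A principal looks like name[/instance]@REALM; realm names are uppercase by convention.
PRINCIPAL_RE = re.compile(r"^[^@\s]+@[A-Z0-9.\-]+$")

# Principals every KDC in the realm must carry. K/M is the master-key principal
# that step 4 "picks up"; without krbtgt the secondary cannot issue tickets.
REQUIRED_PRINCIPALS = (
    "K/M@MYCO.COM",
    "krbtgt/MYCO.COM@MYCO.COM",
    "kadmin/admin@MYCO.COM",
)

# Constructed sample: listing captured on the primary KDC (System A).
PRIMARY_LISTPRINCS = """\
Authenticating as principal admin/admin@MYCO.COM with password.
K/M@MYCO.COM
admin/admin@MYCO.COM
host/systema.myco.com@MYCO.COM
host/systemb.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
kadmin/changepw@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM
"""

# Constructed sample: listing captured on the secondary KDC (System B) from a
# propagation that ran before the second addprinc of step 2, so it is stale.
SECONDARY_LISTPRINCS = """\
Authenticating as principal admin/admin@MYCO.COM with password.
K/M@MYCO.COM
admin/admin@MYCO.COM
host/systema.myco.com@MYCO.COM
kadmin/admin@MYCO.COM
kadmin/changepw@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM
"""


def parse_listprincs(output):
    """Return the set of principals in a listprincs listing, skipping the
    authentication banner, blank lines and anything that is not a principal."""
    principals = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Authenticating as principal"):
            continue
        if PRINCIPAL_RE.match(line):
            principals.add(line)
    return principals


def compare_kdcs(primary_output, secondary_output):
    """Diff the two listings and flag required principals absent on the secondary."""
    primary = parse_listprincs(primary_output)
    secondary = parse_listprincs(secondary_output)
    return {
        "in_sync": primary == secondary,
        "missing_on_secondary": sorted(primary - secondary),
        "extra_on_secondary": sorted(secondary - primary),
        "required_missing": sorted(p for p in REQUIRED_PRINCIPALS if p not in secondary),
    }


def report(result):
    """Operator-readable summary lines; the first line states the verdict."""
    if result["in_sync"]:
        return ["OK: secondary KDC principal database matches the primary"]
    lines = ["MISMATCH: secondary KDC principal database differs from the primary"]
    for p in result["missing_on_secondary"]:
        lines.append("  missing on secondary: " + p)
    for p in result["extra_on_secondary"]:
        lines.append("  extra on secondary:   " + p)
    if result["required_missing"]:
        lines.append("  propagation incomplete; required principals absent: "
                     + ", ".join(result["required_missing"]))
    return lines


if __name__ == "__main__":
    # Usage: python check_kdc_sync.py primary.txt secondary.txt
    # With no arguments the constructed samples are compared (exit status 1).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = compare_kdcs(f1.read(), f2.read())
    else:
        result = compare_kdcs(PRIMARY_LISTPRINCS, SECONDARY_LISTPRINCS)
    print("\n".join(report(result)))
    sys.exit(0 if result["in_sync"] else 1)
```

A non-zero exit status makes the check usable from a scheduled job after each propagation; a principal that is missing on the secondary is one that clients will fail to authenticate against whenever they fail over to System B.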