Configuring System B to participate in the EIM domain and configuring System B for network authentication service
After you have created a new domain and configured network authentication service on System A, you need to configure System B to participate in the EIM domain and configure network authentication service on System B.
Use the information from your work sheets to complete this step.
- In IBM® Navigator for i on System B, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping > Configuration.
- Click Configure to start the EIM Configuration wizard.
- On the Welcome page, select Join an existing domain. Click Next.
- Complete these tasks to configure network authentication service.
- On the Configure Network Authentication Service page, select Yes. Note: This starts the Network Authentication Service wizard, which configures several IBM i interfaces and services to participate in a Kerberos network.
- On the Specify Realm Information page, enter MYCO.COM in the Default realm field and select Microsoft Active Directory is used for Kerberos authentication. Click Next.
- On the Specify KDC Information page, enter kdc1.myco.com for the name of the Kerberos server in the KDC field and enter 88 in the Port field. Click Next.
- On the Specify Password Server Information page, select Yes. Enter kdc1.myco.com in the Password server field and 464 in the Port field. Click Next.
- On the Select Keytab Entries page, select IBM i Kerberos Authentication. Click Next.
- On the Create IBM i Keytab Entry page, enter and confirm a password (for example, systemb123) and click Next. The same password is used when the System B service principal is added to the Kerberos server, so record it on your work sheet.
- Optional: On the Create Batch File page, select Yes, specify the following information, and click Next:
- Batch file: Add the text systemb to the end of the default batch file name. For example, type /QIBM/UserData/OS400/iSeriesNavigator/config/NASConfig_systemb.bat.
- Select Include password. This ensures that all passwords associated with the IBM i service principal are included in the batch file. The passwords are written in clear text and can be read by anyone with read access to the batch file, so delete the batch file from the Kerberos server and from the IBM i system immediately after use. Note: If you do not include the password, you are prompted for it when the batch file is run.
- On the Summary page, review the network authentication service configuration details. Click Finish.
- On the Specify Domain Controller page, specify the following information, and click Next:
- Domain controller name: systema.myco.com
- Port: 389
- On the Specify User for Connection page, specify the following information, and click Next. Note: Specify the LDAP administrator's DN and password that you created earlier in this scenario on System A.
- User type: Distinguished name and password
- Distinguished name: cn=administrator
- Password: mycopwd
- On the Specify Domain page, select the name of the domain that you want to join. Click Next. For example, MyCoEimDomain.
- On the Registry Information page, select Local IBM i and deselect Kerberos registry. (The Kerberos registry was created when you created the MyCoEimDomain domain.) Click Next. Write down the registry names; you will need them when you create associations to EIM identifiers. Notes:
- Registry names must be unique to the domain.
- You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values.
- On the Specify EIM System User page, select the user the operating system uses when performing EIM operations on behalf of operating system functions, and click Next. Note: Specify the LDAP administrator's DN and password that you created earlier in this scenario on System A.
- User type: Distinguished name and password
- Distinguished name: cn=administrator
- Password: mycopwd
- On the Summary page, confirm the EIM configuration. Click Finish.
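The Network Authentication Service wizard stores the realm, KDC and password-server values entered above in an MIT-style Kerberos configuration file. The fragment below is an added example, not text from the original page or a file generated by IBM: it shows how the wizard fields map onto krb5.conf stanzas so you can check the wizard's output. The file path in the comment is an assumption to verify on your own system.

```ini
# Added example: krb5.conf equivalent of the wizard values used in this scenario.
# IBM i keeps the Network Authentication Service configuration under
# /QIBM/UserData/OS400/NetworkAuthentication/ (assumed location; check your system).
[libdefaults]
    # Must match the Active Directory realm exactly; realm names are case-sensitive.
    default_realm = MYCO.COM

[realms]
    MYCO.COM = {
        # "Specify KDC Information" page: Kerberos server and port 88
        kdc = kdc1.myco.com:88
        # "Specify Password Server Information" page: password server and port 464
        kpasswd_server = kdc1.myco.com:464
    }

[domain_realm]
    # Hosts in myco.com (systema.myco.com, systemb.myco.com) belong to MYCO.COM
    .myco.com = MYCO.COM
    myco.com = MYCO.COM
```

Before running the EIM wizard, confirm from System B that kdc1.myco.com resolves and that TCP ports 88 and 464 are reachable, and that systema.myco.com accepts an LDAP bind on port 389 as cn=administrator; a typo in the realm case or a blocked port shows up only later as a failed kinit or a failed EIM lookup.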