Installing EIM on System i consists of the following steps:
Installing the EIM prerequisites for System i
• Configure 'Network Authentication Service' using iSeries Navigator
• Export the 'keytab' to the Kerberos system of the corporate network (usually the Microsoft Windows Server domain controller).
• Configure the OS/400 EIM users via IBM iSeries Navigator.
• Test using a Client Access connection (for example a terminal emulator), selecting the option "Use Kerberos principal name (no prompt)" in the connection properties.
Once this works with Client Access, all that remains is to configure Easycom using the Single Sign On (SSO) command.
Detailed information on the EIM system is available at the following link (iSeries information center): http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp
The EIM documentation can be found under: Network / Network Security / Enterprise Identity Mapping (EIM).
We suggest reading the following pages (in English only, for now):
• Planning For Enterprise Identity Mapping / Enterprise Identity Mapping for i5/OS / EIM installation prerequisites for System i
• Enterprise Identity Mapping concepts
• Configuring Enterprise Identity Mapping / Creating and joining a new local domain (this is the most common situation).
Here is a summary (in English) of the steps generally followed:
Configure Network Authentication Service
Use System i Navigator and go to "Security/Network Authentication Service". Then click on "Configure Network Authentication Service".
The suggestions here are in case of a Windows Domain Controller.
You will need to choose a Kerberos realm. If you have an Active Directory server, enter the domain name here. The KDC is the Kerberos Key Distribution Center (with Active Directory, the domain controller).
The wizard prompts for the services to add to the keytab. You need to select at least "i5/OS Kerberos Authentication".
The wizard generates a batch file to be executed on the KDC. Warning! The password is included in clear text in this batch file! You need to store it in a secure location.
After executing the batch file, a user named "myiseries_1_krbsvr400" is created. You need to ensure that "Use DES encryption for this account" is checked.
Configure EIM
Use System i Navigator and go to "Network/Enterprise Identity Mapping". Then click on "Configure system for EIM".
You will see a wizard:
(in this scenario we will create a standalone EIM domain)
• Select "Create and join a new domain".
• Select "On the local Directory server". If you choose this you need to define an administrator password for the local directory server. To setup the password, go to "Network/Servers/TCP/IP", and select "IBM Tivoli Directory Server for i5/OS".
• If you did not configure all keytabs, you will be prompt to "finish" the Network Authentication Service". You can bypass this step.
• Then enter the Directory server credentials, and validate the creation of the Domain. You can choose any name for the domain.
Add a new mapping and test it
• Go to "Network"/"Enterprise Identity Mapping"/"Domain Management"/"<your domain>"/"Identifiers", and click "Add a new identifier".
• Choose an identifier name (usually the username). Then add the association entries, typically a source and a target entry (the source is Kerberos, the target is i5/OS). Configure your own user for the next tests.
• Test the mapping using the "Test an EIM mapping" option.
• Test the mapping using the System i Access emulator (click "Properties" on the server, and choose "Use Kerberos principal name, no prompting" in the User ID signon information combobox).
This should connect directly to the user you have configured.
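As an added illustration (not the page's own code and not the EIM API), here is a small Python model of the identifier and association data the wizard creates, and of the mapping lookup that "Test an EIM mapping" performs: a source registry/user is resolved to a user in the target registry, and a lookup that yields more than one target user in the same registry is treated as ambiguous and rejected. Registry names, identifier names and user names are constructed examples.

```python
from dataclasses import dataclass, field

# An EIM domain holds identifiers (people); each identifier carries
# associations that tie it to users in registries. Here the Kerberos
# registry is named after the realm and the i5/OS registry after the system.
KERBEROS_REGISTRY = "EXAMPLE.COM"   # constructed realm name
I5OS_REGISTRY = "MYISERIES"         # constructed system name


@dataclass
class Association:
    registry: str   # EIM registry definition the user belongs to
    user: str       # user name as known in that registry
    kind: str       # "source" (where the user authenticates) or "target"


@dataclass
class Identifier:
    name: str
    associations: list = field(default_factory=list)


class EimDomain:
    def __init__(self):
        self.identifiers = {}

    def add_identifier(self, name, *associations):
        self.identifiers[name] = Identifier(name, list(associations))
        return self.identifiers[name]

    def lookup(self, src_registry, src_user, tgt_registry):
        """Mapping lookup: every identifier with a matching source association
        contributes its target users in tgt_registry. [] = no mapping."""
        found = []
        for ident in self.identifiers.values():
            if any(a.kind == "source" and (a.registry, a.user) == (src_registry, src_user)
                   for a in ident.associations):
                found += [a.user for a in ident.associations
                          if a.kind == "target" and a.registry == tgt_registry]
        return found

    def resolve(self, src_registry, src_user, tgt_registry):
        """What a signon does with the lookup: exactly one target user, or failure."""
        users = self.lookup(src_registry, src_user, tgt_registry)
        if len(users) != 1:
            raise LookupError(f"{src_user}@{src_registry}: {len(users)} target users in {tgt_registry}")
        return users[0]


def build_demo():
    d = EimDomain()
    d.add_identifier("alice", Association(KERBEROS_REGISTRY, "alice", "source"),
                     Association(I5OS_REGISTRY, "ALICE", "target"))
    d.add_identifier("bob", Association(KERBEROS_REGISTRY, "bob", "source"),
                     Association(I5OS_REGISTRY, "BOB", "target"),
                     Association(I5OS_REGISTRY, "BOBADM", "target"))  # ambiguous on purpose
    return d
```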