EIM Installation on AS/400

 EIM installation on AS/400 consists of the following steps:

 

install EIM installation prerequisites for AS/400

         configure the Network Authentication Service using iSeries Navigator

         export the 'keytab' to the network Kerberos system (usually the Microsoft Windows server domain controller).

         configure EIM for the OS/400 users using IBM iSeries Navigator.

         test using a Client Access connection (for example a terminal emulator), by selecting the "Use Kerberos principal name (no prompt)" option in the connection properties.

 

Once it works with Client Access, you can set it up in Easycom using the CFGEACSSO command.

 

All required information can be found on the iSeries Information Center: http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp

 

EIM installation documentation can be found under: Network / Network Security / Enterprise Identity Mapping (EIM).

We suggest reading at least the following pages:

     Planning For Enterprise Identity Mapping / Enterprise Identity Mapping for i5/OS / EIM installation prerequisites for AS/400

     Enterprise Identity Mapping concepts

     Configuring Enterprise Identity Mapping / Creating and joining a new local domain (this is the most common situation).

 

 

Here are typical steps:

Configure Network Authentication Service

Use System i Navigator and go to "Security/Network Authentication Service". Then click on "Configure Network Authentication Service".

The suggestions here apply to the case of a Windows Domain Controller.

You will need to choose a Kerberos Realm. If you have an Active Directory server, you will enter the domain name here. KDC is the Kerberos Domain Controller.

The wizard asks which services to add to the keytab entry. You need to select at least "i5/OS Kerberos Authentication".

The wizard generates a batch file to be executed on the KDC. Warning! The password is included in clear text in this batch file! You need to store it in a secure location.

After executing the batch file you will get a user named "myiseries_1_krbsvr400". You need to ensure that the "Use DES encryption for this account" option is checked.

Configure EIM

Use System i Navigator and go to "Network/Enterprise Identity Mapping". Then click on "Configure system for EIM".

You will see a wizard:

(in this scenario we will create a standalone EIM domain)

         Select "Create and join a new domain".

         Select "On the local Directory server". If you choose this, you need to define an administrator password for the local directory server. To set up the password, go to "Network/Servers/TCP/IP", and select "IBM Tivoli Directory Server for i5/OS".

         If you did not configure all keytabs, you will be prompted to "finish" the Network Authentication Service. You can bypass this step.

         Then enter the Directory server credentials, and validate the creation of the Domain. You can choose any name for the domain.

Add a new mapping and test it

     Go to "Network"/"Enterprise Identity Mapping"/"Domain Management"/"<your domain>"/"Identifiers", and click "Add a new identifier".

     Choose an identifier name (usually the username). Then add the association entries, typically a source and a target entry (source is Kerberos, target is i5/OS). Configure your own user for the next tests.

     Test the mapping using the "Test an EIM mapping" option.

     Test the mapping using the System i Access emulator (click "Properties" on the server, and choose "Use Kerberos principal name, no prompting" in the User ID signon information combobox).

This should connect directly to the user you have configured.

 

 

 

 

See also

EIM with Easycom

EIM common problems