Security
You can use Kerberos and single sign-on with the Application Package on Linux®, and Transport Layer Security (TLS) with the Application Package on Linux, macOS, and PASE.
Kerberos
The Linux Application Package supports IBM® i authentication using Kerberos. To install and configure the IBM i platform for Kerberos, see the Single signon topic, in the Security topic collection in the IBM i Information Center.
CWBSY1015 - Kerberos not available on this version of the operating system.
To use Kerberos with the Linux Application Package, you must first authenticate to your Kerberos domain, either by using the kinit command or by setting up your initial Linux login to authenticate with the pluggable authentication module (PAM) Kerberos plugin. After successful authentication, you can run klist -f to see the status of your Kerberos tickets.
For any IBM i Access function, you can use *kerberos in place of the IBM i user profile to use your Kerberos tickets. Any password is ignored in this case.
The Kerberos principal name is based upon the fully qualified TCP/IP name received from the reverse lookup of the TCP/IP address. If you use a host file to resolve TCP/IP addresses, be sure to include the fully qualified TCP/IP system name. For example:
1.2.3.4 mysystem.example.com mysystem
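The following check is an added example, not part of the Application Package. It reports which name a host-file reverse lookup yields for an address and whether that name is fully qualified. It assumes the resolver returns the first name on a host-file line as the reverse-lookup result; the function names and the sample host file are constructed for illustration.

```shell
#!/bin/sh
# Added example: hosts_canonical_name and check_hosts_fqdn are hypothetical
# helper names, and the sample host file below is constructed.

# Print the first (canonical) name listed for IP $1 in host file $2.
hosts_canonical_name() {
    awk -v ip="$1" '
        { sub(/#.*/, "") }                        # drop trailing comments
        ($1 "") == ip && NF >= 2 { print $2; exit }
    ' "$2"
}

# Return 0 if the canonical name is fully qualified, 1 if a short name
# is listed first, 2 if the address has no entry.
check_hosts_fqdn() {
    name=$(hosts_canonical_name "$1" "$2")
    [ -n "$name" ] || { echo "no entry for $1"; return 2; }
    case "$name" in
        *.*) echo "ok: $1 -> $name"; return 0 ;;
        *)   echo "short name listed first: $1 -> $name"; return 1 ;;
    esac
}

# Constructed sample host file.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
1.2.3.4     mysystem.example.com mysystem   # fully qualified name first
1.2.3.5     othersys othersys.example.com   # short name first
EOF

check_hosts_fqdn 1.2.3.4 "$SAMPLE_HOSTS"
check_hosts_fqdn 1.2.3.5 "$SAMPLE_HOSTS" || true
```

Point the second argument at your own host file to check a real entry before running kinit.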
Transport Layer Security (TLS)
To enable the Application Package to use TLS, stunnel can be used. An example stunnel configuration file is provided for each of the supported OS platforms:
- /opt/ibm/iaccess/doc/iaccess.stunnel.config (Linux)
- /Library/IBMiAccess/doc/iaccess.stunnel.config (macOS)
- /QOpenSys/pkgs/share/doc/ibm-iaccess/iaccess.stunnel.config (PASE)