Windows-based single signon and the EIM framework on the IBM eServer iSeries server / Gary Lakner et al.

Format:
Book
Author/Creator:
Lakner, Gary.
Contributor:
Bobak, Gregory.
Cifka, Jan.
Greene, Kim.
Lachman, Axel.
Taylor, John.
Wayman, Craig.
Series:
IBM redbooks.
Language:
English
Subjects (All):
Web servers.
Client/server computing.
Physical Description:
1 online resource (322 p.)
Edition:
[First edition].
Place of Publication:
White Plains, N.Y. : IBM, c2004.
Language Note:
English
Summary:
Support for a Kerberos based Network Authentication Service and the introduction of Enterprise Identity Mapping (EIM) were exciting OS/400® V5R2 announcements during 2002. A Kerberos based Network Authentication Service enables the iSeries (and any kerberized application) to use a Kerberos ticket for authentication instead of a user ID and password. This enables you to sign on once in the morning to your Kerberos based security server and not be prompted again when accessing your enabled applications. This is called Single Signon (SSO). Enterprise Identity Mapping (EIM) is a cross platform solution that involves a wide range of technologies including Kerberos, LDAP, and Kerberos Network Authentication Service. Basically, EIM is a framework provided by IBM that allows the mapping of authenticated users to OS/400 (and application) userids. This extends the power of SSO to the enterprise. Because the iSeries is well known as a server that can consolidate a wide range of application programming environments into one manageable system, this IBM Redbooks publication, then, studies the implementation of Kerberos and EIM in a SCON environment that includes OS/400, Windows, and applications that are right now being updated to support the new framework. We provide easy to follow examples that demonstrate all the pieces working together.
Contents:
Front cover
Contents
Notices
Trademarks
Preface
The team that wrote this redbook
Become a published author
Comments welcome
Part 1 Introduction to single signon and Enterprise Identity Mapping
Chapter 1. An overview of single signon
1.1 Why single signon?
1.1.1 What is single signon?
1.1.2 What are the benefits of single signon?
1.2 Vertical versus horizontal SSO
1.2.1 Vertical SSO
1.2.2 Horizontal SSO
1.2.3 Vertical and horizontal signon work together
1.3 How SSO works
1.3.1 Authentication, authorization and auditing
1.3.2 What is Kerberos?
1.4 SSO with Enterprise Identity Mapping
1.4.1 Why Kerberos alone is not enough
1.4.2 The IBM single signon strategy
1.4.3 Possible costs of SSO with EIM
1.4.4 Benefits of EIM
1.4.5 SSO in the on demand world
1.5 Currently enabled iSeries applications
Chapter 2. Planning for Network Authentication Service and Enterprise Identity Mapping implementation
2.1 Required OS/400 components
2.2 Required network components
2.2.1 General TCP/IP considerations
2.2.2 Time / SNTP
2.3 Planning your EIM implementation
2.3.1 Selecting the system to act as the domain controller
2.3.2 Administering EIM
2.3.3 Naming conventions
2.3.4 EIM associations
2.4 Information to collect before you start
Chapter 3. The redbook example scenario
3.1 Scenario overview
3.2 Objectives
3.2.1 Make effective use of Kerberos
3.2.2 Network Authentication Service
3.2.3 EIM in action
3.2.4 Managing users in EIM
3.2.5 Backing up EIM
3.2.6 Kerberos enabling an application
3.2.7 EIM enabling an application
3.2.8 A second iSeries
Part 2 Building blocks for single signon and Enterprise Identity Mapping
Chapter 4. Kerberos Network Authentication
4.1 An introduction to Kerberos
4.1.1 The need for Kerberos
4.1.2 Kerberos versions
4.1.3 Authentication versus authorization
4.2 The components of the Kerberos protocol
4.2.1 Kerberos Tickets
4.2.2 Principals and realms
4.2.3 The Key Distribution Center
4.2.4 Kerberos Security
4.2.5 Kerberos and Microsoft
4.2.6 Kerberos commands
4.3 Kerberos summary
4.3.1 Where to obtain Kerberos
Chapter 5. iSeries Network Authentication Service
5.1 Managing Network Authentication Service
5.1.1 Parameters in the General window
5.1.2 Parameters on the Host Resolution window
5.1.3 Parameters on the Checksum window
5.1.4 Parameters on the Tickets window
5.2 Administrative tasks in iSeries Navigator
5.2.1 Adding a realm
5.2.2 Deleting a Realm
5.2.3 Adding and Removing Key Distribution Centers
5.2.4 Adding and Removing Password Servers
5.2.5 Creating and removing cross realm trusts
5.3 Kerberos Client tasks through Qshell Interpreter
5.3.1 Using the kinit command
5.3.2 Using the klist command
5.3.3 Using the keytab command
5.3.4 Using the kpasswd command
5.3.5 Using the kdestroy command
5.3.6 Using the ksetup command
5.4 More information
Chapter 6. Enterprise Identity Mapping
6.1 EIM overview
6.1.1 The problem of managing multiple user registries
6.1.2 Current approaches
6.1.3 The EIM approach
6.2 Benefits of single signon
6.2.1 Benefits for users
6.2.2 Benefits for administrators
6.2.3 Benefits for application developers
6.3 EIM components
6.3.1 EIM domain controller
6.3.2 EIM domain
6.3.3 EIM identifiers
6.3.4 EIM registry definitions
6.3.5 EIM associations
6.3.6 EIM lookup operations
6.3.7 EIM authorities
6.3.8 Setting Up EIM Authorities
6.4 APIs available to work with the EIM environment
6.5 Three steps to success
6.5.1 Collection
6.5.2 Collation
6.5.3 Population
6.6 EIM User Management
6.6.1 Disabling users
6.6.2 Users changing names
6.6.3 Changing roles
6.6.4 Consolidated passwords
6.7 EIM server management situations
6.7.1 Clustered servers
6.7.2 Server migration and consolidation
6.7.3 Application registries and user groups
Part 3 Installation and configuration
Chapter 7. Enabling Network Authentication Service and Enterprise Identity Mapping
7.1 Configure Network Authentication Service
7.1.1 Setting up Network Authentication Service with iSeries Navigator wizard
7.1.2 Create Kerberos principal for your iSeries server
7.1.3 Verify Network Authentication Service setup
7.2 Enable EIM
7.2.1 Using EIM configuration wizard
7.2.2 Add the EIM domain to be managed
7.2.3 Using iSeries Navigator to add identifiers and associations
7.3 Enable IBM iSeries applications for single signon
7.3.1 Getting ready
7.3.2 Enabling iSeries Navigator single signon
7.3.3 iSeries Access 5250 emulation single signon
Chapter 8. Other scenarios
8.1 The Bike Shop scenario
8.1.1 EIM solution overview
8.1.2 The components
8.1.3 The J2EE application in more detail
8.1.4 The EIS applications
8.1.5 Notes about setting up and compiling the example code
8.1.6 Compiling files and setting up the physical file and logical file authorities
8.1.7 Compiling the RPGLE examples
8.1.8 Compiling and deploying the Java examples
8.2 Using remote SQL with single signon
8.3 Enabling another iSeries server for single signon
8.3.1 Before you begin
8.3.2 Configuring the Network Authentication Service
8.3.3 Adding the iSeries server to the EIM domain
8.3.4 Adding associations
8.3.5 Verify single signon for your new iSeries server
8.4 Enabling NetServer for single signon
8.4.1 Getting ready
8.4.2 Preparing NetServer for parallel use of SSO and legacy connection
8.4.3 Checking and setting up NetServer properties
8.4.4 Creating the NetServer Kerberos principals
8.4.5 Creating the key tables on the iSeries server
8.4.6 Verifying single signon with the NetServer
8.5 Enabling Domino Web Access for single signon and EIM
8.5.1 Overview
8.5.2 Prerequisites
8.5.3 Set up
8.5.4 Downloading the source code
8.5.5 Recompilation of the DSAPI exit program on your iSeries
8.6 Where to find more information
8.7 Enabling Web Express Logon for WebSphere Host on-Demand
Chapter 9. Programming APIs and examples
9.1 Java EIM API
9.2 Java classes and interfaces
9.2.1 DomainManager class
9.2.2 The java.util.Set class
9.2.3 Domain class
9.2.4 Registry interface
9.2.5 SystemRegistry interface
9.2.6 ApplicationRegistry interface
9.2.7 RegistryAlias class
9.2.8 Eid interface
9.2.9 RegistryUser interface
9.2.10 ConnectInfo class
9.2.11 SSLInfo class
9.2.12 AccessContext interface
9.2.13 UserAccess class
9.2.14 EIMException class
9.3 Security in the Java classes
9.3.1 DomainManager class
9.3.2 Domain class
9.3.3 Registry interface
9.3.4 Eid class
9.3.5 RegistryUser class
9.4 Java example: ReportEIM
9.4.1 Constants
9.4.2 The createAssociationTypeMap method
9.4.3 The createRegistryTypeHashMap method
9.4.4 The getDomain method
9.4.5 The getAllDomains method
9.4.6 The createDomain method
9.4.7 The getRegistries method
9.4.8 The createRegistries method
9.4.9 The getEids method
9.4.10 The createEids method
9.4.11 The outputDomainInfo method
9.4.12 The outputRegistryInformation method
9.4.13 The outputRegistryAliasInformation method
9.4.14 The outputRegistryUserInfo method
9.4.15 The outputEidInfo method
9.4.16 The outputStringInformation method
9.4.17 The outputAssociationInfo method
9.4.18 The deleteEIMDomain method
9.4.19 The startReport method
9.5 Java example: EIMAuthorities
9.5.1 The createEIMAuthoritiesHashMap method
9.5.2 Using the AccessContext class
9.5.3 Using the UserAccess class
9.6 Kerberizing an application
9.7 C EIM API
9.8 C Generic Security Service (GSS) API
9.9 EIM demo tool
Part 4 Appendices
Appendix A. Backup and recovery
Microsoft Active Directory
Objects on your iSeries system
The iSeries Network Authentication Service objects
The EIM domain on the iSeries LDAP directory server
The iSeries EIM configuration
Sample CL program to save your data
Appendix B. Troubleshooting
Common problems and solutions
Unable to connect to domain controller
List EIM identifiers takes a long time
EIM Configuration wizard hangs during finish processing
EIM handle is no longer valid
Cannot connect with NetServer
Kerberos authentication and diagnostic messages
Errors when running client commands in QSH
iSeries Access Diagnostic Tools
Troubleshooting WebSphere Host On-Demand
Appendix C. Windows 2000 Kerberos tools
Introduction
Support tools installation
Support tools verification
Finding the ktpass command
Verify the system path
Running the ktpass command
Klist command
Kerbtray
Appendix D. Planning forms
Prerequisites checklist
Configuration planning worksheets
Appendix E. Available EIM products
BlueNotes EIM Administration Suite
Overview
Collection and collation
Population
Summary
SafeStone's AxcessIT - Automated EIM Management
Orphaned Target Account processing
Register Target Account processing
Population process
Technical overview
TriAWorks Identity Manager for Single Sign-On
Population
Notes:
"April 2004."
Includes index.
OCLC:
80244548
