Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server

Book description

Support for a Kerberos-based Network Authentication Service and the introduction of Enterprise Identity Mapping (EIM) were exciting OS/400® V5R2 announcements during 2002.

A Kerberos-based Network Authentication Service enables the iSeries (and any kerberized application) to use a Kerberos ticket for authentication instead of a user ID and password. This enables you to sign on once in the morning to your Kerberos-based security server and not be prompted again when accessing your enabled applications. This is called Single Signon (SSO).

Enterprise Identity Mapping (EIM) is a cross-platform solution that involves a wide range of technologies, including Kerberos, LDAP, and the Kerberos Network Authentication Service. Basically, EIM is a framework provided by IBM that allows the mapping of authenticated users to OS/400 (and application) user IDs. This extends the power of SSO to the enterprise.

Because the iSeries is well known as a server that can consolidate a wide range of application programming environments into one manageable system, this IBM Redbooks publication studies the implementation of Kerberos and EIM in an SSO environment that includes OS/400, Windows, and applications that are right now being updated to support the new framework. We provide easy-to-follow examples that demonstrate all the pieces working together.

Please note that the additional material referenced in the text is not available from IBM.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Comments welcome
  3. Part 1: Introduction to single signon and Enterprise Identity Mapping
    1. Chapter 1: An overview of single signon
      1. Why single signon?
        1. What is single signon?
        2. What are the benefits of single signon?
      2. Vertical versus horizontal SSO
        1. Vertical SSO
        2. Horizontal SSO
        3. Vertical and horizontal signon work together
      3. How SSO works
        1. Authentication, authorization and auditing
        2. What is Kerberos?
      4. SSO with Enterprise Identity Mapping
        1. Why Kerberos alone is not enough
        2. The IBM single signon strategy
        3. Possible costs of SSO with EIM
        4. Benefits of EIM
        5. SSO in the on demand world
      5. Currently enabled iSeries applications
    2. Chapter 2: Planning for Network Authentication Service and Enterprise Identity Mapping implementation
      1. Required OS/400 components
      2. Required network components
        1. General TCP/IP considerations
        2. Time / SNTP
      3. Planning your EIM implementation
        1. Selecting the system to act as the domain controller
        2. Administering EIM
        3. Naming conventions
        4. EIM associations
      4. Information to collect before you start
    3. Chapter 3: The redbook example scenario
      1. Scenario overview
      2. Objectives
        1. Make effective use of Kerberos
        2. Network Authentication Service
        3. EIM in action
        4. Managing users in EIM
        5. Backing up EIM
        6. Kerberos enabling an application
        7. EIM enabling an application
        8. A second iSeries
  4. Part 2: Building blocks for single signon and Enterprise Identity Mapping
    1. Chapter 4: Kerberos Network Authentication
      1. An introduction to Kerberos
        1. The need for Kerberos
        2. Kerberos versions
        3. Authentication versus authorization
      2. The components of the Kerberos protocol (1/2)
      3. The components of the Kerberos protocol (2/2)
        1. Kerberos Tickets
        2. Principals and realms
        3. The Key Distribution Center
        4. Kerberos Security
        5. Kerberos and Microsoft
        6. Kerberos commands
      4. Kerberos summary
        1. Where to obtain Kerberos
    2. Chapter 5: iSeries Network Authentication Service
      1. Managing Network Authentication Service (1/2)
      2. Managing Network Authentication Service (2/2)
        1. Parameters in the General window
        2. Parameters on the Host Resolution window
        3. Parameters on the Checksum window
        4. Parameters on the Tickets window
      3. Administrative tasks in iSeries Navigator
        1. Adding a realm
        2. Deleting a Realm
        3. Adding and Removing Key Distribution Centers
        4. Adding and Removing Password Servers
        5. Creating and removing cross realm trusts
      4. Kerberos Client tasks through Qshell Interpreter (1/2)
      5. Kerberos Client tasks through Qshell Interpreter (2/2)
        1. Using the kinit command
        2. Using the klist command
        3. Using the keytab command
        4. Using the kpasswd command
        5. Using the kdestroy command
        6. Using the ksetup command
      6. More information
    3. Chapter 6: Enterprise Identity Mapping
      1. EIM overview
        1. The problem of managing multiple user registries
        2. Current approaches
        3. The EIM approach
      2. Benefits of single signon
        1. Benefits for users
        2. Benefits for administrators
        3. Benefits for application developers
      3. EIM components
        1. EIM domain controller
        2. EIM domain
        3. EIM identifiers
        4. EIM registry definitions
        5. EIM associations
        6. EIM lookup operations
        7. EIM authorities
        8. Setting Up EIM Authorities
      4. APIs available to work with the EIM environment
      5. Three steps to success
        1. Collection
        2. Collation
        3. Population
      6. EIM User Management
        1. Disabling users
        2. Users changing names
        3. Changing roles
        4. Consolidated passwords
      7. EIM server management situations
        1. Clustered servers
        2. Server migration and consolidation
        3. Application registries and user groups
  5. Part 3: Installation and configuration
    1. Chapter 7: Enabling Network Authentication Service and Enterprise Identity Mapping
      1. Configure Network Authentication Service (1/3)
      2. Configure Network Authentication Service (2/3)
      3. Configure Network Authentication Service (3/3)
        1. Setting up Network Authentication Service with iSeries Navigator wizard
        2. Create Kerberos principal for your iSeries server
        3. Verify Network Authentication Service setup
      4. Enable EIM (1/2)
      5. Enable EIM (2/2)
        1. Using EIM configuration wizard
        2. Add the EIM domain to be managed
        3. Using iSeries Navigator to add identifiers and associations
      6. Enable IBM iSeries applications for single signon (1/2)
      7. Enable IBM iSeries applications for single signon (2/2)
        1. Getting ready
        2. Enabling iSeries Navigator single signon
        3. iSeries Access 5250 emulation single signon
    2. Chapter 8: Other scenarios
      1. The Bike Shop scenario (1/3)
      2. The Bike Shop scenario (2/3)
      3. The Bike Shop scenario (3/3)
        1. EIM solution overview
        2. The components
        3. The J2EE application in more detail
        4. The EIS applications
        5. Notes about setting up and compiling the example code
        6. Compiling files and setting up the physical file and logical file authorities
        7. Compiling the RPGLE examples
        8. Compiling and deploying the Java examples
      4. Using remote SQL with single signon
      5. Enabling another iSeries server for single signon (1/2)
      6. Enabling another iSeries server for single signon (2/2)
        1. Before you begin
        2. Configuring the Network Authentication Service
        3. Adding the iSeries server to the EIM domain
        4. Adding associations
        5. Verify single signon for your new iSeries server
      7. Enabling NetServer for single signon (1/2)
      8. Enabling NetServer for single signon (2/2)
        1. Getting ready
        2. Preparing NetServer for parallel use of SSO and legacy connection
        3. Checking and setting up NetServer properties
        4. Creating the NetServer Kerberos principals
        5. Creating the key tables on the iSeries server
        6. Verifying single signon with the NetServer
      9. Enabling Domino Web Access for single signon and EIM (1/4)
      10. Enabling Domino Web Access for single signon and EIM (2/4)
      11. Enabling Domino Web Access for single signon and EIM (3/4)
      12. Enabling Domino Web Access for single signon and EIM (4/4)
        1. Overview
        2. Prerequisites
        3. Set up
        4. Downloading the source code
        5. Recompilation of the DSAPI exit program on your iSeries
      13. Where to find more information
      14. Enabling Web Express Logon for WebSphere Host on-Demand (1/2)
      15. Enabling Web Express Logon for WebSphere Host on-Demand (2/2)
    3. Chapter 9: Programming APIs and examples
      1. Java EIM API
      2. Java classes and interfaces
        1. DomainManager class
        2. The java.util.Set class
        3. Domain class
        4. Registry interface
        5. SystemRegistry interface
        6. ApplicationRegistry interface
        7. RegistryAlias class
        8. Eid interface
        9. RegistryUser interface
        10. ConnectInfo class
        11. SSLInfo class
        12. AccessContext interface
        13. UserAccess class
        14. EIMException class
      3. Security in the Java classes
        1. DomainManager class
        2. Domain class
        3. Registry interface
        4. Eid class
        5. RegistryUser class
      4. Java example: ReportEIM (1/4)
      5. Java example: ReportEIM (2/4)
      6. Java example: ReportEIM (3/4)
      7. Java example: ReportEIM (4/4)
        1. Constants
        2. The createAssociationTypeMap method
        3. The createRegistryTypeHashMap method
        4. The getDomain method
        5. The getAllDomains method
        6. The createDomain method
        7. The getRegistries method
        8. The createRegistries method
        9. The getEids method
        10. The createEids method
        11. The outputDomainInfo method
        12. The outputRegistryInformation method
        13. The outputRegistryAliasInformation method
        14. The outputRegistryUserInfo method
        15. The outputEidInfo method
        16. The outputStringInformation method
        17. The outputAssociationInfo method
        18. The deleteEIMDomain method
        19. The startReport method
      8. Java example: EIMAuthorities (1/2)
      9. Java example: EIMAuthorities (2/2)
        1. The createEIMAuthoritiesHashMap method
        2. Using the AccessContext class
        3. Using the UserAccess class
      10. Kerberizing an application
      11. C EIM API
      12. C Generic Security Service (GSS) API
      13. EIM demo tool
  6. Part 4: Appendices
    1. Appendix A: Backup and recovery
      1. Microsoft Active Directory
      2. Objects on your iSeries system
        1. The iSeries Network Authentication Service objects
        2. The EIM domain on the iSeries LDAP directory server
        3. The iSeries EIM configuration
        4. Sample CL program to save your data
    2. Appendix B: Troubleshooting
      1. Common problems and solutions
        1. Unable to connect to domain controller
        2. List EIM identifiers takes a long time
        3. EIM Configuration wizard hangs during finish processing
        4. EIM handle is no longer valid
        5. Cannot connect with NetServer
        6. Kerberos authentication and diagnostic messages
        7. Errors when running client commands in QSH
      2. iSeries Access Diagnostic Tools
      3. Troubleshooting WebSphere Host On-Demand
    3. Appendix C: Windows 2000 Kerberos tools
      1. Introduction
      2. Support tools installation
      3. Support tools verification
        1. Finding the ktpass command
        2. Verify the system path
        3. Running the ktpass command
      4. Klist command
      5. Kerbtray
    4. Appendix D: Planning forms
      1. Prerequisites checklist
      2. Configuration planning worksheets
    5. Appendix E: Available EIM products
      1. BlueNotes EIM Administration Suite (1/2)
      2. BlueNotes EIM Administration Suite (2/2)
        1. Overview
        2. Collection and collation
        3. Population
        4. Summary
      3. SafeStone’s AxcessIT - Automated EIM Management (1/2)
      4. SafeStone’s AxcessIT - Automated EIM Management (2/2)
        1. Overview
        2. Orphaned Target Account processing
        3. Register Target Account processing
        4. Population process
        5. Technical overview
      5. TriAWorks Identity Manager for Single Sign-On (1/3)
      6. TriAWorks Identity Manager for Single Sign-On (2/3)
      7. TriAWorks Identity Manager for Single Sign-On (3/3)
        1. Population
        2. Collation
        3. Reports
        4. Summary
    6. Appendix F: Java code listings and output examples
      1. ReportEIM class (1/3)
      2. ReportEIM class (2/3)
      3. ReportEIM class (3/3)
      4. Sample output for reportOne()
      5. Sample output for reportTwo()
      6. Sample output for reportThree()
      7. Sample output for reportFour()
      8. EIMAuthorities class
      9. EIMAuthorities output
    7. Appendix G: Additional material
      1. Locating the Web material
      2. Using the Web material
        1. System requirements for downloading the Web material
        2. How to use the Web material
    8. Related publications
      1. IBM Redbooks
      2. Other publications
      3. Online resources
      4. How to get IBM Redbooks
      5. Help from IBM
    9. Index (1/2)
    10. Index (2/2)
    11. Back cover

Product information

  • Title: Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server
  • Author(s): Gary Lakner, Gregory Bobak, Jan Cifka, Kim Greene, Axel Lachmann, John Taylor, Craig Wayman
  • Release date: April 2004
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738498997