The real advantage of single signon is that users can transparently access systems without having to log in repeatedly. A by-product is simpler administrative procedures. Because Enterprise Identity Mapping (EIM) is an authorization mechanism, not an authentication mechanism, we are also implementing network security in parallel. With this in mind, we explain EIM planning, implementation, and management of users. We also show you how to use the implemented infrastructure to enable applications to use EIM and Kerberos.
This chapter provides an overview of the scenario which has become the basis for this book.
We outline the different objectives involved at each stage of the project and how these objectives are to be accomplished.
Chapter 3. The redbook example scenario
3.1 Scenario overview
In our scenario we have a company called The Bike Shop. The company uses a network of Windows 2000 client machines with a Windows 2000 server. In addition to the Windows 2000 server, The Bike Shop also has two iSeries servers. These iSeries servers are used extensively to meet the changing needs of the business.
The first iSeries is used to hold business information such as stock management information and customer information. This information is stored in DB2® databases. On this iSeries there is an Enterprise Resource Planning software package which controls the stock management and customer information. There are also RPG applications which create reports based on the information from DB2.
The second iSeries runs Lotus Domino as a mail server internally and also has Domino Web Access installed to allow remote users access to their e-mail. As well as running Domino the iSeries also uses WebSphere Application Server to provide access to products and services offered by The Bike Shop. This is served to the browser through an Apache Web server.
The company has 100 users and each user has multiple user names and passwords. Each user has IDs on these systems:
Windows
Lotus Notes
WebSphere
Both iSeries systems
In addition to the users in the office, the company also has users who work remotely. At present these remote employees connect through a VPN in order to access the iSeries applications and sensitive information on the iSeries servers. When remote users are not connected to the network through a VPN connection, they can quickly access their e-mail through a Web browser using iNotes. This is useful for sales representatives travelling to customer sites where a VPN connection cannot be obtained.
Customers can also access product information and services over the Internet.
For a graphical example of how The Bike Shop network infrastructure looks, see Figure 3-1.
Chapter 3. The redbook example scenario 31
3.2 Objectives
The company is growing rapidly, and it realizes that its current administration practices are not coping with the needs of the business. Although they have a Windows domain for users, they are not making much use of the services offered by the hardware available to them.
The primary objective that the organization wants to achieve is as much single signon enablement of applications and services as possible. The organization understands that the current configuration of the company’s infrastructure will have to be examined carefully and possibly redesigned in order to implement an effective single signon solution. The following sections describe the steps we followed to implement that solution.
3.2.1 Make effective use of Kerberos
Currently The Bike Shop has a Windows 2000 server with Active Directory installed. Without the company knowing it, this Windows 2000 server also functions as a Kerberos Key Distribution Center (KDC). The goal is to set up this Key Distribution Center as a basis for authentication using EIM.
3.2.2 Network Authentication Service
Not only does The Bike Shop have a Windows 2000 server, but they also have two iSeries servers. These iSeries servers also need to be configured so that they can participate in the Kerberos realm set up by the Windows 2000 server. This is done by enabling the Network Authentication Service. Setup of the second iSeries is demonstrated in 8.3, “Enabling another iSeries server for single signon” on page 145.
3.2.3 EIM in action
After the EIM infrastructure has been set up and populated with information from the other servers, the next objective for the company is in fact the first benefit the company will see. This objective is to allow the EIM enabled applications that come with iSeries Navigator and iSeries Access to use the implemented EIM infrastructure. Single signon for Kerberos enabled and EIM enabled applications will now become a reality for The Bike Shop. For a list of applications which support Kerberos and EIM, see 1.5, “Currently enabled iSeries applications” on page 13. For information on how to implement these supported applications, see Chapter 8, “Other scenarios” on page 127.
3.2.4 Managing users in EIM
Now that The Bike Shop has created the infrastructure and populated EIM, the next step is the continual management of this infrastructure. For technologies already established in organizations, there are books covering the situations an administrator is likely to face while dealing with the product. For EIM there are at present no commercial books to refer to, so the administrator will only be able to handle these situations after a solution has been identified. We have covered a few possible points in 6.6, “EIM User Management” on page 92.
3.2.5 Backing up EIM
With the organization moving to EIM, a lot of trust is placed in the administrators to manage the systems effectively and to conform to the organization's procedures and rules for dealing with computers. Of course some things are out of the control of the administrators, such as a power failure causing hardware to fail in an iSeries server. If this happens, responsibility lies with the administrators to create another EIM infrastructure. This would be made much easier if the information was backed up. For more information on how to back up the information in EIM, see Appendix A, “Backup and recovery” on page 225.
3.2.6 Kerberos enabling an application
The EIM infrastructure has now been created and is functioning correctly. In order to further their single signon infrastructure The Bike Shop would like to Kerberos enable other existing applications to allow them to authenticate using Kerberos tickets. For more information on Kerberos enabling an application see:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/
3.2.7 EIM enabling an application
The Bike Shop, in addition to client side applications, also has a multi-tier application which connects to a program running on the server. This server application runs SQL queries against information held in DB2 and returns the results to the client. A problem is that when a user wants to connect to the DB2 database, they are challenged for a user name and password to connect to the database. The Bike Shop would like to EIM enable this application so that a user does not have to log on to the DB2 database in order to run this query. For this example of EIM enabling an application, see Chapter 8, “Other scenarios” on page 127.
In addition to this application which they want to EIM enable, The Bike Shop also has an RPG application which they would like to convert to use EIM. The problem is that there are three different prices stored in the stock database, and which price is returned (retail, wholesale, or cost price) depends on which user is accessing the database. The Bike Shop wants to use EIM so that only one user ID is needed for each price list that is to be returned. This task user name is associated with the user's identity in the EIM domain. After the user logs in, the EIM code looks up the user name for this user on the target system and then calls the application using this user name. Only the price lists which the user is authorized to access are returned. For external users who want quick access to back end information from sites where dialing in via a VPN is not possible, this would be a very powerful way to access important information effectively. See “The Bike Shop scenario” on page 128 for details on this scenario.
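To make the lookup described above concrete, here is an added illustration (not code from this redbook and not the IBM EIM API) of how an EIM domain maps a source identity to a target user name, and how the price-list program then acts under that mapped task profile. The registry names (BIKESHOP.COM, NOTES, ISERIES1), the task profiles PRICE_RETAIL, PRICE_WHOLESALE and PRICE_COST, the people and the stock prices are all constructed sample data. The model goes slightly beyond the text by giving each identifier several source associations (a Windows ID and a Notes ID) so that any of a person's logins resolves to the same target profile, and by returning nothing at all for a login that has no mapping.

```python
# Added illustration: a toy model of EIM identity mapping, not IBM's EIM API.
# Registry names, user names, profiles and prices below are constructed data.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A registry-qualified user name, e.g. ("BIKESHOP.COM", "alice") for the
# Kerberos principal alice@BIKESHOP.COM, or ("ISERIES1", "PRICE_RETAIL").
RegistryUser = Tuple[str, str]


@dataclass
class EimIdentifier:
    """One person (or task) in the EIM domain and the identities it owns."""
    name: str
    sources: Set[RegistryUser] = field(default_factory=set)
    targets: Dict[str, str] = field(default_factory=dict)  # registry -> user


class EimDomain:
    """Holds identifiers and answers 'who is this source user on that target?'"""

    def __init__(self) -> None:
        self.identifiers: Dict[str, EimIdentifier] = {}
        self._by_source: Dict[RegistryUser, str] = {}

    def add_identifier(self, name: str) -> EimIdentifier:
        ident = EimIdentifier(name)
        self.identifiers[name] = ident
        return ident

    def add_source(self, ident_name: str, registry: str, user: str) -> None:
        """Source association: this login identity belongs to the identifier.
        Simplification: a source user may map to only one identifier, so a
        lookup can never be ambiguous."""
        key = (registry, user)
        if key in self._by_source:
            raise ValueError(f"{user} in {registry} already mapped to "
                             f"{self._by_source[key]}")
        self.identifiers[ident_name].sources.add(key)
        self._by_source[key] = ident_name

    def add_target(self, ident_name: str, registry: str, user: str) -> None:
        """Target association: the identifier acts as this user on that system."""
        self.identifiers[ident_name].targets[registry] = user

    def get_target_from_source(self, src_registry: str, src_user: str,
                               target_registry: str) -> Optional[str]:
        """The 'get target from source' lookup. Returns None when no mapping
        exists; the calling application must then refuse, not guess."""
        ident_name = self._by_source.get((src_registry, src_user))
        if ident_name is None:
            return None
        return self.identifiers[ident_name].targets.get(target_registry)


# Constructed stock data: item -> (retail, wholesale, cost) prices.
STOCK_PRICES = {"helmet": (49.99, 32.00, 21.50), "tyre": (19.99, 12.00, 7.25)}

# Task user profiles on the iSeries; each is authorized for exactly one list.
PRICE_LIST_FOR_PROFILE = {"PRICE_RETAIL": 0, "PRICE_WHOLESALE": 1, "PRICE_COST": 2}


def run_price_query(target_user: str, item: str) -> Optional[float]:
    """Stand-in for the RPG program: it runs under the task profile and can
    only return the one price list that profile is authorized for."""
    column = PRICE_LIST_FOR_PROFILE.get(target_user)
    if column is None or item not in STOCK_PRICES:
        return None
    return STOCK_PRICES[item][column]


def lookup_price(domain: EimDomain, principal: str, item: str,
                 target_registry: str = "ISERIES1") -> Optional[float]:
    """Kerberos principal (user@REALM) -> EIM lookup -> call program as the
    mapped task user. No mapping means no price list at all."""
    user, _, realm = principal.partition("@")
    target_user = domain.get_target_from_source(realm, user, target_registry)
    if target_user is None:
        return None
    return run_price_query(target_user, item)


def build_demo_domain() -> EimDomain:
    """Constructed sample domain for The Bike Shop scenario."""
    d = EimDomain()
    for name, windows_id, notes_id, profile in [
        ("Alice Smith", "alice", "Alice Smith/BikeShop", "PRICE_RETAIL"),
        ("Bob Jones", "bob", "Bob Jones/BikeShop", "PRICE_WHOLESALE"),
    ]:
        d.add_identifier(name)
        d.add_source(name, "BIKESHOP.COM", windows_id)  # Kerberos realm login
        d.add_source(name, "NOTES", notes_id)           # Lotus Notes login
        d.add_target(name, "ISERIES1", profile)          # task profile used
    return d


if __name__ == "__main__":
    domain = build_demo_domain()
    print(lookup_price(domain, "alice@BIKESHOP.COM", "helmet"))  # 49.99
    print(lookup_price(domain, "bob@BIKESHOP.COM", "helmet"))    # 32.0
    print(lookup_price(domain, "carol@BIKESHOP.COM", "helmet"))  # None
```

The point of the shape is that the application never sees a password for the task profile and never chooses the price list itself: the only authorization input is the target user name that the domain returns, so adding or removing a person's access is purely an EIM association change.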
3.2.8 A second iSeries
In this scenario The Bike Shop has two iSeries servers. Naturally, when the organization implements this EIM configuration, they would like all computers in their network to be EIM enabled. Another objective for this scenario is to enable the iSeries used for Web and e-mail functionality to participate in and use information from the EIM domain. See 8.3, “Enabling another iSeries server for single signon” on page 145, and 8.5, “Enabling Domino Web Access for single signon and EIM” on page 162 respectively for our implementation.
© Copyright IBM Corp. 2004. All rights reserved. 33