Chapter 2. Planning for Network Authentication Service and Enterprise Identity Mapping implementation

2.2 Required network components

To implement SSO in the same manner we have, you need a few network services, some of which can reside on your iSeries. Others, like the Kerberos Key Distribution Center (KDC) functionality, need to be implemented on other platforms, for example on z/OS, AIX, Linux or Microsoft® Windows 2000. For the scenarios later in this book we assume that you have implemented the KDC on a Windows 2000 Server using Microsoft Active Directory.

The part of Kerberos that is enabled on the iSeries is provided by Network Authentication Service, which allows the iSeries to use Kerberos tickets for authentication. However, the KDC functionality of Kerberos is not supported on the iSeries server; you need to implement this functionality on another server. The most common implementation of a KDC is Microsoft Active Directory. If you already have a Windows 2000 or 2003 Server on your network and this server is Active Directory enabled, you should use it as the KDC. If you live in a Windows Server free environment, there are some open source implementations of Kerberos available on Linux. We suggest that you run one of these in a Linux partition on your iSeries server.

Checking prerequisites on your Windows 2000 Server

To have a Windows 2000 Server run Kerberos, Microsoft Active Directory needs to be set up on the Windows server. We assume that you are using the default Windows 2000 Server setup with Active Directory. If this is not the case, you can find information on how to set up Microsoft Active Directory at its home page on the Internet:

http://www.microsoft.com/windows2000/technologies/directory/AD/default.asp

If you are not sure whether your Windows domain has Active Directory set up and running, consult your Windows 2000 administrator. Here are two simple checks you can perform to verify that Active Directory is configured.

1. Check if the Kerberos Key Distribution Center (KDC) service is running. At the console of your Windows 2000 server, select Programs -> Administrative Tools -> Component Services. In the Component Services window shown in Figure 2-2, the Kerberos KDC service is highlighted. Check to see if the status is Started.

Figure 2-2 Check the Kerberos KDC service

2. Now check to see if there are users that have been entered in the Active Directory. Select Programs -> Administrative Tools -> Active Directory Users and Computers, then highlight Users.

If the Kerberos KDC is not started or the Active Directory is not populated by your users, you are not using Active Directory. Go to Microsoft's Active Directory home page, listed previously, for more information on configuration.

Important: If you are unfamiliar with Active Directory do not attempt to set it up in a production environment without first reading about the implications.

There are additional Kerberos support tools that are not installed by default on the Windows 2000 server. We make use of the ktpass command, which is included in those tools. If you do not have the tools installed on your server, the process to do so is described in Appendix C, “Windows 2000 Kerberos tools” on page 235.

LDAP

Enterprise Identity Mapping requires that a Lightweight Directory Access Protocol (LDAP) server is configured with at least a basic configuration. OS/400 is an excellent platform for a directory server. Since the release of V4R3, each server has an optional LDAP-enabled directory in the form of IBM SecureWay® Directory that is known as OS/400 Directory Services. As of the release of V5R2, this has been integrated into the base of OS/400.

If an LDAP server has not been previously configured, the EIM wizard creates a basic configuration on your iSeries for you. From an EIM management point of view, you do not need to access that directory directly. This automatically implemented LDAP server is sufficient for an EIM and SSO implementation. However, should you plan to use the directory for additional functions, such as storing employee information, or configuring advanced functions, such as replication or SSL, you should first become familiar with the LDAP directory server. See "Plan your LDAP directory server" in the iSeries Information Center for planning information before you attempt to configure LDAP:

http://publib.boulder.ibm.com/pubs/html/as400/infocenter.htm

Select the appropriate Geography -> Language -> Security and Directory Services -> Directory Services (LDAP) -> Getting started with Directory Services -> Plan your LDAP directory server

If you are familiar with Directory Services and are past the planning stage for LDAP, see "Install and configure Directory Services" at:

http://publib.boulder.ibm.com/pubs/html/as400/infocenter.htm

Select the appropriate Geography -> Language -> Security and Directory Services -> Directory Services (LDAP) -> Getting started with Directory Services -> Install and configure Directory Services

Another excellent resource for iSeries Directory Services implementation and use is the redbook Implementation and Practical Use of LDAP on the IBM iSeries Server, SG24-6193.

The directory server is the container for the EIM domain and domain controller information, authorities, as well as access control to the information contained in EIM. For a production environment, we recommend that you configure the Directory Server to use SSL.

2.2.1 General TCP/IP considerations

The most common problem we have encountered when configuring Kerberos on the iSeries is name resolution. For Network Authentication Service and Kerberos to work together properly on your network, you must ensure a reliable IP name resolution process. One reason this becomes an issue so frequently is that Kerberos is case sensitive and DNS is not. With that said, the simplest way to avoid many of the pitfalls while configuring SSO is still to implement or use a Domain Name System (DNS) server on your network. A DNS server can be implemented on a variety of platforms; for our scenarios we have implemented a BIND 8.2.5 DNS server on an iSeries. For detailed information on implementing DNS on iSeries, see chapter 8 in the redbook iSeries IP Networks: Dynamic!, SG24-6718.

To determine how your iSeries host name should be resolved, you need to check your iSeries Host domain properties as seen in Figure 2-3. To navigate there, open iSeries Navigator and select System -> Network -> TCP/IP Configuration -> Properties.

Important: Never attempt to edit the EIM files manually. Editing this information manually will result in a corrupted directory tree and you will be required to reconfigure EIM.

Important: Without accurate name resolution on your network, Kerberos and EIM will fail. The error message “CWBSY1017 - rc=608 Kerberos credentials not valid on server.” means that host names are not being resolved correctly (server side). The error message “CWBSY1012 - Kerberos principal not found on server.” usually means that you have a name resolution problem on your client. More information on troubleshooting can be found in Appendix B, “Troubleshooting” on page 229.

Figure 2-3 iSeries host domain information

Note the host and domain name shown in Figure 2-3.

The next step we need to take is to determine how the iSeries’ name is being resolved on the network. There are two possible scenarios at this point:

1. The name will be resolved on the PC in the hosts file. In Windows 2000 that file is located at C:\WINNT\system32\drivers\etc\hosts. On an XP system the file can be found at C:\WINDOWS\system32\drivers\etc\hosts. Open the appropriate file for your operating system and verify whether the iSeries name is listed. If so, make note of the name (including upper and lower case characters) and the IP address associated with it. If the file does not exist, or there is no entry for the iSeries, go to the next scenario.

2. The iSeries name is being resolved by a DNS server on the network. To determine how the DNS server is resolving the host name we have to do an NSLOOKUP (Name Server Lookup). Open a DOS window by clicking Start -> Run... and then typing command when prompted. When the command window opens, type NSLOOKUP followed by the IP address of the iSeries. Note the name that is returned, including the case of each of the characters (upper or lower). To verify that the DNS record is complete, run the NSLOOKUP command again, this time substituting the name that was returned (in the last lookup) for the IP address. If the address returned is different, you will need to contact the administrator of the DNS to correct the record.

If the host name that has been noted is an exact match with what you saw in Figure 2-3, your resolution will satisfy the Network Authentication Service and Kerberos requirements. If not, either change your iSeries host name and domain name to the value returned by the NSLOOKUP function, change the value found in the hosts file, or change your DNS server to resolve to the name listed in the Host Domain Information window. To make the change on the iSeries, open a 5250 session to your iSeries and on the command line enter the command to Configure TCP (CFGTCP), then select option 12, followed by PF11. By using the single quote (‘) character around your entries the case will be saved, as seen in Figure 2-4. You need *IOSYSCFG and *ALLOBJ special authorities to do this.

Tip: Either scenario will work, but the DNS server will provide a more reliable, easy to manage solution to your name resolution. Using DNS gives you a single point to manage your name resolution rather than having to make entries on each of the hosts in your network.

After you have successfully configured Network Authentication Service (Chapter 7, “Enabling Network Authentication Service and Enterprise Identity Mapping” on page 97) on the iSeries, you will perform a test to verify that the configuration is correct. In the test you will try to get a ticket from the KDC using a kinit command; the following is the string we would use in our environment: kinit -k krbsvr400/[email protected]. Because of the way we entered the string, the DNS server will return the host name AS20 (upper case AS). If your host and domain name is configured similar to Figure 2-4, with the fully qualified name as20.itso.ibm.com, the kinit will fail because the iSeries is configured with lower case “as” in the host name.
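The following script is an added example and not part of the redbook or of any IBM product; it applies the three resolution checks the two scenarios above describe (reverse lookup of the iSeries address, forward lookup of the returned name, exact case-sensitive comparison with the configured host domain name) so they can be repeated from a script rather than by hand. The hosts file content, the address 10.1.1.20 and the AS20 / as20.itso.ibm.com pair are constructed sample data mirroring the mismatch described in the text; `check_against_dns` uses the live resolver and needs a real network.

```python
"""Host name resolution check for Kerberos, mirroring the NSLOOKUP procedure.

Added example, not from the redbook. It applies the text's three checks:
reverse-resolve the iSeries IP address, forward-resolve the returned name and
confirm it gives the same address back, then compare the returned name with the
configured host domain name exactly, case included, because Kerberos is case
sensitive and DNS is not. Resolvers are passed in as callables so the same
logic runs against a hosts file, a DNS server, or the constructed tables below.
"""
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed sample hosts file (a PC's drivers\etc\hosts). The names and
# address are hypothetical; they reproduce the AS20 / as20.itso.ibm.com case
# mismatch the text warns about but describe no real network.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.1.20       AS20.itso.ibm.com   AS20
"""

def parse_hosts(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (forward, reverse) maps from hosts-file text.

    forward: name -> address (every name/alias on a line)
    reverse: address -> first (canonical) name on the line, like NSLOOKUP <ip>
    """
    forward: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no name: ignore
        addr, names = fields[0], fields[1:]
        reverse.setdefault(addr, names[0])
        for name in names:
            forward.setdefault(name, addr)
    return forward, reverse

def check_name_resolution(configured_fqdn: str, ip: str,
                          reverse_lookup: Callable[[str], Optional[str]],
                          forward_lookup: Callable[[str], Optional[str]]) -> dict:
    """Run the three checks and return a report: ok flag, resolved name, problems."""
    report = {"ok": False, "resolved_name": None, "problems": []}
    name = reverse_lookup(ip)                 # step 1: NSLOOKUP <ip address>
    if name is None:
        report["problems"].append(f"no name found for {ip}")
        return report
    report["resolved_name"] = name
    back = forward_lookup(name)               # step 2: NSLOOKUP <returned name>
    if back != ip:
        report["problems"].append(
            f"forward lookup of {name!r} returned {back!r}, expected {ip}: "
            "record incomplete, contact the DNS administrator")
    if name != configured_fqdn:               # step 3: exact, case-sensitive match
        kind = "case mismatch" if name.lower() == configured_fqdn.lower() else "name mismatch"
        report["problems"].append(
            f"{kind}: resolver returns {name!r}, iSeries host domain is "
            f"{configured_fqdn!r}; kinit would fail until they agree")
    report["ok"] = not report["problems"]
    return report

def check_against_hosts_file(configured_fqdn: str, ip: str, hosts_text: str = SAMPLE_HOSTS) -> dict:
    """Scenario 1 from the text: the PC resolves the name from its hosts file."""
    forward, reverse = parse_hosts(hosts_text)
    return check_name_resolution(configured_fqdn, ip, reverse.get, forward.get)

def check_against_dns(configured_fqdn: str, ip: str) -> dict:
    """Scenario 2 from the text: the live resolver (DNS). Needs network access."""
    def rev(addr: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(addr)[0]
        except OSError:
            return None

    def fwd(name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except OSError:
            return None
    return check_name_resolution(configured_fqdn, ip, rev, fwd)

if __name__ == "__main__":
    # Host domain configured in lower case (as in Figure 2-4) vs. upper-case hosts entry
    print(check_against_hosts_file("as20.itso.ibm.com", "10.1.1.20"))
```

The report separates a pure case mismatch from a different name, because the first is the failure mode the text attributes to the kinit test and is fixed with the CFGTCP option 12 procedure, while the second (or an incomplete forward record) needs the hosts file or DNS record corrected.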

Figure 2-4 Configure the host and domain name to match the DNS resolution

2.2.2 Time / SNTP

When you use Kerberos for authentication in your network, setting all your servers to the correct time and time zone is a must. The maximum time skew allowed by default in Kerberos is 300 seconds. If your server time is outside this maximum skew, Kerberos authentication will fail. This value can be configured and raised to a maximum of 900 seconds in the iSeries Network Authentication Service configuration.

There are two system values that need to be checked and synchronized manually with the rest of your network:

An easier way of keeping your system clock updated is the Simple Network Time Protocol (SNTP). SNTP is included in OS/400 5722TC1 as a client service. To configure and activate the service, select your iSeries system in the iSeries Navigator, then click Network --> Servers --> TCP/IP and select SNTP (Figure 2-5).

Figure 2-5 SNTP configuration Step 1

Enter the fully qualified name of an SNTP server into the time server field. This could be an external (Internet) SNTP server, your Active Directory controller or any other SNTP server. We used the same system that the KDC resides on. The default polling interval is 60 minutes, which should do for most implementations. Click OK to continue.

Your iSeries will now poll the SNTP server every 60 minutes and adjust its software clock.
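As an added example, not code from the redbook or from OS/400, the script below shows what the SNTP client configured above does on the wire and ties it to the skew limits stated in 2.2.2: it builds an SNTP request (RFC 4330), decodes the transmit timestamp from a 48-byte server reply, and reports whether the difference between the local clock and the time server is inside the 300-second Kerberos default (or the 900-second maximum configurable in Network Authentication Service). The server reply used for the offline run is constructed; `query_sntp` talks to a real server whose name you supply.

```python
"""SNTP clock check against the Kerberos maximum clock skew.

Added example, not from the redbook. It builds an SNTP client request
(RFC 4330), decodes the server transmit timestamp from a 48-byte response, and
reports whether the offset between the local clock and the time server is within
the 300-second default skew the text gives (900 seconds is the configurable
maximum it mentions for Network Authentication Service). The sample response is
constructed here so the decoding and skew logic can be checked without a server.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
DEFAULT_KERBEROS_SKEW = 300            # Kerberos default maximum clock skew, seconds
MAX_NAS_SKEW = 900                     # upper limit configurable in Network Authentication Service
SNTP_PORT = 123

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client), rest zero."""
    return bytes([0x23]) + bytes(47)

def decode_transmit_time(packet: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40-47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("SNTP response shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:                       # 4 = server reply
        raise ValueError(f"not an SNTP server response (mode {mode})")
    secs, frac = struct.unpack("!II", packet[40:48])
    if secs == 0 and frac == 0:         # RFC 4330: zero transmit timestamp means unsynchronized
        raise ValueError("time server reports an unsynchronized clock")
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def skew_report(local_unix: float, server_unix: float,
                max_skew: int = DEFAULT_KERBEROS_SKEW) -> dict:
    """Compare local and server clocks against the allowed Kerberos skew."""
    offset = local_unix - server_unix
    return {"offset_seconds": offset,
            "max_skew": max_skew,
            "within_skew": abs(offset) <= max_skew}

def make_sample_response(unix_time: float) -> bytes:
    """Constructed server reply carrying the given transmit time (test data only)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    pkt = bytearray(48)
    pkt[0] = 0x24                       # LI=0, VN=4, Mode=4 (server)
    pkt[1] = 1                          # stratum 1, arbitrary for the sample
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)

def query_sntp(server: str, timeout: float = 3.0,
               max_skew: int = DEFAULT_KERBEROS_SKEW) -> dict:
    """Send one request over UDP to a real SNTP server and report the skew."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, SNTP_PORT))
        data, _ = sock.recvfrom(512)
    return skew_report(time.time(), decode_transmit_time(data), max_skew)

if __name__ == "__main__":
    # Offline demonstration with a constructed reply 400 s behind the local clock:
    # outside the 300 s default, inside the 900 s maximum.
    now = time.time()
    server_time = decode_transmit_time(make_sample_response(now - 400))
    print(skew_report(now, server_time))
    print(skew_report(now, server_time, MAX_NAS_SKEW))
    # query_sntp("time.server.example")  # hypothetical server name; use on a real network
```

Only the transmit timestamp is used, which matches what a simple SNTP client such as the OS/400 service needs to step its software clock; a server whose reply carries a zero transmit timestamp is rejected rather than trusted, since a KDC and its clients synchronized to an unsynchronized source would agree with each other but still fail against any correctly set host.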