
iSeries

Single signon

Version 5 Release 3

Note

Before using this information and the product it supports, be sure to read the information in “Notices,” on page 85.

First Edition (May 2004)

This edition applies to version 5, release 3, modification 0 of IBM Operating System/400 (product number 5722-SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models.

Contents

Single signon . . . 1
  What’s new for V5R3 . . . 1
  Print this topic . . . 2
  Scenarios . . . 3
    Scenario: Create a single signon test environment . . . 3
    Scenario: Enable single signon for OS/400 . . . 17
    Scenario: Propagate network authentication service and EIM across multiple systems . . . 42
    Scenario: Configure the Management Central servers for single signon . . . 50
    Scenario: Enable single signon for ISV applications . . . 56
  Concepts . . . 68
    Single signon overview . . . 68
    Authentication . . . 69
    Authorization . . . 69
    Domains . . . 70
    Identity mapping . . . 71
    OS/400 enablement . . . 72
    ISV enablement . . . 73
  Plan for single signon enablement . . . 74
    Requirements for configuring a single signon environment . . . 75
    Single signon configuration planning worksheets . . . 76
  Configure single signon . . . 78
  Manage a single signon environment . . . 80
  Troubleshoot a single signon configuration . . . 80
  Related information for single signon . . . 84
  Code disclaimer . . . 84

Appendix. Notices . . . 85
  Programming Interface Information . . . 87
  Trademarks . . . 87
  Terms and conditions for downloading and printing publication . . . 87

Single signon

If you are looking for a way to eliminate the number of passwords that your users must use and that your administrators must manage, then implementing a single signon environment may be the answer you need. This information presents a single signon solution for OS/400, which uses network authentication service (IBM’s implementation of the Kerberos V5 standard from MIT) paired with Enterprise Identity Mapping (EIM). The single signon solution reduces the number of sign-ons that a user must perform, as well as the number of passwords that a user requires to access multiple applications and servers. This code disclaimer pertains to code examples that are provided within this topic. The following information provides specific details pertaining to the single signon solution:

What’s new for V5R3

Learn about new information and functions that are available regarding single signon enablement for your enterprise or for OS/400®.

Print this topic

Print PDF versions of this topic and related information, such as Enterprise Identity Mapping (EIM) and network authentication service.

Scenarios

Use this information to review scenarios that illustrate typical single signon implementation situations to help you plan your own certificate implementation as part of your server security policy.

Concepts

Learn about the underlying concepts for single signon for a better understanding of how you can plan to use single signon in your enterprise.

Plan

Learn about planning considerations and tasks for implementing single signon, including software and hardware prerequisites and other requirements. Also, review the single signon planning process to help you plan how best to implement single signon in your enterprise.

Configure

Learn how to configure everything you need to implement a single signon environment in your enterprise.

Manage

Use this information to learn how to manage your single signon environment, including management tasks for network authentication service and EIM.

Troubleshoot

Use this information to learn how to resolve some common errors that you might experience while configuring and using a single signon environment.

Related information for single signon

Use this resource to access information that supports the single signon solution and its underlying technologies.

What’s new for V5R3

Single signon capability for OS/400, first introduced in V5R2, offers new functions and enhancements in V5R3. This topic highlights what is new and changed for single signon.

New or enhanced functions for single signon

• Synchronize Functions wizard for network authentication service and EIM configurations
  To make implementing single signon easier across your enterprise, you can now use the iSeries™ Navigator Synchronize Functions wizard to propagate a single set of network authentication service and Enterprise Identity Mapping (EIM) configurations to a group of iSeries systems. The wizard duplicates the configurations on the model system and copies them to the other systems in the group. You save time by performing configuration one time on the model system and then using the wizard to propagate that configuration to multiple systems, rather than having to configure each system individually. See the “Scenario: Propagate network authentication service and EIM across multiple systems” on page 42 scenario for technical and configuration details.

• Enhanced single signon support for OS/400 applications that use the Management Central servers
  Enhanced single signon support eliminates the restriction of having identical passwords on the systems that you manage with a central system in iSeries Navigator. See “Scenario: Configure the Management Central servers for single signon” on page 50 for technical and configuration details.

• EIM and network authentication service enhancements
  Many of the new or enhanced single signon functions are a result of new and enhanced function for EIM and network authentication service, the two technologies which make up the OS/400 single signon solution. Refer to the following topics for more information about specific enhancements:
  – What’s new for EIM
  – What’s new for network authentication service

New or enhanced information about this topic

Previously, information about the single signon function was available in the network authentication service and EIM topics because these are the two technologies that function together to enable the single signon environment. This new Information Center topic provides centralized information about configuring and using single signon. This new topic also provides enhanced and more complete information, including important concepts, detailed planning material, and scenarios that help you determine when and how to use the single signon capabilities.

To find other information about what’s new or changed this release, see the Memo to Users.

Print this topic

To view or download the PDF version of this document, select Single signon (about 600 KB). You can view or download these related topics:

• Enterprise Identity Mapping (EIM) (about 700 KB). Enterprise Identity Mapping (EIM) is a mechanism for mapping a person or entity (such as a service) to the appropriate user identities in various user registries throughout the enterprise.

• Network authentication service (about 990 KB). Network authentication service allows an iSeries server to participate in an existing Kerberos network.

Saving PDF files

To save a PDF on your workstation for viewing or printing:

• Right-click the PDF in your browser (right-click the link above).
• Click Save Target As... if you are using Internet Explorer. Click Save Link As... if you are using Netscape Communicator.
• Navigate to the directory in which you want to save the PDF.
• Click Save.

Downloading Adobe Acrobat Reader

You need Adobe Acrobat Reader to view or print these PDFs. You can download a copy from the Adobe Web site (www.adobe.com/products/acrobat/readstep.html).

Scenarios

These scenarios provide a logical progression for configuring and using single signon in an enterprise. Although all of these scenarios provide models for network administrators, there is also a scenario for application developers that demonstrates the tasks that a developer needs to complete to create applications that can participate in a single signon environment.

Review the following scenarios to become familiar with the technical and configuration details involved in setting up single signon:

Scenario: Create a single signon test environment

This scenario demonstrates how to configure network authentication service and EIM to create a basic single signon test environment. Administrators can use this scenario to gain a basic understanding of what configuring a single signon environment involves on a small scale before implementing single signon across an entire enterprise.

Scenario: Enable single signon for OS/400

This scenario demonstrates how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands upon the concepts and tasks presented in the previous scenario, which demonstrates how to create a simple single signon test environment.

Scenario: Propagate network authentication service and EIM across multiple systems

This scenario demonstrates how to use the Synchronize Functions wizard in iSeries Navigator to propagate a single signon configuration across multiple systems in a mixed OS/400 release environment. Administrators can save time by configuring single signon once and propagating that configuration to all of their systems, instead of configuring each system individually.

Scenario: Configure the Management Central servers for single signon

This scenario demonstrates how to configure your V5R3 Management Central servers to participate in a single signon environment. After administrators complete the scenario for propagating a single signon configuration across multiple systems, they can do the necessary configuration so that their Management Central servers can participate in the single signon environment.

Scenario: Enable single signon for ISV applications

This scenario demonstrates how to write applications to run in a single signon environment. Independent Software Vendor (ISV) application developers can use this scenario to learn how to use EIM application programming interfaces (APIs) in conjunction with network authentication service or another authentication mechanism, such as IBM® Directory Server for iSeries (LDAP), to create applications that can fully participate in a single signon environment.

Scenario: Create a single signon test environment

Situation

You, John Day, are a network administrator for a large wholesale company. Currently you spend much of your time troubleshooting password and user identity problems, such as forgotten passwords. Your network is comprised of several iSeries systems and a Windows® 2000 server, where your users are registered in Microsoft® Windows Active Directory. Based on your research, you know that Microsoft Active Directory uses the Kerberos protocol to authenticate Windows users. You also know that OS/400 provides a single signon solution based on an implementation of Kerberos authentication, called network authentication service, in conjunction with EIM.

You are excited about the benefits of using single signon. However, you want to thoroughly understand single signon configuration and usage before you begin using it across your entire enterprise. Consequently, you decide to configure a test environment first.

After considering the various groups in your company, you decide to create the test environment for the Order Receiving department. The employees in the Order Receiving department use multiple applications on one iSeries system to handle incoming customer orders. Consequently, the Order Receiving department provides an excellent opportunity for you to create a single signon test environment that you can use to better understand how single signon works and how to plan a single signon implementation across your enterprise.

This scenario has the following advantages:

• Allows you to see some of the benefits of single signon on a small scale to better understand how you can take full advantage of it before you create a large-scale, single signon environment.
• Provides you with a better understanding of the planning process you need to use to successfully and to more quickly implement single signon across your entire enterprise.
• Minimizes the learning curve of implementing single signon across your enterprise.

Objectives

As the network administrator at MyCo, Inc., you want to create a small single signon environment for testing that includes a small number of users and a single iSeries server. You want to perform thorough testing to ensure that user identities are correctly mapped within your test environment. Based on this configuration, you eventually want to expand the test environment to include the other systems and users in your enterprise.

The objectives of this scenario are as follows:

• The iSeries system, known as iSeries A, must be able to use Kerberos within the MYCO.COM realm to authenticate the users and services that are participating in this single signon test environment. To enable the system to use Kerberos, iSeries A must be configured for network authentication service.
• The directory server on iSeries A must function as the domain controller for the new EIM domain.

  Note: Refer to “Domains” on page 70 to learn how an EIM domain and a Windows 2000 domain both fit into the single signon environment.

• One user profile on iSeries A and one Kerberos principal must each be mapped to a single EIM identifier.
• A Kerberos service principal must be used to authenticate the user to the iSeries Access for Windows applications.

Details

The figure illustrates the following points relevant to this scenario.

EIM domain data defined for the enterprise

• An EIM registry definition for iSeries A called ISERIESA.MYCO.COM.
• An EIM registry definition for the Kerberos registry called MYCO.COM.
• An EIM identifier called John Day. This identifier uniquely identifies John Day, the administrator for MyCo.
• A source association for the jday Kerberos principal on the Windows 2000 server.
• A target association for the JOHND user profile on iSeries A.

Windows 2000 server

• Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
• The default realm for the Kerberos server is MYCO.COM.
• A Kerberos principal of jday is registered with the Kerberos server on the Windows 2000 server. This principal will be used to create a source association to the EIM identifier, John Day.

iSeries A

• Runs OS/400 Version 5 Release 3 (V5R3) with the following options and licensed products installed:
  – OS/400 Host Servers (5722-SS1 Option 12)
  – Qshell Interpreter (5722-SS1 Option 30)
  – iSeries Access for Windows (5722-XE1)
  – Cryptographic Access Provider (5722-AC3)

  Note: You can implement this scenario using a server that runs V5R2. However, some of the configuration steps will be slightly different due to V5R3 enhancements. See “What’s new for V5R3” on page 1 for more information on single signon enhancements for V5R3.

• The IBM Directory Server for iSeries (LDAP) on iSeries A will be configured to be the EIM domain controller for the new EIM domain, MyCoEimDomain.
• iSeries A participates in the EIM domain, MyCoEimDomain.
• The principal name for iSeries A is krbsvr400/iseriesa.myco.com@MYCO.COM.
• The user profile of JOHND exists on iSeries A. You will create a target association between this user profile and the EIM identifier, John Day.
• The home directory for the OS/400 user profile, JOHND, (/home/JOHND) is defined on iSeries A.

Client PC used for single signon administration

• Runs Microsoft Windows 2000 operating system.
• Runs V5R3 iSeries Access for Windows (5722-XE1).
• Runs iSeries Navigator with the following subcomponents installed:
  – Network
  – Security
• Serves as the primary logon system for administrator John Day.
• Configured to be part of the MYCO.COM realm (Windows domain).

Prerequisites and assumptions

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

1. All system requirements, including software and operating system installation, have been verified. To verify that the licensed programs have been installed, complete the following:
   a. In iSeries Navigator, expand your iSeries server → Configuration and Service → Software → Installed Products.
   b. Ensure that all the necessary licensed programs are installed.
2. All necessary hardware planning and setup is complete.
3. TCP/IP and basic system security are configured and tested on each system.
4. The directory server and EIM should not be previously configured on iSeries A.

   Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on iSeries A. However, if you already configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.

5. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.

   Note: The use of host tables with Kerberos authentication may result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.

Configuration steps

Note: You need to thoroughly understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single signon:

• Enterprise Identity Mapping (EIM)
• Network authentication service

1. Complete the planning worksheets
2. Create a basic single signon configuration for iSeries A
3. Add iSeries A service principal to the Kerberos server
4. Create home directory for John Day on iSeries A
5. Test network authentication service configuration on iSeries A
6. Create EIM identifier for John Day
7. Create source association and target association for the new EIM identifier
8. Test EIM identity mappings
9. Configure iSeries Access for Windows applications to use Kerberos
10. Verify network authentication service and EIM configuration
11. (Optional) Post configuration considerations

Scenario details: Create a single signon test environment

Step 1: Complete the planning worksheets

The following planning worksheets are tailored to fit this scenario based on the general single signon planning worksheets. These planning worksheets demonstrate the information that you need to gather and the decisions you need to make to prepare the single signon implementation described by this scenario. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the worksheet and you should gather all the information necessary to complete the worksheets before you perform any configuration tasks.

Note: You need to thoroughly understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single signon:

• Enterprise Identity Mapping (EIM)
• Network authentication service

Table 1. Single signon prerequisite worksheet

Prerequisite worksheet / Answers

Is your OS/400 V5R3 (5722-SS1) or later?
  Answer: Yes

Are the following options and licensed products installed on iSeries A?
  • OS/400 Host Servers (5722-SS1 Option 12)
  • Qshell Interpreter (5722-SS1 Option 30)
  • iSeries Access for Windows (5722-XE1)
  • Cryptographic Access Provider (5722-AC3)
  Answer: Yes

Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment?
  Note: For this scenario, all of the participating PCs have iSeries Access for Windows (5722-XE1) installed.
  Answer: Yes

Is iSeries Navigator installed on the administrator’s PC?
  • Is the Security subcomponent of iSeries Navigator installed on the administrator’s PC?
  • Is the Network subcomponent of iSeries Navigator installed on the administrator’s PC?
  Answer: Yes

Have you installed the latest iSeries Access for Windows service pack? See iSeries Access for the latest service pack.
  Answer: Yes

Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities?
  Answer: Yes

Do you have one of the following systems acting as the Kerberos server (also known as the KDC)? If yes, specify which system.
  1. Windows® 2000 Server
     Note: Microsoft Windows 2000 Server uses Kerberos authentication as its default security mechanism.
  2. Windows® Server 2003
  3. OS/400 PASE (V5R3 or later)
  4. AIX® server
  5. zSeries®
  Answer: Yes, Windows® 2000 Server

Are all your PCs in your network configured in a Windows® 2000 domain?
  Answer: Yes

Have you applied the latest program temporary fixes (PTFs)?
  Answer: Yes

Is the iSeries system time within 5 minutes of the system time on the Kerberos server? If not, see Synchronize system times.
  Answer: Yes

You need this information to configure EIM and network authentication service to create a single signon test environment.

Table 2. Single signon configuration planning worksheet for iSeries A

Configuration planning worksheet for iSeries A / Answers

Use the following information to complete the EIM Configuration wizard. The information in this worksheet correlates with the information you need to supply for each page in the wizard:

How do you want to configure EIM for your system?
  • Join an existing domain
  • Create and join a new domain
  Answer: Create and join a new domain

Where do you want to configure your EIM domain?
  Answer: On the local directory server
  Note: This will configure the directory server on the same system on which you are currently configuring EIM.

Do you want to configure network authentication service?
  Note: You must configure network authentication service to configure single signon.
  Answer: Yes

The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:

Note: You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard.

What is the name of the Kerberos default realm to which your iSeries will belong?
  Note: A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.
  Answer: MYCO.COM

Are you using Microsoft Active Directory?
  Answer: Yes

What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?
  Answer: KDC: kdc1.myco.com; Port: 88
  Note: This is the default port for the Kerberos server.

Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? What is the port on which the password server listens?
  Answer: Yes. Password server: kdc1.myco.com; Port: 464
  Note: This is the default port for the password server.

For which services do you want to create keytab entries?
  • OS/400 Kerberos Authentication
  • LDAP
  • iSeries IBM HTTP Server
  • iSeries NetServer
  Answer: OS/400 Kerberos Authentication

What is the password for your service principal or principals?
  Answer: iseriesa123
  Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

Do you want to create a batch file to automate adding the service principals for iSeries A to the Kerberos registry?
  Answer: Yes

Do you want to include passwords with the OS/400 service principals in the batch file?
  Answer: Yes

As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:

Specify user information that the wizard should use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.
  Note: Specify the LDAP administrator’s distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.
  Answer: Port: 389; Distinguished name: cn=administrator; Password: mycopwd
  Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

What is the name of the EIM domain that you want to create?
  Answer: MyCoEimDomain

Do you want to specify a parent DN for the EIM domain?
  Answer: No

Which user registries do you want to add to the EIM domain?
  Answer: Local OS/400 -- ISERIESA.MYCO.COM; Kerberos -- MYCO.COM
  Note: The Kerberos principals stored on the Windows 2000 server are not case sensitive; therefore you should not select Kerberos user identities are case sensitive.

Which EIM user do you want iSeries A to use when performing EIM operations? This is the system user.
  Note: If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator’s DN and password.
  Answer: User type: Distinguished name and password; User: cn=administrator; Password: mycopwd
  Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon:

What is the name of the EIM identifier that you want to create?
  Answer: John Day

What kinds of associations do you want to create?
  Answer: Source association: Kerberos principal jday; Target association: OS/400 user profile JOHND

What is the name of the user registry that contains the Kerberos principal for which you are creating the source association?
  Answer: MYCO.COM

What is the name of the user registry that contains the OS/400 user profile for which you are creating the target association?
  Answer: ISERIESA.MYCO.COM

What information do you need to supply to test EIM identity mapping?
  Answer: Source registry: MYCO.COM; Source user: jday; Target registry: ISERIESA.MYCO.COM
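The following Python is an added example, not IBM code and not the EIM API. It models the EIM domain data from the Details section and the identity-mapping test at the end of Table 2 (the two registry definitions, the John Day identifier, its source and target associations) and performs the lookup that single signon relies on: Kerberos principal in MYCO.COM to OS/400 user profile in ISERIESA.MYCO.COM. All class and function names are this example's own; treating the OS/400 registry as case-insensitive and refusing a mapping that yields more than one target user are assumptions of the model.

```python
"""Model of the EIM identity-mapping lookup configured in this scenario.

Added example only: plain Python data standing in for the EIM domain
controller's objects. Names are this example's own, not the EIM API.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AmbiguousMapping(Exception):
    """More than one target user was found; signon cannot use the mapping (assumption)."""


@dataclass(frozen=True)
class RegistryDefinition:
    name: str
    # Table 2 says not to mark the Windows 2000 Kerberos registry as case
    # sensitive, so user names are compared case-insensitively by default.
    case_sensitive: bool = False

    def normalize(self, user: str) -> str:
        return user if self.case_sensitive else user.upper()


@dataclass
class EimIdentifier:
    name: str
    sources: set = field(default_factory=set)    # {(registry, normalized user)}
    targets: dict = field(default_factory=dict)  # registry -> normalized user


class EimDomain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.registries: dict[str, RegistryDefinition] = {}
        self.identifiers: dict[str, EimIdentifier] = {}
        # Reverse index used by lookup: (registry, normalized user) -> identifier names
        self._by_source: dict[tuple[str, str], set[str]] = {}

    def add_registry(self, name: str, case_sensitive: bool = False) -> None:
        self.registries[name] = RegistryDefinition(name, case_sensitive)

    def add_identifier(self, name: str) -> None:
        if name in self.identifiers:
            raise ValueError(f"identifier {name!r} already exists")
        self.identifiers[name] = EimIdentifier(name)

    def _key(self, registry: str, user: str) -> tuple[str, str]:
        if registry not in self.registries:
            raise KeyError(f"registry {registry!r} is not defined in {self.name}")
        return registry, self.registries[registry].normalize(user)

    def add_source_association(self, identifier: str, registry: str, user: str) -> None:
        key = self._key(registry, user)
        self.identifiers[identifier].sources.add(key)
        self._by_source.setdefault(key, set()).add(identifier)

    def add_target_association(self, identifier: str, registry: str, user: str) -> None:
        reg, normalized = self._key(registry, user)
        self.identifiers[identifier].targets[reg] = normalized

    def lookup(self, source_registry: str, source_user: str, target_registry: str):
        """Return the target user for source_user, or None when no mapping exists.

        Source identity -> identifier(s) -> target association in target_registry.
        A source identity may belong to more than one identifier; if that
        produces more than one distinct target user the mapping is ambiguous.
        """
        key = self._key(source_registry, source_user)
        if target_registry not in self.registries:
            raise KeyError(f"registry {target_registry!r} is not defined in {self.name}")
        candidates = set()
        for ident_name in self._by_source.get(key, ()):
            target = self.identifiers[ident_name].targets.get(target_registry)
            if target is not None:
                candidates.add(target)
        if not candidates:
            return None
        if len(candidates) > 1:
            raise AmbiguousMapping(f"{source_user} in {source_registry} maps to {sorted(candidates)}")
        return candidates.pop()


def build_myco_test_domain() -> EimDomain:
    """The EIM domain data listed under Details and in Table 2 (constructed)."""
    domain = EimDomain("MyCoEimDomain")
    domain.add_registry("MYCO.COM")           # Kerberos registry on the Windows 2000 KDC
    domain.add_registry("ISERIESA.MYCO.COM")  # Local OS/400 registry on iSeries A
    domain.add_identifier("John Day")
    domain.add_source_association("John Day", "MYCO.COM", "jday")
    domain.add_target_association("John Day", "ISERIESA.MYCO.COM", "JOHND")
    return domain


if __name__ == "__main__":
    d = build_myco_test_domain()
    # The "test EIM identity mapping" row of Table 2:
    print(d.lookup("MYCO.COM", "jday", "ISERIESA.MYCO.COM"))     # JOHND
    # Case folding follows the non-case-sensitive Kerberos registry:
    print(d.lookup("MYCO.COM", "JDAY", "ISERIESA.MYCO.COM"))     # JOHND
    # A principal with no source association has no mapping, so signon would fail:
    print(d.lookup("MYCO.COM", "someone", "ISERIESA.MYCO.COM"))  # None
```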

Step 2: Create a basic single signon configuration for iSeries A

The EIM Configuration wizard helps you create a basic EIM configuration and also opens the Network Authentication Service wizard to allow you to create a basic network authentication service configuration.

Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on iSeries A. However, if you already configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.

When you have finished this step, you will have completed the following tasks:

• Created a new EIM domain
• Configured the directory server on iSeries A to be the EIM domain controller
• Configured network authentication service
• Created EIM registry definitions for the iSeries A OS/400 registry and the Kerberos registry in the newly created EIM domain
• Configured iSeries A to participate in the EIM domain

Use the information from your planning worksheets to configure EIM and network authentication service on iSeries A:

1. In iSeries Navigator, expand iSeries A → Network → Enterprise Identity Mapping.
2. Right-click Configuration and select Configure to start the EIM Configuration wizard.
3. On the Welcome page, select Create and join a new domain. Click Next.
4. On the Specify EIM Domain Location page, select On the local Directory server. Click Next and the Network Authentication Service wizard is displayed.

   Note: The Network Authentication Service wizard only displays when the system determines that you need to enter additional information to configure network authentication service for the single signon implementation.

5. Complete these tasks to configure network authentication service:
   a. On the Configure Network Authentication Service page, select Yes.

      Note: This launches the Network Authentication Service wizard. With this wizard, you can configure several OS/400 interfaces and services to participate in a Kerberos realm.

   b. On the Specify Realm Information page, enter MYCO.COM in the Default realm field and select
   c. On the Specify KDC Information page, enter kdc1.myco.com in the KDC field and enter 88 in the Port field. Click Next.
   d. On the Specify Password Server Information page, select Yes. Enter kdc1.myco.com in the Password server field and 464 in the Port field. Click Next.
   e. On the Select Keytab Entries page, select OS/400 Kerberos Authentication. Click Next.
   f. On the Create OS/400 Keytab Entry page, enter and confirm a password, and click Next. For example, iseriesa123. This password will be used when iSeries A is added to the Kerberos server.

      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

   g. On the Create Batch File page, select Yes, specify the following information, and click Next:
      • Batch file: Add the text iseriesa to the end of the default batch file name. For example, C:\Documents and Settings\All Users\Documents\IBM\Client Access\NASConfigiseriesa.bat.
      • Select Include password. This ensures that all passwords associated with the OS/400 service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. Therefore, it is recommended that you delete the batch file from the Kerberos server and from your PC immediately after use.

      Note: If you do not include the password, you will be prompted for the password when the batch file is run.

   h. On the Summary page, review the network authentication service configuration details. Click Finish to complete the Network Authentication Service wizard and return to the EIM Configuration wizard.

6. On the Configure Directory Server page, enter the following information, and click Next:

   Note: If you configured the directory server before you started this scenario, you will see the Specify User for Connection page instead of the Configure Directory Server page. In that case, you must specify the distinguished name and password for the LDAP administrator.

   • Port: 389
   • Distinguished name: cn=administrator
   • Password: mycopwd

   Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

7. On the Specify Domain page, enter the name of the domain in the Domain field, and click Next. For example, MyCoEimDomain.
8. On the Specify Parent DN for Domain page, select No, and click Next.

   Note: If the directory server is active, a message is displayed that indicates you need to end and restart the directory server for the changes to take effect. Click Yes to restart the directory server.

9. On the Registry Information page, select Local OS/400 and Kerberos, and click Next. Write down the registry names. You will need these registry names when you create associations to EIM identifiers.

   Note:
   • You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values.

10. On the Specify EIM System User page, select the user the operating system uses when performing EIM operations on behalf of operating system functions, and click Next:

    Note: Because you did not configure the directory server prior to performing the steps in this scenario, the only distinguished name (DN) that you can choose is the LDAP administrator’s DN.

    • User type: Distinguished name and password
    • Distinguished name: cn=administrator
    • Password: mycopwd

    Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

11. On the Summary page, confirm the EIM configuration information. Click Finish.

Now that you have completed a basic EIM and network authentication service configuration on iSeries A, you can add the service principal for iSeries A to the Kerberos server.

Step 3: Add iSeries A service principal to the Kerberos server

You can use one of two methods to add the necessary OS/400 service principal to the Kerberos server. You can manually add the service principal or, as this scenario illustrates, you can use a batch file to add it. You created this batch file in Step 2. To use this file, you can use File Transfer Protocol (FTP) to copy the file to the Kerberos server and run it.

Follow these steps to use the batch file to add principals to the Kerberos server:

FTP batch file created by the wizard

1. On the Windows 2000 workstation that you used to configure network authentication service, open a command prompt and type ftp kdc1.myco.com to start an FTP session on your PC. You will be prompted for the administrator’s user name and password.
2. At the FTP prompt, enter lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter. You should receive the message Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access.
3. At the FTP prompt, type cd \mydirectory, where mydirectory is a directory located on kdc1.myco.com.
4. At the FTP prompt, type put NASConfigiseriesa.bat. You should receive this message: 226 Transfer complete.
5. Type quit to exit the FTP session.

Run the batch file on kdc1.myco.com

1. On your Windows 2000 server, open the directory where you transferred the batch file.
2. Find the NASConfigiseriesa.bat file and double-click the file to run it.
3. After the file runs, verify that the OS/400 principal has been added to the Kerberos server by completing the following:
   a. On your Windows 2000 server, expand Administrative Tools → Active Directory Users and Computers → Users.

   Note: This Windows 2000 domain should be the same as the default realm name that you specified in the network authentication service configuration.

   c. In the list of users that is displayed, find iseriesa_1_krbsvr400. This is the user account generated for the OS/400 principal name.
   d. (Optional) Access the properties on your Active Directory user. From the Account tab, select the Account is trusted for delegation.

      Note: This optional step enables your system to delegate, or forward, a user’s credentials to other systems. As a result, the OS/400 service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.

Now that you have added the iSeries A service principal to the Kerberos server, you can create a home directory for John Day.

Step 4: Create home directory for John Day on iSeries A

You need to create a directory in the /home directory to store your Kerberos credentials cache. To create a home directory, complete the following:

On a command line, enter: CRTDIR '/home/userprofile' where userprofile is your OS/400 user profile name. For example: CRTDIR '/home/JOHND'.

Now that you have created the home directory, you can verify that network authentication service is configured correctly.

Step 5: Test network authentication service configuration on iSeries A

Now that you have completed the network authentication service configuration tasks for iSeries A, you need to test that your configuration works correctly. You can do this by requesting a ticket granting ticket for the iSeries A principal name.

To test the network authentication service configuration, follow these steps:

Note: Ensure that you have created a home directory for your OS/400 user profile before performing this procedure.

1. On a command line, enter QSH to start the Qshell Interpreter.

2. Enter keytab list to display a list of principals registered in the keytab file. In this scenario, krbsvr400/iseriesa.myco.com@MYCO.COM should display as the principal name for iSeries A.

3. Enter kinit -k krbsvr400/iseriesa.myco.com@MYCO.COM. If this is successful, the kinit command completes without displaying any errors.

4. Enter klist to verify that the default principal is krbsvr400/iseriesa.myco.com@MYCO.COM.

Now that you have tested the network authentication service configuration, you can create an EIM identifier for John Day.

Step 6: Create EIM identifier for John Day

Now that you have performed the initial steps to create a basic single signon configuration, you can begin to add information to this configuration to complete your single signon test environment. You need to create the EIM identifier that you specified in the planning worksheet. In this scenario, this EIM identifier is a name that uniquely identifies you, John Day, in your enterprise.

1. In iSeries Navigator, expand iSeries A → Network → Enterprise Identity Mapping → Domain Management → MyCoEimDomain.

   Note: You may be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:

   • User type: Distinguished name
   • Distinguished name: cn=administrator
   • Password: mycopwd

   Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

2. Right-click Identifiers and select New Identifier....

3. On the New EIM Identifier dialog box, enter a name for the new identifier in the Identifier field, and click OK. For example, John Day.

Now that you have created your identifier, you can add associations to the identifier to define the relationship between the identifier and the corresponding Kerberos principal and OS/400 user profile.

Step 7: Create source association and target association for the new EIM identifier

You must create the appropriate associations between the EIM identifier and the user identities that the person represented by the identifier uses. These identifier associations, when properly configured, enable the user to participate in a single signon environment.

In this scenario, you need to create two identifier associations for the John Day identifier:

• A source association for the jday Kerberos principal, which is the user identity that John Day, the person, uses to log in to Windows and the network. The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.

• A target association for the JOHND OS/400 user profile, which is the user identity that John Day, the person, uses to log in to iSeries Navigator and other OS/400 applications on iSeries A. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.

Now that you have created the John Day identifier, you need to create both a source association and a target association for it.

To create a source association between the Kerberos principal and the John Day identifier, follow these steps:

1. In iSeries Navigator, expand iSeries A → Network → Enterprise Identity Mapping → Domain Management → MyCoEimDomain → Identifiers.

2. Right-click John Day, and select Properties.

3. On the Associations page, click Add.

4. In the Add Association dialog, specify or Browse... to select the following information, and click OK:
   • Registry: MYCO.COM
   • User: jday
   • Association type: Source

5. Click OK to close the Add Association dialog.

To create a target association between the OS/400 user profile and the John Day identifier, follow these steps:

6. On the Associations page, click Add.

7. On the Add Association dialog, specify or Browse... to select the following information, and click OK:
   • Registry: ISERIESA.MYCO.COM
   • User: JOHND
   • Association type: Target

8. Click OK to close the Add Association dialog.

9. Click OK to close the Properties dialog.

Now that you have created an identifier and added the appropriate associations to the identifier, you need to test that the mappings between associated user identities work correctly.

Step 8: Test EIM identity mappings

You need to verify that EIM mapping lookup operations return the correct results based on the configured associations.

To test that EIM mapping operations work correctly, follow these steps:

1. In iSeries Navigator, expand iSeries A → Network → Enterprise Identity Mapping → Domain Management → MyCoEimDomain.

   Note: You may be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:

   • User type: Distinguished name
   • Distinguished name: cn=administrator
   • Password: mycopwd

   Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.

2. Right-click MyCoEimDomain and select Test a mapping....

3. In the Test a mapping dialog, specify or Browse... to select the following information:
   • Source registry: MYCO.COM
   • Source user: jday
   • Target registry: ISERIESA.MYCO.COM

   Note: Click Help, if necessary, for more details about what information is needed for each field in the dialog.

   Click Test, and click Close.

If your EIM mappings are correctly configured, the following results are displayed in the Mapping found portion of the page:

For these fields    See these results
Target user         JOHND
Origin              EIM Identifier: John Day

If you receive messages or errors that indicate problems with your mappings or with communications, see EIM troubleshooting to help you find solutions to these problems.

Now that you have tested the EIM identity mappings, you can configure iSeries Access for Windows applications to use Kerberos authentication.

Step 9: Configure iSeries Access for Windows applications to use Kerberos authentication

You must use Kerberos to authenticate before you can use iSeries Navigator to access iSeries A. Therefore, from your PC, you need to configure iSeries Access for Windows to use Kerberos authentication.

To configure iSeries Access for Windows applications to use Kerberos authentication, complete the following steps:

1. Log on to the Windows 2000 domain by signing in to your PC.

2. In iSeries Navigator on your PC, right-click iSeries A and select Properties.

3. On the Connection page, select Use Kerberos principal name, no prompting. This allows iSeries Access for Windows connections to authenticate with the Kerberos credentials obtained at Windows logon instead of prompting for an OS/400 user ID and password.

4. A message is displayed that indicates you need to close and restart all applications that are currently running for the changes to the connection settings to take effect. Click OK. Then, end and restart iSeries Navigator.

Now that you have configured iSeries Access for Windows applications to use Kerberos authentication, you can verify the single signon test environment.

Step 10: Verify network authentication service and EIM configuration

Now that you have verified the individual pieces of your single signon configuration and ensured that all setup is complete, you must verify that you have configured EIM and network authentication service correctly and that single signon works as expected.

To verify that your single signon environment works correctly, have John Day follow these steps:

1. In iSeries Navigator, expand iSeries A to open a connection to iSeries A.

2. Press F5 to refresh the screen.

3. In the right pane, find iSeries A in the Name column, and verify that John Day's OS/400 user profile, JOHND, is displayed as the corresponding entry in the Signed On User column.

iSeries Navigator successfully used EIM to map the jday Kerberos principal to the JOHND iSeries A user profile because of the associations defined for EIM identifier, John Day. The iSeries Navigator session for iSeries A is now connected as JOHND.

Step 11: (Optional) Post configuration considerations

Now that you have finished this scenario, the only EIM user you have defined that EIM can use is the DN for the LDAP administrator. The LDAP administrator DN that you specified for the system user on iSeries A has a high level of authority to all data on the directory server. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited access control for EIM data. The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities. Typically, you might create at least the two following types of DNs:

• A user that has EIM administrator access control

  This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN could be used to connect to the domain controller when managing all aspects of the EIM domain by means of iSeries Navigator.

• At least one user that has all of the following access controls:
  – Identifier administrator
  – Registry administrator
  – EIM mapping operations

  This user provides the appropriate level of access control required for the system user that performs EIM operations on behalf of the operating system.

Note: To use this new DN for the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for each system. For this scenario, you need to change the EIM configuration properties for iSeries A. See Manage EIM configuration properties to learn how to change the system user DN.

Now that you have successfully created a test environment, you might want to explore implementing single signon on a larger scale. The scenario Enable single signon for OS/400 demonstrates how to do this.

Scenario: Enable single signon for OS/400

Situation

You are a network administrator who manages a network and network security for your company, including the Order Receiving department. You oversee the IT operations for a large number of employees who take customer orders over the telephone. You also supervise two other network administrators who help you maintain the network.

The employees in the Order Receiving department use Windows 2000 and OS/400 and require multiple passwords for the different applications they use every day. Consequently, you spend a lot of time managing and troubleshooting problems related to passwords and user identities, such as resetting forgotten passwords.

As the company's network administrator, you are always looking for ways to improve the business, starting with the Order Receiving department. You know that most of your employees need the same type of authority to access the application that they use to query inventory status. It seems redundant and time consuming for you to maintain individual user profiles and numerous passwords that are required in this situation. In addition, you know that all of your employees can benefit by using fewer user IDs and passwords. You want to do these things:

• Simplify the task of password management for the Order Receiving department. Specifically, you want to efficiently manage user access to the application your employees routinely use for customer orders.

• Decrease the use of multiple user IDs and passwords for the department employees, as well as for the network administrators. However, you do not want to make the Windows 2000 IDs and OS/400 user profiles the same nor do you want to use password caching or synching.

Based on your research, you know that OS/400 supports single signon, a solution that allows your users to log on once to access multiple applications and services that normally require them to log on with multiple user IDs and passwords. Because your users do not need to provide as many user IDs and passwords to do their jobs, you have fewer password problems to solve for them. Single signon seems to be an ideal solution because it allows you to simplify password management in the following ways:

• For typical users that require the same authority to an application, you can create policy associations. For example, you want the order clerks in the Order Receiving department to be able to log on once with their Windows user name and password and then be able to access a new inventory query application in the manufacturing department without having to be authenticated again. However, you also want to ensure that the level of authorization that they have when using this application is appropriate. To attain this goal, you decide to create a policy association that maps the Windows 2000 user identities for this group of users to a single OS/400 user profile that has the appropriate level of authority for running the inventory query application. Because this is a query-only application in which users cannot change data, you are not as concerned about detailed auditing for this application: once mapped, every clerk runs under the same OS/400 user profile, so OS/400 audit records cannot distinguish one clerk from another and the Windows logon is the only place where the individual is identified. Consequently, you feel confident that using a policy association in this situation conforms to your security policy.

  You create a policy association to map the group of order clerks with similar authority requirements to a single OS/400 user profile with the appropriate level of authority for the inventory query application. Your users benefit by having one less password to remember and one less logon to perform. As the administrator, you benefit by having to maintain only one user profile for user access to the application instead of multiple user profiles for everyone in the group.

• For each of your network administrators who have user profiles with special authorities, such as *ALLOBJ and *SECADM, you can create identifier associations. For example, you want all of the user identities for a single network administrator to be precisely and individually mapped to one another because of the administrator's high level of authority.

  Based on your company's security policy, you decide to create identifier associations to map specifically from each network administrator's Windows identity to his OS/400 user profile. You can more easily monitor and trace the activity of the administrator because of the one-to-one mapping that identifier associations provide. For example, you can monitor the jobs and objects that run on the system for a specific user identity. Your network administrator benefits by having one less password to remember and one less logon to perform. As the network administrator, you benefit by tightly controlling the relationships between all of your administrators' user identities.

This scenario has the following advantages:

• Simplifies the authentication process for users.
• Simplifies managing access to applications.
• Eases the overhead of managing access to servers in the network.
• Minimizes the threat of password theft.
• Avoids the need for multiple signons.
• Simplifies user identity management across the network.

Objectives

In this scenario, you are the administrator at MyCo, Inc. who wants to enable single signon for the users in the Order Receiving department.

The objectives of this scenario are as follows:

• iSeries A and iSeries B must participate in the MYCO.COM realm to authenticate the users and services that are participating in this single signon environment. To enable the systems to use Kerberos, iSeries A and iSeries B must be configured for network authentication service.

• The IBM Directory Server for iSeries (LDAP) on iSeries A must function as the domain controller for the new EIM domain.

  Note: Refer to domains to learn how two different types of domains, an EIM domain and a Windows 2000 domain, fit into the single signon environment.

• All user identities in the Kerberos registry must map successfully to a single OS/400 user profile with appropriate authority for user access to the inventory query application.

• Based on your security policy, two administrators, John Day and Sharon Jones, who also have user identities in the Kerberos registry, must have identifier associations to map these identities to their OS/400 user profiles which have *SECADM special authority. These one-to-one mappings enable you to closely monitor the jobs and objects that run on the system for these user identities.

• A Kerberos service principal must be used to authenticate the users to the IBM iSeries Access for Windows applications, including iSeries Navigator.

Details

The figure illustrates the following points relevant to this scenario.

EIM domain data defined for the enterprise

• Three registry definition names:

  – A registry definition name of MYCO.COM for the Windows 2000 server registry. You will define this when you use the EIM configuration wizard on iSeries A.

  – A registry definition name of ISERIESA.MYCO.COM for the OS/400 registry on iSeries A. You will define this when you use the EIM configuration wizard on iSeries A.

  – A registry definition name of ISERIESB.MYCO.COM for the OS/400 registry on iSeries B. You will define this when you use the EIM configuration wizard on iSeries B.

• Two default registry policy associations:

  Note: EIM lookup operation processing assigns the highest priority to identifier associations. Therefore, when a user identity is defined as a source in both a policy association and an identifier association, only the identifier association maps that user identity. In this scenario, two network administrators, John Day and Sharon Jones, both have user identities in the MYCO.COM registry, which is the source of the default registry policy associations. However, as shown below, these administrators also have identifier associations defined for their user identities in the MYCO.COM registry. The identifier associations ensure that their MYCO.COM user identities are not mapped by the policy associations. Instead, the identifier associations ensure that their user identities in the MYCO.COM registry are individually mapped to other specific individual user identities.

  – One default registry policy association maps all user identities in the Windows 2000 server registry called MYCO.COM to a single OS/400 user profile called SYSUSERA in the ISERIESA.MYCO.COM registry on iSeries A. For this scenario, mmiller and ksmith represent two of these user identities.

  – One default registry policy association maps all user identities in the Windows 2000 server registry called MYCO.COM to a single OS/400 user profile called SYSUSERB in the ISERIESB.MYCO.COM registry on iSeries B. For this scenario, mmiller and ksmith represent two of these user identities.

• Two EIM identifiers named John Day and Sharon Jones to represent the two network administrators in the company who have those names.

• For the John Day EIM identifier, these identifier associations are defined:

  – A source association for the jday user identity, which is a Kerberos principal in the Windows 2000 server registry.
  – A target association for the JOHND user identity, which is a user profile in the OS/400 registry on iSeries A.
  – A target association for the DAYJO user identity, which is a user profile in the OS/400 registry on iSeries B.

• For the Sharon Jones EIM identifier, these identifier associations are defined:

  – A source association for the sjones user identity, which is a Kerberos principal in the Windows 2000 server registry.
  – A target association for the SHARONJ user identity, which is a user profile in the OS/400 registry on iSeries A.
  – A target association for the JONESSH user identity, which is a user profile in the OS/400 registry on iSeries B.
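The following is an added worked example, not part of the original IBM page and not OS/400's EIM implementation. It models the lookup rule stated in the note above (identifier associations take priority over policy associations) and the results that Step 8 (Test EIM identity mappings) in the test-environment scenario expects from the Test a mapping dialog (Target user JOHND, Origin EIM Identifier: John Day). The resolver holds exactly the MyCoEimDomain data listed in this Details section: identifier associations for John Day and Sharon Jones and the two default registry policy associations to SYSUSERA and SYSUSERB. The class and method names are the example's own, and the per-registry enablement sets stand in for configuration step 12 (enable registries to participate in lookup operations and to use policy associations).

```python
"""Toy model of EIM mapping lookup processing for the MyCo scenario.

Added illustration, not IBM code. Registry names, user identities and
policy associations are the ones in the scenario's Details section; the
priority rule (identifier associations win over policy associations) is
the one stated in the note on default registry policy associations.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identifier:
    """An EIM identifier (one person) together with its associations."""
    name: str
    # source associations: (registry, user) identities a lookup may start from
    sources: set = field(default_factory=set)
    # target associations: target registry -> user identity to map to
    targets: dict = field(default_factory=dict)


@dataclass
class EimDomain:
    identifiers: dict = field(default_factory=dict)
    # default registry policy associations:
    # (source registry, target registry) -> the single target user profile
    policies: dict = field(default_factory=dict)
    # registries enabled for mapping lookups / for using policy associations
    # (stands in for scenario step 12); a registry that is not enabled maps nothing
    lookup_enabled: set = field(default_factory=set)
    policy_enabled: set = field(default_factory=set)

    def identifier(self, name: str) -> Identifier:
        return self.identifiers.setdefault(name, Identifier(name))

    def add_source(self, ident: str, registry: str, user: str) -> None:
        self.identifier(ident).sources.add((registry, user))

    def add_target(self, ident: str, registry: str, user: str) -> None:
        self.identifier(ident).targets[registry] = user

    def add_default_registry_policy(self, src_reg: str, tgt_reg: str, user: str) -> None:
        self.policies[(src_reg, tgt_reg)] = user

    def lookup(self, src_reg: str, src_user: str, tgt_reg: str) -> Optional[tuple]:
        """Mapping lookup; returns (target user, origin) as the Test a mapping dialog reports it."""
        if src_reg not in self.lookup_enabled or tgt_reg not in self.lookup_enabled:
            return None
        # 1. Identifier associations have the highest priority. Once the source
        #    identity is found as a source of some identifier, only that
        #    identifier's target associations are used; policies are not consulted.
        for ident in self.identifiers.values():
            if (src_reg, src_user) in ident.sources:
                user = ident.targets.get(tgt_reg)
                return None if user is None else (user, f"EIM Identifier: {ident.name}")
        # 2. Otherwise fall back to the default registry policy association for
        #    the (source registry, target registry) pair, if the target registry
        #    has been enabled to use policy associations.
        if tgt_reg in self.policy_enabled:
            user = self.policies.get((src_reg, tgt_reg))
            if user is not None:
                return user, f"Policy association: {src_reg} -> {tgt_reg}"
        return None


def build_myco_domain() -> EimDomain:
    """MyCoEimDomain as described in the 'Enable single signon for OS/400' scenario."""
    d = EimDomain()
    win, a, b = "MYCO.COM", "ISERIESA.MYCO.COM", "ISERIESB.MYCO.COM"
    d.lookup_enabled.update({win, a, b})
    d.policy_enabled.update({a, b})
    # Two default registry policy associations: everyone in MYCO.COM -> SYSUSERA / SYSUSERB
    d.add_default_registry_policy(win, a, "SYSUSERA")
    d.add_default_registry_policy(win, b, "SYSUSERB")
    # Identifier associations for the two administrators (one source, two targets each)
    d.add_source("John Day", win, "jday")
    d.add_target("John Day", a, "JOHND")
    d.add_target("John Day", b, "DAYJO")
    d.add_source("Sharon Jones", win, "sjones")
    d.add_target("Sharon Jones", a, "SHARONJ")
    d.add_target("Sharon Jones", b, "JONESSH")
    return d


if __name__ == "__main__":
    dom = build_myco_domain()
    # mmiller and ksmith are the two clerks the Details section names; they have
    # no identifier associations and therefore fall through to the policies.
    for user in ("jday", "sjones", "mmiller", "ksmith"):
        for target in ("ISERIESA.MYCO.COM", "ISERIESB.MYCO.COM"):
            print(f"{user}@MYCO.COM -> {target}: {dom.lookup('MYCO.COM', user, target)}")
```

Running it shows jday mapping to JOHND on iSeries A and DAYJO on iSeries B while mmiller and ksmith land on SYSUSERA and SYSUSERB. Removing a target registry from policy_enabled makes the clerks' lookups return nothing while the administrators' identifier mappings still succeed, which is the same split you would see on a real system if step 12 were skipped for that registry.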

Windows 2000 server

• Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
• The default realm for the Kerberos server is MYCO.COM.
• All Microsoft Windows Active Directory users that do not have identifier associations are mapped to a single OS/400 user profile on each of the iSeries systems.

iSeries A

• Runs OS/400 Version 5 Release 3 (V5R3) with the following options and licensed products installed:
  – OS/400 Host Servers (5722-SS1 Option 12)
  – Qshell Interpreter (5722-SS1 Option 30)
  – iSeries Access for Windows (5722-XE1)
  – Cryptographic Access Provider (5722-AC3)

  Note: You can implement this scenario using a server that runs V5R2. However, some of the configuration steps will be slightly different. In addition, this scenario demonstrates some of the single signon function that is only available in V5R3, such as policy associations. See What's new for V5R3 for more information about single signon enhancements for V5R3.

• The directory server on iSeries A will be configured to be the EIM domain controller for the new EIM domain, MyCoEimDomain.
• Participates in the EIM domain, MyCoEimDomain.
• Has the service principal name of krbsvr400/iseriesa.myco.com@MYCO.COM.
• Has the fully qualified host name of iseriesa.myco.com. This name is registered in a single Domain Name System (DNS) to which all PCs and servers in the network point.
• Home directories on iSeries A store the Kerberos credentials caches for OS/400 user profiles.

iSeries B

• Runs OS/400 Version 5 Release 3 (V5R3) with the following options and licensed products installed:
  – OS/400 Host Servers (5722-SS1 Option 12)
  – Qshell Interpreter (5722-SS1 Option 30)
  – iSeries Access for Windows (5722-XE1)
  – Cryptographic Access Provider (5722-AC3)
• Has the fully qualified host name of iseriesb.myco.com. This name is registered in a single Domain Name System (DNS) to which all PCs and servers in the network point.
• The principal name for iSeries B is krbsvr400/iseriesb.myco.com@MYCO.COM.
• Participates in the EIM domain, MyCoEimDomain.
• Home directories on iSeries B store the Kerberos credentials caches for OS/400 user profiles.

Administrative PC

• Runs Microsoft Windows 2000 operating system.
• Runs V5R3 iSeries Access for Windows (5722-XE1).
• Runs iSeries Navigator with the following subcomponents installed:
  – Network
  – Security
  – Users and Groups
• Serves as the primary logon system for the administrator.
• Configured to be part of the MYCO.COM realm (Windows domain).

Prerequisites and assumptions

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

1. All system requirements, including software and operating system installation, have been verified. To verify that these licensed programs have been installed, complete the following:

   a. In iSeries Navigator, expand your iSeries server → Configuration and Service → Software → Installed Products.
   b. Ensure that all the necessary licensed programs are installed.

2. All necessary hardware planning and setup are complete.

3. TCP/IP and basic system security are configured and tested on each system.

4. The directory server and EIM should not be previously configured on iSeries A.

   Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on iSeries A. However, if you already configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.

5. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.

   Note: The use of host tables with Kerberos authentication may result in name resolution errors or other problems. For more detailed information about how host name resolution works with Kerberos authentication, see Host name resolution considerations.

Configuration steps

Note: You need to thoroughly understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single signon:

• Enterprise Identity Mapping (EIM)
• Network authentication service

1. Complete the planning worksheets
2. Create a basic single signon configuration for iSeries A
3. Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service
4. Add both OS/400 service principals to the Kerberos server
5. Create user profiles on iSeries A and iSeries B
6. Create home directories on iSeries A and iSeries B
7. Test network authentication service on iSeries A and iSeries B
8. Create EIM identifiers for two administrators, John Day and Sharon Jones
9. Create identifier associations for John Day
10. Create identifier associations for Sharon Jones
11. Create default registry policy associations
12. Enable registries to participate in lookup operations and to use policy associations
13. Test EIM identity mappings
14. Configure iSeries Access for Windows applications to use Kerberos authentication
15. Verify network authentication service and EIM configuration
16. (Optional) Post configuration considerations

Scenario details: Enable single signon for OS/400

Step 1: Complete the planning worksheets

The following planning worksheets are tailored to fit this scenario based on the general single signon planning worksheets. These planning worksheets demonstrate the information that you need to gather and the decisions you need to make as you prepare to configure the single signon implementation described by this scenario. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the worksheet and you should gather all the information necessary to complete the worksheets before you perform any configuration tasks.

Note: You need to thoroughly understand the concepts related to single signon, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single signon:

• Enterprise Identity Mapping (EIM)
• Network authentication service

Table 3. Single signon prerequisite worksheet

Prerequisite worksheet                                  Answers
