© Logicalis Group Single signon possibilities for iSeries Mandy Shaw, Logicalis (with many thanks to Pat Botz of IBM Rochester)
Page 1

© Logicalis Group

Single signon possibilities for iSeries

Mandy Shaw, Logicalis

(with many thanks to Pat Botz of IBM Rochester)

Page 2

Simplify your infrastructure: single level signon

What Every Enterprise Wants

Protect access to enterprise resources at lowest possible cost

What Every User Wants

Highest possible convenience and productivity

Not to have to remember or change passwords

Page 3

SSO Definition

What we mean by SSO

The ability of an end user to sign in to the enterprise network and run multi-tier applications without being prompted again for authentication data, and without requiring the end user to have the same user ID and/or password on every system.

What we don’t mean by SSO

Same user id everywhere

Same password everywhere

Centralized storing/caching of passwords

LDAP Authentication

Page 4

Kerberos and Enterprise Identity Mapping

Kerberos lets ‘Kerberised’ applications accept a single authentication, so the user does not have to enter a password for each of them

EIM links user ids for different servers, at individual or group level

EIM can be used without Kerberos; Kerberos can be used without EIM

Page 5

Figure: the ideal (“Nirvana”). John Smith has a single user ID and password, u:JSimth p:myonepwd, and with it reaches every system: z/OS RACF, iSeries, WebSphere, NetServer, intranet user, AIX, Windows 2000/NT, Linux, NDS, and the extranet / internet.

Page 6

Figure: John Smith's user IDs today, one per system: z/OS RACF, iSeries, WebSphere, NetServer, intranet user, AIX, Windows 2000/2003 Server, Linux, NDS, Windows NT/98/95.

John Smith's user IDs:

u:John Smith
u:JSimth
u:John
u:Smith1
u:JoSm05
etc.

The same user IDs with the OS/400 approach (one password; the other profiles set to *NONE):

u:JohnSmith p:myonepwd
u:simthj p:*NONE
u:John p:*NONE
u:Smith1 p:*NONE
u:JoSm05 p:*NONE
etc.

OS/400 approach gets you here

Page 7

OS/400 implementation elements

LDAP directory
• used purely to store EIM data

EIM
• Identifiers for individuals
• Maps identifiers to user ids in registries

Kerberos
• OS/400 can host a KDC and do Kerberos authentication
• Typically, it won’t

Network Authentication Service
• Identifies where the Kerberos authentication is done, and for which apps

Applications
• NetServer, iSeries Navigator, Management Central, PC5250, QFileSvr.400, …

Page 8

Benefits

Whatever the user profile password is set to, it is not used for authentication, so it can be set to *NONE

No need to store/cache passwords

Reuses the signon technology that the great majority of end users already use when they sign on

Comparatively small overhead to implement and manage over time

Can be used within application development

Page 9

Things to consider

EIM doesn’t create or delete users: it just maps them and saves management time

Use with V5R2 requires appropriate PTFs

Kerberos authentication doesn’t yet cover all possible OS/400 applications (e.g. FTP)

Domino and WebSphere currently require special treatment

Domino: consider Active Directory integration

WebSphere: consider identity tokens or Domino integration
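Added example (not IBM's EIM implementation or API): a small Python model of the EIM mapping lookup outlined on pages 4 and 7, and of the page 9 point that EIM only maps users and never creates them. The registries (EXAMPLE.COM, ISERIES1, RACF.PROD), user IDs and the Kerberos principal are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class EimDomain:
    """Toy EIM domain: identifiers plus source and target associations."""
    identifiers: set = field(default_factory=set)
    source: dict = field(default_factory=dict)  # (registry, user) -> identifier
    target: dict = field(default_factory=dict)  # identifier -> {registry: user}

    def add_identifier(self, ident: str) -> None:
        self.identifiers.add(ident)

    def add_source(self, ident: str, registry: str, user: str) -> None:
        # Source association: "this registry user is this person".
        if ident not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {ident!r}")
        self.source[(registry, user)] = ident

    def add_target(self, ident: str, registry: str, user: str) -> None:
        # Target association: "this person runs as this user in that registry".
        if ident not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {ident!r}")
        self.target.setdefault(ident, {})[registry] = user

    def lookup(self, src_registry: str, src_user: str, tgt_registry: str):
        # Mapping lookup: source user -> identifier -> target user.
        # A missing association yields None: EIM does not create a profile.
        ident = self.source.get((src_registry, src_user))
        if ident is None:
            return None
        return self.target.get(ident, {}).get(tgt_registry)


def build_sample_domain() -> EimDomain:
    # Constructed sample data: one person, one Kerberos source, two targets.
    d = EimDomain()
    d.add_identifier("John Smith")
    d.add_source("John Smith", "EXAMPLE.COM", "jsmith")  # principal jsmith@EXAMPLE.COM
    d.add_target("John Smith", "ISERIES1", "JSMITH")     # OS/400 profile, password *NONE
    d.add_target("John Smith", "RACF.PROD", "SMITH1")
    return d


def sso_user_for(domain: EimDomain, principal: str, tgt_registry: str):
    """Given a Kerberos-authenticated principal, return the local user to run as."""
    if "@" not in principal:
        return None
    user, realm = principal.split("@", 1)
    return domain.lookup(realm, user, tgt_registry)
```

The Kerberos realm is treated as the source registry name, so the same principal resolves to a different local user on each target system without any password being stored in the domain.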