Single signon possibilities for iSeries Mandy Shaw, Logicalis (with many thanks to Pat Botz of IBM Rochester)
Simplify your infrastructure: single level signon
• What Every Enterprise Wants
• Protect access to enterprise resources at lowest possible cost
• What Every User Wants
• Highest possible convenience and productivity
• Not to have to remember or change passwords

SSO Definition
• What we mean by SSO
• The ability of an end user to sign in to the enterprise network and run multi-tier applications without being prompted again for authentication data, and without requiring the end user to have the same user ID and/or password on every system.
• What we don’t mean by SSO
• Same user id everywhere
• Same password everywhere
• Centralized storing/caching of passwords
• LDAP Authentication

Kerberos and Enterprise Identity Mapping
• Kerberos involves the acceptance of a single authentication by ‘Kerberised’ applications, avoiding the need for passwords
• EIM links user ids for different servers, at individual or group level
• EIM can be used without Kerberos; Kerberos can be used without EIM
Nirvana (diagram): John Smith has one user ID, u:JSimth p:myonepwd, across Windows 2000/NT, NetServer, NDS, Extranet / Internet, WebSphere, Linux, iSeries (intranet user), AIX and RACF on z/OS.

OS/400 approach gets you here (diagram): across Windows NT/98/95, Windows 2000/2003 Server, NetServer, WebSphere, NDS, Linux, iSeries, AIX and RACF on z/OS, John Smith still has separate user IDs (u:John Smith, u:JSimth, u:John, u:Smith1, u:JoSm05, etc.), but only one of them carries a password: u:JohnSmith p:myonepwd, u:simthj p:*NONE, u:John p:*NONE, u:Smith1 p:*NONE, u:JoSm05 p:*NONE, etc.
OS/400 implementation elements
• Kerberos
• OS/400 can store KDC and do Kerberos authentication
• Typically, it won’t
• EIM
• Identifiers for individuals
• Maps identifiers to user ids in registries
• Network Authentication Service
• Identifies where the Kerberos authentication is done, and for which apps
• LDAP directory
• used purely to store EIM data
• Applications
• NetServer, iSeries Navigator, Management Central, PC5250, QFileSvr.400, …
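The two slides above describe the mechanism in words: a Kerberised application accepts the Kerberos ticket, then asks EIM to map the principal (the "source" user in the Kerberos registry) to a user id in the application's own registry, without ever touching the OS/400 password. The following Python is an added illustration of that lookup, not code from the slides and not IBM's EIM API. It is a simplified model of EIM's identifier associations (source user to identifier, identifier to target user) plus a default registry policy as fallback; the domain contents, registry names (MYCO.LOCAL, ISERIES1, RACF, AIX1) and principals are constructed sample data, and using the Kerberos realm name as the source registry name is an assumption made for the example.

```python
"""Simplified model of an EIM mapping lookup behind a Kerberised OS/400 signon.

Added illustration, not code from the original slides or IBM's EIM API. The
registries, identifiers and associations are constructed sample data, and the
lookup rules are a simplified reading of EIM identifier/policy associations.
"""
from collections import defaultdict


class NoMapping(Exception):
    """No identifier or policy association yields a target user."""


class AmbiguousMapping(Exception):
    """More than one target user was found; the lookup must fail rather than guess."""


class EimDomain:
    def __init__(self):
        # source associations: (registry, user) -> EIM identifier
        self._source = {}
        # target associations: identifier -> {registry: set(users)}
        self._target = defaultdict(lambda: defaultdict(set))
        # default registry policy: (source registry, target registry) -> user
        self._policy = {}

    def add_identifier(self, identifier, sources, targets):
        """sources/targets are lists of (registry, user) pairs."""
        for registry, user in sources:
            self._source[(registry, user)] = identifier
        for registry, user in targets:
            self._target[identifier][registry].add(user)

    def add_registry_policy(self, source_registry, target_registry, user):
        self._policy[(source_registry, target_registry)] = user

    def lookup(self, source_registry, source_user, target_registry):
        """Mapping lookup: source user -> identifier -> target user (or policy)."""
        identifier = self._source.get((source_registry, source_user))
        if identifier is not None:
            targets = self._target[identifier].get(target_registry, set())
            if len(targets) > 1:
                raise AmbiguousMapping(f"{identifier!r} has {len(targets)} users in {target_registry}")
            if len(targets) == 1:
                return next(iter(targets))
        # No individual mapping: fall back to a default registry policy, if one exists.
        policy_user = self._policy.get((source_registry, target_registry))
        if policy_user is None:
            raise NoMapping(f"{source_user}@{source_registry} -> {target_registry}")
        return policy_user


def kerberos_principal_parts(principal):
    """Split user@REALM. Assumption for this example: the realm is the source registry name."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return user, realm


def build_sample_domain():
    """Constructed sample EIM domain; none of these names are real systems or people."""
    d = EimDomain()
    d.add_identifier("John Smith",
                     sources=[("MYCO.LOCAL", "jsmith")],
                     targets=[("ISERIES1", "JSMITH"), ("RACF", "JOHN1")])
    d.add_identifier("Jane Doe",
                     sources=[("MYCO.LOCAL", "jdoe")],
                     targets=[("ISERIES1", "JDOE")])
    # Misconfigured identifier with two OS/400 profiles in one registry: must fail.
    d.add_identifier("Bob Lee",
                     sources=[("MYCO.LOCAL", "blee")],
                     targets=[("ISERIES1", "BLEE"), ("ISERIES1", "BOBL")])
    # Anyone else from the realm lands on a low-privilege default profile.
    d.add_registry_policy("MYCO.LOCAL", "ISERIES1", "GUEST")
    return d


def signon(principal, target_registry, domain=None):
    """Resolve an already-authenticated Kerberos principal to a profile on target_registry.

    Returns 'OK <user>', 'AMBIGUOUS' or 'NO MAPPING'. The target profile's
    password is never consulted, which is why it can be set to *NONE.
    """
    domain = domain or build_sample_domain()
    user, realm = kerberos_principal_parts(principal)
    try:
        return f"OK {domain.lookup(realm, user, target_registry)}"
    except AmbiguousMapping:
        return "AMBIGUOUS"
    except NoMapping:
        return "NO MAPPING"


if __name__ == "__main__":
    for principal, registry in [("jsmith@MYCO.LOCAL", "ISERIES1"), ("jsmith@MYCO.LOCAL", "RACF"),
                                ("newhire@MYCO.LOCAL", "ISERIES1"), ("blee@MYCO.LOCAL", "ISERIES1"),
                                ("jsmith@MYCO.LOCAL", "AIX1")]:
        print(f"{principal:22} -> {registry:9}: {signon(principal, registry)}")
```

The ambiguous case is the one worth watching in a real deployment: an identifier that resolves to two profiles in the same registry cannot be used for signon, so the application falls back to prompting or denies access, and the fix is in the EIM associations rather than in the application.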
Benefits
• Whatever the user profile password is set to, it is not used for authentication, and can therefore be set to *NONE
• No need to store/cache passwords
• Exploits the signon technology that the significant majority of end users already use when they sign on
• Comparatively small overhead to implement and manage over time
• Use within application development

Things to consider
• EIM doesn’t create or delete users: it just maps them and saves management time
• Use with V5R2 requires appropriate PTFs
• Kerberos authentication doesn’t yet cover all possible OS/400 applications (e.g. FTP)
• Domino and WebSphere currently require special treatment
• Domino: consider Active Directory integration
• WebSphere: consider identity tokens or Domino integration