Windows-based single signon and the EIM framework on the IBM eServer iSeries server
Support for a Kerberos-based Network Authentication Service and the introduction of Enterprise Identity Mapping (EIM) were exciting OS/400® V5R2 announcements during 2002. A Kerberos-based Network Authentication Service enables the iSeries (and any Kerberized application) to use a Kerberos ticket fo...
Main author: | |
---|---|
Other authors: | |
Format: | E-book |
Language: | English |
Published: | White Plains, N.Y. : IBM, c2004. |
Edition: | [First edition] |
Series: | IBM redbooks. |
Subjects: | |
View at Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009755136206719 |
Table of contents:
- Front cover
- Contents
- Notices
- Trademarks
- Preface
- The team that wrote this redbook
- Become a published author
- Comments welcome
- Part 1 Introduction to single signon and Enterprise Identity Mapping
- Chapter 1. An overview of single signon
- 1.1 Why single signon?
- 1.1.1 What is single signon?
- 1.1.2 What are the benefits of single signon?
- 1.2 Vertical versus horizontal SSO
- 1.2.1 Vertical SSO
- 1.2.2 Horizontal SSO
- 1.2.3 Vertical and horizontal signon work together
- 1.3 How SSO works
- 1.3.1 Authentication, authorization and auditing
- 1.3.2 What is Kerberos?
- 1.4 SSO with Enterprise Identity Mapping
- 1.4.1 Why Kerberos alone is not enough
- 1.4.2 The IBM single signon strategy
- 1.4.3 Possible costs of SSO with EIM
- 1.4.4 Benefits of EIM
- 1.4.5 SSO in the on demand world
- 1.5 Currently enabled iSeries applications
- Chapter 2. Planning for Network Authentication Service and Enterprise Identity Mapping implementation
- 2.1 Required OS/400 components
- 2.2 Required network components
- 2.2.1 General TCP/IP considerations
- 2.2.2 Time / SNTP
- 2.3 Planning your EIM implementation
- 2.3.1 Selecting the system to act as the domain controller
- 2.3.2 Administering EIM
- 2.3.3 Naming conventions
- 2.3.4 EIM associations
- 2.4 Information to collect before you start
- Chapter 3. The redbook example scenario
- 3.1 Scenario overview
- 3.2 Objectives
- 3.2.1 Make effective use of Kerberos
- 3.2.2 Network Authentication Service
- 3.2.3 EIM in action
- 3.2.4 Managing users in EIM
- 3.2.5 Backing up EIM
- 3.2.6 Kerberos enabling an application
- 3.2.7 EIM enabling an application
- 3.2.8 A second iSeries
- Part 2 Building blocks for single signon and Enterprise Identity Mapping
- Chapter 4. Kerberos Network Authentication
- 4.1 An introduction to Kerberos
- 4.1.1 The need for Kerberos
- 4.1.2 Kerberos versions
- 4.1.3 Authentication versus authorization
- 4.2 The components of the Kerberos protocol
- 4.2.1 Kerberos Tickets
- 4.2.2 Principals and realms
- 4.2.3 The Key Distribution Center
- 4.2.4 Kerberos Security
- 4.2.5 Kerberos and Microsoft
- 4.2.6 Kerberos commands
- 4.3 Kerberos summary
- 4.3.1 Where to obtain Kerberos
- Chapter 5. iSeries Network Authentication Service
- 5.1 Managing Network Authentication Service
- 5.1.1 Parameters in the General window
- 5.1.2 Parameters on the Host Resolution window
- 5.1.3 Parameters on the Checksum window
- 5.1.4 Parameters on the Tickets window
- 5.2 Administrative tasks in iSeries Navigator
- 5.2.1 Adding a realm
- 5.2.2 Deleting a Realm
- 5.2.3 Adding and Removing Key Distribution Centers
- 5.2.4 Adding and Removing Password Servers
- 5.2.5 Creating and removing cross realm trusts
- 5.3 Kerberos Client tasks through Qshell Interpreter
- 5.3.1 Using the kinit command
- 5.3.2 Using the klist command
- 5.3.3 Using the keytab command
- 5.3.4 Using the kpasswd command
- 5.3.5 Using the kdestroy command
- 5.3.6 Using the ksetup command
- 5.4 More information
- Chapter 6. Enterprise Identity Mapping
- 6.1 EIM overview
- 6.1.1 The problem of managing multiple user registries
- 6.1.2 Current approaches
- 6.1.3 The EIM approach
- 6.2 Benefits of single signon
- 6.2.1 Benefits for users
- 6.2.2 Benefits for administrators
- 6.2.3 Benefits for application developers
- 6.3 EIM components
- 6.3.1 EIM domain controller
- 6.3.2 EIM domain
- 6.3.3 EIM identifiers
- 6.3.4 EIM registry definitions
- 6.3.5 EIM associations
- 6.3.6 EIM lookup operations
- 6.3.7 EIM authorities
- 6.3.8 Setting Up EIM Authorities
- 6.4 APIs available to work with the EIM environment
- 6.5 Three steps to success
- 6.5.1 Collection
- 6.5.2 Collation
- 6.5.3 Population
- 6.6 EIM User Management
- 6.6.1 Disabling users
- 6.6.2 Users changing names
- 6.6.3 Changing roles
- 6.6.4 Consolidated passwords
- 6.7 EIM server management situations
- 6.7.1 Clustered servers
- 6.7.2 Server migration and consolidation
- 6.7.3 Application registries and user groups
- Part 3 Installation and configuration
- Chapter 7. Enabling Network Authentication Service and Enterprise Identity Mapping
- 7.1 Configure Network Authentication Service
- 7.1.1 Setting up Network Authentication Service with iSeries Navigator wizard
- 7.1.2 Create Kerberos principal for your iSeries server
- 7.1.3 Verify Network Authentication Service setup
- 7.2 Enable EIM
- 7.2.1 Using EIM configuration wizard
- 7.2.2 Add the EIM domain to be managed
- 7.2.3 Using iSeries Navigator to add identifiers and associations
- 7.3 Enable IBM iSeries applications for single signon
- 7.3.1 Getting ready
- 7.3.2 Enabling iSeries Navigator single signon
- 7.3.3 iSeries Access 5250 emulation single signon
- Chapter 8. Other scenarios
- 8.1 The Bike Shop scenario
- 8.1.1 EIM solution overview
- 8.1.2 The components
- 8.1.3 The J2EE application in more detail
- 8.1.4 The EIS applications
- 8.1.5 Notes about setting up and compiling the example code
- 8.1.6 Compiling files and setting up the physical file and logical file authorities
- 8.1.7 Compiling the RPGLE examples
- 8.1.8 Compiling and deploying the Java examples
- 8.2 Using remote SQL with single signon
- 8.3 Enabling another iSeries server for single signon
- 8.3.1 Before you begin
- 8.3.2 Configuring the Network Authentication Service
- 8.3.3 Adding the iSeries server to the EIM domain
- 8.3.4 Adding associations
- 8.3.5 Verify single signon for your new iSeries server
- 8.4 Enabling NetServer for single signon
- 8.4.1 Getting ready
- 8.4.2 Preparing NetServer for parallel use of SSO and legacy connection
- 8.4.3 Checking and setting up NetServer properties
- 8.4.4 Creating the NetServer Kerberos principals
- 8.4.5 Creating the key tables on the iSeries server
- 8.4.6 Verifying single signon with the NetServer
- 8.5 Enabling Domino Web Access for single signon and EIM
- 8.5.1 Overview
- 8.5.2 Prerequisites
- 8.5.3 Set up
- 8.5.4 Downloading the source code
- 8.5.5 Recompilation of the DSAPI exit program on your iSeries
- 8.6 Where to find more information
- 8.7 Enabling Web Express Logon for WebSphere Host on-Demand
- Chapter 9. Programming APIs and examples
- 9.1 Java EIM API
- 9.2 Java classes and interfaces
- 9.2.1 DomainManager class
- 9.2.2 The java.util.Set class
- 9.2.3 Domain class
- 9.2.4 Registry interface
- 9.2.5 SystemRegistry interface
- 9.2.6 ApplicationRegistry interface
- 9.2.7 RegistryAlias class
- 9.2.8 Eid interface
- 9.2.9 RegistryUser interface
- 9.2.10 ConnectInfo class
- 9.2.11 SSLInfo class
- 9.2.12 AccessContext interface
- 9.2.13 UserAccess class
- 9.2.14 EIMException class
- 9.3 Security in the Java classes
- 9.3.1 DomainManager class
- 9.3.2 Domain class
- 9.3.3 Registry interface
- 9.3.4 Eid class
- 9.3.5 RegistryUser class
- 9.4 Java example: ReportEIM
- 9.4.1 Constants
- 9.4.2 The createAssociationTypeMap method
- 9.4.3 The createRegistryTypeHashMap method
- 9.4.4 The getDomain method
- 9.4.5 The getAllDomains method
- 9.4.6 The createDomain method
- 9.4.7 The getRegistries method
- 9.4.8 The createRegistries method
- 9.4.9 The getEids method
- 9.4.10 The createEids method
- 9.4.11 The outputDomainInfo method
- 9.4.12 The outputRegistryInformation method
- 9.4.13 The outputRegistryAliasInformation method
- 9.4.14 The outputRegistryUserInfo method
- 9.4.15 The outputEidInfo method
- 9.4.16 The outputStringInformation method
- 9.4.17 The outputAssociationInfo method
- 9.4.18 The deleteEIMDomain method
- 9.4.19 The startReport method
- 9.5 Java example: EIMAuthorities
- 9.5.1 The createEIMAuthoritiesHashMap method
- 9.5.2 Using the AccessContext class
- 9.5.3 Using the UserAccess class
- 9.6 Kerberizing an application
- 9.7 C EIM API
- 9.8 C Generic Security Service (GSS) API
- 9.9 EIM demo tool
- Part 4 Appendices
- Appendix A. Backup and recovery
- Microsoft Active Directory
- Objects on your iSeries system
- The iSeries Network Authentication Service objects
- The EIM domain on the iSeries LDAP directory server
- The iSeries EIM configuration
- Sample CL program to save your data
- Appendix B. Troubleshooting
- Common problems and solutions
- Unable to connect to domain controller
- List EIM identifiers takes a long time
- EIM Configuration wizard hangs during finish processing
- EIM handle is no longer valid
- Cannot connect with NetServer
- Kerberos authentication and diagnostic messages
- Errors when running client commands in QSH
- iSeries Access Diagnostic Tools
- Troubleshooting WebSphere Host On-Demand
- Appendix C. Windows 2000 Kerberos tools
- Introduction
- Support tools installation
- Support tools verification
- Finding the ktpass command
- Verify the system path
- Running the ktpass command
- Klist command
- Kerbtray
- Appendix D. Planning forms
- Prerequisites checklist
- Configuration planning worksheets
- Appendix E. Available EIM products
- BlueNotes EIM Administration Suite
- Overview
- Collection and collation
- Population
- Summary
- SafeStone's AxcessIT - Automated EIM Management
- Overview
- Orphaned Target Account processing
- Register Target Account processing
- Population process
- Technical overview
- TriAWorks Identity Manager for Single Sign-On
- Population