ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzos400enable.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="i5/OS enablement" />
<meta name="abstract" content="This information explains the i5/OS considerations for the enablement of single signon, and which i5/OS applications and programs can participate in a single signon environment." />
<meta name="description" content="This information explains the i5/OS considerations for the enablement of single signon, and which i5/OS applications and programs can participate in a single signon environment." />
<meta name="DC.Relation" scheme="URI" content="rzamzconcepts.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzos400enable" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>i5/OS enablement</title>
</head>
<body id="rzamzos400enable"><a name="rzamzos400enable"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">i5/OS enablement</h1>
<div><p>This information explains the <span class="keyword">i5/OS™</span> considerations
for the enablement of single signon, and which <span class="keyword">i5/OS</span> applications
and programs can participate in a single signon environment.</p>
<p>The <span class="keyword">i5/OS</span> implementation
of Enterprise Identity Mapping (EIM) and Kerberos (referred to as network
authentication services) provides a true multi-tier single signon environment.
The network authentication service is IBM's implementation of Kerberos and
the Generic Security Service (GSS) APIs. You can use EIM to define associations
that will provide a mapping between a Kerberos principal and an <span class="keyword">i5/OS</span> user
profile. You can then use this association to determine which EIM identifier
corresponds to a local <span class="keyword">i5/OS</span> user
profile or Kerberos principal. This is one of the benefits of enabling single
signon in <span class="keyword">i5/OS</span> on the
server.</p>
<div class="section"><h4 class="sectiontitle">i5/OS enablement
of single signon</h4><p>To enable a single signon environment, IBM<sup>®</sup> exploits two
technologies that work together: EIM and Network authentication service, which
is IBM's implementation of Kerberos and the GSS APIs. By configuring these
two technologies, an administrator can enable a single signon environment. <span class="keyword">Windows<sup>®</sup> 2000</span>, XP, AIX<sup>®</sup>, and zSeries<sup>®</sup> use the Kerberos protocol to authenticate
users to the network. Kerberos involves the use of a network-based, secure
key distribution center (KDC), which authenticates principals (Kerberos users) to
the network. The fact that a user has authenticated to the KDC is represented
by a Kerberos ticket. A ticket can be passed from a user to a service that
accepts tickets. The service accepting a ticket uses it to determine who the
user claims to be (within the Kerberos user registry and realm) and that they
are in fact who they claim to be.</p>
<p>While network authentication service
allows a server to participate in a Kerberos realm, EIM provides a mechanism
for associating these Kerberos principals to a single EIM identifier that
represents that user within the entire enterprise. Other user identities,
such as an <span class="keyword">i5/OS</span> user name,
can also be associated with this EIM identifier. Based on these associations,
EIM provides a mechanism for <span class="keyword">i5/OS</span> and
applications to determine which <span class="keyword">i5/OS</span> user
profile represents the person or entity represented by the Kerberos principal.
You can think of the information in EIM as a tree with an EIM identifier as
the root, and the list of user identities associated with the EIM identifier
as the branches.</p>
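<p>The lookup described above, as an added example that is not IBM code and does not use the EIM APIs: a small Python model of the tree, with an EIM identifier as the root and (registry, user) pairs as the branches. All registry, realm and profile names are constructed, and the lookup refuses to map when the result is missing or ambiguous.</p>
<pre>
```python
from dataclasses import dataclass, field


class MappingError(Exception):
    """The principal does not map to exactly one local user profile."""


@dataclass
class EimIdentifier:
    name: str                                       # root: one person or entity
    identities: set = field(default_factory=set)    # branches: (registry, user)


def sample_domain():
    # Constructed data; every registry, realm and profile name is hypothetical.
    return [
        EimIdentifier("John Smith", {("EXAMPLE.COM", "jsmith"),
                                     ("SYSTEMA", "JOHNS"),
                                     ("SYSTEMB", "SMITHJ")}),
        EimIdentifier("Ann Lee", {("EXAMPLE.COM", "alee"),
                                  ("SYSTEMA", "ANNL")}),
    ]


def map_principal(domain, principal, local_registry):
    """Return (EIM identifier name, local profile) for an authenticated principal.

    The principal must come from a ticket the service has already validated;
    this lookup only maps an identity, it does not authenticate anyone.
    """
    user, sep, realm = principal.rpartition("@")
    if not (sep and user and realm):
        raise MappingError("malformed principal: %r" % principal)
    # Walk up from the Kerberos branch to the root identifier.
    owners = [i for i in domain if (realm, user) in i.identities]
    if len(owners) != 1:
        raise MappingError("%d identifiers own %s" % (len(owners), principal))
    # Walk back down to the branch for the system being accessed.
    profiles = sorted(u for reg, u in owners[0].identities if reg == local_registry)
    if len(profiles) != 1:
        raise MappingError("%d profiles in %s" % (len(profiles), local_registry))
    return owners[0].name, profiles[0]


if __name__ == "__main__":
    print(map_principal(sample_domain(), "jsmith@EXAMPLE.COM", "SYSTEMA"))
```
</pre>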
<p>Enabling single signon for your server simplifies the
task of managing <span class="keyword">i5/OS</span> user
profiles and reduces the number of sign-ons that a user must perform to access
multiple <span class="keyword">i5/OS</span> applications
and servers. Additionally, it reduces the amount of time that is required
for password management by each user. Single signon allows each user to remember
and use fewer passwords to access applications and servers, thereby simplifying
their <span class="keyword">iSeries™</span> experience.</p>
</div>
<div class="section"><h4 class="sectiontitle">i5/OS client
and server applications currently enabled for single signon</h4><ul><li><span class="keyword">i5/OS</span> Host Servers
(5722-SS1 Option 12): currently used by <span class="keyword">iSeries Access for Windows</span> and <span class="keyword">iSeries Navigator</span>.</li>
<li>Telnet server: currently used by PC5250 and IBM WebSphere<sup>®</sup> Host On-Demand Version 8:
Web Express Logon feature.</li>
<li>Open DataBase Connectivity (ODBC): allows single signon access to <span class="keyword">i5/OS</span> databases through ODBC.</li>
<li>Java™ Database
Connectivity (JDBC): allows single signon access to <span class="keyword">i5/OS</span> databases
through ODBC.</li>
<li>Distributed
Relational Database Architecture™ (DRDA<sup>®</sup>): allows single signon access to <span class="keyword">i5/OS</span> databases through ODBC.</li>
<li>QFileSrv.400</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzconcepts.htm" title="Use this information to learn about the underlying concepts for single signon for a better understanding of how you can plan to use single signon in your enterprise.">Concepts</a></div>
</div>
</div>
</body>
</html>