Use the following scenario to become familiar with the prerequisites
and objectives for enabling single signon for i5/OS™.
Situation
You are
a network administrator that manages a network and network security for your
company, including the Order Receiving department. You oversee the IT operations
for a large number of employees who take customer orders over the telephone.
You also supervise two other network administrators who help you maintain
the network.
The employees in the Order Receiving department use Windows® 2000
and i5/OS and
require multiple passwords for the different applications they use every day.
Consequently, you spend a lot of time managing and troubleshooting problems
related to passwords and user identities, such as resetting forgotten passwords.
As
the company's network administrator, you are always looking for ways to improve
the business, starting with the Order Receiving department. You know that
most of your employees need the same type of authority to access the application
that they use to query inventory status. It seems redundant and time consuming
for you to maintain individual user profiles and numerous passwords that are
required in this situation. In addition, you know that all of your employees
can benefit by using fewer user IDs and passwords. You want to do these things:
- Simplify the task of password management for the Order Receiving department.
Specifically, you want to efficiently manage user access to the application
your employees routinely use for customer orders.
- Decrease the use of multiple user IDs and passwords for the department
employees, as well as for the network administrators. However, you do not
want to make the Windows 2000 IDs and i5/OS user profiles the same nor do you
want to use password caching or synching.
Based on your research, you know that i5/OS supports
single signon, a solution that allows your users to log
on once to access multiple applications and services that normally require
them to log on with multiple user IDs and passwords. Because your users do
not need to provide as many user IDs and passwords to do their jobs, you have
fewer password problems to solve for them. Single signon seems to be an ideal
solution because it allows you to simplify password management in the following
ways:
- For typical users that require the same authority to an application, you
can create policy associations. For example, you want the order clerks in
the Order Receiving department to be able to log on once with their Windows user
name and password and then be able to access a new inventory query application
in the manufacturing department without having to be authenticated again.
However, you also want to ensure that the level of authorization that they
have when using this application is appropriate. To attain this goal, you
decide to create a policy association that maps the Windows 2000
user identities for this group of users to a single i5/OS user profile that has the appropriate
level of authority for running the inventory query application. Because this
is a query-only application in which users cannot change data, you are not
as concerned about detailed auditing for this application. Consequently, you
feel confidant that using a policy association in this situation conforms
to your security policy.
You create a policy association to map the group
of order clerks with similar authority requirements to a single i5/OS user profile
with the appropriate level of authority for the inventory query application.
Your users benefit by having one less password to remember and one less logon
to perform. As the administrator, you benefit by having to maintain only one
user profile for user access to the application instead of multiple user profiles
for everyone in the group.
- For each of your network administrators who have user profiles with special
authorities, such as *ALLOBJ and *SECADM, you can create identifier associations.
For example, you want all of the user identities for a single network administrator
to be precisely and individually mapped to one another because of the administrator's
high level of authority.
Based on your company's security policy, you decide
to create identifier associations to map specifically from each network administrator's Windows identity
to his i5/OS user
profile. You can more easily monitor and trace the activity of the administrator
because of the one-to-one mapping that identifier associations provide. For
example, you can monitor the jobs and objects that run on the system for a
specific user identity. Your network administrator benefits by having one
less password to remember and one less logon to perform. As the network administrator,
you benefit by tightly controlling the relationships between all of your administrator's
user identities.
This scenario has the following advantages:
- Simplifies authentication process for users.
- Simplifies managing access to applications.
- Eases the overhead of managing access to servers in the network.
- Minimizes the threat of password theft.
- Avoids the need for multiple signons.
- Simplifies user identity management across the network.
Objectives
In this
scenario, you are the administrator at MyCo, Inc. who wants to enable single
signon for the users in the Order Receiving department.
The objectives
of this scenario are as follows:
- iSeries™ A
and iSeries B
must participate in the MYCO.COM realm to authenticate the users and services
that are participating in this single signon environment. To enable the systems
to use Kerberos, iSeries A
and iSeries B
must be configured for network authentication service.
- The IBM® Directory
Server for iSeries (LDAP)
on iSeries A
must function as the domain controller for the new EIM domain.
Note: Refer
to
domains to
learn how two different types of domains, an EIM domain and a Windows 2000
domain, fit into the single signon environment.
- All user identities in the Kerberos registry must map successfully to
a single i5/OS user
profile with appropriate authority for user access to the inventory query
application.
- Based on your security policy, two administrators, John Day and Sharon
Jones, who also have user identities in the Kerberos registry, must have identifier
associations to map these identities to their i5/OS user profiles which have *SECADM
special authority. These one-to-one mappings enable you to closely monitor
the jobs and objects that run on the system for these user identities.
- A Kerberos service principal must be used to authenticate the users to
the IBM iSeries Access
for Windows applications,
including iSeries Navigator.
Details
The following
figure illustrates the network environment for this scenario.
The figure illustrates the following points
relevant to this scenario.
EIM domain data defined for the enterprise- Three registry definition names:
- A registry definition name of MYCO.COM for the Windows 2000 server registry. You will
define this when you use the EIM configuration wizard on iSeries A.
- A registry definition name of ISERIESA.MYCO.COM for the i5/OS registry
on iSeries A.
You will define this when you use the EIM configuration wizard on iSeries A.
- A registry definition name of ISERIESB.MYCO.COM for the i5/OS registry
on iSeries B.
You will define this when you use the EIM configuration wizard on iSeries B.
- Two default
registry policy associations:
Note: EIM lookup operation processing assigns the highest priority
to identifier associations. Therefore, when a user identity is defined as
a source in both a policy association and an identifier association, only
the identifier association maps that user identity. In this scenario, two
network administrators, John Day and Sharon Jones, both have user identities
in the MYCO.COM registry, which is the source of the default registry policy
associations. However, as shown below, these administrators also have identifier
associations defined for their user identities in the MYCO.COM registry. The
identifier associations ensure that their MYCO.COM user identities are not
mapped by the policy associations. Instead, the identifier associations ensure
that their user identities in the MYCO.COM registry are individually mapped
to other specific individual user identities.
- One default registry policy association maps all user identities in the Windows 2000
server registry called MYCO.COM, to a single i5/OS user profile called SYSUSERA in the
ISERIESA.MYCO.COM registry on iSeries A. For this scenario, mmiller
and ksmith represent two of these user identities.
- One default registry policy association maps all user identities in the Windows 2000
server registry called MYCO.COM, to a single i5/OS user profile called SYSUSERB in the
ISERIESB.MYCO.COM registry on iSeries B. For this scenario, mmiller
and ksmith represent two of these user identities.
- Two EIM identifiers named John Day and Sharon Jones to represent the two
network administrators in the company who have those names.
- For the John Day EIM identifier, these identifier associations are defined:
- A source association for the jday user identity, which is a Kerberos principal
in the Windows 2000 server registry.
- A target association for the JOHND user identity, which is a user profile
in the i5/OS registry
on iSeries A.
- A target association for the DAYJO user identity, which is a user profile
in the i5/OS registry
on iSeries B.
- For the Sharon Jones EIM identifier, these identifier associations are
defined:
- A source association for the sjones user identity, which is a Kerberos
principal in the Windows 2000 server registry.
- A target association for the SHARONJ user identity, which is a user profile
in the i5/OS registry
on iSeries A.
- A target association for the JONESSH user identity, which is a user profile
in the i5/OS registry
on iSeries B.
Windows 2000 server- Acts as the Kerberos server (kdc1.myco.com), also known as a
key distribution center (KDC), for the network.
- The default realm for the Kerberos server is MYCO.COM.
- All Microsoft® Windows Active Directory users that
do not have identifier associations are mapped to a single i5/OS user profile
on each of the iSeries systems.
iSeries B- Runs i5/OS Version 5 Release 3 (V5R3) or later with the
following options and licensed products installed:
- i5/OS Host
Servers (5722-SS1 Option 12)
- Qshell Interpreter (5722-SS1 Option 30)
- iSeries Access
for Windows (5722-XE1)
- Network Authentication Enablement (5722-NAE) if you are using
V5R4 or later
- Cryptographic Access Provider (5722-AC3) if you are running
V5R3
- Has the fully qualified host name of iseriesb.myco.com. This
name is registered in a single Domain Name System (DNS) to which all PCs and
servers in the network point.
- The principal name for iSeries B is krbsvr400/iseriesb.myco.com@MYCO.COM.
- Participates in the EIM domain, MyCoEimDomain.
- Home directories on iSeries B store the Kerberos credentials caches for i5/OS user
profiles.
Administrative PC- Runs Microsoft Windows 2000 operating system.
- Runs iSeries Access
for Windows (5722-XE1).
- Runs iSeries Navigator
with the following subcomponents installed:
- Network
- Security
- Users and Groups
- Serves as the primary logon system for the administrator.
- Configured to be part of the MYCO.COM realm (Windows domain).
Note: The KDC server name,
kdc1.myco.com, and
the hostname,
iseriesa.myco.com are fictitious names used in this scenario.
Configuration steps
Note: You
need to thoroughly understand the concepts related to single signon, which
include network authentication service and Enterprise Identity Mapping (EIM)
concepts, before you implement this scenario. See the following information
to learn about the terms and concepts related to single signon:
To configure single signon on your system, complete
these steps.