
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure Enterprise Identity Mapping" />
<meta name="abstract" content="In order to enable Single sign-on (SSO) with WebSphere and iSeries Access for Web, you must configure Enterprise Identity Mapping (EIM). This topic provides an overview of the steps to configure EIM. These steps are intended as a guide to administrators when planning and configuring the EIM environment." />
<meta name="description" content="In order to enable Single sign-on (SSO) with WebSphere and iSeries Access for Web, you must configure Enterprise Identity Mapping (EIM). This topic provides an overview of the steps to configure EIM. These steps are intended as a guide to administrators when planning and configuring the EIM environment." />
<meta name="DC.Relation" scheme="URI" content="rzammsso.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalvmst.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakh000.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzammeimconfig" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure Enterprise Identity Mapping</title>
</head>
<body id="rzammeimconfig"><a name="rzammeimconfig"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure Enterprise Identity Mapping</h1>
<div><p>In order to enable Single sign-on (SSO) with WebSphere<sup>®</sup> and iSeries™ Access
for Web, you must configure Enterprise Identity Mapping (EIM). This topic
provides an overview of the steps to configure EIM. These steps are intended
as a guide to administrators when planning and configuring the EIM environment. </p>
<div class="section">EIM is part of the Network subcomponent of iSeries Navigator. For information about
EIM, see the Enterprise Identity Mapping topic. Configuring EIM involves these
steps:<ul><li>Create an EIM domain. See step <a href="#rzammeimconfig__createdomain">1</a>.</li>
<li>Add EIM domain to Domain Management. See step <a href="#rzammeimconfig__adddomain">2</a>.</li>
<li>Create EIM source user registry. See step <a href="#rzammeimconfig__createreg">3</a>.</li>
<li>Create EIM identifier for each user. See step <a href="#rzammeimconfig__createids">4</a>.</li>
<li>Add associations to EIM identifiers. See step <a href="#rzammeimconfig__addassns">5</a>.</li>
</ul>
<p><strong>Steps to configure Enterprise Identity Mapping:</strong></p>
</div>
<ol><li class="stepexpand" id="rzammeimconfig__createdomain"><a name="rzammeimconfig__createdomain"><!-- --></a><span>Create an EIM domain.</span> EIM domain information
is stored on a Lightweight Directory Access Protocol (LDAP) directory server.
The LDAP administrator distinguished name and password are required in order
to create an EIM domain. To create an EIM domain, follow these steps:<ol type="a"><li class="substepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">&lt;<var class="varname">ServerName</var>&gt;</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure</span> (or <span class="uicontrol">Reconfigure</span>,
if EIM has been previously configured) to start the EIM configuration wizard. </span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Welcome</span> page, select <span class="uicontrol">Create
and join a new domain</span>. Select <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Specify EIM Domain Location</span> page,
select one of these as appropriate:</span> <ul><li><span class="uicontrol">On the local Directory server</span></li>
<li><span class="uicontrol">On a remote Directory server</span></li>
</ul>
Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>On the <span class="wintitle">Configure Network Authentication Service</span> page,
select <span class="uicontrol">No</span>. Select <span class="uicontrol">Next</span>. </span> <div class="note"><span class="notetitle">Note:</span> Network Authentication Service is not required for EIM in WebSphere environments.
For more information about Network Authentication Service, see the "Network
authentication service" topic. </div>
</li>
<li class="substepexpand"><span>Either the <span class="wintitle">Specify User for Connection</span> or
the <span class="wintitle">Configure Directory Server</span> page is displayed. Specify
the <span class="uicontrol">Distinguished name</span> and <span class="uicontrol">Password</span> of
the directory server administrator, as well as the <span class="uicontrol">Directory server
port number</span>, as appropriate. </span> For example: <p>Distinguished name: <samp class="codeph">cn=administrator</samp>  <br />
Password: <samp class="codeph">myadminpwd</samp> <br />
Port: <samp class="codeph">389</samp></p>
Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand" id="rzammeimconfig__specregname"><a name="rzammeimconfig__specregname"><!-- --></a><span>On the <span class="wintitle">Specify Domain</span> page, provide a name
for the EIM domain. </span> For example: Domain: <samp class="codeph">EimDomain</samp>. Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>On the <span class="wintitle">Specify Parent DN for Domain</span> page,
select <strong>No</strong>. Select <strong>Next</strong>. </span></li>
<li class="substepexpand"><span>If the directory server is active, a message is displayed indicating
that the directory server must be ended and restarted for the changes to take effect. Select <strong>Yes</strong> to
restart the directory server. </span></li>
<li class="substepexpand" id="rzammeimconfig__regname"><a name="rzammeimconfig__regname"><!-- --></a><span>On the <span class="wintitle">Registry Information</span> page,
select <span class="uicontrol">Local OS/400</span> and de-select <span class="uicontrol">Kerberos</span>.
Write down the Local OS/400<sup>®</sup> registry name. This registry name will be used
when creating associations for EIM identifiers.</span> For example: <samp class="codeph">MYISERIES.MYCOMPANY.COM</samp>. Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>On the <span class="wintitle">Specify EIM System User</span> page, accept
the default, which uses the directory server administrator distinguished name
and password when EIM operations are performed on behalf of operating system
functions. Select <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Summary</span> page, confirm the EIM configuration
information. Select <span class="uicontrol">Finish</span>.</span></li>
</ol>
</li>
<li class="stepexpand" id="rzammeimconfig__adddomain"><a name="rzammeimconfig__adddomain"><!-- --></a><span>Add EIM domain to Domain Management. To add the
EIM domain to Domain Management, follow these steps: </span><ol type="a"><li class="substepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">&lt;<var class="varname">ServerName</var>&gt;</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span></span>.</span></li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">Domain Management</span>, and select <span class="uicontrol">Add
Domain</span>.</span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Add Domain</span> dialog, select the EIM
domain name specified in step <a href="#rzammeimconfig__specregname">1.g</a> of
the Create an EIM domain step. </span> For example: <samp class="codeph">EimDomain</samp>. Select <span class="uicontrol">OK</span>.</li>
<li class="substepexpand"><span>The domain is added to iSeries Navigator. Expand the domain
by selecting the <span class="uicontrol">+</span> next to the domain name. </span></li>
<li class="substepexpand"><span>Specify the directory server administrator distinguished name
and password at the Connect to EIM domain controller prompt. </span></li>
<li class="substepexpand"><span>Two subcategories are displayed: <span class="uicontrol">User Registries</span> and <span class="uicontrol">Identifiers</span>.</span></li>
</ol>
</li>
<li class="stepexpand" id="rzammeimconfig__createreg"><a name="rzammeimconfig__createreg"><!-- --></a><span>Create EIM source user registry. To create an EIM
source user registry, follow these steps: </span><ol type="a"><li class="substepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">&lt;<var class="varname">ServerName</var>&gt;</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span> &gt; <span class="uicontrol">&lt;<var class="varname">DomainName</var>&gt;</span> &gt; <span class="uicontrol">User Registries</span></span>.</span></li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">User Registries</span>, and select <span class="menucascade"><span class="uicontrol">Add Registry</span> &gt; <span class="uicontrol">System</span></span>.</span></li>
<li class="substepexpand" id="rzammeimconfig__userregistry"><a name="rzammeimconfig__userregistry"><!-- --></a><span>On the <span class="wintitle">Add System Registry</span> dialog,
provide a registry name.</span> For example: Registry: <samp class="codeph">WebSphereUserRegistry</samp></li>
<li class="substepexpand"><span>Select <span class="uicontrol">LDAP - short name</span> from the registry
type selection list. </span> Registry type <span class="uicontrol">LDAP - short
name</span> is not available in iSeries Navigator releases prior to V5R4M0.
If you are using an earlier release of iSeries Navigator, specify <samp class="codeph">1.3.18.0.2.33.14-caseIgnore</samp>
as the registry type. This is the object identifier (OID) form of the registry type, with the
normalization method (<samp class="codeph">caseIgnore</samp>) appended, for registries whose principals
are identified by the LDAP short name attribute. This OID is mapped to <span class="uicontrol">LDAP - short name</span> in
V5R4M0 iSeries Navigator. Select <span class="uicontrol">OK</span>.</li>
</ol>
</li>
<li class="stepexpand" id="rzammeimconfig__createids"><a name="rzammeimconfig__createids"><!-- --></a><span>Create EIM identifier for each user. An EIM identifier
must be created for each user in the WebSphere user registry. When new
users are added to the WebSphere user registry, an EIM identifier must
be created for each new user. To create an EIM identifier for a user in the WebSphere user
registry, follow these steps: </span><ol type="a"><li class="substepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">&lt;<var class="varname">ServerName</var>&gt;</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span> &gt; <span class="uicontrol">&lt;<var class="varname">DomainName</var>&gt;</span> &gt; <span class="uicontrol">Identifiers</span></span>.</span></li>
<li class="substepexpand" id="rzammeimconfig__twoid"><a name="rzammeimconfig__twoid"><!-- --></a><span>Right-click <span class="uicontrol">Identifiers</span>, and
select <span class="uicontrol">New Identifier</span>.</span></li>
<li class="substepexpand" id="rzammeimconfig__threeid"><a name="rzammeimconfig__threeid"><!-- --></a><span>On the <span class="wintitle">New EIM Identifier</span> dialog,
provide a unique identifier name and optional description. </span> For
example: <samp class="codeph">Thomas R. Smith</samp>. Select <span class="uicontrol">OK</span>.</li>
<li class="substepexpand"><span>Repeat steps <a href="#rzammeimconfig__twoid">4.b</a> and <a href="#rzammeimconfig__threeid">4.c</a> for each WebSphere user that uses iSeries Access
for Web.</span></li>
</ol>
</li>
<li class="stepexpand" id="rzammeimconfig__addassns"><a name="rzammeimconfig__addassns"><!-- --></a><span>Add associations to EIM identifiers. Each EIM identifier
requires two EIM associations: a source association that names the WebSphere user
identity (source identity) and a target association that names the i5/OS™ user profile
(target identity), so that a lookup can resolve the source identity to the target identity.
When new EIM identifiers are added to represent new users in the WebSphere user registry, repeat these
steps to create the corresponding EIM associations. To add associations to an EIM identifier, follow these steps:</span><ol type="a"><li class="substepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">&lt;<var class="varname">ServerName</var>&gt;</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Enterprise Identity Mapping</span> &gt; <span class="uicontrol">Domain Management</span> &gt; <span class="uicontrol">&lt;<var class="varname">DomainName</var>&gt;</span> &gt; <span class="uicontrol">Identifiers</span></span>. A list of identifiers is
displayed in the right pane of iSeries Navigator.</span></li>
<li class="substepexpand"><span>Right-click an identifier and select <span class="uicontrol">Properties</span>.</span> For example: <samp class="codeph">Thomas R. Smith</samp></li>
<li class="substepexpand"><span>From the <span class="wintitle">Associations</span> tabbed page, select <span class="uicontrol">Add</span> to
add a WebSphere user
registry source association.</span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Add Association</span> dialog, provide
values for the following fields. </span> You can specify a value or select <span class="uicontrol">Browse...</span> to
select from a list of known values.<ul><li><strong>Registry:</strong> Specify the source registry name from step <a href="#rzammeimconfig__userregistry">3.c</a> of
the Create EIM source user registry step. For example: <samp class="codeph">WebSphereUserRegistry</samp></li>
<li><strong>User:</strong> Specify the user's WebSphere user identity. For example:
<samp class="codeph">tsmith</samp> </li>
<li><strong>Association type:</strong> Source</li>
</ul>
<p>Select <strong>OK</strong>.</p>
</li>
<li class="substepexpand"><span>From the <span class="wintitle">Associations</span> tabbed page, select <span class="uicontrol">Add</span> to
add an i5/OS user
profile target association.</span></li>
<li class="substepexpand"><span>On the <span class="wintitle">Add Association</span> dialog, provide
values for the following fields. </span> You can specify a value or select <span class="uicontrol">Browse...</span> to
select from a list of known values.<ul><li><strong>Registry:</strong> Specify the target registry name from step <a href="#rzammeimconfig__regname">1.j</a> of
the Create EIM domain step. For example: <samp class="codeph">MYISERIES.MYCOMPANY.COM</samp></li>
<li><strong>User:</strong> Specify the user's i5/OS user profile name. For example: <samp class="codeph">TOMSMITH</samp>
</li>
<li><strong>Association type:</strong> Target</li>
</ul>
<p>Select <span class="uicontrol">OK</span> to add the target association.</p>
</li>
<li class="substepexpand"><span>Select <span class="uicontrol">OK</span> to close the <span class="wintitle">Properties</span> dialog.</span></li>
</ol>
</li>
</ol>
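<p>The steps above create a domain, two user registries, an identifier per user, and one source plus one target association per identifier. The following Python model, added here as an example and not IBM's code, shows how a lookup walks that structure from a WebSphere source identity to an i5/OS user profile, why the <samp class="codeph">caseIgnore</samp> part of the registry type matters when user names are compared, and why a lookup that finds more than one target profile must be refused rather than guessed. The <samp class="codeph">1.3.18.0.2.33.14-caseIgnore</samp> registry type is the one from step 3; the OS/400 registry type string, the class and function names, and the second example profile used for the ambiguity case are assumptions of this example.</p>

```python
from dataclasses import dataclass, field

# Registry type from step 3: principals identified by LDAP short name, compared with caseIgnore normalization.
LDAP_SHORT_NAME_CASEIGNORE = "1.3.18.0.2.33.14-caseIgnore"
# Placeholder for the Local OS/400 registry type (assumption: the real OID is not on the page;
# only the "-caseIgnore" normalization suffix matters to this model).
OS400_PLACEHOLDER_CASEIGNORE = "os400-placeholder-caseIgnore"

def normalize(user: str, registry_type: str) -> str:
    """Fold case only when the registry type's suffix says caseIgnore."""
    user = user.strip()
    return user.casefold() if registry_type.endswith("-caseIgnore") else user

@dataclass(frozen=True)
class Association:
    identifier: str   # EIM identifier, e.g. "Thomas R. Smith"
    registry: str     # registry name, e.g. "WebSphereUserRegistry"
    user: str         # user name within that registry
    kind: str         # "source" or "target"

@dataclass
class EimDomain:
    name: str
    registries: dict = field(default_factory=dict)   # registry name -> type OID
    identifiers: set = field(default_factory=set)
    associations: list = field(default_factory=list)

    def add_association(self, a: Association) -> None:
        # Refuse references to registries or identifiers that were never created (steps 1.j, 3, 4).
        if a.registry not in self.registries or a.identifier not in self.identifiers:
            raise ValueError(f"unknown registry or identifier: {a!r}")
        self.associations.append(a)

    def target_from_source(self, src_registry, src_user, tgt_registry):
        """Return ('ok', profile), ('no_mapping', None) or ('ambiguous', None)."""
        src_type = self.registries[src_registry]
        want = normalize(src_user, src_type)
        ids = {a.identifier for a in self.associations if a.kind == "source"
               and a.registry == src_registry and normalize(a.user, src_type) == want}
        targets = [a.user for a in self.associations if a.kind == "target"
                   and a.registry == tgt_registry and a.identifier in ids]
        if not targets:
            return ("no_mapping", None)
        if len(targets) > 1:      # several profiles for one source identity: refuse rather than guess
            return ("ambiguous", None)
        return ("ok", targets[0])

def build_example_domain() -> EimDomain:
    """The objects created by steps 1 to 5 above, with the page's example values."""
    d = EimDomain("EimDomain")
    d.registries["WebSphereUserRegistry"] = LDAP_SHORT_NAME_CASEIGNORE     # step 3
    d.registries["MYISERIES.MYCOMPANY.COM"] = OS400_PLACEHOLDER_CASEIGNORE  # step 1.j
    d.identifiers.add("Thomas R. Smith")                                  # step 4
    d.add_association(Association("Thomas R. Smith", "WebSphereUserRegistry", "tsmith", "source"))
    d.add_association(Association("Thomas R. Smith", "MYISERIES.MYCOMPANY.COM", "TOMSMITH", "target"))
    return d
```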
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammsso.htm" title="Learn about considerations associated with using single sign-on in a Web application server environment.">Single sign-on considerations</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping</a></div>
<div><a href="../rzakh/rzakh000.htm">Network authentication service</a></div>
</div>
</div>
</body>
</html>