friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14ed2849c6
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamz_5.4.0.1/rzamzenablessoos400.htm

369 lines
26 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Enable single signon for i5/OS" />
<meta name="abstract" content="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment." />
<meta name="description" content="View this scenario to learn how to configure network authentication service and EIM to create a single signon environment across multiple systems in an enterprise. This scenario expands on the concepts and tasks presented in the previous scenario which demonstrates how to create a simple single signon test environment." />
<meta name="DC.Relation" scheme="URI" content="rzamzscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcompletetheplanningworksheets2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzaddbothos400serviceprincipalstothekerberosserver.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateuserprofilesoniseriesaandiseriesb.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreatehomedirectoriesoniseriesaandiseriesb.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamztestnetworkauthenticationserviceoniseriesaandiseriesb.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateeimidentifiersfortwoadministratorsjohndayandsharonjones.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateidentifierassociationsforjohnday.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreateidentifierassociationsforsharonjones.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzcreatedefaultregistrypolicyassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzenableregistriestoparticipateinlookupoperationsandtousepolicyassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamztesteimidentitymappings2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzconfigureiseriesaccess1a.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzverifynetworkauthenticationserviceandeimconfiguration2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamzoptionalpostconfigurationconsiderations1a.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhpdns.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalveservercncpts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzakh/rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamzenablessoos400" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Enable single signon for i5/OS</title>
</head>
<body id="rzamzenablessoos400"><a name="rzamzenablessoos400"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Enable single signon for i5/OS</h1>
<div><p> View this scenario to learn how to configure network authentication
service and EIM to create a single signon environment across multiple systems
in an enterprise. This scenario expands on the concepts and tasks presented
in the previous scenario which demonstrates how to create a simple single
signon test environment.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
a network administrator that manages a network and network security for your
company, including the Order Receiving department. You oversee the IT operations
for a large number of employees who take customer orders over the telephone.
You also supervise two other network administrators who help you maintain
the network.</p>
<p>The employees in the Order Receiving department use <span class="keyword">Windows<sup>®</sup> 2000</span> and <span class="keyword">i5/OS™</span> and
require multiple passwords for the different applications they use every day.
Consequently, you spend a lot of time managing and troubleshooting problems
related to passwords and user identities, such as resetting forgotten passwords.</p>
<div class="p">As
the company's network administrator, you are always looking for ways to improve
the business, starting with the Order Receiving department. You know that
most of your employees need the same type of authority to access the application
that they use to query inventory status. It seems redundant and time consuming
for you to maintain individual user profiles and numerous passwords that are
required in this situation. In addition, you know that all of your employees
can benefit by using fewer user IDs and passwords. You want to do these things: <ul><li>Simplify the task of password management for the Order Receiving department.
Specifically, you want to efficiently manage user access to the application
your employees routinely use for customer orders.</li>
<li>Decrease the use of multiple user IDs and passwords for the department
employees, as well as for the network administrators. However, you do not
want to make the <span class="keyword">Windows 2000</span> IDs
and <span class="keyword">i5/OS</span> user profiles
the same nor do you want to use password caching or synching.</li>
</ul>
</div>
<div class="p">Based on your research, you know that <span class="keyword">i5/OS</span> supports <a href="rzamzoverview.htm">single signon</a>, a solution that allows your
users to log on once to access multiple applications and services that normally
require them to log on with multiple user IDs and passwords. Because your
users do not need to provide as many user IDs and passwords to do their jobs,
you have fewer password problems to solve for them. Single signon seems to
be an ideal solution because it allows you to simplify password management
in the following ways: <ul><li>For typical users that require the same authority to an application, you
can create policy associations. For example, you want the order clerks in
the Order Receiving department to be able to log on once with their Windows user
name and password and then be able to access a new inventory query application
in the manufacturing department without having to be authenticated again.
However, you also want to ensure that the level of authorization that they
have when using this application is appropriate. To attain this goal, you
decide to create a policy association that maps the <span class="keyword">Windows 2000</span> user
identities for this group of users to a single <span class="keyword">i5/OS</span> user
profile that has the appropriate level of authority for running the inventory
query application. Because this is a query-only application in which users
cannot change data, you are not as concerned about detailed auditing for this
application. Consequently, you feel confidant that using a policy association
in this situation conforms to your security policy.<p>You create a policy
association to map the group of order clerks with similar authority requirements
to a single<span class="keyword">i5/OS</span> user profile
with the appropriate level of authority for the inventory query application.
Your users benefit by having one less password to remember and one less logon
to perform. As the administrator, you benefit by having to maintain only one
user profile for user access to the application instead of multiple user profiles
for everyone in the group.</p>
</li>
<li>For each of your network administrators who have user profiles with special
authorities, such as *ALLOBJ and *SECADM, you can create identifier associations.
For example, you want all of the user identities for a single network administrator
to be precisely and individually mapped to one another because of the administrator's
high level of authority. <p>Based on your company's security policy, you decide
to create identifier associations to map specifically from each network administrator's Windows identity
to his <span class="keyword">i5/OS</span> user profile.
You can more easily monitor and trace the activity of the administrator because
of the one-to-one mapping that identifier associations provide. For example,
you can monitor the jobs and objects that run on the system for a specific
user identity. Your network administrator benefits by having one less password
to remember and one less logon to perform. As the network administrator, you
benefit by tightly controlling the relationships between all of your administrator's
user identities.</p>
</li>
</ul>
</div>
<div class="p">This scenario has the following advantages: <ul><li>Simplifies authentication process for users.</li>
<li>Simplifies managing access to applications.</li>
<li>Eases the overhead of managing access to servers in the network.</li>
<li>Minimizes the threat of password theft.</li>
<li>Avoids the need for multiple signons.</li>
<li>Simplifies user identity management across the network.</li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, you are the administrator at MyCo, Inc. who wants to enable single
signon for the users in the Order Receiving department.</p>
<p>The objectives
of this scenario are as follows:</p>
<ul><li><span class="keyword">iSeries™</span> A and <span class="keyword">iSeries</span> B must participate in the MYCO.COM
realm to authenticate the users and services that are participating in this
single signon environment. To enable the systems to use Kerberos, <span class="keyword">iSeries</span> A and <span class="keyword">iSeries</span> B
must be configured for network authentication service.</li>
<li>The IBM<sup>®</sup> Directory
Server for <span class="keyword">iSeries</span> (LDAP) on <span class="keyword">iSeries</span> A must function as the domain
controller for the new EIM domain.<div class="note"><span class="notetitle">Note:</span> Refer to <a href="rzamzdomains.htm">domains</a> to
learn how two different types of domains, an EIM domain and a <span class="keyword">Windows 2000</span> domain,
fit into the single signon environment.</div>
</li>
<li>All user identities in the Kerberos registry must map successfully to
a single <span class="keyword">i5/OS</span> user profile
with appropriate authority for user access to the inventory query application.</li>
<li>Based on your security policy, two administrators, John Day and Sharon
Jones, who also have user identities in the Kerberos registry, must have identifier
associations to map these identities to their <span class="keyword">i5/OS</span> user
profiles which have *SECADM special authority. These one-to-one mappings enable
you to closely monitor the jobs and objects that run on the system for these
user identities.</li>
<li>A Kerberos service principal must be used to authenticate the users to
the <span class="keyword">iSeries Access for Windows</span> applications,
including <span class="keyword">iSeries Navigator</span>.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network environment for this scenario.</p>
<p><br /><img src="rzakh512.gif" alt=" Single signon environment diagram" /><br /></p>
<p>The figure illustrates the following points relevant to this
scenario.</p>
<div class="p"><strong>EIM domain data defined for the enterprise</strong><ul><li>Three registry definition names:<ul><li>A registry definition name of MYCO.COM for the <span class="keyword">Windows 2000</span> server
registry. You will define this when you use the EIM configuration wizard on <span class="keyword">iSeries</span> A.</li>
<li>A registry definition name of ISERIESA.MYCO.COM for the <span class="keyword">i5/OS</span> registry
on <span class="keyword">iSeries</span> A. You will define
this when you use the EIM configuration wizard on <span class="keyword">iSeries</span> A.</li>
<li>A registry definition name of ISERIESB.MYCO.COM for the <span class="keyword">i5/OS</span> registry
on <span class="keyword">iSeries</span> B. You will define
this when you use the EIM configuration wizard on <span class="keyword">iSeries</span> B.</li>
</ul>
</li>
<li>Two <a href="../rzalv/rzalveserverassoc.htm">default
registry policy associations</a>:<div class="note"><span class="notetitle">Note:</span> <a href="../rzalv/rzalveservereimmaplookup.htm">EIM lookup operation</a> processing assigns the highest priority
to identifier associations. Therefore, when a user identity is defined as
a source in both a policy association and an identifier association, only
the identifier association maps that user identity. In this scenario, two
network administrators, John Day and Sharon Jones, both have user identities
in the MYCO.COM registry, which is the source of the default registry policy
associations. However, as shown below, these administrators also have identifier
associations defined for their user identities in the MYCO.COM registry. The
identifier associations ensure that their MYCO.COM user identities are not
mapped by the policy associations. Instead, the identifier associations ensure
that their user identities in the MYCO.COM registry are individually mapped
to other specific individual user identities.</div>
<ul><li>One default registry policy association maps all user identities in the <span class="keyword">Windows 2000</span> server registry called MYCO.COM,
to a single <span class="keyword">i5/OS</span> user
profile called SYSUSERA in the ISERIESA.MYCO.COM registry on <span class="keyword">iSeries</span> A.
For this scenario, mmiller and ksmith represent two of these user identities.</li>
<li>One default registry policy association maps all user identities in the <span class="keyword">Windows 2000</span> server registry called MYCO.COM,
to a single <span class="keyword">i5/OS</span> user
profile called SYSUSERB in the ISERIESB.MYCO.COM registry on <span class="keyword">iSeries</span> B.
For this scenario, mmiller and ksmith represent two of these user identities.</li>
</ul>
</li>
<li>Two EIM identifiers named John Day and Sharon Jones to represent the two
network administrators in the company who have those names.</li>
<li>For the John Day EIM identifier, these identifier associations are defined:<ul><li>A source association for the jday user identity, which is a Kerberos principal
in the <span class="keyword">Windows 2000</span> server registry.</li>
<li>A target association for the JOHND user identity, which is a user profile
in the <span class="keyword">i5/OS</span> registry on <span class="keyword">iSeries</span> A.</li>
<li>A target association for the DAYJO user identity, which is a user profile
in the <span class="keyword">i5/OS</span> registry on <span class="keyword">iSeries</span> B.</li>
</ul>
</li>
<li>For the Sharon Jones EIM identifier, these identifier associations are
defined:<ul><li>A source association for the sjones user identity, which is a Kerberos
principal in the <span class="keyword">Windows 2000</span> server
registry.</li>
<li>A target association for the SHARONJ user identity, which is a user profile
in the <span class="keyword">i5/OS</span> registry on <span class="keyword">iSeries</span> A.</li>
<li>A target association for the JONESSH user identity, which is a user profile
in the <span class="keyword">i5/OS</span> registry on <span class="keyword">iSeries</span> B.</li>
</ul>
</li>
</ul>
</div>
<div class="p"><strong><span class="keyword">Windows 2000</span> server</strong><ul><li>Acts as the Kerberos server (<tt>kdc1.myco.com</tt>), also known as a
key distribution center (KDC), for the network.</li>
<li>The default realm for the Kerberos server is <tt>MYCO.COM</tt>.</li>
<li>All Microsoft<sup>®</sup> Windows Active Directory users that
do not have identifier associations are mapped to a single <span class="keyword">i5/OS</span> user
profile on each of the <span class="keyword">iSeries</span> systems.</li>
</ul>
</div>
<div class="p"><strong><span class="keyword">iSeries</span> A</strong><ul><li>Runs <span class="keyword">i5/OS</span> Version
5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers
(5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><span class="keyword">iSeries Access for Windows</span> (5722-XE1)</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> You can accomplish this scenario using a server that runs V5R2.
However, some of the configuration steps will be slightly different. In addition,
this scenario demonstrates some of the single signon function that is only
available in V5R3 or later such as policy associations. </div>
</li>
<li>The directory server on <span class="keyword">iSeries</span> A
will be configured to be the EIM domain controller for the new EIM domain,
MyCoEimDomain.</li>
<li>Participates in the EIM domain, MyCoEimDomain.</li>
<li>Has the service principal name of <tt>krbsvr400/iseriesa.myco.com@MYCO.COM</tt>.</li>
<li>Has the fully qualified host name of <tt>iseriesa.myco.com</tt>. This
name is registered in a single Domain Name System (DNS) to which all PCs and
servers in the network point.</li>
<li>Home directories on <span class="keyword">iSeries</span> A
store the Kerberos credentials caches for <span class="keyword">i5/OS</span> user
profiles.</li>
</ul>
</div>
<div class="p"><strong><span class="keyword">iSeries</span> B</strong><ul><li>Runs <span class="keyword">i5/OS</span> Version
5 Release 4 (V5R4) with the following options and licensed products installed:<ul><li><span class="keyword">i5/OS</span> Host Servers
(5722-SS1 Option 12)</li>
<li>Qshell Interpreter (5722-SS1 Option 30)</li>
<li><span class="keyword">iSeries Access for Windows</span> (5722-XE1)</li>
</ul>
</li>
<li>Has the fully qualified host name of <tt>iseriesb.myco.com</tt>. This
name is registered in a single Domain Name System (DNS) to which all PCs and
servers in the network point.</li>
<li>The principal name for <span class="keyword">iSeries</span> B
is <tt>krbsvr400/iseriesb.myco.com@MYCO.COM</tt>.</li>
<li>Participates in the EIM domain, MyCoEimDomain.</li>
<li>Home directories on <span class="keyword">iSeries</span> B
store the Kerberos credentials caches for<span class="keyword">i5/OS</span> user
profiles.</li>
</ul>
</div>
<div class="p"><strong>Administrative PC</strong><ul><li>Runs Microsoft <span class="keyword">Windows 2000</span> operating
system.</li>
<li>Runs <span class="keyword">i5/OS</span> V5R4 <span class="keyword">iSeries Access for Windows</span> (5722-XE1).</li>
<li>Runs <span class="keyword">iSeries Navigator</span> with the
following subcomponents installed:<ul><li>Network</li>
<li>Security</li>
<li>Users and Groups</li>
</ul>
</li>
<li>Serves as the primary logon system for the administrator.</li>
<li>Configured to be part of the MYCO.COM realm (Windows domain).</li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>Successful
completion of this scenario requires that the following assumptions and prerequisites
are met:</p>
<ol><li>All system requirements, including software and operating system installation,
have been verified.<div class="p">To verify that these licensed programs have been installed,
complete the following:<ol type="a"><li>In <span class="keyword">iSeries Navigator</span>, expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Configuration and Service</span> &gt; <span class="uicontrol">Software</span> &gt; <span class="uicontrol">Installed Products</span></span>.</li>
<li>Ensure that all the necessary licensed programs are installed.</li>
</ol>
</div>
</li>
<li>All necessary hardware planning and setup are complete.</li>
<li>TCP/IP and basic system security are configured and tested on each system.</li>
<li>The directory server and EIM should not be previously configured on <span class="keyword">iSeries</span> A.<div class="note"><span class="notetitle">Note:</span> Instructions in this
scenario are based on the assumption that the directory server has not been
previously configured on <span class="keyword">iSeries</span> A.
However, if you already configured the directory server, you can still use
these instructions with only slight differences. These differences are noted
in the appropriate places within the configuration steps.</div>
</li>
<li>A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.<div class="note"><span class="notetitle">Note:</span> The use of host tables
with Kerberos authentication may result in name resolution errors or other
problems. For more detailed information about how host name resolution works
with Kerberos authentication, see <a href="../rzakh/rzakhpdns.htm">Host name resolution considerations</a>.</div>
</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration steps</h4><div class="note"><span class="notetitle">Note:</span> You
need to thoroughly understand the concepts related to single signon, which
include network authentication service and Enterprise Identity Mapping (EIM)
concepts, before you accomplish this scenario. If you are ready
to continue with this scenario complete the following steps: </div>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzamzcompletetheplanningworksheets2.htm">Complete the planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateabasicsinglesignonconfigurationforiseriesa2.htm">Create a basic single signon configuration for iSeries A</a><br />
</li>
<li class="olchildlink"><a href="rzamzconfigureiseriesbtoparticipateintheeimdomainandconfigureiseriesbfornetworkauthenticationservice.htm">Configure iSeries B to participate in the EIM domain and configure iSeries B for network authentication service</a><br />
</li>
<li class="olchildlink"><a href="rzamzaddbothos400serviceprincipalstothekerberosserver.htm">Add both i5/OS service principals to the Kerberos server</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateuserprofilesoniseriesaandiseriesb.htm">Create user profiles on iSeries A and iSeries B</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreatehomedirectoriesoniseriesaandiseriesb.htm">Create home directories on iSeries A and iSeries B</a><br />
</li>
<li class="olchildlink"><a href="rzamztestnetworkauthenticationserviceoniseriesaandiseriesb.htm">Test network authentication service on iSeries A and iSeries B</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateeimidentifiersfortwoadministratorsjohndayandsharonjones.htm">Create EIM identifiers for two administrators, John Day and Sharon Jones</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateidentifierassociationsforjohnday.htm">Create identifier associations for John Day</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreateidentifierassociationsforsharonjones.htm">Create identifier associations for Sharon Jones</a><br />
</li>
<li class="olchildlink"><a href="rzamzcreatedefaultregistrypolicyassociations.htm">Create default registry policy associations</a><br />
</li>
<li class="olchildlink"><a href="rzamzenableregistriestoparticipateinlookupoperationsandtousepolicyassociations.htm">Enable registries to participate in lookup operations and to use policy associations</a><br />
</li>
<li class="olchildlink"><a href="rzamztesteimidentitymappings2.htm">Test EIM identity mappings</a><br />
</li>
<li class="olchildlink"><a href="rzamzconfigureiseriesaccess1a.htm">Configure iSeries Access for Windows applications to use Kerberos authentication</a><br />
</li>
<li class="olchildlink"><a href="rzamzverifynetworkauthenticationserviceandeimconfiguration2.htm">Verify network authentication service and EIM configuration</a><br />
</li>
<li class="olchildlink"><a href="rzamzoptionalpostconfigurationconsiderations1a.htm">(Optional) Post configuration considerations</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamzscenarios.htm" title="Use this information to review scenarios that illustrate typical single signon implementation situations to help you plan your own certificate implementation as part of your server security policy.">Scenarios</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzakh/rzakhpdns.htm">Host name resolution considerations</a></div>
<div><a href="../rzalv/rzalveservercncpts.htm">Enterprise Identity Mapping (EIM)</a></div>
<div><a href="../rzakh/rzakhconcept.htm">Network authentication service</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink