ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalveservermst.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Enterprise Identity Mapping overview" />
<meta name="abstract" content="Use this information to learn about the problems that Enterprise Identity Mapping (EIM) can help you solve, current industry approaches to these problems, and why the EIM approach is a better solution." />
<meta name="description" content="Use this information to learn about the problems that Enterprise Identity Mapping (EIM) can help you solve, current industry approaches to these problems, and why the EIM approach is a better solution." />
<meta name="DC.Relation" scheme="URI" content="rzalvmst.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzamz/rzamzsso.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalveservermst" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Enterprise Identity Mapping overview</title>
</head>
<body id="rzalveservermst"><a name="rzalveservermst"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Enterprise Identity Mapping overview</h1>
<div><p>Use this information to learn about the problems that Enterprise
Identity Mapping (EIM) can help you solve, current industry approaches to
these problems, and why the EIM approach is a better solution.</p>
<p>Today's network environments are made up of a complex group of systems
and applications, resulting in the need to manage multiple user registries.
Dealing with multiple user registries quickly grows into a large administrative
problem that affects users, administrators, and application developers. Consequently,
many companies are struggling to securely manage authentication and authorization
for systems and applications. EIM is an IBM<sup>®</sup> <img src="eserver.gif" alt="e(logo)server" /> infrastructure technology that allows administrators and application
developers to address this problem more easily and inexpensively than previously
possible.</p>
<p>The following information describes the problems, outlines current industry
approaches, and explains why the EIM approach is better.</p>
<div class="section"><h4 class="sectionscenariobar">The problem of managing multiple
user registries</h4><p>Many administrators manage networks that include
different systems and servers, each with a unique way of managing users through
various user registries. In these complex networks, administrators are responsible
for managing each user's identities and passwords across multiple systems.
Additionally, administrators often must synchronize these identities and passwords
and users are burdened with remembering multiple identities and passwords
and with keeping them in sync. The user and administrator overhead in this
environment is excessive. Consequently, administrators often spend valuable
time troubleshooting failed logon attempts and resetting forgotten passwords
instead of managing the enterprise.</p>
<p>The problem of managing multiple
user registries also affects application developers who want to provide multiple-tier
or heterogeneous applications. These developers understand that customers
have important business data spread across many different types of systems,
with each system possessing its own user registries. Consequently, developers
must create proprietary user registries and associated security semantics
for their applications. Although this solves the problem for the application
developer, it increases the overhead for users and administrators.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Current approaches</h4><p>Several
current industry approaches for solving the problem of managing multiple user
registries are available, but they all provide incomplete solutions. For example,
Lightweight Directory Access Protocol (LDAP) provides a distributed user registry
solution. However, using LDAP (or other popular solutions such as Microsoft<sup>®</sup> Passport)
means that administrators must manage yet another user registry and security
semantics or must replace existing applications that are built to use those
registries.</p>
<p>Using this type of solution, administrators must manage
multiple security mechanisms for individual resources, thereby increasing
administrative overhead and potentially increasing the likelihood of security
exposures. When multiple mechanisms support a single resource, the chances
of changing the authority through one mechanism and forgetting to change the
authority for one or more of the other mechanisms are much higher. For example,
a security exposure can result when a user is appropriately denied access
through one interface, but allowed access through one or more other interfaces.</p>
<p>After
completing this work, administrators find that they have not completely solved
the problem. Generally, enterprises have invested too much money in current
user registries and in their associated security semantics to make using this
type of solution practical. Creating another user registry and associated
security semantics solves the problem for the application provider, but not
the problems for users or administrators.</p>
<p>One other possible solution
is to use a single signon approach. Several products are available that allow
administrators to manage files that contain all of a user's identities and
passwords. However, this approach has several weaknesses:</p>
<ul><li>It addresses only one of the problems that users face. Although it allows
users to sign on to multiple systems by supplying one identity and password,
it does not eliminate the need for the user to have passwords on other systems,
or the need to manage these passwords.</li>
<li>It introduces a new problem by creating a security exposure because clear-text
or decryptable passwords are stored in these files. Passwords should never
be stored in clear-text files or be easily accessible by anyone, including
administrators.</li>
<li>It does not solve the problems of third-party application developers that
provide heterogeneous, multiple-tier applications. They must still provide
proprietary user registries for their applications.</li>
</ul>
<p>Despite these weaknesses, some enterprises have chosen to adopt these
approaches because they provide some relief for the multiple user registry
problems.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">The EIM approach</h4><p>EIM
offers a new approach for inexpensively building solutions to more easily
manage multiple user registries and user identities in a multiple tier, heterogeneous
application environment. EIM is an architecture for describing the relationships
between individuals or entities (such as file servers and print servers) in
the enterprise and the many identities that represent them within an enterprise.
In addition, EIM provides a set of APIs that allow applications to ask questions
about these relationships.</p>
<p>For example, given a person's user identity
in one user registry, you can determine which user identity in another user
registry represents that same person. If the user has authenticated with one
user identity and you can map that user identity to the appropriate identity
in another user registry, the user does not need to provide credentials for
authentication again. You know who the user is and only need to know which
user identity represents that user in another user registry. Therefore, EIM
provides a generalized identity mapping function for the enterprise.</p>
<p>EIM
allows one-to-many mappings (in other words, a single user with more than
one user identity in a single user registry). However, the administrator does
not need to have specific individual mappings for all user identities in a
user registry. EIM also allows many-to-one mappings (in other words, multiple
users mapped to a single user identity in a single user registry).</p>
<p>The
ability to map between a user's identities in different user registries provides
many benefits. Primarily, it means that applications may have the flexibility
of using one user registry for authentication while using an entirely different
user registry for authorization. For example, an administrator could map a Windows<sup>®</sup> user
identity in a Kerberos registry to an i5/OS™ user profile in a different user
registry to access i5/OS resources to which the i5/OS user profile is authorized.</p>
<p>EIM
is an open architecture that administrators may use to represent identity
mapping relationships for any registry. It does not require copying existing
data to a new repository and trying to keep both copies synchronized. The
only new data that EIM introduces is the relationship information. EIM stores
this data in an LDAP directory, which provides the flexibility of managing
the data in one place and having replicas wherever the information is used.
Ultimately, EIM gives enterprises and application developers the flexibility
to easily work in a wider range of environments with less cost than would
be possible without this support.</p>
<p>EIM, used in conjunction with network
authentication service, the i5/OS implementation of Kerberos, provides a single
signon solution. Applications can be written that use GSS APIs and EIM to
accept Kerberos tickets and map to another, associated user identity in a
different user registry. The association between user identities that provides
this identity mapping can be accomplished by creating identifier associations
that indirectly associate one user identity with another through an EIM identifier
or by creating policy associations that directly associate one user identity
in a group with a single specific user identity.</p>
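<p>The lookup described above, as an added example that is not IBM's code or its EIM API: a small in-memory model of an EIM domain in which identifier associations (source identity to EIM identifier to target identity) are resolved before a registry-level policy association, and a lookup that resolves nothing returns an empty list so the caller denies access rather than guessing. All registry, identifier and user names are constructed for illustration.</p>

```python
# Added example, not IBM code: an in-memory model of the EIM lookup described above.
from collections import defaultdict


class EimDomain:
    """Simplified EIM domain holding registry definitions and associations."""

    def __init__(self, registries):
        self.registries = set(registries)
        self.source_assocs = {}                 # (registry, user) to EIM identifier
        self.target_assocs = defaultdict(list)  # (identifier, registry) to [user, ...]
        self.policy_assocs = {}                 # (src registry, tgt registry) to user

    def _known(self, *regs):
        for r in regs:
            if r not in self.registries:
                raise KeyError("registry not defined to the domain: " + r)

    def add_identifier_association(self, identifier, src_reg, src_user, tgt_reg, tgt_user):
        """Source association (src_user to identifier) plus target association (identifier to tgt_user)."""
        self._known(src_reg, tgt_reg)
        self.source_assocs[(src_reg, src_user)] = identifier
        self.target_assocs[(identifier, tgt_reg)].append(tgt_user)

    def add_registry_policy(self, src_reg, tgt_reg, tgt_user):
        """Many-to-one: every identity in src_reg maps to tgt_user in tgt_reg."""
        self._known(src_reg, tgt_reg)
        self.policy_assocs[(src_reg, tgt_reg)] = tgt_user

    def get_target_from_source(self, src_reg, src_user, tgt_reg):
        """Map an already-authenticated source identity to target identities.
        Identifier associations win over a registry policy; [] means no mapping
        (deny, do not guess); several entries is a one-to-many mapping."""
        self._known(src_reg, tgt_reg)
        identifier = self.source_assocs.get((src_reg, src_user))
        if identifier is not None:
            targets = self.target_assocs.get((identifier, tgt_reg), [])
            if targets:
                return list(targets)
        policy = self.policy_assocs.get((src_reg, tgt_reg))
        return [policy] if policy is not None else []


def build_demo_domain():
    """Constructed scenario: Kerberos principals mapped to i5/OS user profiles."""
    d = EimDomain(["KERBEROS.EXAMPLE.COM", "SYSA.I5OS", "SYSB.I5OS"])
    d.add_identifier_association("John Day", "KERBEROS.EXAMPLE.COM", "jday@EXAMPLE.COM", "SYSA.I5OS", "JOHND")
    d.add_identifier_association("John Day", "KERBEROS.EXAMPLE.COM", "jday@EXAMPLE.COM", "SYSB.I5OS", "JDAY")
    # Everyone else from the Kerberos realm gets a restricted profile on SYSA only.
    d.add_registry_policy("KERBEROS.EXAMPLE.COM", "SYSA.I5OS", "GUESTPRF")
    return d
```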
<p>The use of identity
mapping requires that administrators do the following:</p>
<ol><li>Configure an EIM domain in the network. You can use the iSeries™ EIM
Configuration wizard to create a domain controller for the domain and configure
access to the domain. When you use the wizard you can choose to create a new
EIM domain and create a domain controller on the local system or a remote
system. Or, if an EIM domain already exists, you can choose to participate
in an existing EIM domain.</li>
<li>Determine which users defined to the directory server that hosts the EIM
domain controller are allowed to manage or access specific information in
the EIM domain and assign them to appropriate EIM access control groups.</li>
<li>Create EIM registry definitions for those user registries that will participate
in the EIM domain. Although you can define any user registry to an EIM domain,
you must define user registries for those applications and operating systems
that are EIM-enabled.</li>
<li>Based on your EIM implementation needs, determine which of the following
tasks to perform to complete your EIM configuration:<ul><li>Create EIM identifiers for each unique user in the domain and create identifier
associations for them.</li>
<li>Create policy associations.</li>
<li>Create a combination of these.</li>
</ul>
</li>
</ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvmst.htm">Enterprise Identity Mapping</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzamz/rzamzsso.htm">Single Signon Information Center Topic</a></div>
</div>
</div>
</body>
</html>