Single Sign-On Capability to Debut with OS/400 V5R2
by Alex Woodie
Users won't have to remember separate user names and passwords for accessing
applications on various servers when OS/400 V5R2 becomes available later this year.
That's because V5R2 will be the first release of OS/400 to provide Enterprise Identity
Mapping, an IBM eLiza initiative for
providing single sign-on capabilities, which means that a user can be given access to a
range of servers and applications by using a single user name and password.
With EIM, users will be authenticated the first time they log on to a participating server;
they will then be able to move freely around the network, across many applications and
incompatible servers. As the user goes from application to application within that same
session, EIM will automatically detect when an application is asking for authentication
and will provide that application with the correct user name and password. EIM is a tacit
admission on the part of IBM that users will maintain unique passwords and user names
for particular servers and applications, and that they will also lose track of them, which
causes big headaches for help desks. By having EIM keep track of many user names and
passwords for each individual user, users can automatically and transparently roam
around to the applications they have access to.
Besides ease of use, there are security benefits to using EIM, IBM says. Users will be
more apt to keep secure passwords if they only have to remember one, and it will be
much easier for systems administrators to deactivate accounts for employees who leave
the company, since there will be only one account directory.
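To make the mapping described above concrete, here is an added Python model of an EIM-style identity domain. It is constructed for this article and is not IBM's EIM code or API; the registry names, user names and the `get_target_from_source` method are assumptions. An application that has already authenticated a user through Kerberos asks the domain which user name that person holds in its own registry; the domain stores only the associations, so a single `remove_identifier` call deprovisions the person everywhere, which is the administrative benefit the paragraph above describes.

```python
"""Toy model of EIM-style identity mapping (constructed example, not IBM's EIM).

An EIM identifier stands for one person. Each association ties that
identifier to a user name in a named registry (a Kerberos realm, an
OS/400 system, a Windows 2000 domain). Lookups go from an authenticated
source identity to the target registry's user name; no passwords are
stored anywhere in the domain.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class MappingConflict(ValueError):
    """Raised when an association would make a lookup ambiguous."""


@dataclass
class EimDomain:
    # identifier -> {registry name: user name in that registry}
    identifiers: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # reverse index (registry, user) -> identifier, so that an authenticated
    # source identity resolves to exactly one person
    source_index: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add_identifier(self, identifier: str) -> None:
        self.identifiers.setdefault(identifier, {})

    def add_association(self, identifier: str, registry: str, user: str) -> None:
        if identifier not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {identifier!r}")
        owner = self.source_index.get((registry, user))
        if owner is not None and owner != identifier:
            # Two people claiming the same registry user would let one
            # impersonate the other, so the domain refuses the association.
            raise MappingConflict(f"{registry}/{user} already belongs to {owner!r}")
        existing = self.identifiers[identifier].get(registry)
        if existing is not None and existing != user:
            raise MappingConflict(f"{identifier!r} already maps to {registry}/{existing}")
        self.identifiers[identifier][registry] = user
        self.source_index[(registry, user)] = identifier

    def get_target_from_source(self, source_registry: str, source_user: str,
                               target_registry: str) -> Optional[str]:
        """Resolve an authenticated source identity to a target user name."""
        identifier = self.source_index.get((source_registry, source_user))
        if identifier is None:
            return None
        return self.identifiers[identifier].get(target_registry)

    def remove_identifier(self, identifier: str) -> int:
        """Deprovision a person: drop every association; returns how many."""
        associations = self.identifiers.pop(identifier, {})
        for registry, user in associations.items():
            self.source_index.pop((registry, user), None)
        return len(associations)


# Constructed sample data: one employee known under three different names.
KRB_REALM = "KRB.EXAMPLE.COM"          # assumed Kerberos realm name


def build_sample_domain() -> EimDomain:
    domain = EimDomain()
    domain.add_identifier("Jane Doe")
    domain.add_association("Jane Doe", KRB_REALM, "jdoe")                # Kerberos principal
    domain.add_association("Jane Doe", "OS400-SYS1", "JDOE")             # OS/400 user profile
    domain.add_association("Jane Doe", "WIN2000.EXAMPLE.COM", "jane.doe")  # Windows account
    return domain


def sso_lookup(domain: EimDomain, kerberos_principal: str, target_registry: str) -> Optional[str]:
    """What an EIM-enabled application does once Kerberos has authenticated the user."""
    return domain.get_target_from_source(KRB_REALM, kerberos_principal, target_registry)


if __name__ == "__main__":
    d = build_sample_domain()
    print(sso_lookup(d, "jdoe", "OS400-SYS1"))        # JDOE
    print(d.remove_identifier("Jane Doe"))            # 3
    print(sso_lookup(d, "jdoe", "OS400-SYS1"))        # None
```

The conflict check in `add_association` is the part worth copying into any real identity-mapping store: if two identifiers could claim the same source user, a lookup would have to guess which person just authenticated, and the single sign-on step would become an impersonation path.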
IBM wanted to use technologies based on open standards to build EIM, so it chose
Kerberos and Lightweight Directory Access Protocol. Kerberos is an authentication
system developed at the Massachusetts Institute of Technology that embeds unique,
cryptographic keys, called "tickets," into messages that identify the sender of that
message as it moves across a network. LDAP is a set of protocols that allow virtually any
application, running on practically any platform, to share directory information such as
names, e-mail addresses, and passwords.
Systems administrators will be able to configure EIM through iSeries Navigator, the new
name IBM has given to Operations Navigator with OS/400 V5R2. There will be a
self-guided GUI to help administrators configure EIM and set up the central registry, or
domain controller, as it will be called in iSeries lingo, said Amit Dave, product marketing
for iSeries and enterprise software at IBM.
When EIM becomes available with OS/400 V5R2, this August, IBM plans to deliver an
API that will allow users and software vendors to tie into the EIM system so they can
map to EIM's authentication process. As long as the third-party applications can support
Kerberos and LDAP, they will be able to extend the single sign-on capability to the
people who use those applications.
The API that IBM will deliver will be freely available and easy to use, by users and
software vendors alike, Dave said. "You don’t need a rocket scientist," he said. "We've
been discussing this with the business partners, and they're very eager to work with it."
Companies won't have to pay extra for EIM, because it will be delivered with iSeries
Navigator, which is part of Client Access Express.
It's interesting to note that, while EIM is part of IBM's eLiza initiative, much of its
development was spearheaded by IBM's Rochester, Minnesota, labs, the home of the
iSeries. The eLiza Project was launched by IBM one year ago, with the goal of creating
technologies, such as computers that can self-heal and self-administer, that can be applied
across IBM's entire eServer line. Patrick Botz, IBM's iSeries security architect, was the
key force driving EIM at Rochester and within IBM, Dave said.
EIM will debut first in IBM's eServer iSeries, while IBM's zSeries team is still working
on its implementation and should have it ready by the summer. EIM should also be
supported with Windows 2000 at that time, Dave said, while EIM support will then be
brought to the pSeries and its AIX operating system at a later date. IBM is expected to
launch AIX 5L 5.2 around October, and we may see EIM appear then for AIX as well.
This article has been edited since its original publication. The iSeries security architect
mentioned is named Patrick Botz, not Patrick Boutz, as originally written. Guild Companies regrets the error.
[Correction made 05/3/02]