Admin Alert: Configuring an i5/OS-based EIM Table for Single Sign-On
May 18, 2005 Joe Hertvik
In previous columns, I introduced several concepts and configurations for enabling IBM‘s Single Sign-On (SSO) technology, in which Windows domain users access a Kerberos server to automatically authenticate and authorize themselves to use i5/OS applications without entering an OS/400 user profile and password. While previous articles focused on network configuration, this week I’ll look at how you create and use an Enterprise Identity Mapping (EIM) domain to tell Kerberos which i5/OS user profiles to use to automatically sign a user on to an i5 or iSeries partition.
Please note that this article is the next installment of a group of articles on configuring SSO for i5/OS. These articles cover the following information:
- Requirements and pre-configuration tasks for enabling SSO on your iSeries partitions (from two weeks ago)
- Configuring your i5/OS partitions and a Windows Key Distribution Center server (KDC) to exchange Kerberos information for SSO (last week’s story)
- Configuring an Enterprise Identity Mapping table (EIM) inside i5/OS to tell Kerberos which i5/OS user profiles Windows users should be signed on as (mapped to) when they access i5/OS partitions and applications transparently through SSO (this week)
- User desktop configurations for using SSO for i5 access from a Windows client machine (coming soon)
The step-by-step information for configuring SSO can be found in IBM’s Windows-based Single Sign-On and the EIM Framework on the IBM eServer iSeries Server Redbook (SG24-6975-00), which I’ll refer to as “the redbook.” While I won’t repeat the exact configurations that IBM uses in the redbook, I will summarize and supplement the EIM configuration process with additional comments. Also note that all references to i5/OS refer to an i5, iSeries, or AS/400 machine running OS/400 V5R2 or above.
Under SSO, users are automatically authorized and authenticated to i5 applications using information contained in an Enterprise Identity Mapping domain (EIM). EIM is basically a look-up table where each user’s identities (user IDs) in different user registries (target platforms and applications) are mapped to a source identity in a Windows domain containing a Kerberos Key Distribution Center server (KDC). Using EIM in an SSO environment means that, after a Windows user is authenticated by the Kerberos KDC, Windows-based applications that access different i5/OS partitions (such as iSeries 5250 or ODBC) can query the EIM table to discover which user identity the authenticated user should be assigned to for that user registry. The user is then allowed to automatically sign on to the user registry specified in the requesting application by using the target user ID specified in the EIM table (no password is required).
To create an EIM table that target applications can access, you need to perform the following steps on your iSeries or i5 boxes:
- Configure an EIM domain and an EIM domain controller for your network. In this article, the domain controller uses a Lightweight Directory Access Protocol server (LDAP) running on an i5/OS machine, although the controller can be configured to run on another platform. (I discussed how to configure LDAP for SSO usage in a previous article in this series)
- For each additional i5 partition that you want to enable SSO for, configure IBM’s Network Authentication Service (NAS) on that partition, as described in my previous article and in sections 8.3-8.3.2 of the redbook. You will also need to add the new i5-iSeries partition to the EIM domain, as described in section 8.3 of the redbook.
- Add one user identifier to your EIM domain for each user that will be using SSO to automatically sign-on to i5 target applications. The identifier will contain a descriptive name for each user, the user ID the user signs on as for the source Kerberos KDC server in your Windows domain, and target entries that contain the i5/OS user ID that will be used when the source user requests a service from each of your target i5 partitions.
- Configure your target applications on the user’s desktop to use Kerberos and EIM to automatically authorize and authenticate the user to sign on to i5/OS applications without entering a user ID or password (covered next issue).
To perform these configurations, here’s the process I followed by using the redbook, other IBM materials (referenced below), and advice from IBM technical support. By following these steps in conjunction with the redbook, you should be able to configure and verify that your i5 partitions can run SSO.
1. Make sure you have a filled out copy of the Configuration Planning Worksheets from Appendix D of the redbook. Also be sure to review the earlier articles in this series to insure that you’ve completed all the necessary configuration tasks that are needed before setting up EIM. On the worksheet, you will decide which iSeries LDAP server you want to configure your EIM domain on (as specified by the fully qualified name of the i5/OS box the EIM table will be hosted on), the name of your EIM domain, and the Administrator Distinguished Name (DN) and password for the LDAP server that will be used as the EIM domain controller.
2. Review chapter six of the redbook to understand the concepts behind EIM. Chapter six explains EIM issues, and it provides a good basis for understanding what’s involved in an EIM configuration.
3. Configure your EIM domain and EIM domain controller by using the EIM configuration wizard in iSeries Navigator. The exact steps for performing this function are detailed in section 7.2.1 of the redbook. For the EIM domain controller, you specify that you want to create and join a new EIM domain by using the values from the worksheet. The wizard asks for two sets of distinguished names and passwords. The first set–on the Specify User for Connection window–is used only by the EIM wizard when the wizard connects to the LDAP server to perform the configuration. The second set–which is listed on the Specify EIM System User window–is used by various system functions to connect to the EIM domain. Both sets of distinguished names and passwords can be the same. The wizard will stop and restart your i5/OS LDAP server during this process. The wizard’s final configuration window will contain a summary of all your configuration choices. You may want to print a copy of that window for future reference.
4. Add the EIM domain you just created to a list of EIM domains that you want to manage from your iSeries Navigator client. This allows you to manage, add, and modify EIM information from your local PC. This configuration option is local to the iSeries Navigator installation you are currently working on. This step is also necessary to perform the user identifier configuration listed in step six. If you want to manage the domain from a second PC running iSeries Navigator, you will need to run this configuration step a second time on that PC. Setting up iSeries Navigator to manage your EIM domain is a simple process that is performed by using the instructions listed in section 7.2.2 of the redbook.
5. If you want to add another i5 or iSeries partition to your EIM domain, follow the instructions in section 8.3 of the redbook. This may require you to first enable the Network Authentication Service (NAS) service on your additional i5/OS partition, as well as specifying that these additional partitions are joining an already existing EIM domain, rather than creating a new domain for each partition. As you did when you created the EIM domain in step three, you add i5/OS partitions to an existing EIM domain by using the EIM wizard. There are a few different configuration options when adding a new i5/OS partition to an existing domain, so follow the steps in section 8.3.3 carefully, particularly on the Welcome window and when specifying registries on the Registry Information window.
6. Use iSeries Navigator to add user identifiers and associations to your EIM domain. Users are set up to use SSO on i5/OS boxes by adding user identifiers and associations to your EIM domain. These steps are described in section 7.2.3 and 8.3.4 of the redbook.
A user identifier contains a set of entries that describes that user in your EIM domain. It’s helpful to think of a user identifier as a container that holds all the associations needed to enable SSO for i5 boxes residing in a Windows network. Once a user identifier is added, you need to add one source association and at least one target association to that identifier for each user in your EIM domain. A source association specifies the registry name (a fully qualified domain name) and the user name that is used to sign on to your domain’s Kerberos KDC server. Source entries are specified by an Association type of source. Once a source association is defined for a user identifier, you can define as many target associations as necessary for that same identifier. Each target association contains the fully qualified registry name of an SSO enabled i5 or iSeries partition, as well as the i5/OS user profile name that the source user will use when as it is automatically signed on to that partition through SSO. Target entries are specified by an Association type of target.
By entering this information for each user into EIM, a user identifier creates a map for what user profiles a Windows network domain user should use when he is automatically signed on to an i5 or iSeries box through SSO.
At this point, you’ve configured an EIM table on an i5/OS box. The next step is to configure Windows desktop applications to enable your Windows desktop applications–such as iSeries Navigator, ODBC, and iSeries Access 5250 emulation–to access your Kerberos-EIM implementation to automatically sign users on to your target i5 boxes when an SSO enabled user calls those applications. And that will be the focus of our next article.
Admin Alert: Getting Ready for Single Sign-On, Four Hundred Guru, April 27, 2005, Joe Hertvik
Admin Alert: Configuring i5/OS and a Windows Network Server for SSO, Four Hundred Guru, May 4, 2005, Joe Hertvik
Windows-Based Single Sign-On and the EIM Framework on the IBM eServer iSeries Server, IBM Redbook (SG24-6975-00)
Introduction to Single Sign-On with OS/400 and i5/OS (Presentation Slides), Skyview Partners as hosted on the COMMON Belgium Web site, Carol Woodbury
Single Sign-On Myths, IT Jungle, August 19, 2003, Pat Botz