
Single signon possibilities for iSeries


Presentation Transcript


  1. Single signon possibilities for iSeries Mandy Shaw, Logicalis (with many thanks to Pat Botz of IBM Rochester)

  2. Simplify your infrastructure: single level signon
  • What Every Enterprise Wants
    • Protect access to enterprise resources at lowest possible cost
  • What Every User Wants
    • Highest possible convenience and productivity
    • Not to have to remember or change passwords

  3. SSO Definition
  • What we mean by SSO
    • The ability of an end user to sign in to the enterprise network and run multi-tier applications without being prompted again for authentication data, and without requiring the end user to have the same user ID and/or password on every system.
  • What we don’t mean by SSO
    • Same user id everywhere
    • Same password everywhere
    • Centralized storing/caching of passwords
    • LDAP Authentication

  4. Kerberos and Enterprise Identity Mapping
  • Kerberos involves the acceptance of a single authentication by ‘Kerberised’ applications, avoiding the need for passwords
  • EIM links user ids for different servers, at individual or group level
  • EIM can be used without Kerberos; Kerberos can be used without EIM

  5. Nirvana
  (Diagram: one user signs on once and reaches Windows 2000/NT, NetServer, NDS, Extranet / Internet, WebSphere, Linux, iSeries, the intranet, AIX and RACF on z/OS. John Smith's single user ID: u:JSimth p:myonepwd.)

  6. OS/400 approach gets you here
  (Diagram: the user signs on to Windows NT/98/95 or Windows 2000/2003 Server and reaches NetServer, WebSphere, NDS, the intranet, Linux, iSeries, RACF on z/OS and AIX. John Smith's user IDs across systems: u:John Smith, u:JSimth, u:John, u:Smith1, u:JoSm05, etc. John Smith's user IDs on iSeries: u:JohnSmith p:myonepwd, u:simthj p:*NONE, u:John p:*NONE, u:Smith1 p:*NONE, u:JoSm05 p:*NONE, etc.)

  7. OS/400 implementation elements
  • Kerberos
    • OS/400 can store KDC and do Kerberos authentication
    • Typically, it won’t
  • EIM
    • Identifiers for individuals
    • Maps identifiers to user ids in registries
  • Network Authentication Service
    • Identifies where the Kerberos authentication is done, and for which apps
  • LDAP directory
    • used purely to store EIM data
  • Applications
    • NetServer, iSeries Navigator, Management Central, PC5250, QFileSvr.400, …

  8. Benefits
  • Whatever the user profile password is set to, it is not used for authentication, therefore can be set to *NONE
  • No need to store/cache passwords
  • Exploits signon technology that the significant majority of end users use when they sign on
  • Comparatively small overhead to implement and manage over time
  • Use within application development

  9. Things to consider
  • EIM doesn’t create or delete users: it just maps them and saves management time
  • Use with V5R2 requires appropriate PTFs
  • Kerberos authentication doesn’t yet cover all possible OS/400 applications (e.g. FTP)
  • Domino and WebSphere currently require special treatment
    • Domino: consider Active Directory integration
    • WebSphere: consider identity tokens or Domino integration
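The mapping step slides 7 to 9 describe (a verified Kerberos principal resolved through an EIM identifier to a target registry user, with the profile password never consulted and no profile ever created) as an added example; this is a constructed model written for this page, not OS/400 or the EIM API, and the registry names, principals and profiles are made up:

```python
# Constructed model of a Kerberos + EIM signon (not the OS/400 EIM API).
from dataclasses import dataclass, field


@dataclass
class EimIdentifier:
    """One person: source associations (registry -> user id) and target associations."""
    name: str
    source: dict = field(default_factory=dict)   # e.g. {"ACME.COM": "jsmith"}
    target: dict = field(default_factory=dict)   # e.g. {"ISERIES1": "SMITH1"}


class EimDomain:
    """The EIM data normally held in the LDAP directory (slide 7)."""

    def __init__(self):
        self.identifiers = []

    def get_target_from_source(self, src_registry, src_user, tgt_registry):
        """Map a source registry user to a target registry user; None if not unique."""
        hits = [i for i in self.identifiers if i.source.get(src_registry) == src_user]
        if len(hits) != 1:          # no association, or an ambiguous one: do not map
            return None
        return hits[0].target.get(tgt_registry)


def kerberos_signon(domain, principal, tgt_registry, profiles):
    """Resolve an already-verified Kerberos principal (user@REALM) to a local profile.

    profiles maps user profile -> password; the password is never consulted,
    so *NONE is fine (slide 8). A missing profile is a failure, because EIM
    maps users but never creates them (slide 9).
    """
    user, realm = principal.split("@", 1)
    target = domain.get_target_from_source(realm, user, tgt_registry)
    if target is None or target not in profiles:
        return None
    return target


def build_demo_domain():
    """Constructed sample: John Smith has different ids on each system."""
    domain = EimDomain()
    john = EimIdentifier("John Smith")
    john.source["ACME.COM"] = "jsmith"        # Kerberos realm (Windows domain)
    john.target["ISERIES1"] = "SMITH1"        # OS/400 user profile
    john.target["ZOS_RACF"] = "JOSM05"        # RACF user id
    domain.identifiers.append(john)
    return domain


if __name__ == "__main__":
    d = build_demo_domain()
    print(kerberos_signon(d, "jsmith@ACME.COM", "ISERIES1", {"SMITH1": "*NONE"}))
```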
