Single Sign-on Implementation Best Practices

SHARE in Orlando Session 17436


Single Sign-on Implementation Best Practices. Thomas Barlen, Senior Managing Consultant, barlen@de.ibm.com

Agenda
- Implementation challenges
- Best practices setup
- Ongoing administration

Single Sign-On with IBM i (slide diagram; the text below is recovered from the figure)

EIM domain controller, identifier barlen@de.ibm.com:
  Source association:   Registry WIN.DOM.COM   User Thomas.Barlen   Type Kerberos
  Target associations:  Registry ServerA       User BARLENT         Type i5/OS
                        Registry ServerB       User TBARLEN         Type RACF
                        Registry IntraNet      User barlen          Type AIX
                        Registry SysA          User BARLEN1         Type i5/OS

Exchange between the user, the Key Distribution Center (AS and TGS on the Windows domain controller), SysA and EIM (the TGT request is not shown):
1. User to KDC: Can I have a service ticket for SysA?
2. KDC to user: Sure, here is the ticket for Thomas.Barlen.
3. User to SysA: Please let me in, here is my ticket. Thomas Barlen
4. SysA to EIM: Do you know Thomas.Barlen from WIN.DOM.COM?
5. EIM to SysA (over SSL): Yes, it is BARLEN1.
6. SysA to user: Hey, welcome BARLEN1.
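The lookup in the slide, as an added example that is not code from the presentation: an in-memory model of an EIM domain with source and target associations. The registry names, user names and the identifier barlen@de.ibm.com are the slide's; the class layout and the case-insensitive matching are assumptions of this example.

```python
# Added example, not code from the presentation: an in-memory model of an
# EIM domain that reproduces the slide's lookup. Registry names, user names
# and the identifier barlen@de.ibm.com come from the slide; the class layout
# and the case-insensitive matching are assumptions of this example.
from dataclasses import dataclass, field


@dataclass
class EimIdentifier:
    name: str
    sources: set = field(default_factory=set)    # {(registry, user)} that log on as this person
    targets: dict = field(default_factory=dict)  # registry -> local user this person becomes


class EimDomain:
    def __init__(self) -> None:
        self.identifiers: dict = {}  # identifier name -> EimIdentifier

    def add_identifier(self, name: str) -> EimIdentifier:
        return self.identifiers.setdefault(name, EimIdentifier(name))

    def add_source(self, ident: str, registry: str, user: str) -> None:
        self.identifiers[ident].sources.add((registry.upper(), user.lower()))

    def add_target(self, ident: str, registry: str, user: str) -> None:
        self.identifiers[ident].targets[registry.upper()] = user

    def lookup(self, src_registry: str, src_user: str, tgt_registry: str):
        """Answer the server's question 'do you know <user> from <registry>?'.
        Returns the target user name, or None when no mapping exists (the
        'EIM mapping found? No' branch, after which the logon fails)."""
        key = (src_registry.upper(), src_user.lower())
        matches = [i for i in self.identifiers.values() if key in i.sources]
        if len(matches) != 1:  # nothing found, or an ambiguous mapping
            return None
        return matches[0].targets.get(tgt_registry.upper())


def build_slide_domain() -> EimDomain:
    """The data from the slide: one Kerberos source, four target registries."""
    d = EimDomain()
    d.add_identifier("barlen@de.ibm.com")
    d.add_source("barlen@de.ibm.com", "WIN.DOM.COM", "Thomas.Barlen")
    for reg, user in [("ServerA", "BARLENT"), ("ServerB", "TBARLEN"),
                      ("IntraNet", "barlen"), ("SysA", "BARLEN1")]:
        d.add_target("barlen@de.ibm.com", reg, user)
    return d
```

The None result is exactly the case the later NetServer slides warn about: a valid Kerberos ticket for a user whose EIM mapping has not been defined yet.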

Kerberos and EIM-enabled applications
- Host servers (used by IBM i Access for Windows)
- Telnet server, used by PC5250 from IBM i Access, WebSphere Host On-Demand V8, the 5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions and IBM Personal Communications 5.9
- IBM i Telnet client (V7R2)
- QFileSrv.400
- Distributed Relational Database Architecture (DRDA), Open Database Connectivity (ODBC), Java Database Connectivity (JDBC)
- HTTP Server for IBM i (powered by Apache)
- Management Central
- Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no EIM involved)
- Windows Integration
- FTP Client and Server (V7R2)
- NetServer
- IBM WebSphere Application Server
- Network File System (NFS)

1. Challenge: Domain Name Services

Before setting up Kerberos, every IP address of a service in the network should resolve to the same host name in both the forward and the reverse direction.
- The IBM i DNS entry can have multiple A records / aliases per IP address.
- There must be only one pointer (PTR) record per IP address.
- The fully qualified host name of the IBM i partition needs to be added as the first name in the IBM i local hosts table.

DNS lookups performed when requesting a service ticket:
- Forward lookup (host name to IP address). Example: DNS query: Prodsys1, DNS response: 172.16.5.1
- Reverse lookup (IP address to host name). Example: DNS query: 172.16.5.1, DNS response: prodsys1.domain.local
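A pre-flight check for the three rules above, as an added example that is not code from the presentation: it takes a snapshot of the A records, PTR records and the IBM i hosts table and reports every IP address whose forward and reverse names disagree. The sample records are constructed; prodsys1, domain.local and 172.16.5.1 are the slide's own example values.

```python
# Added example, not code from the presentation: checks the slide's DNS and
# hosts-table rules against a zone snapshot before Kerberos is configured.
# All records below are constructed sample data; prodsys1, domain.local and
# 172.16.5.1 are the slide's own example values, the alias is an assumption.
from collections import defaultdict


def check_kerberos_names(a_records, ptr_records, hosts_lines):
    """Return a list of problems; an empty list means the names are consistent.

    a_records:   (hostname, ip) pairs; several names per IP are fine.
    ptr_records: (ip, hostname) pairs; exactly one per IP, and that name must
                 resolve back to the same IP.
    hosts_lines: IBM i hosts table lines 'ip name [alias ...]'; the first name
                 must be the FQDN, i.e. the name the PTR record returns.
    """
    problems = []
    forward = defaultdict(set)   # name -> {ip}
    reverse = defaultdict(list)  # ip -> [name]; a list so duplicates show up
    for name, ip in a_records:
        forward[name.lower()].add(ip)
    for ip, name in ptr_records:
        reverse[ip].append(name.lower())

    for ip in sorted({ip for _, ip in a_records}):
        names = reverse.get(ip, [])
        if len(names) != 1:
            problems.append(f"{ip}: expected 1 PTR record, found {len(names)}")
            continue
        if ip not in forward[names[0]]:
            problems.append(f"{ip}: PTR name {names[0]} does not resolve back to {ip}")

    for line in hosts_lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, first = fields[0], fields[1].lower()
        ptr = reverse.get(ip, [None])[0]
        if "." not in first or first != ptr:
            problems.append(f"hosts table: first name for {ip} is {first}, expected {ptr}")
    return problems


# Constructed sample zone: one IP, two forward names (allowed), one PTR.
SAMPLE_A = [("prodsys1.domain.local", "172.16.5.1"), ("prodsys1", "172.16.5.1")]
SAMPLE_PTR = [("172.16.5.1", "prodsys1.domain.local")]
SAMPLE_HOSTS = ["172.16.5.1 prodsys1.domain.local prodsys1"]
```

Feed it the output of your zone export and the partition's hosts table; a second PTR for the same address or a short name listed first in the hosts table shows up as a problem before any Kerberos ticket is requested.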

2. Challenge: Time
- Kerberos is time sensitive: by default, the system times of all participating hosts must be within 5 minutes of each other.
- The correct time zone must be configured.
- Use a network time protocol client to synchronize time.
(Figure: a corporate time server with an SNTP client on each participating host.)

3. Challenge: Mass deployment
- Enabling SSO on the client side mostly requires configuration changes.
- The configurations reside in different places.
- Manual reconfiguration is unfeasible for hundreds or thousands of clients.
- You need to identify the client products, including their versions, and find out where the relevant configuration parameters are stored.
(Figure, captioned "Registry and Config Files": Windows 8 with IBM i Navigator and PC5250 emulation, settings in the Windows registry; Windows 8 with the IBM i Access Client Solutions 5250 Java emulator, settings in config files; Ubuntu Linux with the IBM i Access Client Solutions 5250 Java emulator.)

Implementation
- Use the configuration wizards for Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM) to perform the basic setup.
- Everything is described in the IBM i knowledge base under Security, Single sign-on.
- The wizards are made to simplify the configuration; however, some of the wizard-generated configurations are not considered good practice.

Implementation: NetServer considerations

All IBM i related client applications need to be configured to use Kerberos authentication rather than user/password, EXCEPT the Microsoft SMB client.

SMB client behavior when mapping a drive from IBM i NetServer (flowchart; the decision points below are recovered from the figure):
- The drive mapping is initiated from Windows (here by Thomas Barlen).
- Windows always requests a Kerberos ticket from the KDC (AD).
- Ticket from AD? If not, authenticate with user/password: user/password valid? Yes: authentication successful. No: authentication failed.
- Kerberos configured for NetServer? If not, authenticate with user/password as above; if yes, authenticate with the Kerberos ticket.
- Ticket valid? No: authentication failed.
- EIM mapping found? Yes: authentication successful. No: authentication failed.
The slide marks the "Typical problem" in this flow; the following slide shows how to keep workstations on the user/password path until all EIM mappings exist.

Implementation: NetServer considerations (cont'd)

During the implementation and test phase it is recommended to register only a service principal name (SPN) that is not used by the workstations for mapping a drive. Of the candidate SPNs
  cifs/iprod1.dom.local@windows.domain
  cifs/iprod1@windows.domain
  cifs/qiprod1@windows.domain
  cifs/10.1.1.70@windows.domain
register only the IP-address SPN and test your mapping function with the NetServer via \\10.1.1.70\QIBM.

Once all testing is complete and ALL EIM mappings have been defined, register the remaining SPNs in AD:
  cifs/iprod1.dom.local@windows.domain
  cifs/iprod1@windows.domain
  cifs/qiprod1@windows.domain

Making life easy for Windows administrators
- Windows administrators tend to be reluctant to change THEIR Windows AD.
- Simplify as much as possible the configuration of the required service accounts for the IBM i Kerberos service principals.
- Take the Windows batch file generated by the IBM i configuration wizard:

  DSADD user cn=prodsys_1_krbsvr400,cn=users,dc=win,dc=dom,dc=com -pwd krb76fwall -display prodsys_1_krbsvr400
  KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/prodsys.win.dom.com@win.dom.com -PASS krb76fwall -mapop set

- Modify it so that the Windows admin just needs to run it (the container for the account, ou=serviceaccounts in the example, must be provided by the Windows admin):

  DSADD user cn=prodsys_1_krbsvr400,ou=serviceaccounts,dc=win,dc=dom,dc=com -pwd krb76fwall -display prodsys_1_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services for system PRODSYS1"
  KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/prodsys.win.dom.com@win.dom.com -PASS krb76fwall -mapop set

EIM system account
- During the EIM setup, an EIM system account is specified; it defaults to the wizard admin account.
- The problem: when the LDAP server administrator password gets changed, SSO stops working, because the password stored in the EIM properties no longer matches the administrator's password.

EIM system account (cont'd)
- Prior to running the EIM configuration wizard, create an LDAP sub-tree to hold the EIM domain data and the user entry.
- The following example shows an LDIF file (/home/barlen/eim.ldif) that generates these entries:

  dn: o=eim
  objectclass: organization
  o: eim
  description: EIM domain data

  dn: cn=eimsystem,o=eim
  objectclass: inetorgperson
  objectclass: eperson
  cn: eimsystem
  sn: EIM
  description: EIM system user
  uid: eimsystem
  userpassword: kl75frqk0s

Resulting tree: o=eim, with the entries cn=eimsystem and ibm-eimdomainname=eim below it.

EIM system account (cont'd)
- Create the entries via the command line (easy); -w ? prompts for the bind password instead of placing it on the command line:

  ldapadd -h localhost -D cn=administrator -w ? -f /home/barlen/eim.ldif

- Alternatively you can use the IBM Tivoli Directory Web Management Tool.

EIM system account (cont'd)
- Grant the EIM system user permissions for EIM operations.

EIM system account (cont'd)
- Use the EIM system user in the EIM configuration wizard.

Mass deployment of SSO - EIM
- EIM is only used on the server side, so there is no need for client setup.
- It is recommended to use tools or write a program to automatically create EIM identifiers and associations.
- Example: Lab Services IBM PowerSC Tools for IBM i, SSO Suite for EIM.

Mass deployment of SSO - Kerberos
- Client configuration needs to be changed from user/password to Kerberos authentication.
- The exception is the SMB client used to access NetServer.
- Typically the configuration change is manual.

Mass deployment of SSO - Kerberos (cont'd)
- SSO configuration settings are stored in various places.
- IBM i Navigator provides a central switch to turn SSO on or off for IBM i Navigator, PC5250 and ODBC; each application can override the Navigator setting.
- IBM i Navigator stores the configuration setting in the Windows registry: 1 = Use default user, 2 = Prompt every time, 3 = Use Windows user name, 4 = Use Kerberos.

Mass deployment of SSO - Kerberos (cont'd)
- The IBM i Navigator registry setting can be exported to a .reg file and used for automatic import via login scripts.
- As an alternative to the registry approach for IBM i Navigator you can also use the IBM i Access for Windows cwbenv command:
  Export a connection environment including its settings (includes all connections): cwbenv /E "My connections" ibmienv.fil
  Import a connection environment: cwbenv /I /O ibmienv.fil   (/O overrides existing connections with the new settings)
- IBM Access Client Solutions stores the settings in the prefs.dat file under \Documents\IBM\iAccessClient\Settings\client.configuration\com.ibm...\systname\

EIM domain controller availability

Using a single EIM domain controller for multiple IBM i partitions introduces a single point of failure (SPOF). (Figure: partitions P2, P3, P4 and P5 have all joined the EIM domain served by one EIM domain controller; that controller is the SPOF.) If the system hosting it is down, SSO stops working on all systems.

EIM domain controller availability (cont'd)
- EIM domain data are stored in an LDAP server (IBM Directory Server).
- LDAP replication functions can be used to improve availability.
- IBM i provides master-replica, master-forwarder-replica, and multi-master replication. (Figure: replication between Master/Peer 1, Peer 2 and Master/Peer 3, with an administrator issuing ldapmodify against the masters.)

EIM domain controller availability (cont'd)
- Once replication has been set up, change the EIM properties on each system to point to itself as the EIM domain controller.
- Use the same approach for HA environments between the production and DR system. (Figure: P4 and P5 each run an LDAP server acting as EIM controller and replicate using TLS; the EIM configuration on P4 has CTRL: Master1, on P5 CTRL: Master2.)

Ongoing administration
- It is recommended to use tools or write a program to automatically create EIM identifiers and associations.
- If naming conventions exist for user names, use an exit program for the QIBM_QSY_CRT_PROFILE / QIBM_QSY_DLT_PROFILE exit points to create and delete EIM mappings.
- NAS does not require any administration unless the service account passwords change.

Conclusion
- Implementation challenges: DNS name resolution, time synchronization, mass deployment
- Best practices setup: NetServer considerations, making life easy for Windows administrators, EIM system user and LDAP server setup, automating workstation configuration, high availability environment
- Ongoing administration: Enterprise Identity Mapping (EIM) administration

Thanks

IBM Systems Lab Services and Training

Our Mission and Profile
- Support the IBM Systems Agenda and accelerate the adoption of new products and solutions
- Maximize performance of our clients' existing IBM systems
- Deliver technical training, conferences, and other services tailored to meet client needs
- Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners)

Our Competitive Advantage
- Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers
- Combined expertise of Lab Services and the Training for Systems team
- Skills can be deployed worldwide to assure all client needs can be met