Single Sign-on Implementation Best Practices Thomas Barlen Senior Managing Consultant barlen@de.ibm.com
Agenda Implementation challenges Best practices setup Ongoing administration 2
Single Sign-On with IBM i EIM Domain Controller So Ty urc pe e ID Identifier: barlen@de.ibm.com Registry: WIN.DOM.COM User: Thomas.Barlen Type Kerberos ServerA ServerB IntraNet SysA BARLENT TBARLEN barlen BARLEN1 i5/os RACF AIX i5/os u om yo n fr? do l e A r, ar YS lle.b S r o as n nt m s o co h o i M T OM EI ho.c ar w M De ow.do kn I N W 4 Key Distribution Center (KDC) AS TGS Windows Domain Controller S Ca n ser I h av vi c e S e a tic YS 1 A? ket fo r ur us e, he er Th r e i s om t as. he tic Ba r l e ket f o 2 n. r TGT request is not shown t ID e rg Ta pe Ty Target ID Type Ye s, i ti Tar g Typ etid e Ta sb A Ty rg R p e LE e ti D SSL N1 5 is name e in. y M. t m e y tick Please let m 3 s i Here rlen. a B. s a Thom Thomas 6 N1 BARLE e m o elc Hey. W 3 SysA
Kerberos and EIM-enabled applications Host servers (used by IBM i Access for Windows) Telnet server used by PC5250 from IBM i Access, WebSphere Host On-Demand V8, 5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions, IBM Personal Communications 5.9 IBM i Telnet client (V7R2) QFileSrv.400 Distributed Relational Database Architecture (DRDA), Open Database Connectivity (ODBC), Java Database Connectivity (JDBC) HTTP Server for IBM i (powered by Apache) Management Central Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no EIM involved) Windows Integration FTP Client and Server (V7R2) NetServer IBM WebSphere Application Server Network File System (NFS) 4
1. Challenge: Domain Name Services Before setting up Kerberos, all IP addresses of services in a network should be resolved to the same host name IBM i DNS entry can have multiple A records / aliases per IP address must have only one pointer (PTR) record per IP address Fully qualified host name of IBM i partition needs to be added as first name in IBM i local hosts table DNS lookup when requesting a service ticket Forward lookup: host name to IP addr Example: DNS query: Prodsys1 DNS response: 172.16.5.1 Reverse lookup: IP addr to host name Example: DNS query: 172.16.5.1 DNS response: prodsys1.domain.local 5
2. Challenge: Time Kerberos is time sensitive By default, system times of all participating hosts must be within 5 minutes difference Correct time zone must be configured Use network time protocol client to synchronize time Corporate Time Server SNTP Client SNTP Client SNTP Client 6
3. Challenge: Mass deployment Enabling SSO on the client side mostly requires configuration changes Configurations reside in different places Manual reconfiguration unfeasible for 100s or 1000s of clients Need to identify client products including their versions and figure out where the relevant configuration parameters are stored Windows 8 IBM i Navigator PC5250 emulation ws Windo ry t Regis Windows 8 IBM i Access Client Solution 5250 Java emulator Conf ig Files Ubuntu Linux IBM i Access Client Solution 5250 Java emulator Registry and Config Files 7
Implementation Use the configuration wizards for Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM) to perform the basic setup Everything described in the IBM i knowledge base Security Single sign-on However wizards are made to simplify the configuration some of the wizard generated configurations are not considered a good practice 8
Implementation: NetServer considerations All IBM i related client applications need to be configured to use Kerberos authentication rather than user/password EXCEPT ------> The Microsoft SMB client SMB client behavior when mapping a drive from IBM i NetServer StolenInitiate from Thomas mappingbarlen Windows always requests Krb ticket from KDC (AD) Yes Authenticate with Krb Tkt Kerberos configured for NetServer? Authentication failed No Authenticate with user/pwd Usr/Pwd valid? Yes No No Tkt from AD? Ticket valid? No Yes Yes No EIM mapping found? Yes Authentication successful 9 Typical problem
Implementation: NetServer considerations (cont d) During the implementation and test phase it is recommended to Register only a service principal name (SPN) that is not being used for mapping a drive by the workstations cifs/iprod1.dom.local@windows.domain cifs/iprod1@windows.domain cifs/qiprod1@windows.domain cifs/10.1.1.70@windows.domain Test your mapping function with the NetServer \\10.1.1.70\QIBM Once all testing is complete and ALL EIM mappings have been defined, register the remaining SPNs in AD cifs/iprod1.dom.local@windows.domain cifs/iprod1@windows.domain cifs/qiprod1@windows.domain 10
Making life easy for Windows administrators Windows administrators tend to be reluctant changing THEIR Windows AD Simplify as much as possible the configuration of the required service accounts for the IBM i Kerberos service principals Take the IBM i configuration wizard Windows batch file DSADD user cn=prodsys_1_krbsvr400,cn=users,dc=win,dc=dom,dc=com -pwd krb76fwall -display prodsys_1_krbsvr400 KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/prodsys.win.dom.com@win.dom.com -PASS krb76fwall -mapop set Modify it so that the Windows admin just needs to run it Must be provided by Windows admin DSADD user cn=prodsys_1_krbsvr400,ou=serviceaccounts,dc=win,dc=dom,dc=com -pwd krb76fwall -display prodsys_1_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services for system PRODSYS1" KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/prodsys.win.dom.com@win.dom.com -PASS krb76fwall -mapop set 11
EIM system account During the EIM setup, an EIM system account is specified Defaults to the wizard admin account The problem when the LDAP server administrator password gets changed, SSO stops working the password stored in the EIM properties does not match the password of the admin anymore 12
EIM system account (cont d) Prior to running the EIM configuration wizard create a LDAP sub-tree to hold EIM domain data and user entry Following example shows an LDIF file to generate these entries Browse : /home/barlen/eim.ldif Record : 1 of 15 by Control : 18 root...+...1...+...2...+...3...+...4...+...5. ************Beginning of data************** dn: o=eim objectclass: organization o: eim o=eim description: EIM domain data dn: cn=eimsystem,o=eim objectclass: inetorgperson objectclass: eperson cn: eimsystem sn: EIM description: EIM system user uid: eimsystem userpassword: kl75frqk0s ************End of Data******************** cn=eimsystem ibm-eimdomainname=eim 13
EIM system account (cont d) Create the entries via command line (easy) ldapadd h localhost D cn=administrator w? f /home/barlen/eim.ldif Alternatively you can use the IBM Tivoli Directory Web Management Tool 14
EIM system account (cont d) Grant the EIM system user permissions for EIM operations 15
EIM system account (cont d) Use the EIM system user in the EIM configuration wizard 16
Mass deployment of SSO - EIM EIM is only used on the server side no need for client setup Recommended to use tools or write a program to automatically create EIM identifier and associations Example: Lab Services IBM PowerSC Tools for IBM i SSO Suite for EIM 17
Mass deployment of SSO - Kerberos Client configuration needs to be changed from user/password to Kerberos authentication Exception is the SMB client to access the NetServer Typically the configuration change is manual 18
Mass deployment of SSO Kerberos (cont d) SSO configuration settings are stored in various places IBM i Navigator provides a central switch to turn SSO on or off for IBM i Navigator, PC5250, ODBC Each application can override the Navigator settings IBM i Navigator stores the configuration setting in the Windows registry 1 = Use default user 2 = Prompt every time 3 = Use Windows user name 4 = Use Kerberos 19
Mass deployment of SSO Kerberos (cont d) IBM i Navigator registry setting can be exported to.reg file and used for automatic import via login scripts As an alternative to the registry approach for IBM i Navigator you can also use the IBM i Access for Windows cwbenv command Export a connection environment including its settings (includes all connections) cwbenv /E "My connections" ibmienv.fil Import a connection environment cwbenv /I /O ibmienv.fil /O overrides existing connections with new settings IBM Access Client Solutions stores the settings in the prefs.dat file \Documents\IBM\iAccessClient\Settings\client.configuration\com.ibm...\systname\ 20
EIM domain controller availability Using a single EIM domain controller for multiple IBM i partitions introduces a single point of failure (SPOF) P3 P4 EIM Domain Controller de e n i o J If system is down SSO stops working on all systems main o d IM P5 Joined E IM doma in Jo ine de IM do ma in P2 SPOF 21
EIM domain controller availability (cont d) EIM domain data are stored in a LDAP server (IBM Directory Server) LDAP replication functions can be used to improve availability IBM i provides master-replica, master-forwarder-replica, and multi-master replication Master/Peer 1 Master/Peer 3 Peer 2 ldapmodify ldapmodify Administrator 22
EIM domain controller availability (cont d) Once the replication has been set up change the EIM properties on each system to point to itself as the EIM domain controller Use the same approach for HA environments between the production and DR system P4 Replication using TLS P5 LDAP Server EIM Ctrl LDAP Server EIM Ctrl EIM Config: CTRL: Master1 EIM Config: CTRL: Master2 23
Ongoing administration Recommended to use tools or write a program to automatically create EIM identifier and associations If naming conventions exist for user names, use an exit program for the QIBM_QSY_CRT_PROFILE / QIBM_QSY_DLT_PROFILE exits to create and delete EIM mappings NAS does not require any administration unless the service account passwords change 24
Conclusion Implementation challenges DNS name resolution Time synchronization Mass deployment Best practices setup NetServer considerations Make life easy for Windows administrators EIM system user and LDAP server setup Automate workstation configuration High availability environment Ongoing administration Enterprise Identity Mapping (EIM) administration 25
Thanks IBM Systems Lab Services and Training Our Mission and Profile Support the IBM Systems Agenda and accelerate the adoption of new products and solutions Maximize performance of our clients existing IBM systems Deliver technical training, conferences, and other services tailored to meet client needs Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners) Our Competitive Advantage Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers Combined expertise of Lab Services and the Training for Systems team Skills can be deployed worldwide to assure all client needs can be met 26