[IBM i]

Configuring Enterprise Identity Mapping

Use the iSeries Navigator to configure Enterprise Identity Mapping (EIM) for use with the identity token connection factory.

Before you begin

For these steps, assume that your EIM controller, which is your Lightweight Directory Access Protocol (LDAP) directory server, is your local directory server and that it resides on the iSeries server that is being configured for EIM. For detailed information about EIM, see Enterprise Identity Mapping.

You need the LDAP server administrator distinguished name (DN) and password to perform this task.

Tip: A server can participate only in one EIM domain at a time. If your server is already joined to an EIM domain and the domain is added to domain management, use that domain, and skip to Create a source user registry definition in EIM.

Procedure

  1. The identity token connection factory requires you to configure an EIM domain.
    Create a domain in EIM:
    Note: Depending on the setup of the machine, these steps might appear in a slightly different order. This assumes that LDAP is already configured and the network authentication service has not been configured.
    1. Make sure that the LDAP server is started.
      While it is running, you can verify the LDAP server administrator distinguished name (DN) and password. Be aware that the wizard stops the LDAP server later in this procedure.
    2. In iSeries Navigator, expand server_name > Network > Enterprise Identity Mapping, where server_name is the name of your iSeries server.
    3. Click Enterprise Identity Mapping.
    4. Right-click Configuration and select Configure to start the EIM Configuration wizard.
      Note: This option is labeled Reconfigure if EIM has been previously configured on the system.
    5. On the Welcome page of the wizard, select Create and join a new domain.
    6. Click Next.
    7. On the Specify EIM Domain Location page, select On the local Directory server and then click Next.
    8. If the network authentication service has not been configured on the system to set up a single sign-on environment, the Configure Network Authentication Service page is displayed. Network Authentication Service is not required for the EIM identity token connection factory. Select No and then click Next.
    9. On the Specify User for Connection page, specify the distinguished name and password for the LDAP administrator to ensure that the wizard has enough authority to administer the EIM domain and the objects in it. Click Next.
      Note: If you have not configured the local directory server before you use the EIM Configuration wizard, the Configure Directory Server page displays instead. Use this page to specify the distinguished name and password for the LDAP administrator and continue with the next step in this procedure. The LDAP distinguished name (DN) identifies the LDAP administrator for the directory server. The EIM Configuration wizard creates this LDAP administrator DN and uses it to configure the directory server as the domain controller for the new domain that you are creating.
    10. On the Specify Domain page, provide the name of the EIM domain, and click Next.
    11. On the Specify Parent DN for Domain page, select Yes to specify a parent DN for the domain that you are creating, or select No to have the EIM data stored under a suffix whose name is derived from the EIM domain name. Click Next.
    12. A message is displayed that indicates that you must stop the LDAP server. Click Yes to continue.
    13. On the Registry Information page, select Local OS/400 and then click Next.
    14. On the Specify EIM System User page, select Distinguished name and password as the user type, provide the DN and password for the directory server administrator, and optionally, verify the DN and password. Click Next.
    15. In the Summary panel, review the configuration information that you have provided. If all information is correct, click Finish.
  2. Add the domain to domain management:
    1. In iSeries Navigator, expand system_name > Network > Enterprise Identity Mapping > Domain Management.
    2. Right-click Domain Management and then select Add Domain.
    3. In the Add Domain dialog, specify the domain you created earlier and click OK.
  3. Create a source user registry definition in EIM.

    The identity token connection factory requires a source user registry definition entry in EIM. The source user registry definition represents the registry that WebSphere® Application Server uses for authentication. This registry can be a local OS registry or an LDAP registry.

    1. In iSeries Navigator, expand system_name > Network > Enterprise Identity Mapping > Domain Management > domain_name > User Registries.
    2. If you are prompted for the LDAP server password, provide the password and click OK.
    3. Right-click User Registries and select Add Registry > System to start the configuration wizard that adds the registry to your domain.

      Provide the registry name and type. If your application server is hosted on an iSeries server and configured to use the local OS user registry, select OS/400 as the EIM user registry type. If your application server is configured to use the LDAP user registry, select LDAP - short name as the EIM registry type.

      Note: Prior to IBM i V5R4, use 1.3.18.0.2.33.14-caseIgnore instead of LDAP - short name. This value is the object identifier (OID) form of the registry type: principals in the registry are identified by the LDAP short name attribute and compared without regard to case. On those releases the wizard does not accept the descriptive name for this registry type.
    4. Click OK.
  4. Create a user identifier in EIM.

    The identity token connection factory requires a user identifier entry, which is an EIM identifier. In EIM, the identifier represents the user of the application; the associations that you add to it in the next two steps tie that user to specific user identities in the registries.

    1. In iSeries Navigator, expand system > Network > Enterprise Identity Mapping > Domain Management > domain > Identifiers.
    2. Right-click Identifiers, and select New Identifier.
    3. Enter an identifier name, such as your full name, and click OK.
  5. Create a target association in EIM for the user identifier.

    A target association identifies the user profile on the target iSeries server that the identifier you created earlier maps to.

    1. In iSeries Navigator, expand system > Network > Enterprise Identity Mapping > Domain Management > domain > Identifiers.
    2. Double-click the identifier that you created in step 4.
    3. Click the Associations tab.
    4. Click Add.
    5. Provide the IBM i user profile for the EIM identifier in the User field, select Target as the association type, and click OK.
    6. Click OK to save the association.
  6. Create a source association in EIM for the user identifier.

    A source association ties the identifier to the user ID in the WebSphere Application Server user registry, that is, to the identity that WebSphere Application Server authenticated and from which the identity token connection factory starts its mapping lookup.

    1. In iSeries Navigator, expand system > Network > Enterprise Identity Mapping > Domain Management > domain > Identifiers.
    2. Double-click the identifier that you created in step 4.
    3. Click the Associations tab.
    4. Click Add.
    5. Click Browse and select the WebSphere Application Server user registry.
    6. Specify your WebSphere Application Server user ID, such as my_id.
    7. Select Source.
    8. Click OK to add the new association.
    9. Click OK to save the association.
  7. Optional: Test the connection to the EIM domain controller.

    Use the idsldapsearch command to test the connection to the EIM domain controller. For example, if the LDAP server is located on the my_server host, the EIM domain name is My_EIM_Domain, and the source user registry is WAS_Registry, the steps to test the connection are as follows:

    1. Log on to the iSeries server that hosts your WebSphere Application Server profile.
    2. From a CL command line, specify QSH and press Enter.
    3. Specify the following command and press Enter:
      idsldapsearch -h my_server -p 389 -D cn=administrator 
      -w secret -b "ibm-eimDomainName=My_EIM_Domain" 
      "ibm-eimRegistryName=WAS_Registry"
      
      where:
      • my_server is the name of the host server of the LDAP server.
      • 389 is the port that is used by the LDAP server.
      • cn=administrator is the LDAP DN of the LDAP administrator.
      • secret is the LDAP administrator password.
      • ibm-eimDomainName=My_EIM_Domain is the LDAP DN of the EIM domain name entry, used here as the search base.
      • ibm-eimRegistryName=WAS_Registry is the search filter that selects the source user registry definition.

      The previous lines display as multiple lines for illustrative purposes only. Specify the command as one continuous line.

      Passing the administrator password with -w exposes it in the QSH command history and in the process list for as long as the command runs. Use this form only for a one-time test and do not keep the command, with its password, in scripts.

      In this example, no EIM domain parent name exists. If an EIM domain parent name did exist, such as dc=myserver,dc=ibm,dc=com, the LDAP DN is ibm-eimDomainName=My_EIM_Domain,dc=myserver,dc=ibm,dc=com.
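
The following is an added example, not IBM code, that models the objects created in steps 3 through 6 (a source registry, an identifier, a target association and a source association) and the lookup the identity token connection factory performs with them: from the user ID that WebSphere Application Server authenticated in the source registry, through the identifier, to the user profile in the target registry. The registry name LOCAL_OS400 and the user names are assumptions; WAS_Registry is the name used on this page. It also shows the two failure modes a practitioner should expect: a source user with no association maps to nothing, and a source user whose associations resolve to more than one target user is ambiguous rather than mapped to an arbitrary profile.

```python
"""Model of the EIM objects created in steps 3 through 6 and of the lookup the
identity token connection factory performs with them. Added example, not IBM
code; the LOCAL_OS400 registry name and the user names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AmbiguousMapping(Exception):
    """The source user maps to more than one target user identity."""


@dataclass(frozen=True)
class Association:
    registry: str  # name of the EIM registry definition
    user: str      # user identity within that registry
    kind: str      # "source" or "target"


@dataclass
class Identifier:
    name: str
    associations: List[Association] = field(default_factory=list)


class EimDomain:
    def __init__(self, name: str, registries: Dict[str, bool]) -> None:
        self.name = name
        # registry name -> True when user names compare case-insensitively,
        # as they do for a registry type with the "-caseIgnore" suffix
        self.registries = dict(registries)
        self.identifiers: Dict[str, Identifier] = {}

    def new_identifier(self, name: str) -> Identifier:
        if name in self.identifiers:
            raise ValueError(f"identifier {name!r} already exists")
        self.identifiers[name] = Identifier(name)
        return self.identifiers[name]

    def add_association(self, identifier: str, registry: str, user: str, kind: str) -> None:
        # An association may only reference a registry definition that exists in the domain
        if registry not in self.registries:
            raise KeyError(f"no registry definition {registry!r} in domain {self.name}")
        if kind not in ("source", "target"):
            raise ValueError("association kind must be 'source' or 'target'")
        self.identifiers[identifier].associations.append(Association(registry, user, kind))

    def _key(self, registry: str, user: str) -> str:
        return user.casefold() if self.registries[registry] else user

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> Optional[str]:
        """Map (source registry, source user) -> identifier -> target user.

        Returns None when nothing maps. Raises AmbiguousMapping when the
        associations resolve to more than one target user; the lookup must
        not pick one of them arbitrarily."""
        for reg in (source_registry, target_registry):
            if reg not in self.registries:
                raise KeyError(f"no registry definition {reg!r} in domain {self.name}")
        want = self._key(source_registry, source_user)
        matched = [
            ident for ident in self.identifiers.values()
            if any(a.kind == "source" and a.registry == source_registry
                   and self._key(source_registry, a.user) == want
                   for a in ident.associations)
        ]
        # Only target associations yield a target user; a source association in
        # the target registry is not a mapping in the other direction.
        targets = {
            self._key(target_registry, a.user): a.user
            for ident in matched for a in ident.associations
            if a.kind == "target" and a.registry == target_registry
        }
        if not targets:
            return None
        if len(targets) > 1:
            raise AmbiguousMapping(sorted(targets.values()))
        return next(iter(targets.values()))


def build_example_domain() -> EimDomain:
    """The configuration from steps 3 through 6, with assumed names."""
    dom = EimDomain("My_EIM_Domain", {"WAS_Registry": True, "LOCAL_OS400": True})
    dom.new_identifier("Jane Example")                                      # step 4
    dom.add_association("Jane Example", "LOCAL_OS400", "JANE", "target")    # step 5
    dom.add_association("Jane Example", "WAS_Registry", "my_id", "source")  # step 6
    return dom


if __name__ == "__main__":
    dom = build_example_domain()
    print(dom.lookup("WAS_Registry", "my_id", "LOCAL_OS400"))   # JANE
    print(dom.lookup("WAS_Registry", "nobody", "LOCAL_OS400"))  # None
```

The direction of an association matters: looking up JANE in LOCAL_OS400 as a source finds nothing, because step 5 created only a target association for that profile. Adding a second identifier with the same source user and a different target profile makes the lookup ambiguous, which is the condition to check for when two people are given the same WebSphere user ID by mistake.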

Results

The expected output looks similar to the following example:

ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimdomainname=My_EIM_Domain
   objectclass=top
   objectclass=ibm-eimRegistry
   objectclass=ibm-eimSystemRegistry
   ibm-eimRegistryName=WAS_Registry
   ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
   description=Example Registry for WebSphere Application Server
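
The following is an added example, not IBM code, that supports the test in step 7: it builds the domain DN with and without a parent DN as described above, escapes the registry name for the LDAP search filter so that a name containing characters such as parentheses or an asterisk cannot change what the filter matches, and checks idsldapsearch output in the form shown under Results for the expected registry entry and its type. The sample output embedded in the code is constructed after the Results section; the domain, registry and parent DN values are those used on this page.

```python
"""Helpers for the EIM domain controller check in step 7: build the LDAP DNs
and search filter safely and verify idsldapsearch output. Added example, not
IBM code; SAMPLE_OUTPUT is constructed after the Results section of the page."""
from typing import Dict, List, Optional

# RFC 4514: characters that must be escaped inside a DN attribute value
_DN_SPECIAL = ',+"\\<>;='


def dn_escape(value: str) -> str:
    """Escape one attribute value for use in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")   # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")   # leading hash
        else:
            out.append(ch)
    return "".join(out)


def eim_domain_dn(domain: str, parent_dn: Optional[str] = None) -> str:
    """DN of the EIM domain entry; without a parent DN the domain name alone is the suffix."""
    dn = "ibm-eimDomainName=" + dn_escape(domain)
    return f"{dn},{parent_dn}" if parent_dn else dn


def registry_dn(registry: str, domain: str, parent_dn: Optional[str] = None) -> str:
    """DN of a registry definition, as shown in the Results output."""
    return f"ibm-eimRegistryName={dn_escape(registry)},cn=Registries,{eim_domain_dn(domain, parent_dn)}"


def filter_escape(value: str) -> str:
    """RFC 4515 escaping so a registry name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def registry_filter(registry: str) -> str:
    return f"(ibm-eimRegistryName={filter_escape(registry)})"


def parse_search_output(text: str) -> List[Dict]:
    """Parse output in the form shown under Results: an unindented DN line
    followed by indented attr=value lines; a blank line ends an entry."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
        elif not line[0].isspace():
            if cur:
                entries.append(cur)
            cur = {"dn": line.strip(), "attrs": {}}
        elif cur is not None and "=" in line:
            name, value = line.strip().split("=", 1)
            cur["attrs"].setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def check_registry(text: str, registry: str, domain: str,
                   parent_dn: Optional[str] = None) -> Optional[str]:
    """Return the registry type when exactly one ibm-eimRegistry entry with the
    expected DN is present in the output, otherwise None."""
    want_dn = registry_dn(registry, domain, parent_dn).lower()
    hits = [
        e for e in parse_search_output(text)
        if e["dn"].lower() == want_dn
        and "ibm-eimregistry" in (v.lower() for v in e["attrs"].get("objectclass", []))
    ]
    if len(hits) != 1:
        return None
    return hits[0]["attrs"].get("ibm-eimregistrytype", [None])[0]


# Constructed after the Results section; not captured from a live server.
SAMPLE_OUTPUT = """\
ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimdomainname=My_EIM_Domain
   objectclass=top
   objectclass=ibm-eimRegistry
   objectclass=ibm-eimSystemRegistry
   ibm-eimRegistryName=WAS_Registry
   ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
   description=Example Registry for WebSphere Application Server
"""

if __name__ == "__main__":
    print(eim_domain_dn("My_EIM_Domain", "dc=myserver,dc=ibm,dc=com"))
    print(registry_filter("WAS_Registry"))
    print(check_registry(SAMPLE_OUTPUT, "WAS_Registry", "My_EIM_Domain"))
```

Pass the value of eim_domain_dn to -b and the value of registry_filter as the filter when you run idsldapsearch, then feed the output to check_registry; a None result means the registry definition from step 3 is missing, misnamed, or sitting under a different parent DN than the one the connection factory will be configured with.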

What to do next

Configure the EIM identity token connection factory. See Configuring the Enterprise Identity Mapping identity token connection factory.