JKL Toy Company enables single signon for HTTP Server

This scenario discusses how to enable single signon for security for an IBM® HTTP Server for i Web server.

About this task

To learn more about Kerberos and network security on IBM i servers, see Network authentication service.

Scenario

About this task

The JKL Web administrator, John Day, wants to enable single signon for the JKL Toy Company network. The network consists of several IBM i systems and a Windows 2000 server, where the users are registered in Microsoft Windows Active Directory. Based on John Day's research, he knows that Microsoft Active Directory uses the Kerberos protocol to authenticate Windows users. John Day also knows that IBM i provides a single signon solution based on an implementation of Kerberos authentication, called network authentication service, in conjunction with Enterprise Identity Mapping (EIM).

While excited about the benefits of a single signon environment, John Day wants to thoroughly understand single signon configuration and usage before using it across the entire enterprise. Consequently, John Day decides to configure a test environment first.

After considering the various groups in the company, John Day decides to create the test environment for the MYCO Order Receiving department, a subsidiary of JKL Toys. The employees in the Order Receiving department use multiple applications, including HTTP Server, on one IBM i system to handle incoming customer orders. John Day uses the Order Receiving department as a testing area to create a single signon test environment that can be used to better understand how single signon works and how to plan a single signon implementation across the JKL enterprise.

This scenario has the following advantages:

  • Allows you to see some of the benefits of single signon on a small scale to better understand how you can take full advantage of it before you create a large-scale, single signon environment.
  • Provides you with a better understanding of the planning process required to successfully and quickly implement a single signon environment across your entire enterprise.

As the network administrator at JKL Toy Company, John Day wants to create a small single signon test environment that includes a small number of users and a single IBM i server, Systemi A. John Day wants to perform thorough testing to ensure that user identities are correctly mapped within the test environment. The first step is to enable a single signon environment for the IBM i server and applications on Systemi A, including the HTTP Server. After implementing the configuration successfully, John Day eventually wants to expand the test environment to include the other systems and users in the JKL enterprise.

The objectives of this scenario are as follows:

  • The IBM i system, known as Systemi A, must be able to use Kerberos within the MYCO.COM realm to authenticate the users and services that are participating in this single signon test environment. To enable the system to use Kerberos, Systemi A must be configured for network authentication service.
  • The directory server on Systemi A must function as the domain controller for the new EIM domain.
    Note: Two types of domains play key roles in the single signon environment: an EIM domain and a Windows 2000 domain. Although both of these terms contain the word domain, these entities have very different definitions.

    Use the following descriptions to understand the differences between these two types of domains. For more information about these terms, see the EIM and Network authentication service topics.

    EIM domain
    An EIM domain is a collection of data, which includes the EIM identifiers, EIM associations, and EIM user registry definitions that are defined in that domain. This data is stored in a Lightweight Directory Access Protocol (LDAP) server, such as the IBM Tivoli® Directory Server for IBM i, which can run on any system in the network defined in that domain. Administrators can configure systems (EIM clients), such as IBM i, to participate in the domain so that systems and applications can use domain data for EIM lookup operations and identity mapping. To find out more about an EIM domain, see EIM.
    Windows 2000 domain
    In the context of single signon, a Windows 2000 domain is a Windows network that contains several systems that operate as clients and servers, as well as a variety of services and applications that the systems use. The following are some of the components pertinent to single signon that you may find within a Windows 2000 domain:
    • Realm

      A realm is a collection of machines and services. The main purpose of a realm is to authenticate clients and services. Each realm uses a single Kerberos server to manage the principals for that particular realm.

    • Kerberos server
      A Kerberos server, also known as a key distribution center (KDC), is a network service that resides on the Windows 2000 server and provides tickets and temporary session keys for network authentication service. The Kerberos server maintains a database of principals (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting server. A Kerberos server uses Microsoft Windows Active Directory to store and manage the information in a Kerberos user registry.
      Note: These servers should be in the same subnet to ensure that the tokens can be validated.
    • Microsoft Windows Active Directory

      Microsoft Windows Active Directory is an LDAP server that resides on the Windows 2000 server along with the Kerberos server. The Active Directory is used to store and manage the information in a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. Therefore, if you are using Microsoft Active Directory to manage your users, you are already using Kerberos technology.

  • One user profile on Systemi A and one Kerberos principal must each be mapped to a single EIM identifier.
  • A Kerberos service principal must be used to authenticate the user to the IBM HTTP Server for i.

Details

About this task

The following figure illustrates the network environment for this scenario:

Single signon test environment diagram

The figure illustrates the following points relevant to this scenario.

EIM domain data defined for the enterprise

  • An EIM domain called MyCoEimDomain.
  • An EIM registry definition for Systemi A called SystemiA.MYCO.COM.
  • An EIM registry definition for the Kerberos registry called MYCO.COM.
  • An EIM identifier called John Day. This identifier uniquely identifies John Day, the administrator for MyCo.
  • A source association for the jday Kerberos principal on the Windows 2000 server.
  • A target association for the JOHND user profile on Systemi A to access HTTP Server.

Windows 2000 server

  • Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
  • The default realm for the Kerberos server is MYCO.COM.
  • A Kerberos principal of jday is registered with the Kerberos server on the Windows 2000 server. This principal will be used to create a source association to the EIM identifier, John Day.

Systemi A

  • Runs IBM i 5.4, or later, with the following options and licensed products installed:
    • IBM i Host Servers
    • Qshell Interpreter
    • IBM i Access for Windows
    • Network Authentication Enablement
  • The IBM Tivoli Directory Server for IBM i (LDAP) on Systemi A will be configured to be the EIM domain controller for the new EIM domain, MyCoEimDomain. Systemi A participates in the EIM domain, MyCoEimDomain.
  • The principal name for Systemi A is krbsvr400/Systemia.myco.com@MYCO.COM.
  • The principal name for the HTTP Server on Systemi A is HTTP/Systemia.myco.com@MYCO.COM.
  • The user profile of JOHND exists on Systemi A. You create a target association between this user profile and the EIM identifier, John Day.
  • The home directory for the IBM i user profile, JOHND, (/home/JOHND) is defined on Systemi A.

Client PC used for single signon administration

  • Runs Microsoft Windows 2000 operating system.
  • Runs IBM i Access for Windows V5R4, or later.
  • Runs System i® Navigator with the following subcomponents installed:
    • Network
    • Security
  • Serves as the primary logon system for administrator John Day.
  • Configured to be part of the MYCO.COM realm (Windows domain).

Prerequisites

About this task

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

  1. It is assumed you have read Scenarios: HTTP Server.
  2. All system requirements, including software and operating system installation, have been verified.
    Ensure that all the necessary licensed programs are installed. To verify that the licensed programs have been installed, complete the following:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
  3. All necessary hardware planning and setup is complete.
  4. TCP/IP and basic system security are configured and tested on each system.
  5. The directory server and EIM are not previously configured on Systemi A.
    Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on Systemi A. However, if you have previously configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.
  6. A single DNS server is used for host name resolution for the network. Host tables are not used for host name resolution.
    Note: The use of host tables with Kerberos authentication may result in name resolution errors or other problems.

Configuration steps

About this task

Note: Before you implement this scenario, you need to thoroughly understand the concepts related to single signon, including network authentication service and Enterprise Identity Mapping (EIM). See the following information to learn about the terms and concepts related to single signon:

These are the configuration steps John Day completed. Follow these configuration steps to enable a single signon environment for your IBM i system.

Step 1: Planning work sheet

About this task

The following planning work sheets are tailored to fit this scenario. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make to prepare the single signon implementation described by this scenario. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the work sheet and be able to gather all the information necessary to complete the work sheets before you perform any configuration tasks.

Table 1. Single signon prerequisite work sheet
Prerequisite work sheet Answers
Are you running IBM i 5.4 or later? Yes
Are the following options and licensed products installed on Systemi A?
  • IBM i Host Servers
  • Qshell Interpreter
  • IBM i Access for Windows
  • Network Authentication Enablement
 Yes
Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment?
Note: For this scenario, all of the participating PCs have IBM i Access for Windows installed and Systemis A has the IBM HTTP Server for i installed.
 Yes
Is System i Navigator installed on the administrator's PC?
  • Is the Security subcomponent of System i Navigator installed on the administrator's PC?
  • Is the Network subcomponent of System i Navigator installed on the administrator's PC?
 Yes
Have you installed the latest IBM i Access for Windows service pack? See System i Access Link outside Information Center for the latest service pack. Yes
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? Yes
Do you have one of the following systems in the network acting as the Kerberos server (also known as the KDC)? If yes, specify which system.
  1. Windows 2000 Server
    Note: Microsoft Windows 2000 Server uses Kerberos authentication as its default security mechanism.
  2. Windows Server 2003
  3. IBM Portable Application Solutions Environment for i
  4. AIX® server
  5. System z®
 Yes, Windows 2000 Server
Are all your PCs in your network configured in a Windows (R) 2000 domain? Yes
Have you applied the latest program temporary fixes (PTFs)? Yes
Is the IBM i system time within 5 minutes of the system time on the Kerberos server? If not see Synchronize system times. Yes

You need this information to configure EIM and network authentication service to create a single signon test environment.

Table 2. Single signon configuration planning work sheet for Systemi A.

Use the following information to complete the EIM Configuration wizard. The information in this work sheet correlates with the information you need to supply for each page in the wizard:
Configuration planning work sheet for Systemi A Answers
How do you want to configure EIM for your system?
  • Join an existing domain
  • Create and join a new domain
    Note: This option allows you to configure the current system's directory server as the EIM domain controller when the directory server is not already configured as the EIM domain controller.
 Create and join a new domain
Note: This will configure the directory server on the same system on which you are currently configuring EIM.
Do you want to configure network authentication service?
Note: You must configure network authentication service to configure single signon.
 Yes
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard:
Note: You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard.
What is the name of the Kerberos default realm to which your system belongs?
Note: A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism.
 MYCO.COM
Are you using Microsoft Active Directory? Yes
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens?
  • KDC: kdc1.myco.com
  • Port:88
Note: This is the default port for the Kerberos server.
Do you want to configure a password server for this default realm? If yes, answer the following questions:

What is name of the password server for this Kerberos server? What is the port on which the password server listens?

 Yes
  • Password server: kdc1.myco.com
  • Port: 464
Note: This is the default port for the Kerberos server.
For which services do you want to create keytab entries?
  • IBM i Kerberos Authentication
  • LDAP
  • IBM HTTP Server for i
  • IBM i NetServer
 IBM i Kerberos Authentication
Note: A keytab entry for HTTP Server must be done manually as described later in the configuration steps.
What is the password for your service principal or principals? Systemisa123
Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.
Do you want to create a batch file to automate adding the service principals for Systemi A to the Kerberos registry? Yes
Do you want to include passwords with the IBM i service principals in the batch file? Yes
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard:
Specify user information for the wizard to use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator.
Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it.
  • Port: 389
  • Distinguished name: cn=administrator
  • Password: mycopwd
Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, do not use these passwords as part of your own configuration.
What is the name of the EIM domain that you want to create? MyCoEimDomain
Do you want to specify a parent DN for the EIM domain? No
Which user registries do you want to add to the EIM domain? Local IBM i--SystemiA.MYCO.COM Kerberos--MYCO.COM
Note: The Kerberos principals stored on the Windows 2000 server are not case sensitive; therefore do not select Kerberos user identities are case sensitive.
Which EIM user do you want Systemi A to use when performing EIM operations? This is the system user
Note: If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password.
  • User type: Distinguished name and password
  • User: cn=administrator
  • Password: mycopwd
Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.
After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon:
What is the IBM i user profile name for the user? JOHND
What is the name of the EIM identifier that you want to create? John Day
What kinds of associations do you want to create?
  • Source association: Kerberos principal jday
  • Target association: IBM i user profile JOHND
What is the name of the user registry that contains the Kerberos principal for which you are creating the source association? MYCO.COM
What is the name of the user registry that contains the IBM i user profile for which you are creating the target association? SystemiA.MYCO.COM

Step 2: Create a basic single signon configuration for Systemi A

About this task

You need to create a basic single signon configuration using the System i Navigator. The EIM configuration wizard will assist in the configuration process. Use the information from your planning work sheets to configure EIM and network authentication service on Systemi A.

Note: For more information about EIM, see the EIM concepts topic.

Procedure

  1. Start System i Navigator.
  2. Expand Systemi A > Network > Enterprise Identity Mapping.
  3. Right-click Configuration and select Configure to start the EIM Configuration wizard.
  4. On the Welcome page, select Create and join a new domain. Click Next.
  5. On the Specify EIM Domain Location page, select On the local Directory server.
  6. Click Next and the Network Authentication Service wizard is displayed.
    Note: The Network Authentication Service wizard only displays when the system determines that you need to enter additional information to configure network authentication service for the single signon implementation.
  7. Complete these tasks to configure network authentication service:
    1. On the Configure Network Authentication Service page, select Yes.
      Note: This launches the Network Authentication Service wizard. With this wizard, you can configure several IBM i interfaces and services to participate in the Kerberos realm.
    2. On the Specify Realm Information page, enter MYCO.COM in the Default realm field and select Microsoft Active Directory is used for Kerberos authentication. Click Next.
    3. On the Specify KDC Information page, enter kdc1.myco.com in the KDC field and enter 88 in the Port field. Click Next.
    4. On the Specify Password Server Information page, select Yes. Enter kdc1.myco.com in the Password server field and 464 in the Port field. Click Next.
    5. On the Select Keytab Entries page, select IBM i Kerberos Authentication. Click Next.
    6. On the Create OS/400 Keytab Entry page, enter and confirm a password, and click Next. For example, Systemi A123. This password will be used when Systemi A is added to the Kerberos server.
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration
    7. On the Create Batch File page, select Yes, specify the following information, and click Next:
      • Batch file: Add the text Systemi A to the end of the default batch file name. For example, C:\Documents and Settings\All Users\Documents\IBM\Client Access\NASConfigiSeries A.bat.
      • Select Include password: This ensures that all passwords associated with the IBM i service principal are included in the batch file. It is important to note that passwords are displayed in clear text and can be read by anyone with read access to the batch file. Therefore, it is recommended that you delete the batch file from the Kerberos server and from your PC immediately after use.
      Note: If you do not include the password, you will be prompted for the password when the batch file is run.
      Note: You must have ktpass and SETSPN (set service principal name) installed on your Windows 2000 server before running this bat file. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. The SETSPN tool is included in the Microsoft Windows 2000 Resource Kit and can be downloaded from the Microsoft website.
    8. On the Summary page, review the network authentication service configuration details. Click Finish to complete the Network Authentication Service wizard and return to the EIM Configuration wizard.
  8. On the Configure Directory Server page, enter the following information, and click Next:
    Note: If you configured the directory server before you started this scenario, you will see the Specify User for Connection page instead of the Configure Directory Server page. In that case, you must specify the distinguished name and password for the LDAP administrator.
    • Port: 389
    • Distinguished name: cn=administrator
    • Password: mycopwd
    Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.
  9. On the Specify Domain page, enter the name of the domain in the Domain field, and click Next. For example, MyCoEimDomain.
  10. On the Specify Parent DN for Domain page, select No, and click Next.
    Note: If the directory server is active, a message is displayed that indicates you need to end and restart the directory server for the changes to take effect. Click Yes to restart the directory server.
  11. On the Registry Information page, select Local OS/400 and Kerberos, and click Next.
    Note:
    • Registry names must be unique to the domain.
    • You can enter a specific registry definition name for the user registry if you want to use a specific registry definition naming plan. However, for this scenario you can accept the default values.
  12. On the Specify EIM System User page, select the user for the operating system to use when performing EIM operations on behalf of operating system functions, and click Next:
    Note: Because you did not configure the directory server prior to performing the steps in this scenario, the only distinguished name (DN) that you can choose is the LDAP administrator's DN.
    • User type: Distinguished name and password
    • Distinguished name: cn=administrator
    • Password: mycopwd
    Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.
  13. On the Summary page, confirm the EIM configuration information. Click Finish.

Step 3: Add principal names to the KDC

About this task

To add the system to the Windows 2000 KDC, use the documentation for your KDC that describes the process of adding principals. By convention, the IBM i system name can be used as the username. Add the following principal names to the KDC:

krbsvr400/SystemiA.ordept.myco.com@ORDEPT.MYCO.COM
HTTP/Systemia.myco.com@MYCO.COM

On a Windows 2000 server, follow these steps:

Procedure

  1. Use the Active Directory Management tool to create a user account for the IBM i system (select the Users folder, right-click, select New, then select User.) Specify SystemiA as the Active Directory user and HTTPSystemiA as the service principal for HTTP.
  2. Access the properties on the Active Directory user SystemiA and the service principal HTTPSystemiA. From the Account tab, select the Account is trusted for delegation. This will allows the HTTPSystemiA service principal to access other services on behalf of a signed-in user.
  3. Map the user account to the principal by using the ktpass command. This needs to be done twice, once for Systemia and once for HTTPSystemiA. The ktpass tool is provided in the Service Tools folder on the Windows 2000 Server installation CD. To map the user account, open the ktpass command window and enter the following: 
    ktpass -princ krbsvr400/SystemiA.ordept.myco.com@ORDEPT.MYCO.COM -mapuser Systemi A -pass Systemia123

    Then add the HTTP Server to the KDC:

    ktpass -princ HTTP/Systemia.myco.com@MYCO.COM -mapuser Systemi A -pass Systemia123

    For HTTP, an additional step (setspn - set service principal name) is required after the ktpass is done:

    SETSPN -A HTTP/SystemiA.myco.com@MYCO.COM HTTPSystemiA
    Note: The SETSPN tool is included in the Microsoft Windows 2000 Resource Kit and can be downloaded from the Microsoft website.
    Note: The value Systemia123 is the password that you specified when you configured network authentication service. Any and all passwords used within this scenario are for example purposes only. Do not use the passwords during an actual configuration.

Step 4: Add Kerberos keytab

About this task

You need keytab entries for authentication purposes as well as for generating the authorization identity. The network authentication service (the IBM i implementation of the Kerberos protocol) wizard creates a keytab entry for SystemiA, however a keytab for HTTP must be manually created. The wizard is only able to create keytab entries for the system and certain applications that the code is aware are Kerberos-enabled. The network authentication service wizard configures network authentication service (Kerberos) for you. The wizard is called by the EIM wizard if you have not already configure network authentication service on the system or if your network authentication service configuration is not complete.

The kinit command is used to initiate Kerberos authentication. A Kerberos ticket-granting ticket (TGT) is obtained and cached for the HTTP Server principal. Use kinit to perform the ticket exchange for the HTTP Server principal. The ticket is cached for reuse.

Procedure

  1. Start a 5250 session on Systemi A.
  2. Type QSH.
  3. Type keytab add HTTP/Systemia.myco.com.
  4. Type Systemi123 for the password.
  5. Type Systemi123 again to confirm the password.
  6. Type keytab list.
    Note: The keytab list command lists the keytab information on your IBM i system.
  7. Now test the password entered in the keytab to make sure it matches the password used for this service principal on the KDC. Do this with the following command: kinit -k HTTP/Systemia.myco.com
    The -k option tells the kinit command not to prompt for a password; only use the password that is in the keytab. If the kinit command fails, it is likely that different passwords were used on either the ktpass command done on the Windows Domain controller or on the keytab command entered in QSH.
  8. Now test the IBM i Kerberos authentication to make sure the keytab password is the same as the password stored in the KDC. Do this with the following command: kinit -k krbsvr400/Systemia.myco.com
    Note: The Network Authentication Service wizard created this keytab entry.
  9. Type klist.
    Note: If the kinit command returns without errors, then klist will show your ticket cache.

Step 5: Create home directory for John Day on Systemi A

About this task

You need to create a directory in the /home directory to store your Kerberos credentials cache. To create a home directory, complete the following:

Procedure

  1. Start a 5250 session on Systemi A.
  2. Type QSH.
  3. On a command line, enter: CRTDIR '/home/user profile' where user profile is your IBM i user profile name. For example: CRTDIR '/home/JOHND'.

Step 6: Test network authentication service configuration on Systemi A

About this task

Now that you have completed the network authentication service configuration tasks for Systemi A, you need to test that your configuration. You can do this by requesting a ticket-granting ticket for the HTTP principal name, HTTP/Systemia.myco.com.

To test the network authentication service configuration, complete these steps:

Note: Ensure that you have created a home directory for your IBM i user profile before performing this procedure.

Procedure

  1. On a command line, enter QSH to start the Qshell Interpreter.
  2. Enter keytab list to display a list of principals registered in the keytab file. In this scenario, HTTP/Systemia.myco.com@MYCO.COM displays as the principal name for Systemi A.
  3. Enter kinit -k HTTP/Systemia.myco.com@MYCO.COM. If this is successful, then the kinit command is displayed without errors.
  4. Enter klist to verify that the default principal is HTTP/Systemia.myco.com@MYCO.COM.

Step 7: Create EIM identifier for John Day

About this task

Now that you have performed the initial steps to create a basic single signon configuration, you can begin to add information to this configuration to complete your single signon test environment. You need to create the EIM identifier that you specified in Step 1: Planning work sheet. In this scenario, this EIM identifier is a name that uniquely identifies John Day in the enterprise.

To create an EIM identifier, follow these steps:

Procedure

  1. Start System i Navigator.
  2. Expand Systemi A > Network > Enterprise Identity Mapping > Domain Management > MyCoEimDomain
    Note: If the domain is not listed under Domain Management, you may need to add the domain. You may be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
    Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration.
  3. Right-click Identifiers and select New Identifier....
  4. On the New EIM Identifier dialog, enter a name for the new identifier in the Identifier field, and click OK. For example, John Day.

Step 8: Create a source association and target association for the new EIM identifier

About this task

You must create the appropriate associations between the EIM identifier and the user identities that the person represented by the identifier uses. These identifier associations, when properly configured, enable the user to participate in a single signon environment.

In this scenario, you need to create two identifier associations for the John Day identifier:

  • A source association for the jday Kerberos principal, which is the user identity that John Day, the person, uses to log in to Windows and the network. The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.
  • A target association for the JOHND IBM i user profile, which is the user identity that John Day, the person, uses to log in to System i Navigator and other IBM i applications on Systemi A. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.

Now that you have created the John Day identifier, you need to create both a source association and a target association for it.

To create a source association between the Kerberos principal jday identifier, follow these steps:

Procedure

  1. Start System i Navigator.
  2. Expand Systemi A > Enterprise Identity Mapping > Domain Management > MyCoEimDomain > Identifiers
  3. Right-click John Day, and select Properties.
  4. On the Associations page, click Add.
  5. In the Add Association dialog, specify or click Browse... to select the following information, and click OK:
    • Registry: MYCO.COM
    • User: jday
    • Association type: Source
  6. Click OK to close the Add Association dialog.

    To create a target association between the IBM i user profile and the John Day identifier, follow these steps:

  7. On the Associations page, click Add.
  8. On the Add Association dialog, specify or Browse... to select the following information, and click OK:
    • Registry: SystemiA.MYCO.COM
    • User: JOHND
    • Association type: Target
  9. Click OK to close the Add Association dialog.
  10. Click OK to close the Properties dialog.

Step 9: Configure IBM i Access for Windows applications to use Kerberos authentication

About this task

You must use Kerberos to authenticate before you can use System i Navigator to access Systemi A. Therefore, from your PC, you need to configure IBM i Access for Windows to use Kerberos authentication. Jay Day will use IBM i Access for Windows to monitor the status of the HTTP Server and monitor the other activities on the IBM i system.

To configure IBM i Access for Windows applications to use Kerberos authentication, complete the following steps:

Procedure

  1. Log on to the Windows 2000 domain by logging on to your PC.
  2. In System i Navigator on your PC, right-click Systemi A and select Properties.
  3. On the Connection page, select Use Kerberos principal name, no prompting. This allows IBM i Access for Windows connections to use the Kerberos principal name and password for authentication.
  4. A message is displayed that indicates you need to close and restart all applications that are currently running for the changes to the connection settings to take effect. Click OK. Then, end and restart System i Navigator.

Step 10: Add Systemi A to and existing EIM domain

About this task

The IBM i does not require mapping, per the EIM configuration, as it is not a signon-type entity. You do, however, have to add the system to an existing EIM domain.

Note: IF EIM resides on the same IBM i system as the HTTP Server, then skip this step.

Procedure

  1. Start System i Navigator.
  2. Expand Systemi A > Enterprise Identity Mapping > Configuration.
  3. Click Configure system for EIM.
  4. Click Join an existing domain. Click Next.
  5. Type Systemia.myco.com in the Domain controller name field.
  6. Type 389 in the Port field. Click Next.
  7. Select Distinguished name and password from the User type field.
  8. Type cn=administrator in the Distinguished name field.
  9. Type mycopwd in the Password field.
  10. Type mycopwd in the Confirm password field. Click Next.
  11. Select MyCoEimDomain from the Domain column. Click Next.
  12. Select Systemia.myco.com for Local OS/400 and kdc1.myco.com for Kerberos.
  13. Select Kerberos user identities are case sensitive. Click Next.
  14. Select Distinguished name and password from the User type list.
  15. Type cn=administrator in the Distinguished name field.
  16. Type mycopwd in the Password field.
  17. Type mycopwd in the Confirm password field. Click Next.
  18. Review the information and click Finish.

Step 11: Configure HTTP Server for single signon

About this task

After the basic test environment is working, John Day configures the HTTP Server to participate in the single signon environment. Once single signon is enabled, John Day can access the HTTP Server without being prompted for a user ID and password after signing on to the Windows environment

To set up Kerberos for your HTTP Server, complete the following steps:

Procedure

  1. Start the Web Administration for i interface.
  2. Click the Manage tab.
  3. Click the HTTP Servers subtab.
  4. Select the HTTP Server you want to work with from the Server list.
  5. Select the resource from the server area (a directory or a file) you want to work with from the Server area list.
  6. Expand Server Properties.
  7. Click Security.
  8. Click the Authentication tab.
  9. Select Kerberos under User authentication method.
  10. Select enable or disable to match the source user identity (user ID) associated with the server ticket with an IBM i system profile defined in a target association.
    If enabled when Kerberos is specified for the AuthType directive, the server will use EIM to attempt to match the user ID associated with the server ticket with an IBM i system profile. If there is no appropriate target association for an IBM i system profile, the HTTP request will fail.
  11. Click Apply.

Results

Restart the HTTP Server instance to use your new Kerberos settings.

Example

Your configuration file will now include new code for the Kerberos options you selected.

Note: These examples are used as reference only. Your configuration file may differ from what is shown.

Processing requests using client's authority is Disable:

<Directory />
   Require valid-user
   PasswdFile %%KERBEROS%%
   AuthType Kerberos
</Directory>

Processing requests using client's authority is Enabled:

<Directory />
   Require valid-user
   PasswdFile %%KERBEROS%%
   UserID %%CLIENT%%
   AuthType Kerberos
</Directory>
Note: If your Directory or File server area does not contain any control access restrictions, perform the following steps:
  1. Start the Web Administration for i interface.
  2. Click the Manage tab.
  3. Click the HTTP Servers subtab.
  4. Select your HTTP Server from the Server list.
  5. Select the server area you want to work with from the Server area list.
  6. Expand Server Properties.
  7. Click Security.
  8. Click the Control Access tab.
  9. Select Control access based on specific authorization of Control access field.
  10. Click Add Authorization button under the Authorization for control access table
  11. Select Require host from the new row Authorization or Container list.
  12. Type *.jkl.com in the Host name table to allow clients in the JKL domain to access the resource.
    Note: You should type the host name of your server. If you do not, no client is allowed access to the resources.
  13. Click Continue.
  14. Click OK.

Step 12: (Optional) Post configuration considerations

What to do next

Now that you finished this scenario, the only EIM user you have defined that EIM can use is the Distinguished Name (DN) for the LDAP administrator. The LDAP administrator DN that you specified for the system user on Systemi A has a high level of authority to all data on the directory server. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited access control for EIM data. The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities. Typically, you might create at least the two following types of DNs:

  • A user that has EIM administrator access control

    This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN could be used to connect to the domain controller when managing all aspects of the EIM domain by means of System i Navigator.

  • At least one user that has all of the following access controls:
    • Identifier administrator
    • Registry administrator
    • EIM mapping operations

    This user provides the appropriate level of access control required for the system user that performs EIM operations on behalf of the operating system.

Note: To use the new DN for the system user instead of the LDAP administrator DN, you must change the EIM configuration properties for the system user on each system.

To use Microsoft Internet Explorer to access a Kerberos protected resource, the Integrated Windows Authentication option must be enabled. To enable it, from Internet Explorer go to Tools > Internet options > Advanced tab and Enable Integrated Windows Authentication.