JKL Toy Company enables single signon for HTTP Server
This scenario discusses how to enable single signon for security for an IBM® HTTP Server for i Web server.
About this task
To learn more about Kerberos and network security on IBM i servers, see Network authentication service.
Scenario
About this task
The JKL Web administrator, John Day, wants to enable single signon for the JKL Toy Company network. The network consists of several IBM i systems and a Windows 2000 server, where the users are registered in Microsoft Windows Active Directory. Based on John Day's research, he knows that Microsoft Active Directory uses the Kerberos protocol to authenticate Windows users. John Day also knows that IBM i provides a single signon solution based on an implementation of Kerberos authentication, called network authentication service, in conjunction with Enterprise Identity Mapping (EIM).
While excited about the benefits of a single signon environment, John Day wants to thoroughly understand single signon configuration and usage before using it across the entire enterprise. Consequently, John Day decides to configure a test environment first.
After considering the various groups in the company, John Day decides to create the test environment for the MYCO Order Receiving department, a subsidiary of JKL Toys. The employees in the Order Receiving department use multiple applications, including HTTP Server, on one IBM i system to handle incoming customer orders. John Day uses the Order Receiving department as a testing area to create a single signon test environment that can be used to better understand how single signon works and how to plan a single signon implementation across the JKL enterprise.
This scenario has the following advantages:
- Allows you to see some of the benefits of single signon on a small scale to better understand how you can take full advantage of it before you create a large-scale, single signon environment.
- Provides you with a better understanding of the planning process required to successfully and quickly implement a single signon environment across your entire enterprise.
As the network administrator at JKL Toy Company, John Day wants to create a small single signon test environment that includes a small number of users and a single IBM i server, Systemi A. John Day wants to perform thorough testing to ensure that user identities are correctly mapped within the test environment. The first step is to enable a single signon environment for the IBM i server and applications on Systemi A, including the HTTP Server. After implementing the configuration successfully, John Day eventually wants to expand the test environment to include the other systems and users in the JKL enterprise.
The objectives of this scenario are as follows:
- The IBM i system, known as Systemi A, must be able to use Kerberos within the MYCO.COM realm to authenticate the users and services that are participating in this single signon test environment. To enable the system to use Kerberos, Systemi A must be configured for network authentication service.
- The directory server on Systemi A must function as the domain controller for the new EIM domain.
Note: Two types of domains play key roles in the single signon environment: an EIM domain and a Windows 2000 domain. Although both of these terms contain the word domain, these entities have very different definitions.
Use the following descriptions to understand the differences between these two types of domains. For more information about these terms, see the EIM and Network authentication service topics.
- EIM domain
- An EIM domain is a collection of data, which includes the EIM identifiers, EIM associations, and EIM user registry definitions that are defined in that domain. This data is stored in a Lightweight Directory Access Protocol (LDAP) server, such as the IBM Tivoli® Directory Server for IBM i, which can run on any system in the network defined in that domain. Administrators can configure systems (EIM clients), such as IBM i, to participate in the domain so that systems and applications can use domain data for EIM lookup operations and identity mapping. To find out more about an EIM domain, see EIM.
- Windows 2000 domain
- In the context of single signon, a Windows 2000 domain is a Windows network that contains several systems that operate as clients and servers, as well as a variety of services and applications that the systems use. The following are some of the components pertinent to single signon that you may find within a Windows 2000 domain:
- Realm
A realm is a collection of machines and services. The main purpose of a realm is to authenticate clients and services. Each realm uses a single Kerberos server to manage the principals for that particular realm.
- Kerberos server
A Kerberos server, also known as a key distribution center (KDC), is a network service that resides on the Windows 2000 server and provides tickets and temporary session keys for network authentication service. The Kerberos server maintains a database of principals (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting server. A Kerberos server uses Microsoft Windows Active Directory to store and manage the information in a Kerberos user registry.
Note: These servers should be in the same subnet to ensure that the tokens can be validated.
- Microsoft Windows Active Directory
Microsoft Windows Active Directory is an LDAP server that resides on the Windows 2000 server along with the Kerberos server. The Active Directory is used to store and manage the information in a Kerberos user registry. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. Therefore, if you are using Microsoft Active Directory to manage your users, you are already using Kerberos technology.
- One user profile on Systemi A and one Kerberos principal must each be mapped to a single EIM identifier.
- A Kerberos service principal must be used to authenticate the user to the IBM HTTP Server for i.
Details
About this task
The following figure illustrates the network environment for this scenario:
The figure illustrates the following points relevant to this scenario.
EIM domain data defined for the enterprise
- An EIM domain called MyCoEimDomain.
- An EIM registry definition for Systemi A called SystemiA.MYCO.COM.
- An EIM registry definition for the Kerberos registry called MYCO.COM.
- An EIM identifier called John Day. This identifier uniquely identifies John Day, the administrator for MyCo.
- A source association for the jday Kerberos principal on the Windows 2000 server.
- A target association for the JOHND user profile on Systemi A to access HTTP Server.
Windows 2000 server
- Acts as the Kerberos server (kdc1.myco.com), also known as a key distribution center (KDC), for the network.
- The default realm for the Kerberos server is MYCO.COM.
- A Kerberos principal of jday is registered with the Kerberos server on the Windows 2000 server. This principal will be used to create a source association to the EIM identifier, John Day.
Systemi A
- Runs IBM i 5.4, or later, with the following options and licensed products installed:
- IBM i Host Servers
- Qshell Interpreter
- IBM i Access for Windows
- Network Authentication Enablement
- The IBM Tivoli Directory Server for IBM i (LDAP) on Systemi A will be configured to be the EIM domain controller for the new EIM domain, MyCoEimDomain. Systemi A participates in the EIM domain, MyCoEimDomain.
- The principal name for Systemi A is krbsvr400/Systemia.myco.com@MYCO.COM.
- The principal name for the HTTP Server on Systemi A is HTTP/Systemia.myco.com@MYCO.COM.
- The user profile of JOHND exists on Systemi A. You create a target association between this user profile and the EIM identifier, John Day.
- The home directory for the IBM i user profile, JOHND, (/home/JOHND) is defined on Systemi A.
Client PC used for single signon administration
- Runs Microsoft Windows 2000 operating system.
- Runs IBM i Access for Windows V5R4, or later.
- Runs System i® Navigator with the following subcomponents installed:
- Network
- Security
- Serves as the primary logon system for administrator John Day.
- Configured to be part of the MYCO.COM realm (Windows domain).
Prerequisites
About this task
Successful implementation of this scenario requires that the following assumptions and prerequisites are met:
- It is assumed you have read Scenarios: HTTP Server.
- All system requirements, including software and operating system installation, have been verified. Ensure that all the necessary licensed programs are installed. To verify that the licensed programs have been installed, complete the following:
- In System i Navigator, expand your .
- All necessary hardware planning and setup is complete.
- TCP/IP and basic system security are configured and tested on each system.
- The directory server and EIM are not previously configured on Systemi A.
Note: Instructions in this scenario are based on the assumption that the directory server has not been previously configured on Systemi A. However, if you have previously configured the directory server, you can still use these instructions with only slight differences. These differences are noted in the appropriate places within the configuration steps.
- A single DNS server is used for host name resolution for the network.
Host tables are not used for host name resolution.
Note: The use of host tables with Kerberos authentication may result in name resolution errors or other problems.
Configuration steps
About this task
These are the configuration steps John Day completed. Follow these configuration steps to enable a single signon environment for your IBM i system.
- Step 1: Planning work sheet
- Step 2: Create a basic single signon configuration for Systemi A
- Step 3: Add principal names to the KDC
- Step 4: Add Kerberos keytab
- Step 5: Create home directory for John Day on Systemi A
- Step 6: Test network authentication service configuration on Systemi A
- Step 7: Create EIM identifier for John Day
- Step 8: Create a source association and target association for the new EIM identifier
- Step 9: Configure IBM i Access for Windows applications to use Kerberos authentication
- Step 10: Add Systemi A to an existing EIM domain
- Step 11: Configure HTTP Server for single signon
- Step 12: (Optional) Post configuration considerations
Step 1: Planning work sheet
About this task
The following planning work sheets are tailored to fit this scenario. These planning work sheets demonstrate the information that you need to gather and the decisions you need to make to prepare the single signon implementation described by this scenario. To ensure a successful implementation, you must be able to answer Yes to all prerequisite items in the work sheet and be able to gather all the information necessary to complete the work sheets before you perform any configuration tasks.
Prerequisite work sheet | Answers |
---|---|
Are you running IBM i 5.4 or later? | Yes |
Are the following options and licensed products installed on Systemi A? | Yes |
Have you installed an application that is enabled for single signon on each of the PCs that will participate in the single signon environment? Note: For this scenario, all of the participating PCs have IBM i Access for Windows installed and Systemi A has the IBM HTTP Server for i installed. | Yes |
Is System i Navigator installed on the administrator's PC? | Yes |
Have you installed the latest IBM i Access for Windows service pack? See System i Access for the latest service pack. | Yes |
Do you, the administrator, have *SECADM, *ALLOBJ, and *IOSYSCFG special authorities? | Yes |
Do you have one of the following systems in the network acting as the Kerberos server (also known as the KDC)? If yes, specify which system. | Yes, Windows 2000 Server |
Are all your PCs in your network configured in a Windows 2000 domain? | Yes |
Have you applied the latest program temporary fixes (PTFs)? | Yes |
Is the IBM i system time within 5 minutes of the system time on the Kerberos server? If not, see Synchronize system times. | Yes |
You need this information to configure EIM and network authentication service to create a single signon test environment.
Configuration planning work sheet for Systemi A | Answers |
---|---|
How do you want to configure EIM for your system? | Create and join a new domain. Note: This will configure the directory server on the same system on which you are currently configuring EIM. |
Do you want to configure network authentication service? Note: You must configure network authentication service to configure single signon. | Yes |
The Network Authentication Service wizard launches from the EIM Configuration wizard. Use the following information to complete the Network Authentication Service wizard. Note: You can launch the Network Authentication Service wizard independently of the EIM Configuration wizard. | |
What is the name of the Kerberos default realm to which your system belongs? Note: A Windows 2000 domain is similar to a Kerberos realm. Microsoft Windows Active Directory uses Kerberos authentication as its default security mechanism. | MYCO.COM |
Are you using Microsoft Active Directory? | Yes |
What is the Kerberos server, also known as a key distribution center (KDC), for this Kerberos default realm? What is the port on which the Kerberos server listens? | Note: This is the default port for the Kerberos server. |
Do you want to configure a password server for this default realm? If yes, answer the following questions: What is the name of the password server for this Kerberos server? What is the port on which the password server listens? | Yes. Note: This is the default port for the Kerberos server. |
For which services do you want to create keytab entries? | IBM i Kerberos Authentication. Note: A keytab entry for HTTP Server must be created manually as described later in the configuration steps. |
What is the password for your service principal or principals? | Systemisa123. Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration. |
Do you want to create a batch file to automate adding the service principals for Systemi A to the Kerberos registry? | Yes |
Do you want to include passwords with the IBM i service principals in the batch file? | Yes |
As you exit the Network Authentication Service wizard, you will return to the EIM Configuration wizard. Use the following information to complete the EIM Configuration wizard. | |
Specify user information for the wizard to use when configuring the directory server. This is the connection user. You must specify the port number, administrator distinguished name, and a password for the administrator. Note: Specify the LDAP administrator's distinguished name (DN) and password to ensure the wizard has enough authority to administer the EIM domain and the objects in it. | Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, do not use these passwords as part of your own configuration. |
What is the name of the EIM domain that you want to create? | MyCoEimDomain |
Do you want to specify a parent DN for the EIM domain? | No |
Which user registries do you want to add to the EIM domain? | Local IBM i: SystemiA.MYCO.COM. Kerberos: MYCO.COM. Note: The Kerberos principals stored on the Windows 2000 server are not case sensitive; therefore do not select Kerberos user identities are case sensitive. |
Which EIM user do you want Systemi A to use when performing EIM operations? This is the system user. Note: If you have not configured the directory server prior to configuring single signon, the only distinguished name (DN) you can provide for the system user is the LDAP administrator's DN and password. | Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, never use these passwords as part of your own configuration. |
After you complete the EIM Configuration wizard, use the following information to complete the remaining steps required for configuring single signon. | |
What is the IBM i user profile name for the user? | JOHND |
What is the name of the EIM identifier that you want to create? | John Day |
What kinds of associations do you want to create? | |
What is the name of the user registry that contains the Kerberos principal for which you are creating the source association? | MYCO.COM |
What is the name of the user registry that contains the IBM i user profile for which you are creating the target association? | SystemiA.MYCO.COM |
Step 2: Create a basic single signon configuration for Systemi A
About this task
You need to create a basic single signon configuration using the System i Navigator. The EIM configuration wizard will assist in the configuration process. Use the information from your planning work sheets to configure EIM and network authentication service on Systemi A.
Procedure
Step 3: Add principal names to the KDC
About this task
To add the system to the Windows 2000 KDC, use the documentation for your KDC that describes the process of adding principals. By convention, the IBM i system name can be used as the username. Add the following principal names to the KDC:
krbsvr400/SystemiA.ordept.myco.com@ORDEPT.MYCO.COM
HTTP/Systemia.myco.com@MYCO.COM
On a Windows 2000 server, follow these steps:
Procedure
Step 4: Add Kerberos keytab
About this task
You need keytab entries for authentication purposes as well as for generating the authorization identity. The network authentication service wizard (network authentication service is the IBM i implementation of the Kerberos protocol) creates a keytab entry for Systemi A; however, the keytab entry for HTTP must be created manually. The wizard can only create keytab entries for the system and for the applications it knows to be Kerberos-enabled. The network authentication service wizard configures network authentication service (Kerberos) for you. The EIM wizard calls it if you have not already configured network authentication service on the system or if your network authentication service configuration is not complete.
The kinit command is used to initiate Kerberos authentication. A Kerberos ticket-granting ticket (TGT) is obtained and cached for the HTTP Server principal. Use kinit to perform the ticket exchange for the HTTP Server principal. The ticket is cached for reuse.
Procedure
Step 5: Create home directory for John Day on Systemi A
About this task
You need to create a directory in the /home directory to store your Kerberos credentials cache. To create a home directory, complete the following:
Procedure
- Start a 5250 session on Systemi A.
- Type QSH.
- On a command line, enter: CRTDIR '/home/user profile' where user profile is your IBM i user profile name. For example: CRTDIR '/home/JOHND'.
Step 6: Test network authentication service configuration on Systemi A
About this task
Now that you have completed the network authentication service configuration tasks for Systemi A, you need to test your configuration. You can do this by requesting a ticket-granting ticket for the HTTP principal name, HTTP/Systemia.myco.com.
To test the network authentication service configuration, complete these steps:
Procedure
- On a command line, enter QSH to start the Qshell Interpreter.
- Enter keytab list to display a list of principals registered in the keytab file. In this scenario, HTTP/Systemia.myco.com@MYCO.COM displays as the principal name for Systemi A.
- Enter kinit -k HTTP/Systemia.myco.com@MYCO.COM. If this is successful, the kinit command completes without displaying any errors.
- Enter klist to verify that the default principal is HTTP/Systemia.myco.com@MYCO.COM.
Step 7: Create EIM identifier for John Day
About this task
Now that you have performed the initial steps to create a basic single signon configuration, you can begin to add information to this configuration to complete your single signon test environment. You need to create the EIM identifier that you specified in Step 1: Planning work sheet. In this scenario, this EIM identifier is a name that uniquely identifies John Day in the enterprise.
To create an EIM identifier, follow these steps:
Procedure
Step 8: Create a source association and target association for the new EIM identifier
About this task
You must create the appropriate associations between the EIM identifier and the user identities that the person represented by the identifier uses. These identifier associations, when properly configured, enable the user to participate in a single signon environment.
In this scenario, you need to create two identifier associations for the John Day identifier:
- A source association for the jday Kerberos principal, which is the user identity that John Day, the person, uses to log in to Windows and the network. The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.
- A target association for the JOHND IBM i user profile, which is the user identity that John Day, the person, uses to log in to System i Navigator and other IBM i applications on Systemi A. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.
Now that you have created the John Day identifier, you need to create both a source association and a target association for it.
To create a source association between the Kerberos principal jday and the John Day identifier, follow these steps:
Procedure
Step 9: Configure IBM i Access for Windows applications to use Kerberos authentication
About this task
You must use Kerberos to authenticate before you can use System i Navigator to access Systemi A. Therefore, from your PC, you need to configure IBM i Access for Windows to use Kerberos authentication. John Day will use IBM i Access for Windows to monitor the status of the HTTP Server and monitor the other activities on the IBM i system.
To configure IBM i Access for Windows applications to use Kerberos authentication, complete the following steps:
Procedure
- Log on to the Windows 2000 domain by logging on to your PC.
- In System i Navigator on your PC, right-click Systemi A and select Properties.
- On the Connection page, select Use Kerberos principal name, no prompting. This allows IBM i Access for Windows connections to use the Kerberos principal name and password for authentication.
- A message is displayed that indicates you need to close and restart all applications that are currently running for the changes to the connection settings to take effect. Click OK. Then, end and restart System i Navigator.
Step 10: Add Systemi A to an existing EIM domain
About this task
The IBM i does not require mapping, per the EIM configuration, as it is not a signon-type entity. You do, however, have to add the system to an existing EIM domain.
Procedure
- Start System i Navigator.
- Expand .
- Click Configure system for EIM.
- Click Join an existing domain. Click Next.
- Type Systemia.myco.com in the Domain controller name field.
- Type 389 in the Port field. Click Next.
- Select Distinguished name and password from the User type field.
- Type cn=administrator in the Distinguished name field.
- Type mycopwd in the Password field.
- Type mycopwd in the Confirm password field. Click Next.
- Select MyCoEimDomain from the Domain column. Click Next.
- Select Systemia.myco.com for Local OS/400 and kdc1.myco.com for Kerberos.
- Select Kerberos user identities are case sensitive. Click Next.
- Select Distinguished name and password from the User type list.
- Type cn=administrator in the Distinguished name field.
- Type mycopwd in the Password field.
- Type mycopwd in the Confirm password field. Click Next.
- Review the information and click Finish.
Step 11: Configure HTTP Server for single signon
About this task
After the basic test environment is working, John Day configures the HTTP Server to participate in the single signon environment. Once single signon is enabled, John Day can access the HTTP Server without being prompted for a user ID and password after signing on to the Windows environment.
To set up Kerberos for your HTTP Server, complete the following steps:
Procedure
- Start the Web Administration for i interface.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select the HTTP Server you want to work with from the Server list.
- Select the resource from the server area (a directory or a file) you want to work with from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Authentication tab.
- Select Kerberos under User authentication method.
- Select enable or disable to match the source user identity (user ID) associated with the server ticket with an IBM i system profile defined in a target association. If enabled when Kerberos is specified for the AuthType directive, the server will use EIM to attempt to match the user ID associated with the server ticket with an IBM i system profile. If there is no appropriate target association for an IBM i system profile, the HTTP request will fail.
- Click Apply.
Results
Restart the HTTP Server instance to use your new Kerberos settings.
Example
Your configuration file will now include new code for the Kerberos options you selected.
Processing requests using client's authority is Disabled:
<Directory />
Require valid-user
PasswdFile %%KERBEROS%%
AuthType Kerberos
</Directory>
Processing requests using client's authority is Enabled:
<Directory />
Require valid-user
PasswdFile %%KERBEROS%%
UserID %%CLIENT%%
AuthType Kerberos
</Directory>
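The mapping that Step 8 sets up and that Step 11 depends on (with UserID %%CLIENT%% the server asks EIM to match the ticket's user ID to an IBM i profile, and the request fails when no target association exists) can be traced with a small in-memory model. The following Python is an added example, not IBM's code and not the EIM or HTTP Server API; the EimDomain class, the authorize decision logic, the registry flags and the two configuration strings are constructed from this scenario's values (MyCoEimDomain, MYCO.COM, SystemiA.MYCO.COM, jday, John Day, JOHND).

```python
# Added example (not IBM code, not the EIM API): an in-memory model of the EIM
# lookup IBM HTTP Server for i performs when AuthType Kerberos is combined with
# UserID %%CLIENT%%.  Domain data is constructed from the scenario.
import re
from dataclasses import dataclass, field


@dataclass
class EimDomain:
    """Toy EIM domain: registry definitions plus source/target associations."""
    name: str
    # registry name -> True if user identities in that registry are case sensitive
    registries: dict
    # (registry, normalised user) -> EIM identifier  (source associations)
    sources: dict = field(default_factory=dict)
    # EIM identifier -> {target registry: user}      (target associations)
    targets: dict = field(default_factory=dict)

    def _key(self, registry, user):
        if registry not in self.registries:
            raise KeyError(f"registry {registry!r} is not defined in {self.name}")
        # A case-insensitive registry folds the identity to one case, which is why
        # the worksheet says not to mark the Windows KDC registry case sensitive.
        return (registry, user if self.registries[registry] else user.upper())

    def add_source_association(self, identifier, registry, user):
        self.sources[self._key(registry, user)] = identifier

    def add_target_association(self, identifier, registry, user):
        self.targets.setdefault(identifier, {})[registry] = user

    def lookup(self, src_registry, src_user, tgt_registry):
        """Mapping lookup: source identity -> identifier -> target identity."""
        identifier = self.sources.get(self._key(src_registry, src_user))
        if identifier is None:
            return None
        return self.targets.get(identifier, {}).get(tgt_registry)


_DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")
_DIRECTORY = re.compile(r"<Directory\s+(\S+)>(.*?)</Directory>", re.S)


def parse_directory_auth(config_text):
    """Parse <Directory> containers of the shape shown in the Example section.

    Returns one dict per container: path, AuthType, PasswdFile and whether
    UserID %%CLIENT%% is present (requests run under the mapped client profile).
    """
    containers = []
    for path, body in _DIRECTORY.findall(config_text):
        directives = {}
        for line in body.splitlines():
            m = _DIRECTIVE.match(line)
            if m:
                directives[m.group(1)] = m.group(2)
        containers.append({
            "path": path,
            "auth_type": directives.get("AuthType"),
            "passwd_file": directives.get("PasswdFile"),
            "client_authority": directives.get("UserID") == "%%CLIENT%%",
        })
    return containers


def authorize(domain, container, principal, local_registry="SystemiA.MYCO.COM"):
    """Decide what happens to a request whose Kerberos ticket names `principal`.

    ("allow", None)  -> client authority disabled, request runs as the server.
    ("allow", "X")   -> client authority enabled, request runs as mapped profile X.
    ("deny", reason) -> no target association (the HTTP request fails).
    """
    if container["auth_type"] != "Kerberos":
        return ("deny", "AuthType is not Kerberos")
    user, _, realm = principal.rpartition("@")
    if not container["client_authority"]:
        return ("allow", None)
    profile = domain.lookup(realm, user, local_registry)
    if profile is None:
        return ("deny", f"no target association in {local_registry} for {principal}")
    return ("allow", profile)


def build_scenario_domain():
    """Constructed data for MyCoEimDomain as the scenario describes it."""
    domain = EimDomain("MyCoEimDomain",
                       registries={"MYCO.COM": False, "SystemiA.MYCO.COM": True})
    domain.add_source_association("John Day", "MYCO.COM", "jday")
    domain.add_target_association("John Day", "SystemiA.MYCO.COM", "JOHND")
    return domain


# Constructed copies of the two configurations shown in the Example section.
CONFIG_DISABLED = "<Directory />\nRequire valid-user\nPasswdFile %%KERBEROS%%\n" \
                  "AuthType Kerberos\n</Directory>\n"
CONFIG_ENABLED = "<Directory />\nRequire valid-user\nPasswdFile %%KERBEROS%%\n" \
                 "UserID %%CLIENT%%\nAuthType Kerberos\n</Directory>\n"

if __name__ == "__main__":
    domain = build_scenario_domain()
    for cfg in (CONFIG_DISABLED, CONFIG_ENABLED):
        container = parse_directory_auth(cfg)[0]
        for principal in ("jday@MYCO.COM", "JDAY@MYCO.COM", "bsmith@MYCO.COM"):
            print(container["client_authority"], principal,
                  authorize(domain, container, principal))
```

Running the block shows the two behaviours side by side: with the "Disabled" configuration every authenticated principal is allowed and served under the server profile, while with UserID %%CLIENT%% only principals that have a target association in SystemiA.MYCO.COM are served, and a principal such as the constructed bsmith is refused, which is the failure mode Step 11 describes.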
To restrict which client hosts can reach the Kerberos-protected resource, complete the following steps:
- Start the Web Administration for i interface.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Select the server area you want to work with from the Server area list.
- Expand Server Properties.
- Click Security.
- Click the Control Access tab.
- Select Control access based on specific authorization of Control access field.
- Click Add Authorization button under the Authorization for control access table
- Select Require host from the new row Authorization or Container list.
- Type *.jkl.com in the Host name table to allow clients in the JKL domain to access the resource.
Note: You should type the host name of your server. If you do not, no client is allowed access to the resources.
- Click Continue.
- Click OK.
Step 12: (Optional) Post configuration considerations
What to do next
Now that you have finished this scenario, the only EIM user you have defined that EIM can use is the Distinguished Name (DN) for the LDAP administrator. The LDAP administrator DN that you specified for the system user on Systemi A has a high level of authority to all data on the directory server. Therefore, you might consider creating one or more DNs as additional users that have more appropriate and limited access control for EIM data. The number of additional EIM users that you define depends on your security policy's emphasis on the separation of security duties and responsibilities. Typically, you might create at least the two following types of DNs:
- A user that has EIM administrator access control
This EIM administrator DN provides the appropriate level of authority for an administrator who is responsible for managing the EIM domain. This EIM administrator DN could be used to connect to the domain controller when managing all aspects of the EIM domain by means of System i Navigator.
- At least one user that has all of the following access controls:
- Identifier administrator
- Registry administrator
- EIM mapping operations
This user provides the appropriate level of access control required for the system user that performs EIM operations on behalf of the operating system.
To use Microsoft Internet Explorer to access a Kerberos protected resource, the Integrated Windows Authentication option must be enabled. To enable it, from Internet Explorer go to Tools > Internet options > Advanced tab and Enable Integrated Windows Authentication.