IBM i enablement

The IBM® i implementation of Enterprise Identity Mapping (EIM) and Kerberos (referred to as network authentication services) provides a true multi-tier single sign-on environment.

The network authentication service is IBM's implementation of Kerberos and the Generic Security Service (GSS) APIs. You can use EIM to define associations that will provide a mapping between a Kerberos principal and an IBM i user profile. You can then use this association to determine which EIM identifier corresponds to a local IBM i user profile or Kerberos principal. This is one of the benefits of enabling single sign-on in IBM i on the server.

IBM i enablement of single sign-on

To enable a single sign-on environment, IBM uses two technologies that work together: EIM and network authentication service, which is IBM's implementation of Kerberos and the GSS APIs. By configuring these two technologies, an administrator can enable a single sign-on environment. Windows, AIX®, and z/OS® use the Kerberos protocol to authenticate users to the network. Kerberos involves the use of a network-based, secure key distribution center (KDC) that authenticates principals (Kerberos users) to the network. The fact that a user has authenticated to the KDC is represented by a Kerberos ticket. A ticket can be passed from a user to a service that accepts tickets. The service accepting a ticket uses it to determine who the user claims to be (within the Kerberos user registry and realm) and that they are in fact who they claim to be.

While network authentication service allows a server to participate in a Kerberos realm, EIM provides a mechanism for associating these Kerberos principals to a single EIM identifier that represents that user within the entire enterprise. Other user identities, such as an IBM i user name, can also be associated with this EIM identifier. Based on these associations, EIM provides a mechanism for IBM i and applications to determine which IBM i user profile represents the person or entity represented by the Kerberos principal. You can think of the information in EIM as a tree with an EIM identifier as the root, and the list of user identities associated with the EIM identifier as the branches.
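The lookup described above (Kerberos principal, via its source association, to an EIM identifier, then to the target IBM i user profile in a given registry) can be shown with a small in-memory model. This is an added example, not IBM's EIM code or API: the names EimDomain, UserIdentity, lookup_target and the registries MYCO.COM, SYSTEMA and SYSTEMB are all constructed for illustration. The model deliberately returns no profile (deny) when a source identity has no association or when the identifier has more than one target identity in the requested registry, because a server that guesses a local profile would defeat the purpose of the mapping.

```python
# Added example (not IBM code): a minimal in-memory model of an EIM domain.
# EimDomain, UserIdentity and lookup_target are hypothetical names; real EIM is
# an LDAP-backed domain with its own APIs.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserIdentity:
    """A user identity in one registry: a Kerberos realm or an IBM i system."""
    registry: str   # constructed examples: "MYCO.COM" (Kerberos realm), "SYSTEMA" (IBM i)
    name: str       # constructed examples: "jsmith@MYCO.COM" or "JSMITH"


class EimDomain:
    """EIM identifier as the root; associated user identities as the branches."""

    def __init__(self) -> None:
        self._source: dict[UserIdentity, str] = {}        # source identity -> EIM identifier
        self._targets: dict[str, set[UserIdentity]] = {}  # EIM identifier -> target identities

    def add_identifier(self, identifier: str) -> None:
        self._targets.setdefault(identifier, set())

    def add_source_association(self, identifier: str, identity: UserIdentity) -> None:
        # A source identity (e.g. a Kerberos principal) may belong to only one identifier.
        if identifier not in self._targets:
            raise KeyError(f"unknown EIM identifier {identifier!r}")
        if self._source.get(identity, identifier) != identifier:
            raise ValueError(f"{identity} is already associated with another identifier")
        self._source[identity] = identifier

    def add_target_association(self, identifier: str, identity: UserIdentity) -> None:
        if identifier not in self._targets:
            raise KeyError(f"unknown EIM identifier {identifier!r}")
        self._targets[identifier].add(identity)

    def identifier_for(self, identity: UserIdentity) -> Optional[str]:
        """Which EIM identifier (root of the tree) a source identity hangs from."""
        return self._source.get(identity)

    def lookup_target(self, source: UserIdentity, target_registry: str) -> Optional[str]:
        """Map an authenticated source identity to the single user in target_registry.

        Returns None (deny) when no association exists or when the mapping is
        ambiguous; the caller must never fall back to guessing a local profile.
        """
        identifier = self._source.get(source)
        if identifier is None:
            return None
        matches = {t.name for t in self._targets[identifier] if t.registry == target_registry}
        if len(matches) != 1:
            return None
        return matches.pop()


def build_sample_domain() -> EimDomain:
    """Constructed sample data: people known by different names in different registries."""
    dom = EimDomain()
    dom.add_identifier("John Smith")
    dom.add_source_association("John Smith", UserIdentity("MYCO.COM", "jsmith@MYCO.COM"))
    dom.add_target_association("John Smith", UserIdentity("SYSTEMA", "JSMITH"))
    dom.add_target_association("John Smith", UserIdentity("SYSTEMB", "JOHNS"))
    # A second identifier with two target profiles on SYSTEMA: ambiguous, so denied there.
    dom.add_identifier("Ann Lee")
    dom.add_source_association("Ann Lee", UserIdentity("MYCO.COM", "alee@MYCO.COM"))
    dom.add_target_association("Ann Lee", UserIdentity("SYSTEMA", "ALEE"))
    dom.add_target_association("Ann Lee", UserIdentity("SYSTEMA", "ALEE2"))
    return dom


if __name__ == "__main__":
    dom = build_sample_domain()
    krb = UserIdentity("MYCO.COM", "jsmith@MYCO.COM")
    print(dom.lookup_target(krb, "SYSTEMA"))   # JSMITH
    print(dom.lookup_target(krb, "SYSTEMB"))   # JOHNS
    print(dom.lookup_target(UserIdentity("MYCO.COM", "nobody@MYCO.COM"), "SYSTEMA"))  # None
```

The service side of the flow is then: accept the Kerberos ticket, take the authenticated principal as the source identity, call the lookup for the local registry, and proceed only if exactly one profile comes back; a None result should be logged as a failed mapping rather than silently mapped to a default profile.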

Enabling single sign-on for your server simplifies the task of managing IBM i user profiles and reduces the number of sign-ons that a user must perform to access multiple IBM i applications and servers. Additionally, it reduces the amount of time that is required for password management by each user. Single sign-on allows each user to remember and use fewer passwords to access applications and servers, thereby simplifying their IBM i experience.

IBM i client and server applications currently enabled for single sign-on

  • IBM i Host Servers is currently used by IBM i Access Client Solutions.
  • Telnet server: currently used by PC5250 and IBM WebSphere® Host On-Demand Version 8: Web Express Logon feature.
  • Telnet client
  • Open DataBase Connectivity (ODBC): allows single sign-on access to IBM i databases through ODBC.
  • Java™ Database Connectivity (JDBC): allows single sign-on access to IBM i databases through ODBC.
  • Distributed Relational Database Architecture™ (DRDA): allows single sign-on access to IBM i databases through ODBC.
  • QFileSrv.400
  • FTP client and FTP server