Single Sign-on Implementation Best Practices -...
Transcript of Single Sign-on Implementation Best Practices -...
© 2017 IBM Corporation
™
© 2017 IBM Corporation
Single Sign-on Implementation Best PracticesThomas BarlenSenior Managing [email protected]
© 2017 IBM Corporation
™
Agenda
• Implementation challenges
• Best practices setup
• Ongoing administration
2
© 2017 IBM Corporation
™
Single Sign-On with IBM i
3
Windows DomainController
SSL
EIM Domain Controller
Registry: User: TypeWIN.DOM.COM Thomas.Barlen Kerberos
ServerA BARLENT i5/OSServerB TBARLEN RACFIntraNet barlen AIXSysA BARLEN1 i5/OS
Key Distribution Center(KDC)
AS TGS
Identifier: [email protected]
Target IDType
Can I have a ticket for
service SYSA?Sure, here is the ticket for
user Thomas.Barlen.
Here is my ticket. My name is
Thomas.Barlen. Please let me in.
Dear EIM controller, do you
know w
ho Thomas.Barlen from
WIN.DO
M.CO
M is on SYSA?
Yes, it isBARLEN1
Hey. Welcome BARLEN1
Thomas
SysATGT request is not shown
2
1
3
6
4
Sour
ce ID
Type
Target ID
Type
TargetIDType
TargetIDType
5
© 2017 IBM Corporation
™
Kerberos and EIM-enabled applications● Host servers (used by IBM i Access for Windows)● Telnet server used by PC5250 from IBM i Access, WebSphere Host On-Demand V8,
5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions,● IBM Personal Communications 5.9 ● IBM i Telnet client (V7R2)● QFileSrv.400● Distributed Relational Database Architecture (DRDA), Open Database Connectivity
(ODBC), Java Database Connectivity (JDBC)● HTTP Server for IBM i (powered by Apache)● Management Central● Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no
EIM involved)● Windows Integration● FTP Client and Server (V7R2)● NetServer● IBM WebSphere Application Server ● Network File System (NFS)
Telnet server used by PC5250 from IBM i Access, WebSphere Host On-Demand V8, 5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions,IBM Personal Communications 5.9
IBM i Telnet client (V7R2)
QFileSrv.400
Distributed Relational Database Architecture (DRDA), Open Database Connectivity (ODBC), Java Database Connectivity (JDBC)
HTTP Server for IBM i (powered by Apache)
Management Central
Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no EIM involved)
Windows Integration
FTP Client and Server (V7R2)
NetServer
IBM WebSphere Application Server
Network File System (NFS)
Telnet server used by PC5250 from IBM i Access, WebSphere Host On-Demand V8, 5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions,IBM Personal Communications 5.9
IBM i Telnet client (V7R2)
QFileSrv.400
Distributed Relational Database Architecture (DRDA), Open Database Connectivity (ODBC), Java Database Connectivity (JDBC)
HTTP Server for IBM i (powered by Apache)
Management Central
Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no EIM involved)
Windows Integration
FTP Client and Server (V7R2)
NetServer
IBM WebSphere Application Server
Network File System (NFS)
4
© 2017 IBM Corporation
™
1. Challenge: Domain Name Services • Before setting up Kerberos, all IP addresses of services in a network should
be resolved to the same host name
• IBM i DNS entry – can have multiple A records / aliases per IP address– must have only one pointer (PTR) record per IP address
• Fully qualified host name of IBM i partition needs to be added as first name in IBM i local hosts table
5
DNS lookup when requesting a service ticket
Forward lookup: host name to IP addr
Reverse lookup: IP addr to host name
Example: DNS query: Prodsys1 DNS response: 172.16.5.1
Example: DNS query: 172.16.5.1 DNS response: prodsys1.domain.local
© 2017 IBM Corporation
™
2. Challenge: Time• Kerberos is time sensitive
• By default, system times of all participating hosts must be within 5 minutes difference
• Correct time zone must be configured• Use network time protocol client to synchronize time
6
Corporate Time Server
SNTPClient
SNTPClient
SNTPClient
© 2017 IBM Corporation
™
3. Challenge: Mass deployment• Enabling SSO on the client side mostly requires configuration changes
• Configurations reside in different places
• Manual reconfiguration unfeasible for 100s or 1000s of clients • Need to identify client products including their versions and figure out where
the relevant configuration parameters are stored
7
Windows 8IBM i Navigator
PC5250 emulation
Windows 8IBM i Access Client
Solution5250 Java emulator
Ubuntu LinuxIBM i Access Client
Solution5250 Java emulator
Windows
RegistryConfig Files
Registry and Config Files
© 2017 IBM Corporation
™
Implementation• Use the configuration wizards for Network Authentication Service (NAS) and
Enterprise Identity Mapping (EIM) to perform the basic setup
– Everything described in the IBM i knowledge baseSecurity → Single sign-on
• However……
– wizards are made to simplify the configuration
– some of the wizard generated configurations are not considered a good practice
8
© 2017 IBM Corporation
™
Implementation: NetServer considerations• All IBM i related client applications need to be configured to use Kerberos
authentication rather than user/password
• EXCEPT ------> The Microsoft SMB client
9
SMB client behavior when mapping a drive from IBM i NetServer
Stolen from Thomas BarlenInitiate mapping
Windows always requestsKrb ticket from KDC (AD)
Authenticate with user/pwdTkt fromAD?
NoAuthenticate with Krb Tkt
Yes
Kerberosconfigured forNetServer ?
EIM mappingfound ?
Yes
Authenticationfailed
NoNo
Authenticate with Krb Tkt
Ticketvalid ?
Yes
Usr/Pwdvalid ?
Authenticationsuccessful
No
YesYes
NoTypical problem
© 2017 IBM Corporation
™
Implementation: NetServer considerations (cont’d)• During the implementation and test phase it is recommended to
– Register only a service principal name (SPN) that is not being used for mapping a drive by the workstations
– Test your mapping function with the NetServer\\10.1.1.70\QIBM
– Once all testing is complete and ALL EIM mappings have been defined, register the remaining SPNs in AD
10
cifs/[email protected]/[email protected]/[email protected]/[email protected]
© 2017 IBM Corporation
™
Making life easy for Windows administrators• Windows administrators tend to be reluctant changing THEIR Windows AD
• Simplify as much as possible the configuration of the required service accounts for the IBM i Kerberos service principals
• Take the IBM i configuration wizard Windows batch file
• Modify it so that the Windows admin just needs to run it
11
DSADD user cn=prodsys_1_krbsvr400,cn=users,dc=WIN,dc=DOM,dc=COM -pwd krb76fwall -display prodsys_1_krbsvr400 KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/[email protected] -PASS krb76fwall -mapop set
DSADD user cn=prodsys_1_krbsvr400,ou=ServiceAccounts,dc=WIN,dc=DOM,dc=COM -pwd krb76fwall -display prodsys_1_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services for system PRODSYS1" KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/[email protected] -PASS krb76fwall -mapop set
Must be providedby Windows admin
© 2017 IBM Corporation
™
EIM system account• During the EIM setup, an EIM system account is specified
• The problem → when the LDAP server administrator password gets changed, SSO stops working
– the password stored in the EIM properties does not match the password of the admin anymore
12
Defaults to the wizard admin
account
© 2017 IBM Corporation
™
EIM system account (cont’d)• Prior to running the EIM configuration wizard create a LDAP sub-tree to hold
EIM domain data and user entry
– Following example shows an LDIF file to generate these entries
•
13
Browse : /home/barlen/eim.ldif Record : 1 of 15 by 18 Control : ....+....1....+....2....+....3....+....4....+....5. ************Beginning of data************** dn: o=eim objectclass: organization o: eim description: EIM domain data
dn: cn=eimsystem,o=eim objectclass: inetOrgPerson objectclass: ePerson cn: eimsystem sn: EIM description: EIM system user uid: eimsystem userPassword: kL75fRqk0s ************End of Data********************
root
o=eim
cn=eimsystem
ibm-eimdomainname=EIM
© 2017 IBM Corporation
™
EIM system account (cont’d)• Create the entries via command line (easy)
– Alternatively you can use the IBM Tivoli Directory Web Management Tool
•
14
ldapadd h localhost D cn=administrator w ? f /home/barlen/eim.ldif
© 2017 IBM Corporation
™
EIM system account (cont’d)• Grant the EIM system user permissions for EIM operations
•
15
© 2017 IBM Corporation
™
EIM system account (cont’d)• Use the EIM system user in the EIM configuration wizard
16
© 2017 IBM Corporation
™
Mass deployment of SSO - EIM
17
• EIM is only used on the server side → no need for client setup
• Recommended to use tools or write a program to automatically create EIM identifier and associations
– Example: Lab Services IBM PowerSC Tools for IBM i – SSO Suite for EIM
© 2017 IBM Corporation
™
Mass deployment of SSO - Kerberos
18
• Client configuration needs to be changed from user/password to Kerberos authentication
– Exception is the SMB client to access the NetServer
• Typically the configuration change is manual
© 2017 IBM Corporation
™
Mass deployment of SSO – Kerberos (cont’d)
19
• SSO configuration settings are stored in various places
– IBM i Navigator provides a central switch to turn SSO on or off for IBM i Navigator, PC5250, ODBC
• Each application can override the Navigator settings• IBM i Navigator stores the configuration setting in the Windows registry
1 = Use default user2 = Prompt every time3 = Use Windows user name4 = Use Kerberos
© 2017 IBM Corporation
™
Mass deployment of SSO – Kerberos (cont’d)
20
• IBM i Navigator registry setting can be exported to .reg file and used for automatic import via login scripts
• As an alternative to the registry approach for IBM i Navigator you can also use the IBM i Access for Windows cwbenv command
– Export a connection environment including its settings (includes all connections)cwbenv /E "My connections" ibmienv.fil
– Import a connection environmentcwbenv /I /O ibmienv.fil
● /O overrides existing connections with new settings
• IBM Access Client Solutions stores the settings in the prefs.dat file \Documents\IBM\iAccessClient\Settings\client.configuration\com.ibm...\systname\
© 2017 IBM Corporation
™
EIM domain controller availability
21
• Using a single EIM domain controller for multiple IBM i partitions introduces a single point of failure (SPOF)
P4EIM Domain Controller
Joined EIM domain
Joined EIM domain
Joined EIM domain
P3
P5
P2
SPOF
If system is downSSO stops working
on all systems
© 2017 IBM Corporation
™
EIM domain controller availability (cont’d)
22
• EIM domain data are stored in a LDAP server (IBM Directory Server)
• LDAP replication functions can be used to improve availability
• IBM i provides master-replica, master-forwarder-replica, and multi-master replication
Master/Peer 1 Master/Peer 3
Peer 2
Administrator
ldapmodify ldapmodify
© 2017 IBM Corporation
™
EIM domain controller availability (cont’d)
23
• Once the replication has been set up change the EIM properties on each system to point to itself as the EIM domain controller
• Use the same approach for HA environments between the production and DR system
LDAPServerEIM Ctrl
EIM Config:CTRL: Master1
P4
LDAPServerEIM Ctrl
EIM Config:CTRL: Master2
P5Replication using TLS
© 2017 IBM Corporation
™
Ongoing administration • Recommended to use tools or write a program to automatically create EIM
identifier and associations
• If naming conventions exist for user names, use an exit program for the QIBM_QSY_CRT_PROFILE / QIBM_QSY_DLT_PROFILE exits to create and delete EIM mappings
• NAS does not require any administration unless the service account passwords change
24
© 2017 IBM Corporation
™
Conclusion
• Implementation challenges– DNS name resolution
– Time synchronization
– Mass deployment
• Best practices setup– NetServer considerations
– Make life easy for Windows administrators
– EIM system user and LDAP server setup
– Automate workstation configuration
– High availability environment
• Ongoing administration– Enterprise Identity Mapping (EIM) administration
25
© 2017 IBM Corporation
™
Thanks
26
IBM Systems Lab Services and TrainingOur Mission and Profile
● Support the IBM Systems Agenda and accelerate the adoption of new products and solutions● Maximize performance of our clients’ existing IBM systems● Deliver technical training, conferences, and other services tailored to meet client needs● Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and
our IBM Business Partners)Our Competitive Advantage
● Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers
● Combined expertise of Lab Services and the Training for Systems team● Skills can be deployed worldwide to assure all client needs can be met