Single Sign-on Implementation Best Practices

Transcript of: Single Sign-on Implementation Best Practices (schd.ws/hosted_files/data3hk2017/65/SSOImplBestPracticesTBarlen.pdf)

© 2017 IBM Corporation

Thomas Barlen, Senior Managing Consultant, [email protected]

Agenda

• Implementation challenges
• Best practices setup
• Ongoing administration

Single Sign-On with IBM i

(Figure: Kerberos and EIM flow between a Windows domain controller, the IBM i partition SYSA and the EIM domain controller. The initial TGT request is not shown.)

Windows Domain Controller: Key Distribution Center (KDC) with the Authentication Service (AS) and the Ticket-Granting Service (TGS).

EIM Domain Controller (reached over SSL): holds the EIM identifier [email protected] with its source and target associations.

  Registry       User            Type
  WIN.DOM.COM    Thomas.Barlen   Kerberos   (source ID)
  ServerA        BARLENT         i5/OS      (target ID)
  ServerB        TBARLEN         RACF       (target ID)
  IntraNet       barlen          AIX        (target ID)
  SysA           BARLEN1         i5/OS      (target ID)

Message flow:
1. Thomas → KDC: "Can I have a ticket for service SYSA?"
2. KDC → Thomas: "Sure, here is the ticket for user Thomas.Barlen."
3. Thomas → SysA: "Here is my ticket. My name is Thomas.Barlen. Please let me in."
4. SysA → EIM controller: "Dear EIM controller, do you know who Thomas.Barlen from WIN.DOM.COM is on SYSA?"
5. EIM controller → SysA: "Yes, it is BARLEN1"
6. SysA → Thomas: "Hey. Welcome BARLEN1"

Kerberos and EIM-enabled applications

• Host servers (used by IBM i Access for Windows)
• Telnet server used by PC5250 from IBM i Access, WebSphere Host On-Demand V8, 5250 emulator in IBM i Access for Linux V1.8, IBM Access Client Solutions, IBM Personal Communications 5.9
• IBM i Telnet client (V7R2)
• QFileSrv.400
• Distributed Relational Database Architecture (DRDA), Open Database Connectivity (ODBC), Java Database Connectivity (JDBC)
• HTTP Server for IBM i (powered by Apache)
• Management Central
• Lightweight Directory Access Protocol (LDAP) Server (Kerberos authentication only, no EIM involved)
• Windows Integration
• FTP Client and Server (V7R2)
• NetServer
• IBM WebSphere Application Server
• Network File System (NFS)

1. Challenge: Domain Name Services

• Before setting up Kerberos, all IP addresses of services in a network should be resolved to the same host name
• IBM i DNS entry
  – can have multiple A records / aliases per IP address
  – must have only one pointer (PTR) record per IP address
• Fully qualified host name of IBM i partition needs to be added as first name in IBM i local hosts table

DNS lookup when requesting a service ticket:
• Forward lookup: host name to IP address. Example: DNS query: Prodsys1, DNS response: 172.16.5.1
• Reverse lookup: IP address to host name. Example: DNS query: 172.16.5.1, DNS response: prodsys1.domain.local
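Added example, not from the deck: a Python pre-flight check for the two rules on this slide (exactly one PTR per IP that resolves back to the partition's FQDN, and the FQDN listed first in the local hosts table), run against constructed resolver tables and constructed hosts-table lines so it works offline. Only the prodsys1 / 172.16.5.1 pair comes from the slide; the other names, addresses and the function names are made up.

```python
"""Pre-flight DNS checks for Kerberos on IBM i (constructed example)."""
from typing import Dict, List

# Constructed forward zone: name -> IPv4 addresses. Several names per IP are allowed.
A_RECORDS: Dict[str, List[str]] = {
    "prodsys1.domain.local": ["172.16.5.1", "172.16.6.1"],  # two interfaces, one name
    "prodsys1": ["172.16.5.1"],                             # short alias
    "payroll.domain.local": ["172.16.5.1"],                 # extra A record for the IP
    "devsys1.domain.local": ["172.16.5.2"],
}
# Constructed reverse zone: IP -> PTR names. Exactly one PTR per IP is the rule.
PTR_RECORDS: Dict[str, List[str]] = {
    "172.16.5.1": ["prodsys1.domain.local"],
    "172.16.6.1": ["prodsys1.domain.local"],
    "172.16.5.2": ["devsys1.domain.local", "devsys1-old.domain.local"],  # breaks the rule
}


def check_kerberos_name(fqdn: str, a: Dict[str, List[str]],
                        ptr: Dict[str, List[str]]) -> List[str]:
    """Findings that make fqdn unusable as the partition's Kerberos host name; [] is OK.

    Every IP the name resolves to must have exactly one PTR, and that PTR must be fqdn
    itself, so the host part of the service principal is the same whichever address a
    client uses. A real check would call socket.gethostbyname_ex / socket.gethostbyaddr.
    """
    findings = []
    ips = a.get(fqdn, [])
    if not ips:
        return [f"{fqdn}: no A record"]
    for ip in ips:
        names = ptr.get(ip, [])
        if len(names) != 1:
            findings.append(f"{ip}: expected exactly one PTR record, found {len(names)}")
        if names and names[0].lower() != fqdn.lower():
            findings.append(f"{ip}: PTR is {names[0]}, not {fqdn}")
    return findings


def fqdn_first_in_hosts(hosts_text: str, ip: str, fqdn: str) -> bool:
    """True if the hosts-table line for ip lists fqdn as its first name."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1].lower() == fqdn.lower()
    return False


# Constructed IBM i hosts-table lines: the FQDN must come first
HOSTS_GOOD = "172.16.5.1  prodsys1.domain.local  prodsys1\n"
HOSTS_BAD = "172.16.5.1  prodsys1  prodsys1.domain.local  # short name first\n"

if __name__ == "__main__":
    for name in ("prodsys1.domain.local", "payroll.domain.local", "devsys1.domain.local"):
        print(name, check_kerberos_name(name, A_RECORDS, PTR_RECORDS) or "OK")
    print("hosts table OK:", fqdn_first_in_hosts(HOSTS_GOOD, "172.16.5.1", "prodsys1.domain.local"))
```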

2. Challenge: Time

• Kerberos is time sensitive
• By default, system times of all participating hosts must be within 5 minutes difference
• Correct time zone must be configured
• Use network time protocol client to synchronize time

(Figure: a corporate time server with an SNTP client on each participating host.)

3. Challenge: Mass deployment

• Enabling SSO on the client side mostly requires configuration changes
• Configurations reside in different places
• Manual reconfiguration unfeasible for 100s or 1000s of clients
• Need to identify client products including their versions and figure out where the relevant configuration parameters are stored

(Figure: three client setups, Windows 8 with IBM i Navigator and PC5250 emulation, Windows 8 with IBM i Access Client Solutions 5250 Java emulator, and Ubuntu Linux with IBM i Access Client Solutions 5250 Java emulator, and where their settings live: the Windows registry, config files, or both.)

Implementation

• Use the configuration wizards for Network Authentication Service (NAS) and Enterprise Identity Mapping (EIM) to perform the basic setup
  – Everything is described in the IBM i knowledge base: Security → Single sign-on
• However...
  – wizards are made to simplify the configuration
  – some of the wizard-generated configurations are not considered a good practice

Implementation: NetServer considerations

• All IBM i related client applications need to be configured to use Kerberos authentication rather than user/password
• EXCEPT ------> the Microsoft SMB client

SMB client behavior when mapping a drive from IBM i NetServer (flowchart, "stolen from Thomas Barlen"):
1. Initiate mapping.
2. Windows always requests a Kerberos ticket from the KDC (AD).
3. Ticket from AD?
   – No: authenticate with user/password. Usr/Pwd valid? Yes: authentication successful. No: authentication failed.
   – Yes: authenticate with the Kerberos ticket. Authentication succeeds only if Kerberos is configured for NetServer, the ticket is valid and an EIM mapping is found; if any of these checks fails, authentication fails.

The slide marks the failing Kerberos branch as the typical problem: once AD hands out a ticket, the SMB client does not fall back to user/password, so a NetServer without Kerberos configuration or a missing EIM mapping makes the drive mapping fail.

Implementation: NetServer considerations (cont'd)

• During the implementation and test phase it is recommended to
  – Register only a service principal name (SPN) that is not being used for mapping a drive by the workstations
  – Test your mapping function with the NetServer: \\10.1.1.70\QIBM
  – Once all testing is complete and ALL EIM mappings have been defined, register the remaining SPNs in AD

(Figure: two lists of NetServer SPNs of the form cifs/<host>@<REALM>; the host names are redacted in this transcript.)

Making life easy for Windows administrators

• Windows administrators tend to be reluctant to change THEIR Windows AD
• Simplify as much as possible the configuration of the required service accounts for the IBM i Kerberos service principals
• Take the IBM i configuration wizard Windows batch file
• Modify it so that the Windows admin just needs to run it

Wizard-generated batch file:

  DSADD user cn=prodsys_1_krbsvr400,cn=users,dc=WIN,dc=DOM,dc=COM -pwd krb76fwall -display prodsys_1_krbsvr400
  KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/[email protected] -PASS krb76fwall -mapop set

Modified batch file (slide annotation: "Must be provided by Windows admin"):

  DSADD user cn=prodsys_1_krbsvr400,ou=ServiceAccounts,dc=WIN,dc=DOM,dc=COM -pwd krb76fwall -display prodsys_1_krbsvr400 -pwdneverexpires yes -desc "IBM i Kerberos services for system PRODSYS1"
  KTPASS -MAPUSER prodsys_1_krbsvr400 -PRINC krbsvr400/[email protected] -PASS krb76fwall -mapop set

EIM system account

• During the EIM setup, an EIM system account is specified
• The problem → when the LDAP server administrator password gets changed, SSO stops working
  – the password stored in the EIM properties does not match the password of the admin anymore

(Screenshot: the EIM system account in the wizard defaults to the wizard admin account.)

EIM system account (cont'd)

• Prior to running the EIM configuration wizard, create an LDAP sub-tree to hold the EIM domain data and the user entry
  – The following example shows an LDIF file to generate these entries

/home/barlen/eim.ldif:

dn: o=eim
objectclass: organization
o: eim
description: EIM domain data

dn: cn=eimsystem,o=eim
objectclass: inetOrgPerson
objectclass: ePerson
cn: eimsystem
sn: EIM
description: EIM system user
uid: eimsystem
userPassword: kL75fRqk0s

Resulting directory tree:

  root
  └── o=eim
      ├── cn=eimsystem
      └── ibm-eimdomainname=EIM

EIM system account (cont'd)

• Create the entries via command line (easy)
  – Alternatively you can use the IBM Tivoli Directory Web Management Tool

  ldapadd -h localhost -D cn=administrator -w ? -f /home/barlen/eim.ldif

EIM system account (cont'd)

• Grant the EIM system user permissions for EIM operations

EIM system account (cont'd)

• Use the EIM system user in the EIM configuration wizard

Mass deployment of SSO - EIM

• EIM is only used on the server side → no need for client setup
• Recommended to use tools or write a program to automatically create EIM identifiers and associations
  – Example: Lab Services IBM PowerSC Tools for IBM i – SSO Suite for EIM

Mass deployment of SSO - Kerberos

• Client configuration needs to be changed from user/password to Kerberos authentication
  – Exception is the SMB client to access the NetServer
• Typically the configuration change is manual

Mass deployment of SSO – Kerberos (cont'd)

• SSO configuration settings are stored in various places
  – IBM i Navigator provides a central switch to turn SSO on or off for IBM i Navigator, PC5250, ODBC
• Each application can override the Navigator settings
• IBM i Navigator stores the configuration setting in the Windows registry:
  – 1 = Use default user
  – 2 = Prompt every time
  – 3 = Use Windows user name
  – 4 = Use Kerberos

Mass deployment of SSO – Kerberos (cont'd)

• IBM i Navigator registry setting can be exported to a .reg file and used for automatic import via login scripts
• As an alternative to the registry approach for IBM i Navigator you can also use the IBM i Access for Windows cwbenv command
  – Export a connection environment including its settings (includes all connections):
    cwbenv /E "My connections" ibmienv.fil
  – Import a connection environment:
    cwbenv /I /O ibmienv.fil
    (/O overrides existing connections with new settings)
• IBM Access Client Solutions stores the settings in the prefs.dat file: \Documents\IBM\iAccessClient\Settings\client.configuration\com.ibm...\systname\

EIM domain controller availability

• Using a single EIM domain controller for multiple IBM i partitions introduces a single point of failure (SPOF)

(Figure: partition P4 hosts the EIM domain controller; P2, P3 and P5 have joined the EIM domain. P4 is the SPOF: if that system is down, SSO stops working on all systems.)

EIM domain controller availability (cont'd)

• EIM domain data are stored in an LDAP server (IBM Directory Server)
• LDAP replication functions can be used to improve availability
• IBM i provides master-replica, master-forwarder-replica, and multi-master replication

(Figure: multi-master topology with Master/Peer 1, Peer 2 and Master/Peer 3; the administrator runs ldapmodify against the masters and the changes are replicated between the peers.)

EIM domain controller availability (cont'd)

• Once the replication has been set up, change the EIM properties on each system to point to itself as the EIM domain controller
• Use the same approach for HA environments between the production and DR system

(Figure: P4 runs its own LDAP server as EIM controller with EIM config CTRL: Master1; P5 runs its own LDAP server as EIM controller with EIM config CTRL: Master2; the two replicate using TLS.)

Ongoing administration

• Recommended to use tools or write a program to automatically create EIM identifiers and associations
• If naming conventions exist for user names, use an exit program for the QIBM_QSY_CRT_PROFILE / QIBM_QSY_DLT_PROFILE exit points to create and delete EIM mappings
• NAS does not require any administration unless the service account passwords change

Conclusion

• Implementation challenges
  – DNS name resolution
  – Time synchronization
  – Mass deployment
• Best practices setup
  – NetServer considerations
  – Make life easy for Windows administrators
  – EIM system user and LDAP server setup
  – Automate workstation configuration
  – High availability environment
• Ongoing administration
  – Enterprise Identity Mapping (EIM) administration

Thanks

IBM Systems Lab Services and Training

Our Mission and Profile
• Support the IBM Systems Agenda and accelerate the adoption of new products and solutions
• Maximize performance of our clients' existing IBM systems
• Deliver technical training, conferences, and other services tailored to meet client needs
• Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners)

Our Competitive Advantage
• Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers
• Combined expertise of Lab Services and the Training for Systems team
• Skills can be deployed worldwide to assure all client needs can be met