EIM Overview

Jul 30, 2012

Single Sign-On in a Single Day

Jack McAfee
www.triaworks.com

Page 2

Agenda

- Different SSO Approaches
- The IBM approach
- Enterprise Identity Mapping (EIM)
- Kerberos or Identity Tokens
- Implementation Overview

Page 3

A “Typical” Configuration

Who Benefits from SSO?

1. End Users - Higher Productivity
2. Administrators - Less Password Management
3. Programmers - More Secure Applications

[Diagram: end users sign on separately to five systems, i1 (OS/400 V5R2), i2 (OS/400 V5R3), i3 (OS/400 V5R3), p1 (Linux) and x1 (Windows 2003 Server), each with a different user ID and password: rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/LONGHORN, JACKM/HOUSTON, jmcafee/LoneStar.]

Page 4

Synchronization SSO Approach

User ID/Password Synchronization

- No end user productivity gains (not really SSO)
- Implementation cost is high to synchronize UIDs/PWDs
- Administration cost is high to maintain synchronization
- UIDs and PWDs are limited by platform
- Synchronization is not always reliable

[Diagram: the same five systems (i1 OS/400 V5R2, i2 OS/400 V5R3, i3 OS/400 V5R3, p1 Linux, x1 Windows 2003 Server) with the user ID and password synchronized to JACKM/TEXAS on every one of them.]

Page 5

Centralization SSO Approach

User ID/Password Centralization

- End user productivity gains
- Implementation cost is high to capture and replay UIDs/PWDs
- Administration cost is high to maintain centralization
- Management cost is high to synchronize and secure list
- Synchronization is not always reliable

[Diagram: the five systems keep their own user IDs and passwords (rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/LONGHORN, JACKM/HOUSTON, and jmcafee/LoneStar on x1 Windows 2003 Server); a Central Repository holds a copy of every one of these UID/PWD pairs and replays them on the user's behalf.]

Page 6

The IBM Approach

Single Sign-On Components

- Kerberos for authentication
  - Uses strongly encrypted tickets and not passwords
  - Implemented on all major platforms
- Enterprise Identity Mapping (EIM) for authorization
  - Maps people to their user identities on various registries
  - Registry might be a platform, application, or middleware
- Applications enabled for Kerberos and EIM
  - IBM has enabled many popular services in V5R2 and i5/OS
  - You can also enable your applications

Page 7

What is EIM?

IBM’s Enterprise Identity Mapping (EIM) is an infrastructure for associating a unique person with one or more user identities in various registries across the enterprise.

[Diagram: the person "Jack McAfee" (the EIM Identifier) is linked by Associations to his User Identities rjmcafee, RJM46D and JACKM in the pSeries, zSeries and iSeries Registries.]

Page 8

Where is the EIM Domain kept?

- On a Domain Controller in an LDAP directory
- IBM Directory Server offers broad platform support:
  - Windows® 2000, AIX®, Solaris, and HP-UX
  - As well as Linux distributions for Intel, and
  - IBM eServer iSeries, pSeries, and zSeries platforms

[Diagram: an EIM Application talks to the Domain Controller, which holds the EIM Domain: People, Associations and Registries.]

VERY SECURE! Neither User Identities nor Passwords are maintained in the EIM Domain!

Page 9

Source and Target Associations

- Source
  - For initial authentication
  - Typically, desktop or laptop
  - User Identity, Registry -> Person
- Target
  - For subsequent authentication
  - Typically, servers
  - Person, Registry -> User Identity

Person        User Identity   Registry     Association Type
Jack McAfee   jmcafee         Gatekeeper   Source
Jack McAfee   JACKM           Production   Target

[Diagram: "People" holds Jack McAfee; the Source association points from User Identity jmcafee (registry Gatekeeper) to the person, and the Target association points from the person to User Identity JACKM (registry Production).]

Page 10

The EIM and Kerberos Approach

EIM and Kerberos

- End user productivity gains
- Easy to implement: no synchronization
- Easy to manage: no centralization
- Reduces password management cost!

[Diagram: end users sign on at x1 (Windows 2003 Server, jmcafee/LoneStar), the Source, which hosts the Key Distribution Center (KDC); the Targets are i1 (OS/400 V5R2, also the EIM Domain Controller), i2 (OS/400 V5R3), i3 (OS/400 V5R3) and p1 (Linux), with user IDs rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/*NONE and JACKM/HOUSTON.]

1. Sign-On to x1 as jmcafee and get Kerberos TGT
2. KDC on x1 sends a Kerberos ST to i1
3. i1 authenticates the Kerberos ST
4. EIM: Jack McAfee is authorized on i1 as JACKM

   jmcafee on x1 (Source) -> Jack McAfee (EIM Identifier) -> JACKM on i1 (Target)
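The two lookups of the Source and Target Associations slide (user identity + registry -> person, then person + registry -> user identity) and step 4 of the Kerberos flow on this slide, as an added example that is not part of the original deck and is not IBM's EIM API: a small in-memory EIM domain (people, registries, associations, and an audit list standing in for the QAUDJRN records the deck mentions) plus a target system whose own user profiles still decide authorization, including a profile with a *NONE password that can only be reached through the mapping. All names, user IDs, passwords, registry names and authority names are constructed sample values modelled on the deck's diagrams; the class and function names are the example's own.

```python
"""Toy model of an EIM domain and of the lookups a target system performs.

Constructed example written for this page; it is not IBM's EIM API.  Registry
names, user IDs and passwords are sample values taken from the deck's diagrams
(x1/jmcafee, i1/JACKM, i3/JACK with a *NONE password).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Association:
    person: str         # EIM identifier, e.g. "Jack McAfee"
    user_identity: str  # user ID as the registry knows it
    registry: str       # registry name, e.g. "x1" or "i1"
    kind: str           # "source" or "target"


@dataclass
class EimDomain:
    """People, registries and associations only: no passwords are stored here."""
    people: set = field(default_factory=set)
    registries: set = field(default_factory=set)
    associations: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # stand-in for QAUDJRN records

    def add_association(self, person, user_identity, registry, kind):
        if kind not in ("source", "target"):
            raise ValueError("association type must be 'source' or 'target'")
        if person not in self.people or registry not in self.registries:
            raise KeyError("unknown person or registry")
        self.associations.append(Association(person, user_identity, registry, kind))

    def person_for_source(self, user_identity, registry):
        """Source lookup: (user identity, registry) -> person (EIM identifier)."""
        for a in self.associations:
            if a.kind == "source" and (a.user_identity, a.registry) == (user_identity, registry):
                return a.person
        return None

    def target_identity(self, person, registry):
        """Target lookup: (person, registry) -> user identity on that registry."""
        for a in self.associations:
            if a.kind == "target" and (a.person, a.registry) == (person, registry):
                return a.user_identity
        return None

    def map_identity(self, src_user, src_registry, dst_registry):
        """Two-step mapping from the Kerberos slide:
        jmcafee on x1 -> Jack McAfee -> JACKM on i1.  Every attempt, successful
        or not, leaves an audit record (the deck's 'Write QAUDJRN audit record')."""
        person = self.person_for_source(src_user, src_registry)
        target = self.target_identity(person, dst_registry) if person else None
        self.audit.append((src_user, src_registry, person, dst_registry, target))
        return target


@dataclass
class TargetSystem:
    """A target platform's own user registry.  Authorization is still decided by
    the local profile, not by EIM.  A password of '*NONE' means the profile
    cannot sign on with a password at all; it is reachable only through SSO."""
    registry: str
    profiles: dict  # user ID -> {"password": str, "authorities": set}

    def password_signon(self, user, password):
        p = self.profiles.get(user)
        return bool(p) and p["password"] != "*NONE" and p["password"] == password

    def sso_signon(self, domain, src_user, src_registry):
        """Called after Kerberos (or an identity token) has already authenticated
        src_user on src_registry.  Returns the local profile to run as, or None."""
        mapped = domain.map_identity(src_user, src_registry, self.registry)
        return mapped if mapped in self.profiles else None

    def is_authorized(self, user, obj):
        p = self.profiles.get(user)
        return bool(p) and obj in p["authorities"]


def build_demo():
    """Constructed domain and two target systems matching the deck's diagrams."""
    dom = EimDomain()
    dom.people.add("Jack McAfee")
    dom.registries.update({"x1", "i1", "i3"})
    dom.add_association("Jack McAfee", "jmcafee", "x1", "source")
    dom.add_association("Jack McAfee", "JACKM", "i1", "target")
    dom.add_association("Jack McAfee", "JACK", "i3", "target")
    i1 = TargetSystem("i1", {"JACKM": {"password": "HOUSTON", "authorities": {"PAYROLL"}}})
    i3 = TargetSystem("i3", {"JACK": {"password": "*NONE", "authorities": {"INVENTORY"}}})
    return dom, i1, i3


if __name__ == "__main__":
    dom, i1, i3 = build_demo()
    print("SSO to i1 as:", i1.sso_signon(dom, "jmcafee", "x1"))                   # JACKM
    print("SSO to i3 as:", i3.sso_signon(dom, "jmcafee", "x1"))                   # JACK
    print("Password sign-on to i3 as JACK:", i3.password_signon("JACK", "*NONE"))  # False
    print("Unknown source user mapped:", dom.map_identity("guest", "x1", "i1"))    # None
    for record in dom.audit:
        print("audit:", record)
```

The domain holds no passwords, which is the point of the "VERY SECURE!" slide. The target's password_signon refuses a *NONE profile outright, while sso_signon reaches it only after the source identity has been authenticated elsewhere and mapped; authorization (is_authorized) is still the target's own decision, matching "Platform authorization schemes are not changed". Every mapping attempt, including the failed ones, lands in the audit list, so a lookup for an unassociated user is visible to whoever reviews the journal.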

Page 11

The EIM and Kerberos Approach

Services or Applications enabled by IBM

- OS/400 V5R2
  - iSeries Access
  - iSeries Navigator
  - Telnet (includes PC5250)
  - ODBC/JDBC/DRDA
  - LDAP
  - QFileSvr.400
- Post V5R2 GA
  - Apache Web Server (PTF Group SF99098)
  - IBM WebSphere Host On-Demand (PTF level IP22748)

Page 12

SSO Approach Comparison

Cost to...

Acquire
  IBM Approach:    (+) Infrastructure integrated into OS/400, i5/OS by IBM, and Windows by Microsoft
  Synchronization: (-) Infrastructure provided by ISVs
  Centralization:  (-) Infrastructure provided by ISVs

Implement
  IBM Approach:    (+) No Agents to deploy
                   (+) EIM and Kerberos APIs are open source
  Synchronization: (-) Agents likely deployed
                   (-) Must synchronize UIDs/PWDs
                   (-) Potential changes to security schemes
  Centralization:  (-) Agents deployed
                   (-) Must synchronize and secure centralized list of UIDs/PWDs
                   (-) PWDs eventually made available in clear-text

Maintain
  IBM Approach:    (+) Infrastructure supported by IBM
                   (+) No centralized list of UIDs/PWDs to secure or synchronize
  Synchronization: (-) Must maintain synchronization
                   (-) UIDs/PWDs limited by “weakest” platform
                   (-) Synchronization not always reliable
  Centralization:  (-) Scripts must be maintained to capture UIDs/PWDs
                   (-) Synchronization not always reliable

Page 13

SSO Approach Comparison

Benefits...

End Users
  IBM Approach:    (+) Fewer UIDs/PWDs
                   (+) Fewer Sign-Ons
  Synchronization: (+) Fewer UIDs/PWDs
                   (-) Same number of Sign-Ons
  Centralization:  (+) Fewer UIDs/PWDs
                   (+) Fewer Sign-Ons

Administrators
  IBM Approach:    (+) Fewer PWD reset issues
                   (+) Fewer PWDs to manage!
                   (+) Improved security (Kerberos tickets, *NONE passwords)
  Synchronization: (+) Fewer PWD reset issues
                   (-) Synchronization issues
  Centralization:  (+) Fewer PWD reset issues
                   (-) Capture and Synchronization issues
                   (-) UIDs/PWDs reside in two locations

Programmers
  IBM Approach:    (+) Leverage the same EIM domain managed by Administrators
  Synchronization: (-) Limited benefit to Programmers
  Centralization:  (-) Some benefit to Programmers, if they can access centralized UID/PWD repository

Page 14

IBM Approach Benefits

- End Users
  - Increased productivity
  - No longer need to write down multiple passwords
  - Only need to remember a single, strong password
- Administrators
  - Less time resetting passwords
  - More secure enterprise (including *NONE passwords)
  - No need to secure or synchronize another registry
  - Platform authorization schemes are not changed
  - Incremental roll-out
- Programmers
  - Increased productivity
  - User identities and passwords no longer hard coded
  - Utilize same EIM domain maintained by administrators


Page 15

SSO in a Single Day! (Really)

- SSO requires extensive planning
  - Everyone must be enabled at the same time
    Not any more... End-user client applications (i.e. iSeries Navigator and PC5250) are configured to use Kerberos for authentication
  - Platform authorization schemes need to be changed
    Not any more... Authorization continues to be determined by user identity controls
- SSO configuration is a challenge
  - EIM
    IBM Directory Server integrated into OS/400; iSeries Navigator EIM Configuration wizard simplifies EIM configuration
  - Kerberos
    You are probably already using Kerberos; iSeries Navigator Network Authentication Service wizard simplifies Kerberos configuration
- SSO weakens overall security
  - Passwords must be centrally stored and synchronized
    EIM does not centrally replicate user identities and passwords; Kerberos tickets are used for authentication
  - Single point-of-access for people with malicious intentions
    Today, most end users already write down their passwords or use password synchronization. Also, 2-factor authentication is a countermeasure
- Expensive (time and/or money)
  - Deployment
    Not any more... IBM has integrated EIM and Kerberos into OS/400 starting with V5R2
  - Ongoing maintenance
    TriAWorks Identity Manager for Single Sign-On (TIM SSO) makes it easy to populate EIM, create associations, and identify problems

Page 16

SSO in a Single Day Implementation

1. Configure Kerberos
2. Configure EIM
3. Populate EIM
4. Create Associations
5. Configure Applications

Page 17

SSO in a Single Day Implementation

But what about web applications?

Page 18

The EIM and Identity Tokens Approach

Single Sign-On Components

- Client
  - Any web browser or Java application
  - No change to WAS authentication model
- Middleware
  - WebSphere Application Server (WAS)
  - WAS V5 or Express V5
  - IBM Java Toolbox (JT400) Java Connector Architecture (JCA)
- Application
  - Enabled to create Identity Tokens
  - iSeries Access for Web
  - WebFacing
  - WebSphere Development Studio Client (WDSc) Web Tools
  - And YOURS!
- Back-end Server
  - V5R2 or i5/OS V5R3 iSeries
  - Using the Java Toolbox (JT400)
  - Which uses the iSeries Access host servers

Page 19

The EIM and Identity Tokens Approach

Enabled Single Sign-On Host Servers

- Sign-on server
- Central server
- File server
- Database server
- DRDA and DDM server
- Data queue server
- Remote command server
- Distributed program call server
- Network print server

Page 20

The EIM and Identity Tokens Approach

Single Sign-On Configuration

1. Apply requisite PTF support
2. Deploy WebSphere JT400 JCA and define:
   a) The EIM domain location
   b) Provide its authentication credentials (i.e. userid and password)
   c) Provide a WAS registry name
3. Enable your WAS or Java application for SSO by adding code to create Identity Tokens

jt400.jar: http://www-1.ibm.com/servers/eserver/iseries/toolbox/downloads.htm

Page 21

The EIM and Identity Tokens Approach

Single Sign-On PTFs

The V5R2 Identity Token PTFs are:

- PTF/FIX #: SI14141 - OS/400 - Extended Base Directory Support, LICENSED PROGRAM: 5722SS1
  New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component)
- PTF/FIX #: SI10930 - Operating System/400, LICENSED PROGRAM: 5722SS1
  Identity token support added for the operating system.
- PTF/FIX #: SI11002 - Operating System/400, LICENSED PROGRAM: 5722SS1
  This PTF supplies support for identity tokens within the host servers.
- PTF/FIX #: SI11003 - Operating System/400, LICENSED PROGRAM: 5722SS1
  This PTF supplies support for identity tokens within the host servers.

The V5R3 Identity Token PTFs are:

- PTF/FIX #: SI14181 - OS/400 - Extended Base Directory Support, LICENSED PROGRAM: 5722SS1
  New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component)

Page 22

The EIM and Identity Tokens Approach

[Diagram: end users sign on to a WebSphere application as jack from x1 (Windows 2003 Server, jack/LoneStar), the Source; the Targets are i1 (OS/400 V5R2, also the EIM Domain Controller), i3 (OS/400 V5R3) and p1 (Linux), with user IDs rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/*NONE and JACKM/HOUSTON. TriAWorks Identity Manager for Single Sign-On (TIM SSO) imports people, makes associations, and maintains your SSO integrity.]

1. Sign-On to WebSphere application as jack
2. WAS application creates an Identity Token
   - JCA connector returns an ID Token to the app
   - The app forwards the ID Token to a JT400 object
   - JT400 presents the ID Token to the back-end iSeries
3. OS/400 accepts the Identity Token for authentication
4. EIM: jack in WebSphere is JACKM on i1
   Write X1 QAUDJRN audit record
5. Pass Identity token to i3
6. EIM: jack in WebSphere is RJMCAF on i3
   Write X1 QAUDJRN audit record

Page 23

Identity Tokens Code Sample

    // Imports needed by the sample (not shown on the original slide). IdentityToken
    // and ConnectionFactoryImpl come from the EIM Identity Token connector installed
    // by the PTFs on page 21; "out" is the servlet's PrintWriter.
    import javax.naming.Context;
    import javax.naming.InitialContext;

    // Use the identity token J2C connector to obtain and return an identity token
    private IdentityToken getIDToken() {
        IdentityToken idToken = null;
        ConnectionFactoryImpl cf = null;
        Context ic = null;
        try {
            // Look up a connection factory instance
            ic = new InitialContext();

            // Create and configure a managed connection factory instance. Note that
            // properties were set when the managed connection factory was deployed.
            // Look up the factory using an indirect JNDI (alias) name, configured in
            // the application's web.xml. The value of the alias must match the JNDI
            // name used when the connector was deployed. You must use an indirect
            // lookup: WAS will not pass a Subject to the JCA if you use a direct lookup.
            cf = (ConnectionFactoryImpl) ic.lookup(
                    "java:comp/env/eis/IdentityToken_Shared_Reference");
        } catch (Exception e2) {
            out.println("The lookup for the connection factory failed. Either "
                    + "the connector is not configured, or the servlet's resource "
                    + "reference (JNDI name) is not set correctly in the web.xml file. "
                    + "The servlet expects the resource reference in web.xml to be "
                    + "eis/IdentityToken_Shared_Reference");
        }
        // The slide ends here; the call that obtains the token from cf is not shown.
        return idToken;
    }

Page 24

Identity Tokens Code Sample

    // Import needed by the sample (not shown on the original slide). "remoteSystemName"
    // is a String field naming the back-end iSeries and "out" is the servlet's PrintWriter.
    import com.ibm.as400.access.AS400;

    // Use the identity token to create a connection object to the OS/400 (host
    // command server).
    private AS400 getOS400Connection(IdentityToken idToken) {
        AS400 OS400CmdConnection = null;
        try {
            // Create an AS400 object, and set the IdentityToken into it.
            OS400CmdConnection = new AS400(remoteSystemName);
            OS400CmdConnection.setIdentityToken(idToken.toBytes());
            // Connect to the remote command host server using the token, not a password.
            OS400CmdConnection.connectService(AS400.COMMAND);
        } catch (Exception e) {
            out.println(e.getMessage());
            e.printStackTrace(out);
        }
        return OS400CmdConnection;
    }

Page 25

Summary

The IBM approach

- Enterprise Identity Mapping (EIM) for authorization
- Kerberos or Identity Tokens for authentication
  - Kerberos for Windows based applications
  - Identity Tokens for WAS based applications

Page 26

For More Information

Links can be found on www.triaworks.com

- Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server Redbook
- Experts’ Guide to OS/400 & i5/OS Security by Carol Woodbury and Patrick Botz
- http://www-1.ibm.com/servers/eserver/security/eim/
- http://web.mit.edu/kerberos/