300 likes | 758 Views
Single Sign-On in a Single Day. Jack McAfee www.triaworks.com . Agenda. Different SSO Approaches The IBM approach Enterprise Identity Mapping (EIM) Kerberos or Identity Tokens Implementation Overview. A “Typical” Configuration. Who Benefits from SSO? End Users Higher Productivity
E N D
Single Sign-On in a Single Day Jack McAfee www.triaworks.com
Agenda • Different SSO Approaches • The IBM approach • Enterprise Identity Mapping (EIM) • Kerberos or Identity Tokens • Implementation Overview
A “Typical” Configuration • Who Benefits from SSO? • End Users Higher Productivity • Administrators Less Password Management • Programmers More Secure Applications UID: JACKM PWD: HOUSTON i1 OS/400 V5R2 i2 OS/400 V5R3 UID: JACK PWD: LONGHORN End Users x1 Windows 2003 Server UID: jmcafee PWD: LoneStar i3 OS/400 V5R3 UID: RJMCAF PWD: ALAMO p1 Linux UID: rjmcafee PWD: SpaceCenter
Synchronization SSO Approach • User ID/Password Synchronization • No end user productivity gains (not really SSO) • Implementation cost is high to synchronize UIDs/PWDs • Administration cost is high to maintain synchronization • UIDs and PWDs are limited by platform • Synchronization is not always reliable UID: JACKM PWD: TEXAS i1 OS/400 V5R2 i2 OS/400 V5R3 UID: JACKM PWD: TEXAS End Users x1 Windows 2003 Server UID: JACKM PWD: TEXAS i3 OS/400 V5R3 UID: JACKM PWD: TEXAS p1 Linux UID: JACKM PWD: TEXAS
Centralization SSO Approach • User ID/Password Centralization • End user productivity gains • Implementation cost is high to capture and replay UIDs/PWDs • Administration cost is high to maintain centralization • Management cost is high to synchronize and secure list • Synchronization is not always reliable UID: JACKM PWD: HOUSTON i1 OS/400 V5R2 i2 OS/400 V5R3 UID: JACK PWD: LONGHORN End Users x1 Windows 2003 Server UID: jmcafee PWD: LoneStar i3 OS/400 V5R3 Central Repository UID: jmcafee PWD: LoneStar UID: JACKM PWD: HOUSTON UID: JACK PWD: LONGHORN UID: RJMCAF PWD: ALAMO UID: rjmcafee PWD: SpaceCenter UID: RJMCAF PWD: ALAMO p1 Linux UID: rjmcafee PWD: SpaceCenter
The IBM Approach Single Sign-On Components • Kerberos for authentication • Uses strongly encrypted tickets and not passwords • Implemented on all major platforms • Enterprise Identity Mapping (EIM) for authorization • Maps people to their user identities on various registries • Registry might be a platform, application, or middleware • Applications enabled for Kerberos and EIM • IBM has enabled many popular services in V5R2 and i5/OS • You can also enable your applications
What is EIM? Jack McAfee Person (EIM Identifier) Associations Registries zSeries pSeries iSeries User Identities RJM46D JACKM rjmcafee IBM’s Enterprise Identity Mapping (EIM) is an infrastructure for associating a unique person with one or more user identities in various registries across the enterprise
Where is the EIM Domain kept? • On a Domain Controller in an LDAP directory • IBM Directory Server offers broad platform support: • Windows® 2000, AIX®, Solaris™, and HP-UX™ • As well as Linux distributions for Intel™, and • IBM eServer iSeries, pSeries, and zSeries platforms EIM Application Domain Controller EIM Domain Q: Who is Jack McAfee? People A: JACKM Associations VERY SECURE! Neither User Identities nor Passwords are maintained in theEIM Domain! Registries
Source For initial authentication Typically, desktop or laptop User Identity, Registry Person Target For subsequent authentication Typically, servers Person, Registry User Identity Source and Target Associations People User Identity: jmcafee User Identity: JACKM Jack McAfee Source Target
The EIM and Kerberos Approach Source EIM Identifier Target jmcafee on x1 Jack McAfee JACKM on i1 • EIM and Kerberos • End user productivity gains • Easy to implement – no synchronization • Easy to manage – no centralization • Reduces password management cost! UID: JACKM PWD: HOUSTON i1 OS/400 V5R2 EIM DomainController Source Key Distribution Center (KDC) i2 OS/400 V5R3 UID: JACK PWD: *NONE End Users x1 Windows 2003 Server Targets UID: jmcafee PWD: LoneStar i3 OS/400 V5R3 Sign-On to x1 as jmcafee and get Kerberos TGT KDC on x1 sends a Kerberos ST to i1 i1 authenticates the Kerberos ST EIM Jack McAfee is authorized on i1 as JACKM UID: RJMCAF PWD: ALAMO p1 Linux UID: rjmcafee PWD: SpaceCenter
The EIM and Kerberos Approach Services or Applications enabled by IBM • OS/400 V5R2 • iSeries Access • iSeries Navigator • Telnet (includes PC5250) • ODBC/JDBC/DRDA • LDAP • QFileSvr.400 • Post V5R2 GA • Apache Web Server (PTF Group SF99098) • IBM Websphere Host On-Demand (PTF level IP22748)
IBM Approach Benefits • End Users • Increased productivity • No longer need to write down multiple passwords • Only need to remember a single, strong password • Administrators • Less time resetting passwords • More secure enterprise (including *NONE passwords) • No need to secure or synchronize another registry • Platform authorization schemes are not changed • Incremental roll-out • Programmers • Increased productivity • User identities and passwords no longer hard coded • Utilize same EIM domain maintained by administrators
SSO in a Single Day! (Really) • SSO requires extensive planning • Everyone must be enabled at the same time Not any more... End-user client applications (i.e. iSeries Navigator and PC5250) are configured to use Kerberos for authentication • Platform authorization schemes need to be changed Not any more... Authorization continues to be determined by user identity controls • SSO configuration is a challenge • EIM IBM Directory Server integrated into OS/400; iSeries Navigator EIM Configuration wizard simplifies EIM configuration • Kerberos You are probably already using Kerberos; iSeries Navigator Network Authentication Service wizard simplifies Kerberos configuration • SSO weakens overall security • Passwords must be centrally stored and synchronized EIM does not centrally replicate user identities and passwords; Kerberos tickets are used for authentication • Single point-of-access for people with malicious intentions Today, most end users already down their passwords or use password synchronization? Also 2-factor authentication is a countermeasure • Expensive (time and or money) • Deployment Not any more... IBM has integrated EIM and Kerberos into OS/400 starting with V5R2 • Ongoing maintenance TriAWorks Identity Manager for Single Sign-On (TIM SSO) make is easy to populate EIM, create associations, and identify problems
SSO in a Single Day Implementation • Configure Kerberos • Configure EIM • Populate EIM • Create Associations • Configure Applications
SSO in a Single Day Implementation But what about web applications?
The EIM and Identity Tokens Approach Single Sign-On Components • Client – Any web browser or Java application • No change to WAS authentication model • Middleware – WebSphere Application Server (WAS) • WAS V5 or Express V5 • IBM Java Toolbox (JT400) Java Connector Architecture (JCA) • Application – Enabled to create Identity Tokens • iSeries Access for Web • WebFacing • WebSphere Development Studio Client (WDSc) Web Tools • And YOURS! • Back-end Server – V5R2 or i5/OS V5R3 iSeries • Using the Java Toolbox (JT400) • Which uses the iSeries Access host servers
The EIM and Identity Tokens Approach Enabled Single Sign-On Host Servers • Sign-on server • Central server • File server • Database server • DRDA and DDM server • Data queue server • Remote command server • Distributed program call server • Network print server
The EIM and Identity Tokens Approach Single Sign-On Configuration • Apply requisite PTF support • Deploy WebSphere JT400 JCA and define: • The EIM domain location • Provide its authentication credentials(i.e. userid and password) • Provide a WAS registry name • Enable your WAS or Java application for SSO by adding code to create Identity Tokens – jt400.jar inhttp://www-1.ibm.com/servers/eserver/iseries/toolbox/downloads.htm
The EIM and Identity Tokens Approach Single Sign-On PTFs The V5R2 Identity Token PTFs are: PTF/FIX #: SI14141 - OS/400 - Extended Base Directory Support LICENSED PROGRAM: 5722SS1 New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component) PTF/FIX #: SI10930 - Operating System/400 LICENSED PROGRAM: 5722SS1 Identity token support added for the operating system. PTF/FIX #: SI11002 - Operating System/400 LICENSED PROGRAM: 5722SS1 This PTF supplies support for identity tokens within the host servers. PTF/FIX #: SI11003 - Operating System/400 LICENSED PROGRAM: 5722SS1 This PTF supplies support for identity tokens within the host servers. The V5R3 Identity Token PTFs are: PTF/FIX #: SI14181 - OS/400 - Extended Base Directory Support LICENSED PROGRAM: 5722SS1 New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component)
The EIM and Identity Tokens Approach • 1. Sign-On to WebSphere application as jack • 2. WAS application creates an Identity Token • JCA connector returns an ID Token to the app • The app forwards the ID Token to a JT400 object • JT400 presents the ID Token to the back-end iSeries • 3. OS/400 accepts the Identity Token for authentication • 4. EIM jack in WebSphere is JACKM on i1 • Write X1 QAUDJRN audit record • 5. Pass Identity token to i3 • 6. EIM jack in WebSphere is RJMCAF on i3 • Write X1 QAUDJRN audit record TriAWorks Identity Manager for Single Sign-On (TIM SSO) TIM SSO imports people, makes associations, and maintains your SSO integrity UID: JACKM PWD: HOUSTON i1 OS/400 V5R2 EIM DomainController UID: JACK PWD: *NONE x1 Windows 2003 Server Targets UID: jack PWD: LoneStar i3 OS/400 V5R3 Source UID: RJMCAF PWD: ALAMO p1 Linux End Users UID: rjmcafee PWD: SpaceCenter
Identity Tokens Code Sample // Use the identity token J2C connector to obtain and return an identity token private IdentityToken getIDToken() { IdentityToken idToken = null; ConnectionFactoryImpl cf = null; Context ic = null; try { // Look-up a connection factory instance ic = new InitialContext(); // Create and configure a managed connection factory instance. Note that properties were set when managed conection factory was deployed. Lookup the factory using an indirect JNDI (alias) name, configured in the applications web.xml. Note that the value of the alias must match the JNDI name used when the connector was deployed. Note you must use an indirect lookup, WAS will not pass a Subject to the JCA if you use a direct lookup. cf = (ConnectionFactoryImpl) ic.lookup( "java:comp/env/eis/IdentityToken_Shared_Reference"); } catch (Exception e2) { out.println( "The lookup for the connection factory failed. Either, the connector is not configured, or the servlet's resource reference (JNDI name) is not set correctly in the web.xml file. The servlet expects the resource reference in web.xml to be eis/IdentityToken_Shared_Reference");
Identity Tokens Code Sample // Use the identity token to create a connection object to the OS/400 (host command server). private AS400 getOS400Connection(IdentityToken idToken) { AS400 OS400CmdConnection = null; try { // Create an AS400 object, and set the IdentityToken into it. OS400CmdConnection = new AS400(remoteSystemName); OS400CmdConnection.setIdentityToken(idToken.toBytes()); OS400CmdConnection.connectService(AS400.COMMAND); } catch (Exception e) { out.println(e.getMessage()); e.printStackTrace(out); } return (OS400CmdConnection); }
Summary The IBM approach • Enterprise Identity Mapping (EIM) for authorization • Kerberos or Identity Tokens for authentication Kerberos for Windows based applications Identity Tokens for WAS based applications
For More Information Links can be found on www.triaworks.com • Windows-based Single Signon and theEIM Framework on the IBM eServeriSeries Server Redbook • Experts’ Guide to OS/400 & i5/OS Securityby Carol Woodbury and Patrick Botz • http://www-1.ibm.com/servers/eserver/security/eim/ • http://web.mit.edu/kerberos/