MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » February 2014

Re: EIM Domain and SSO



fixed

> When you say mainframe, do you really mean a mainframe? IBM i isn't a
> mainframe.

Whoops. There's a guy that works here that calls it a "mainframe" because he worked at a bank before where they had actual IBM mainframes. I have got in the habit of saying it too so he knows what server I am talking about. Wrong audience. I meant IBM i.

Thanks for the information. Feeling a bit better about it now. I also took a look at the IBM i NetServer and it does seem to use kerberos if you tell it to.

Thanks for the information.

On 2/20/2014 2:27 PM, Vernon Hamberg wrote:
Matt

I believe that one of the things you can include in Network
Authentication (IBM's name for Kerberos) is access to the IFS. Now you
could go into the wizard in navigator and see what you get there - as
well as the help text in there.

Maybe the best thing would be to go to Pat Botz' web site
(http://botzandassociates.com/) and see - he has a contact link there -
he's the guy who was behind a lot of the EIM support while at IBM.

When you say mainframe, do you really mean a mainframe? IBM i isn't a
mainframe.

If you're talking about connecting through QNTC, I think it can be done
with SSO - maybe - I mean, you have the Kerberos tickets on the i that
are needed in the Windows AD domain.

As to logging on when using SSO - it is recommended that you set the
password to *NONE for users that are set up for SSO - that's a way to
REALLY block access into the system more than if you don't do that.

Now you DO need a back door for certain users - admins of some stripe,
usually.

But so long as you have kept a password, you can use it to log in - try
it - turn off SSO support in PC5250, and you'll be able to use the
password, since you'll get a signon screen.

HTH
Vern

On 2/20/2014 11:00 AM, Matt Lavinder wrote:
Does EIM do anything for IFS access? That is the biggest reason we are
exploring this. We need the mainframe to access windows shares using
QNTC and we thought EIM would allow Windows to link IBM user profiles to
domain users. We may even need to map some system users to an
appropriate domain user. I am not sure if any of that is possible, so I
thought I had better verify before I waste a lot of time.

Also, I thought I had read that you could not log into profiles (on the
IBM i) that have SSO enabled. Is that true? The tutorials do not seem
to indicate that is the case. I am getting the impression it is
optional.


On 2/19/2014 5:02 PM, Vernon Hamberg wrote:
Good points - now for other positive spins!!

Apache web server supports Kerberos, and so does jt400 - just in case
you want to start playing in those worlds.

Vern

On 2/19/2014 3:33 PM, Matt Olson wrote:
The other big App IBM i shops run into that don't support Kerberos is
RDP (rational developer for power). Still have no idea why they
haven't jumped on the bandwagon.



-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Wednesday, February 19, 2014 3:33 PM
To: Midrange Systems Technical Discussion
Subject: RE: EIM Domain and SSO

Matt,

EIM works pretty good, as long as all the applications in your
environment support EIM. Some applications don't (like content
manager). But for those things that do (5250) it works great.

Be sure to have the following PTF's so you don't have to scratch your
head why your windows 2008 (or above) domain controllers that are
handing out Kerberos tickets is failing. It wasn't long ago that the
IBM i only supported DES Kerberos where as Microsoft moved to AES
years ago as the default Kerberos encryption routine, and thus causes
problems with Kerberos authentication, causing windows server
operators to "dumb down" the encryption to the old DES standard rather
then embrace the new, more secure Kerberos encryption standards.

Fix Release Description
--------- --------- ----------------------------
SI42919 V7R1 Adds AES & RC4 encryption support (krb)
SI42957 V6R1 " "
SI43034 V5R4 " "

SI43918 V7R1 Updates KRB5 header file in QSYSINC
SI43919 V6R1 " "
SI43920 V5R4 " "

Matt


-----Original Message-----
From: Matt Lavinder [mailto:mlavinder@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2014 3:05 PM
To: midrange-l@xxxxxxxxxxxx
Subject: EIM Domain and SSO

We have been investigating single-sign-on I am looking at following
the document here (http://is.gd/6xxMCv) for creating a SSO test
environment.
I get a bit nervous about making changes as we do not have a test
system. Will the act of creating a new EIM domain have any impact on
existing users or objects?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.









Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact