Great questions. First, it is important to note that the announcement regarding EIM was really about two things:

1) The EIM infrastructure that will be rolled out across all eServer platforms and which we intend to be readily available on non-eServer platforms also. The infrastructure is all about letting ISVs and customers exploit the infrastructure necessary to cheaply and quickly build single sign-on environments.

2) The iSeries exploitation of the infrastructure and EIM in V5R2 to create a single sign-on environment. This is all about enabling operating system interfaces to exploit single sign-on without any programming or agent code required by ISVs or operators.

There are so many technical details that I don't have time to get into them here. But I wanted to at least provide a flavor for what we're doing and why IBM is so excited about this stuff. Perhaps the coolest thing of all is that even though this is an eServer-wide infrastructure (and our intent is to make it an industry-wide infrastructure), iSeries is the first system to provide the infrastructure and to exploit it! The rest of the eServer platforms will provide EIM in their next releases -- all of which are planned for sometime yet this year. This also includes Linux and xSeries machines.

Today, I'm not aware of any vendors that support single sign-on via EIM and Kerberos for their applications. We are talking with many ISVs that are very interested in either exploiting EIM or building EIM-related products. I hope we will have quotes/press releases in the near future from some of them.

The great news is that there is lots enabled right at the OS layer. In V5R2, iSeries Navigator and host servers, ODBC/JDBC/DRDA, PC5250 + Telnet servers, NetServer, and QFileSrv400 are enabled for single sign-on via Kerberos and EIM. This means:

A user can log into a Kerberos-enabled system (e.g. Win2K) and never have to enter a user ID and password again. Further, a user ID and password never flow from the system.

When the user clicks on a system in iSeries Navigator, they are signed on to that system automatically under the appropriate OS/400 user profile. There is no synchronizing of user names or passwords; in fact, the OS/400 user profile can be configured with PASSWORD *NONE, if the administrator chooses.

SQL can be submitted via iSeries Navigator (or any standalone ODBC- or JDBC-based application that uses Kerberos for authentication) to access data from iSeries and even connect to other eServer platforms and access data from those machines. Again, all of this is done with no user IDs or passwords flowing or being coded in the SQL statement. And yet, the appropriate security is enforced at each system using the appropriate user identity and native security semantics. All of this works with no agent code on any of the platforms.

PC5250 allows bypass signon without using user IDs and passwords.

Using a NetServer configured to use Kerberos, users can map OS/400 file systems to their drives without providing a user ID/password. Again, the appropriate security is enforced for that user.

QFileSrv400 is also enabled. You can connect to a single iSeries system with Ops Nav and access a QFileSrv400 mount point which actually points to a second iSeries. You can have three different user IDs (Windows login, iSeries1 profile, and iSeries2 profile) and, without ever being prompted for a user ID and password, you can access the mount point (assuming you are authorized to the mount point on iSeries1) and access the data in iSeries2 (assuming you are authorized to access the data in iSeries2), without ever having to re-enter a user ID and password.

These are the operating system level interfaces that exploit Kerberos and EIM in V5R2. This is all I have time for now, but I'll keep listening and respond when I can.
Patrick Botz
Senior Software Engineer
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@us.ibm.com

From: jmoreno@militarycars.com
Sent by: midrange-l-admin@midrange.com
To: Midrange-L@midrange.com
cc:
Subject: iSeries Security Enterprise Identity Mapping. Vendor Y/N ?
05/01/2002 09:07 AM
Please respond to midrange-l

Hello all,

To your knowledge ... where can I find an iSeries security vendor that supports the "Industry's first eLiza Enterprise Identity Mapping that enables true single signon"?

Or better yet. Given the OS/400 V5R2, is there any need for an iSeries security vendor?

Your advice and comments will be greatly appreciated.

Regards
Jorge

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
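The following Python model is an added illustration of the mapping step the reply above describes; it is not part of the thread and not IBM's EIM code or API. It keeps only the EIM concepts the reply relies on (an EIM identifier that ties a source association, here a Kerberos principal, to a target association, the user profile that same person holds in each system's registry) and walks the two-system QFileSrv400 scenario: one principal, a different profile on each iSeries, native authority checked on each system, and no password consulted anywhere. The class and function names (EimDomain, Host, sso_access), the realm CORP.EXAMPLE, the registry names ISERIES1/ISERIES2 and all profile and object names are constructed for the example.

```python
"""Toy model of Kerberos + EIM single sign-on across two systems.

Added example; the data structures and names are the editor's, not IBM's EIM API.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class MappingError(Exception):
    """No EIM association yields a local identity for this request."""


@dataclass
class EimDomain:
    # source associations: registry -> {registry user -> EIM identifier}
    sources: dict = field(default_factory=dict)
    # target associations: EIM identifier -> {registry -> registry user}
    targets: dict = field(default_factory=dict)

    def add_source(self, registry: str, user: str, identifier: str) -> None:
        self.sources.setdefault(registry, {})[user] = identifier

    def add_target(self, identifier: str, registry: str, user: str) -> None:
        self.targets.setdefault(identifier, {})[registry] = user

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> str:
        """Map a user known in one registry to the user the same person holds in another."""
        identifier = self.sources.get(source_registry, {}).get(source_user)
        if identifier is None:
            raise MappingError(f"no source association for {source_user} in {source_registry}")
        target = self.targets.get(identifier, {}).get(target_registry)
        if target is None:
            raise MappingError(f"{identifier} has no target association in {target_registry}")
        return target


@dataclass
class Host:
    """One system with its own user registry and native object authorities."""
    registry: str
    # profile -> set of objects that profile may read. No password field exists at all,
    # mirroring a profile created with PASSWORD(*NONE): authentication happened elsewhere.
    authorities: dict

    def check_authority(self, profile: str, obj: str) -> None:
        if obj not in self.authorities.get(profile, set()):
            raise PermissionError(f"{profile} is not authorized to {obj} on {self.registry}")


KERBEROS_REGISTRY = "CORP.EXAMPLE"  # constructed realm standing in for the Windows domain


def sso_access(domain: EimDomain, principal: str, hops: list[tuple[Host, str]]) -> list[str]:
    """Resolve one authenticated Kerberos principal through a chain of systems.

    Each hop stands for one system in the QFileSrv400 scenario: the first host checks
    the mount point, the second checks the data behind it. Every host derives its own
    local profile from the same principal via EIM and then applies its native authority
    check. Returns the local profile used at each hop; no password is ever consulted.
    """
    used = []
    for host, obj in hops:
        profile = domain.lookup(KERBEROS_REGISTRY, principal, host.registry)
        host.check_authority(profile, obj)
        used.append(profile)
    return used


def build_demo() -> tuple[EimDomain, Host, Host]:
    """Constructed sample data: one person who holds three different user names."""
    domain = EimDomain()
    domain.add_source(KERBEROS_REGISTRY, "jorge@CORP.EXAMPLE", "Jorge Moreno")
    domain.add_target("Jorge Moreno", "ISERIES1", "JORGE")
    domain.add_target("Jorge Moreno", "ISERIES2", "JMORENO")
    iseries1 = Host("ISERIES1", {"JORGE": {"MOUNTPOINT"}})
    iseries2 = Host("ISERIES2", {"JMORENO": {"DATAFILE"}, "OTHER": {"PAYROLL"}})
    return domain, iseries1, iseries2


if __name__ == "__main__":
    domain, s1, s2 = build_demo()
    # Windows login -> ISERIES1 mount point -> data on ISERIES2, never prompting for a password
    print(sso_access(domain, "jorge@CORP.EXAMPLE", [(s1, "MOUNTPOINT"), (s2, "DATAFILE")]))
```

The point the model makes explicit is where each guarantee in the reply lives: Kerberos answers "who is this" once, EIM answers "which local profile is that person on this system", and the system's own authority check still decides what that profile may touch. A principal with no association fails with MappingError, and a mapped profile without authority to an object fails with PermissionError on that system, so single sign-on does not widen access.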