-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
elehti@xxxxxxxxxxxxxxxxxx
Sent: Thursday, May 15, 2008 11:23 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Single Sign On
Glenn Thompson,
Your questions regarding Single Sign-On and Enterprise Identity Mapping,
and the comments from others here on midrange really caught my
attention.
I asked IBM tech support and got this response.
Ericl
<IBM tech support comments begin>
Hi Eric,
I will try to answer the questions that I find in the PMR text, and
add a little bit more to try to fill in some blanks.
At R530, the i5 is capable of participating as a server in a Kerberos
environment.
_______________________________
What's the scoop on EIM and SSO?
The redbook SG24-6875 provides information about configuring the i5 to
participate in a Kerberos realm. It also provides detail on how to
configure it.
____________________________
Is this something we purchase from IBM?
Support for the i5 to work in a Kerberos realm is built into the base
operating system 5722SS1. It is not a separate product. However, it
does require 5722AC3, which is a separate product (typically no-charge).
If you are going to use Client Access or Navigator with Kerberos
authentication, then you may need 5722CE3 for the client-side encryption
functionality.
________________________________
Do I already have everything I need?
If there is a functioning KDC (typically Active Directory server) on
your network, and you have PCs using SSL Client Access connections to
the i5, then I expect that you have all the licensed products that you
need. We do recommend the latest cumulative pack and PTF groups for
your release.
_________________________________
Is this an 'all or nothing' situation?
No. You can configure 2 icons on the same PC. Configure one for
authentication using Kerberos, the other for userid/password. They can
both work at the same time. To force the users to use Kerberos
authentication, common practice is to take away their password on the
i5, by changing the password for their i5 profile to *None.
______________________________
Will this improve our life?
The i5 does not have a native 'Password Synchronization' server.
SSO/EIM provides an authentication method that uses tickets. Once a
user is configured to authenticate with tickets, their profile on the i5
can be changed to Password = *None. Then you do not have to manage
their password anymore, unless you have a disaster recovery situation.
(Like if the KDC is down.)
There is an initial amount of work to get SSO/EIM configured and
working. After that, the management overhead is less because you do not
have to manage passwords for the users. Depending on your business
situation, this may improve your life, in the long term view.
Once this is configured, your users would not need to enter the
userid/password the second time when they connect to the i5. This might
improve their lives in a small way.
Configuring the i5 to participate in the Kerberos realm is very
sensitive to DNS resolution of the 'A' and 'PTR' records for the i5 and
the KDC. Keep that in mind when filling out the SSO/EIM planning
worksheet in section 7.1 of the redbook SG24-6975.
The EIM information must be stored in an LDAP server that resides on
an i5. (Due to some proprietary information involved.) Just letting
you know. The i5 does have a Directory Services (LDAP) server.
Part of the initial configuration work is to populate the EIM domain
controller. Typically each user will need an Identifier, and 2
associations, one for their name in the Kerberos realm, and one for
their profile on the i5.
There are APIs that can be used to create, change, and remove EIM
Identifiers.
</IBM tech support comments>
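The IBM comments above single out DNS resolution of the 'A' and 'PTR' records for the i5 and the KDC as the sensitive part of the setup. The script below is an added example, not code from the original post or from IBM: it checks that each host's forward lookup and the reverse lookup of every returned address agree, and derives the krbsvr400/<fqdn>@<REALM> service principal the i5 keytab entry must carry from the canonical name. Hostnames, addresses and realm are constructed sample data; the live_records helper is the only part that touches a real resolver.

```python
"""Check the DNS prerequisites for an IBM i (i5) Kerberos/SSO setup.

Added example, not part of the original mailing-list post or of any IBM
tool. The client, the KDC and the i5 Network Authentication Service all
derive the service principal from the host's canonical name, so the A
record, the PTR record and the name in the principal must agree.
Hostnames, IPs and realm below are constructed sample data.
"""
import socket

# IBM i registers its Kerberos service principal as krbsvr400/<fqdn>@<REALM>
SERVICE_PREFIX = "krbsvr400"


def expected_principal(fqdn, realm):
    """Service principal the i5 keytab entry must carry for this host."""
    return f"{SERVICE_PREFIX}/{fqdn.lower().rstrip('.')}@{realm.upper()}"


def check_host(name, a_records, ptr_records):
    """Return a list of problems for one host given forward and reverse maps.

    a_records: {fqdn: [ip, ...]}     ptr_records: {ip: fqdn}
    """
    problems = []
    fqdn = name.lower().rstrip(".")
    ips = a_records.get(fqdn)
    if not ips:
        return [f"{fqdn}: no A record"]
    for ip in ips:
        ptr = ptr_records.get(ip)
        if ptr is None:
            problems.append(f"{fqdn}: {ip} has no PTR record")
        elif ptr.lower().rstrip(".") != fqdn:
            # Forward and reverse disagree: the client will build a principal
            # for a different name than the one in the i5 keytab.
            problems.append(
                f"{fqdn}: {ip} PTR is {ptr}, not {fqdn} (principal will not match)"
            )
    return problems


def check_realm(i5_host, kdc_host, realm, a_records, ptr_records):
    """Check both the i5 and the KDC; return (problems, expected i5 principal)."""
    problems = check_host(i5_host, a_records, ptr_records)
    problems += check_host(kdc_host, a_records, ptr_records)
    return problems, expected_principal(i5_host, realm)


def live_records(hostname):
    """Build the two maps from this machine's resolver (not used offline)."""
    fqdn = socket.getfqdn(hostname).lower()
    ips = sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    ptrs = {}
    for ip in ips:
        try:
            ptrs[ip] = socket.gethostbyaddr(ip)[0]
        except socket.herror:
            pass  # no PTR: check_host reports it
    return {fqdn: ips}, ptrs


# Constructed sample zone data (hypothetical hosts on a documentation prefix)
SAMPLE_A = {
    "i5prod.example.com": ["192.0.2.10"],
    "dc1.example.com": ["192.0.2.1"],
    "i5dev.example.com": ["192.0.2.20"],
}
SAMPLE_PTR = {
    "192.0.2.10": "i5prod.example.com",
    "192.0.2.1": "dc1.example.com",
    "192.0.2.20": "as400dev.example.com",  # stale PTR after a rename: typical failure
}

if __name__ == "__main__":
    for host in ("i5prod.example.com", "i5dev.example.com"):
        problems, principal = check_realm(
            host, "dc1.example.com", "example.com", SAMPLE_A, SAMPLE_PTR
        )
        print(host, "->", principal, "OK" if not problems else problems)
```

Run it against the real zone by replacing the sample maps with the output of live_records for the i5 and the KDC; the mismatch on i5dev in the sample is the kind of stale PTR that makes a Kerberos logon fail while the userid/password icon keeps working.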