We use the term single sign-on to mean the ability to access multiple computer systems within an organization after signing on only once. This course will show you how to implement a single sign-on for a network containing systems running both Windows and IBM i.
The course begins with a definition of the single sign-on problem. You will see why solutions such as using the same ID and password on all systems have failed. It then describes, in detail, the two tools used to implement single sign-on in the IBM i environment: the Kerberos protocol and Enterprise Identity Mapping (EIM).
After the concepts and operation of Kerberos and EIM have been covered, the course goes into the details of setting up Kerberos and EIM on an IBM i system. While wizards are available to help you perform these tasks, a thorough understanding of the process will help you avoid potential pitfalls.
The course ends by showing you how to enable Kerberos authentication for common PC-to-IBM i applications, including System i Navigator, System i Access, and NetServer. Common problems are also discussed.
Approximate Study Time: 3 hours
After completing this course, you should be able to:
- Describe why using the same user ID and password on all systems in a network is not a practical solution to the single sign-on problem
- Distinguish between authentication and authorization
- Describe the key difference in the tasks performed by the Kerberos protocol and Enterprise Identity Mapping
- Define Kerberos terms, including principal name, realm, Key Distribution Center, Ticket Granting Ticket, and Service Ticket
- Order the steps used by the Kerberos protocol to authenticate a user to a network server
- Identify security risks that Kerberos eliminates
- Identify security risks that Kerberos does not eliminate
- Describe potential Kerberos problems that can result from a poorly designed DNS process
- Describe the purpose of Enterprise Identity Mapping
- Describe how the use of Kerberos and EIM eliminates the need for most passwords
- Distinguish between an EIM domain and a registry
- Describe the relationship between EIM and LDAP
- Use the Network Authentication Service (NAS) wizard to configure Kerberos on an IBM i system
- Describe the function of a keytab file
- Use System i Navigator facilities to maintain the keytab file
- Use System i Navigator to create an EIM domain and a registry
- Define EIM associations to relate a Kerberos principal name to an IBM i user profile
- Create an EIM policy association that maps all users in a registry to a specific user ID of another registry
- Set up System i Navigator to use Kerberos authentication
- Describe how System i Access and NetServer are enabled for Kerberos authentication
- Identify potential difficulties in setting up Kerberos and EIM
- The Quest for a Single Sign-On
- Enterprise Identity Mapping Concepts
- Adding an IBM i System to a Windows Network
- Activating EIM on the IBM i System
- Using Kerberos-Enabled Applications
The course is intended for system administrators who will implement the Kerberos protocol and Enterprise Identity Mapping (EIM) on an IBM i system.
This course assumes that you are familiar with the concepts and basic operations of IBM i systems. This prerequisite can be satisfied by successfully completing the Manta series Introduction to the IBM i Environment.
The course also assumes you have a basic understanding of TCP/IP concepts and facilities. This prerequisite can be satisfied by successfully completing the TCP/IP in the IBM i Environment series.
You may also have obtained these skills by taking other courses or through relevant work experience.