Single Sign-On in a Single Day Jack McAfee www.triaworks.com


Single Sign-On in a Single Day

Jack McAfee, www.triaworks.com

Page 2

Agenda

• Different SSO Approaches

• The IBM approach

– Enterprise Identity Mapping (EIM)

– Kerberos or Identity Tokens

• Implementation Overview

Page 3

A “Typical” Configuration

Who Benefits from SSO?
1. End Users: Higher Productivity
2. Administrators: Less Password Management
3. Programmers: More Secure Applications

[Figure: end users connect to five servers (i1 OS/400 V5R2, i2 OS/400 V5R3, i3 OS/400 V5R3, p1 Linux, x1 Windows 2003 Server), and the same person holds a different user ID and password on each: rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/LONGHORN, JACKM/HOUSTON, jmcafee/LoneStar.]

Page 4

Synchronization SSO Approach

User ID/Password Synchronization
• No end user productivity gains (not really SSO)
• Implementation cost is high to synchronize UIDs/PWDs
• Administration cost is high to maintain synchronization
• UIDs and PWDs are limited by platform
• Synchronization is not always reliable

[Figure: the same five servers (i1, i2, i3 OS/400, p1 Linux, x1 Windows 2003 Server), now with an identical user ID and password (JACKM/TEXAS) synchronized onto every one.]

Page 5

Centralization SSO Approach

User ID/Password Centralization
• End user productivity gains
• Implementation cost is high to capture and replay UIDs/PWDs
• Administration cost is high to maintain centralization
• Management cost is high to synchronize and secure list
• Synchronization is not always reliable

[Figure: the five servers keep their different user IDs and passwords (rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/LONGHORN, JACKM/HOUSTON, jmcafee/LoneStar); a Central Repository holds a copy of every one of those UID/PWD pairs and replays them at sign-on.]

Page 6

The IBM Approach

Single Sign-On Components

• Kerberos for authentication
  – Uses strongly encrypted tickets and not passwords
  – Implemented on all major platforms

• Enterprise Identity Mapping (EIM) for authorization
  – Maps people to their user identities on various registries
  – Registry might be a platform, application, or middleware

• Applications enabled for Kerberos and EIM
  – IBM has enabled many popular services in V5R2 and i5/OS
  – You can also enable your applications

Page 7

What is EIM?

IBM’s Enterprise Identity Mapping (EIM) is an infrastructure for associating a unique person with one or more user identities in various registries across the enterprise.

[Figure: the person (EIM identifier) Jack McAfee is linked by associations to the user identities rjmcafee, RJM46D and JACKM in the pSeries, zSeries and iSeries registries.]

Page 8

Where is the EIM Domain kept?

• On a Domain Controller in an LDAP directory
• IBM Directory Server offers broad platform support:
  – Windows® 2000, AIX®, Solaris™, and HP-UX™
  – As well as Linux distributions for Intel™, and
  – IBM eServer iSeries, pSeries, and zSeries platforms

[Figure: an EIM application queries the EIM Domain (People, Associations, Registries) held on the Domain Controller: "Q: Who is Jack McAfee? A: JACKM".]

VERY SECURE! Neither User Identities nor Passwords are maintained in the EIM Domain!

Page 9

Source and Target Associations

• Source
  – For initial authentication
  – Typically, desktop or laptop
  – User Identity, Registry → Person

• Target
  – For subsequent authentication
  – Typically, servers
  – Person, Registry → User Identity

Person        User Identity   Registry     Association Type
Jack McAfee   jmcafee         Gatekeeper   Source
Jack McAfee   JACKM           Production   Target

[Figure: the source association maps user identity jmcafee to the person Jack McAfee; the target association maps that person to user identity JACKM.]

Page 10

The EIM and Kerberos Approach

EIM and Kerberos
• End user productivity gains
• Easy to implement – no synchronization
• Easy to manage – no centralization
• Reduces password management cost!

[Figure: the Key Distribution Center (KDC) runs on x1 (Windows 2003 Server), the source, where the user is jmcafee/LoneStar; the targets i1 OS/400 V5R2, i2 OS/400 V5R3, i3 OS/400 V5R3 and p1 Linux keep their own user IDs (rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/*NONE, JACKM/HOUSTON), with an EIM Domain Controller alongside them.]

1. Sign-On to x1 as jmcafee and get Kerberos TGT
2. KDC on x1 sends a Kerberos ST to i1
3. i1 authenticates the Kerberos ST
4. EIM: Jack McAfee is authorized on i1 as JACKM

jmcafee on x1 (Source) → Jack McAfee (EIM Identifier) → JACKM on i1 (Target)
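The source/target lookup from the association slide and the jmcafee → Jack McAfee → JACKM mapping in the flow above, as an added Python model (not IBM's EIM API or TriAWorks code): the registry names x1, i1, i3 and WebSphere, the sample associations, and the audit line format are assumptions constructed from the slides.

```python
# Added example, not IBM's EIM API or TriAWorks code: a minimal model of an EIM domain and the
# source -> identifier -> target lookup described on the association and flow slides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Association:
    identifier: str  # the person (EIM identifier), e.g. "Jack McAfee"
    registry: str    # registry name (x1/i1/i3/WebSphere are this example's assumed names)
    user_id: str     # user identity within that registry
    kind: str        # "source" (initial authentication) or "target" (subsequent authentication)

class EimDomain:
    """Holds people, registries and associations only; no passwords are stored here."""
    def __init__(self, associations):
        self.associations = tuple(associations)

    def identifier_for(self, registry, user_id):
        """Source lookup: which person authenticated as user_id in registry?"""
        people = {a.identifier for a in self.associations
                  if a.kind == "source" and a.registry == registry and a.user_id == user_id}
        return people.pop() if len(people) == 1 else None  # unknown or ambiguous: no mapping

    def target_for(self, identifier, registry):
        """Target lookup: which user identity does this person hold in registry?"""
        ids = [a.user_id for a in self.associations
               if a.kind == "target" and a.identifier == identifier and a.registry == registry]
        return ids[0] if len(ids) == 1 else None  # two targets in one registry: refuse to guess

def map_user(domain, source_registry, source_user, target_registry, audit):
    """Run after the Kerberos ticket or identity token has been authenticated. Returns the
    target user identity (or None) and appends an audit line, like the QAUDJRN record."""
    person = domain.identifier_for(source_registry, source_user)
    target = domain.target_for(person, target_registry) if person else None
    audit.append("EIM %s@%s -> %s: %s" % (source_user, source_registry,
                                          target_registry, target or "no mapping"))
    return target

# Constructed from the slides: one person, two source identities, two target identities.
DOMAIN = EimDomain([
    Association("Jack McAfee", "x1", "jmcafee", "source"),      # Windows/Kerberos sign-on
    Association("Jack McAfee", "WebSphere", "jack", "source"),  # WAS identity-token sign-on
    Association("Jack McAfee", "i1", "JACKM", "target"),
    Association("Jack McAfee", "i3", "RJMCAF", "target"),
])

if __name__ == "__main__":
    log = []
    print(map_user(DOMAIN, "x1", "jmcafee", "i1", log))       # JACKM
    print(map_user(DOMAIN, "WebSphere", "jack", "i3", log))   # RJMCAF
```

A lookup that finds no person, or two target identities in the same registry, returns None rather than guessing, which is the outcome an EIM-enabled server should treat as a failed sign-on.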

Page 11

The EIM and Kerberos Approach

Services or Applications enabled by IBM

• OS/400 V5R2
  – iSeries Access
  – iSeries Navigator
  – Telnet (includes PC5250)
  – ODBC/JDBC/DRDA
  – LDAP
  – QFileSvr.400

• Post V5R2 GA
  – Apache Web Server (PTF Group SF99098)
  – IBM WebSphere Host On-Demand (PTF level IP22748)

Page 12

SSO Approach Comparison

Cost to... (IBM Approach vs. Synchronization vs. Centralization)

Acquire
  IBM Approach: (+) Infrastructure integrated into OS/400, i5/OS by IBM, and Windows by Microsoft
  Synchronization: (-) Infrastructure provided by ISVs
  Centralization: (-) Infrastructure provided by ISVs

Implement
  IBM Approach: (+) No agents to deploy; (+) EIM and Kerberos APIs are open source
  Synchronization: (-) Agents likely deployed; (-) Must synchronize UIDs/PWDs; (-) Potential changes to security schemes
  Centralization: (-) Agents deployed; (-) Must synchronize and secure centralized list of UIDs/PWDs; (-) PWDs eventually made available in clear-text

Maintain
  IBM Approach: (+) Infrastructure supported by IBM; (+) No centralized list of UIDs/PWDs to secure or synchronize
  Synchronization: (-) Must maintain synchronization; (-) UIDs/PWDs limited by “weakest” platform; (-) Synchronization not always reliable
  Centralization: (-) Scripts must be maintained to capture UIDs/PWDs; (-) Synchronization not always reliable

Page 13

SSO Approach Comparison

Benefits... (IBM Approach vs. Synchronization vs. Centralization)

End Users
  IBM Approach: (+) Fewer UIDs/PWDs; (+) Fewer Sign-Ons
  Synchronization: (+) Fewer UIDs/PWDs; (-) Same number of Sign-Ons
  Centralization: (+) Fewer UIDs/PWDs; (+) Fewer Sign-Ons

Administrators
  IBM Approach: (+) Fewer PWD reset issues; (+) Fewer PWDs to manage!; (+) Improved security (Kerberos tickets, *NONE passwords)
  Synchronization: (+) Fewer PWD reset issues; (-) Synchronization issues
  Centralization: (+) Fewer PWD reset issues; (-) Capture and Synchronization issues; (-) UIDs/PWDs reside in two locations

Programmers
  IBM Approach: (+) Leverage the same EIM domain managed by Administrators
  Synchronization: (-) Limited benefit to Programmers
  Centralization: (-) Some benefit to Programmers – if they can access centralized UID/PWD repository

Page 14

IBM Approach Benefits

• End Users
  – Increased productivity
  – No longer need to write down multiple passwords
  – Only need to remember a single, strong password

• Administrators
  – Less time resetting passwords
  – More secure enterprise (including *NONE passwords)
  – No need to secure or synchronize another registry
  – Platform authorization schemes are not changed
  – Incremental roll-out

• Programmers
  – Increased productivity
  – User identities and passwords no longer hard coded
  – Utilize same EIM domain maintained by administrators

Page 15

SSO in a Single Day! (Really)

• Objection: SSO requires extensive planning
  – “Everyone must be enabled at the same time”
    Not any more... End-user client applications (e.g. iSeries Navigator and PC5250) are configured to use Kerberos for authentication
  – “Platform authorization schemes need to be changed”
    Not any more... Authorization continues to be determined by user identity controls

• Objection: SSO configuration is a challenge
  – EIM
    IBM Directory Server is integrated into OS/400; the iSeries Navigator EIM Configuration wizard simplifies EIM configuration
  – Kerberos
    You are probably already using Kerberos; the iSeries Navigator Network Authentication Service wizard simplifies Kerberos configuration

• Objection: SSO weakens overall security
  – “Passwords must be centrally stored and synchronized”
    EIM does not centrally replicate user identities and passwords; Kerberos tickets are used for authentication
  – “Single point-of-access for people with malicious intentions”
    Today, most end users already write down their passwords or use password synchronization. Also, 2-factor authentication is a countermeasure

• Objection: Expensive (time and/or money)
  – Deployment
    Not any more... IBM has integrated EIM and Kerberos into OS/400 starting with V5R2
  – Ongoing maintenance
    TriAWorks Identity Manager for Single Sign-On (TIM SSO) makes it easy to populate EIM, create associations, and identify problems

Page 16

SSO in a Single Day Implementation

1. Configure Kerberos
2. Configure EIM
3. Populate EIM
4. Create Associations
5. Configure Applications

Page 17

SSO in a Single Day Implementation

But what about web applications?

Page 18

The EIM and Identity Tokens Approach

Single Sign-On Components

• Client – Any web browser or Java application
  – No change to WAS authentication model

• Middleware – WebSphere Application Server (WAS)
  – WAS V5 or Express V5
  – IBM Java Toolbox (JT400) Java Connector Architecture (JCA)

• Application – Enabled to create Identity Tokens
  – iSeries Access for Web
  – WebFacing
  – WebSphere Development Studio Client (WDSc) Web Tools
  – And YOURS!

• Back-end Server – V5R2 or i5/OS V5R3 iSeries
  – Using the Java Toolbox (JT400)
  – Which uses the iSeries Access host servers

Page 19

The EIM and Identity Tokens Approach

Enabled Single Sign-On Host Servers

• Sign-on server

• Central server

• File server

• Database server

• DRDA and DDM server

• Data queue server

• Remote command server

• Distributed program call server

• Network print server

Page 20

The EIM and Identity Tokens Approach

Single Sign-On Configuration

1. Apply requisite PTF support

2. Deploy WebSphere JT400 JCA and define:
   a) The EIM domain location
   b) Its authentication credentials (i.e. userid and password)
   c) A WAS registry name

3. Enable your WAS or Java application for SSO by adding code to create Identity Tokens – jt400.jar in http://www-1.ibm.com/servers/eserver/iseries/toolbox/downloads.htm

Page 21

The EIM and Identity Tokens Approach

Single Sign-On PTFs

The V5R2 Identity Token PTFs are:

PTF/FIX #: SI14141 - OS/400 - Extended Base Directory Support
LICENSED PROGRAM: 5722SS1
New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component)

PTF/FIX #: SI10930 - Operating System/400
LICENSED PROGRAM: 5722SS1
Identity token support added for the operating system.

PTF/FIX #: SI11002 - Operating System/400
LICENSED PROGRAM: 5722SS1
This PTF supplies support for identity tokens within the host servers.

PTF/FIX #: SI11003 - Operating System/400
LICENSED PROGRAM: 5722SS1
This PTF supplies support for identity tokens within the host servers.

The V5R3 Identity Token PTFs are:

PTF/FIX #: SI14181 - OS/400 - Extended Base Directory Support
LICENSED PROGRAM: 5722SS1
New function. Enterprise Identity Mapping (EIM) Identity Token Connection Factory. (This is to enable the WebSphere JCA component)

Page 22

The EIM and Identity Tokens Approach

[Figure: x1 (Windows 2003 Server) is the source, where the user signs on to the WebSphere application as jack/LoneStar; the targets i1 OS/400 V5R2, i3 OS/400 V5R3 and p1 Linux keep their own user IDs (rjmcafee/SpaceCenter, RJMCAF/ALAMO, JACK/*NONE, JACKM/HOUSTON), with an EIM Domain Controller alongside them.]

TriAWorks Identity Manager for Single Sign-On (TIM SSO)
TIM SSO imports people, makes associations, and maintains your SSO integrity

1. Sign-On to WebSphere application as jack
2. WAS application creates an Identity Token
   – JCA connector returns an ID Token to the app
   – The app forwards the ID Token to a JT400 object
   – JT400 presents the ID Token to the back-end iSeries
3. OS/400 accepts the Identity Token for authentication
4. EIM: jack in WebSphere is JACKM on i1 (write X1 QAUDJRN audit record)
5. Pass Identity Token to i3
6. EIM: jack in WebSphere is RJMCAF on i3 (write X1 QAUDJRN audit record)

Page 23

Identity Tokens Code Sample

// Use the identity token J2C connector to obtain and return an identity token.
// This runs inside a servlet: 'out' is the response PrintWriter. IdentityToken and
// ConnectionFactoryImpl ship in jt400.jar; the package names below are assumed, so check
// them against the Toolbox javadoc for your release.
import java.io.PrintWriter;
import javax.naming.Context;
import javax.naming.InitialContext;
import com.ibm.eim.token.IdentityToken;              // package assumed
import com.ibm.eim.token.jca.ConnectionFactoryImpl;  // package assumed

private PrintWriter out;   // set by the calling servlet from response.getWriter()

private IdentityToken getIDToken() {
    IdentityToken idToken = null;
    ConnectionFactoryImpl cf = null;
    Context ic = null;
    try {
        // Look up a connection factory instance.
        ic = new InitialContext();

        // Create and configure a managed connection factory instance. Properties were set
        // when the managed connection factory was deployed. Look up the factory using an
        // indirect JNDI (alias) name configured in the application's web.xml; the alias must
        // match the JNDI name used when the connector was deployed. You must use an indirect
        // lookup: WAS will not pass a Subject to the JCA if you use a direct lookup.
        cf = (ConnectionFactoryImpl) ic.lookup(
            "java:comp/env/eis/IdentityToken_Shared_Reference");
    } catch (Exception e2) {
        out.println("The lookup for the connection factory failed. Either the connector is "
            + "not configured, or the servlet's resource reference (JNDI name) is not set "
            + "correctly in the web.xml file. The servlet expects the resource reference in "
            + "web.xml to be eis/IdentityToken_Shared_Reference");
        return null;
    }
    // The slide ends here; the call that obtains the token from cf is not shown on the page.
    return idToken;
}

Page 24

Identity Tokens Code Sample

// Use the identity token to create a connection object to the OS/400 (host command server).
// Belongs at the top of the same servlet source file:
import com.ibm.as400.access.AS400;   // from jt400.jar

private String remoteSystemName;   // host name of the back-end iSeries, set by the servlet

private AS400 getOS400Connection(IdentityToken idToken) {
    AS400 OS400CmdConnection = null;
    try {
        // Create an AS400 object and set the IdentityToken into it.
        OS400CmdConnection = new AS400(remoteSystemName);
        OS400CmdConnection.setIdentityToken(idToken.toBytes());
        OS400CmdConnection.connectService(AS400.COMMAND);
    } catch (Exception e) {
        out.println(e.getMessage());
        e.printStackTrace(out);
    }
    return (OS400CmdConnection);
}

Page 25

Summary

The IBM approach
– Enterprise Identity Mapping (EIM) for authorization
– Kerberos or Identity Tokens for authentication
  Kerberos for Windows based applications
  Identity Tokens for WAS based applications

Page 26

For More Information

Links can be found on www.triaworks.com

• Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server Redbook

• Experts’ Guide to OS/400 & i5/OS Security by Carol Woodbury and Patrick Botz

• http://www-1.ibm.com/servers/eserver/security/eim/

• http://web.mit.edu/kerberos/