On October 7th IBM Systems Magazine hosted my webcast, How to Achieve SSO in a Day: Eliminate passwords and be an IT hero. I was very happy to see the large number of people who registered, attended, and stayed online until the end!
The webcast went a little long and I didn’t get a chance to address all of the questions. This post contains the written questions and my answers to them. If you’re interested in watching the webcast you can watch it here.
SSO Webcast Q&A
Q: In the past I had successfully configured EIM and SSO for i5OS. However I hit a snag in an HA scenario. We do have active HA in place where we switch to the HA box every weekend. I could not get much information about how to replicate the SSO setup in an HA environment.
A: I have helped several customers set up EIM and Kerberos for different HA environments (e.g. MIMIX, iTera, Save/Restore). There are at least a couple of different options regardless of the HA strategy and methodology you employ. It would be best to discuss the specifics of your environment over the phone.
I have one customer that has a total of 10 partitions on a single platform. The EIM repository is hosted in a separate partition. If a partition goes down, it fails over to a partition on a separate system. We replicate the EIM repository to a partition on the HA system. If the whole production machine fails, or if the EIM partition fails, the HA machine immediately takes over.
Also note that EIM being down will only affect those people attempting to create a new connection. Once a connection is established (i.e. once authentication and identity mapping is completed), EIM is not needed by that connection.
______________________________________________________________
Q: What happens to logons if EIM is off-line?
A: Logons won’t work (for most systems) if EIM goes down.
There are a couple of strategies for dealing with this. Each environment and set of requirements is different, so it’s hard to describe which solution works best without having the details. Sometimes companies can rely on their HA plan. They typically will host the EIM repository on the production system. If the production system ever goes down they know that the HA system becomes the production system. In this scenario, they can either use LDAP replication to keep the production and HA EIM repositories in sync or they can use their HA products to do so.
You also have to make sure that the Kerberos configuration and keytab file are enabled for HA. How this is done is highly dependent on whether the HA swap includes IP address and hostname takeover, only hostname takeover, or none.
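The point about the keytab depends on which hostname clients present in the service principal after a swap: a Kerberos service ticket is issued for the service principal named by the hostname the client connects to, so the HA partition must hold a key for that name. The following added example (not from the webcast or from IBM) parses constructed `klist -k` output in the format MIT Kerberos prints and reports which service principals the HA box is still missing for a given takeover style. It assumes the IBM i service principal form `krbsvr400/<hostname>@<REALM>`; the hostnames, realm and keytab contents are constructed sample values. Because the service principal is name-based, "IP and hostname takeover" and "hostname-only takeover" need the same keytab entries, which is why the example treats both as the `"hostname"` case.

```python
import re

# Constructed sample of `klist -k` output (MIT Kerberos format); not a real keytab.
# The same principal normally appears once per encryption type, hence the repeat.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 krbsvr400/hasys.example.com@EXAMPLE.COM
   2 krbsvr400/hasys.example.com@EXAMPLE.COM
"""

# One keytab line: a key version number followed by service/host@REALM.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)\s*$")

# Assumed IBM i service name used in the service principal.
IBMI_SERVICE = "krbsvr400"


def parse_klist(text):
    """Return the set of principals listed in `klist -k` output."""
    principals = set()
    for line in text.splitlines():
        match = PRINCIPAL_RE.match(line)
        if match:
            principals.add(match.group(2))
    return principals


def required_spns(prod_host, ha_host, realm, takeover):
    """Service principals the HA partition needs keys for after a role swap.

    takeover == "hostname": clients keep connecting to the production name
                            (with or without IP takeover), so the HA box must
                            also serve the production host's principal.
    takeover == "none":     clients connect to the HA box by its own name.
    """
    if takeover not in ("hostname", "none"):
        raise ValueError("takeover must be 'hostname' or 'none'")
    hosts = {ha_host}
    if takeover == "hostname":
        hosts.add(prod_host)
    return {f"{IBMI_SERVICE}/{host}@{realm}" for host in hosts}


def missing_spns(klist_text, prod_host, ha_host, realm, takeover):
    """Sorted list of required principals absent from the HA box's keytab."""
    present = parse_klist(klist_text)
    return sorted(required_spns(prod_host, ha_host, realm, takeover) - present)


if __name__ == "__main__":
    for style in ("hostname", "none"):
        gap = missing_spns(SAMPLE_KLIST, "prod.example.com",
                           "hasys.example.com", "EXAMPLE.COM", style)
        print(f"takeover={style}: missing {gap or 'nothing'}")
```

Run on a real HA box, replace `SAMPLE_KLIST` with the output of `klist -k` for the keytab the IBM i servers read, and the function tells you before the weekend swap whether the production hostname's principal is present.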
______________________________________________________________
Q: Do the Windows user ID and IBM i user ID have to be the same in order for SSO to work?
A: NO! That’s sort of the beauty of this approach. EIM handles ensuring that sessions get created under the appropriate userID on non-Windows platforms even if a person’s userIDs are different in the Windows domain and in the non-Windows platform.
______________________________________________________________
Q: I’m curious about the impact to applications using MS ADFS?
A: There isn’t any impact. You can choose which platforms/applications/environments for which you want to use “SSO” (i.e. Kerberos), and you can choose for which it makes more sense to use ADFS. For example, it’s easier to use SSO with an AIX or IBM i system, but it probably makes more sense to use ADFS for Office 365. Doing so has absolutely no impact on the other approach. ADFS usually makes more sense for cloud-based resources that don’t reside in your internal network/Windows domain.
______________________________________________________________
Q: You mentioned a utility to assist in setting up users. Is that something that is available to us? If yes, is it free or is this a commercial product?
A: I get a copy from IBM Lab Services for each customer. There is a fairly small one-time charge, but it’s not a product. There is no maintenance or anything. It’s just built into the cost of SSO Stat! You have to be a Lab Services partner to use them or buy any “utilities” they have. I am a partner and can get a copy for you (no markup).
______________________________________________________________
Q: Most IBM Web Applications for internal users (IBMers) use BluePages, an LDAP directory based on Tivoli Directory Services, and as far as I know it is the main user repository within IBM. Will we be migrating to AD?
A: I am not an IBMer anymore so I have no idea. Having said that, I know that IBM doesn’t run a Windows Domain. But IBM could easily build an enterprise-level Kerberos network based on AIX systems hosting the “KDCs” (i.e. Kerberos servers). Kerberos can use LDAP as a backing store for its user registry. I don’t know enough about Blue Pages to tell you if there would have to be any schema enhancements for Blue Pages. But assuming that the Blue Pages schema can be used as is or extended, it wouldn’t be a huge technical problem. Once that was done, then you would have to have people configure their workstations to “join” the Kerberos realm. Logging in for them would look and feel the same as if they were logging into a Windows domain.
______________________________________________________________
Q: In addition how can we achieve SSO for IBM internal applications?
A: That depends on each internal application and how they implement authentication today. The same is true for third-party applications. Sometimes workarounds are possible – even when the application doesn’t directly support Kerberos authentication. There are some applications that cannot be made to work in an SSO environment. In these situations I always suggest the following: remove the passwords from the remote systems for everyone who doesn’t need to use an application that can’t be made to work with SSO. Implement a cheap password synchronization solution to help manage passwords for only those users whose passwords cannot be removed.
_____________________________________________________________
Q: Is there a fallback option in case the third party verifier is compromised in Kerberos?
A: Hummm. Not quite sure what you mean. Do you mean to prevent anyone from authenticating to the network? Or do you mean to prevent authenticated users from accessing a server? In either case, you first have to learn that the domain controller (AKA Kerberos KDC) has been compromised. At that point, you can just turn off the domain controller(s). This will allow people to access their local workstations, but not any domain related resources on other systems or to connect to any non-Windows servers via SSO. This approach effectively prevents anyone from authenticating to the network. The solution is the same whether you are using SSO to connect to non-Windows platforms, applications, or environments.
If, for some reason, it’s OK with you that people can access anything in the Windows domain even though you know the domain controller has been compromised (from a security point of view this makes no sense), then you can do that in a couple of ways. One way is to use a property of EIM which indicates that no identity mapping should be done with the IDs in a particular registry. For every non-Windows registry you could set this property on until the compromise had been addressed.
Finally, if you meant: is there a way to allow people to securely access non-Windows platforms/applications/environments without using SSO? The answer is no. If the Windows domain controller has been compromised there is no way to offer secure access to non-Windows platforms even if you’re not using SSO! If your domain controller has been compromised, you have to assume that every workstation has been compromised with key loggers, etc. So falling back to userID/password authentication safely is not possible anyway.
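Three of the answers above describe how EIM behaves at connection time: a Windows userID is mapped to a possibly different userID on each non-Windows registry, a registry can be flagged so that no mapping is done for it while a compromise is handled, and an already established session no longer needs the repository. The following added example is a small in-memory model of that behaviour written for this post; it is not IBM’s EIM API and not the webcast’s code. Registry names, userIDs and the `mapping_disabled` flag are constructed assumptions standing in for the EIM source/target associations and the per-registry property the answer refers to.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Registry:
    name: str
    # Models the EIM per-registry property that suppresses identity mapping.
    mapping_disabled: bool = False


@dataclass
class EimRepository:
    registries: dict = field(default_factory=dict)
    # Source associations: (registry, userid) -> EIM identifier (the person).
    sources: dict = field(default_factory=dict)
    # Target associations: (identifier, registry) -> userid on that registry.
    targets: dict = field(default_factory=dict)

    def add_registry(self, name: str) -> None:
        self.registries[name] = Registry(name)

    def associate_source(self, registry: str, userid: str, identifier: str) -> None:
        self.sources[(registry, userid)] = identifier

    def associate_target(self, identifier: str, registry: str, userid: str) -> None:
        self.targets[(identifier, registry)] = userid

    def disable_mapping(self, registry: str) -> None:
        self.registries[registry].mapping_disabled = True

    def lookup(self, src_registry: str, src_user: str, tgt_registry: str) -> Optional[str]:
        """Map a source userID to the target registry's userID, or None."""
        src = self.registries.get(src_registry)
        tgt = self.registries.get(tgt_registry)
        if src is None or tgt is None or src.mapping_disabled or tgt.mapping_disabled:
            return None
        identifier = self.sources.get((src_registry, src_user))
        if identifier is None:
            return None
        return self.targets.get((identifier, tgt_registry))


@dataclass
class Session:
    # Once a connection is up, it carries the resolved local user and never
    # consults EIM again; this is why an EIM outage only blocks new connections.
    registry: str
    local_user: str


def open_session(repo: EimRepository, src_registry: str, src_user: str,
                 tgt_registry: str) -> Optional[Session]:
    """Connection-time step: authenticate (assumed done) then map via EIM."""
    local_user = repo.lookup(src_registry, src_user, tgt_registry)
    if local_user is None:
        return None
    return Session(tgt_registry, local_user)


def build_sample_repository() -> EimRepository:
    """Constructed data: one person with a different userID on each system."""
    repo = EimRepository()
    for name in ("MYCO.COM", "PRODSYS", "HASYS"):
        repo.add_registry(name)
    repo.associate_source("MYCO.COM", "jsmith", "John Smith")
    repo.associate_target("John Smith", "PRODSYS", "JSMITH1")
    repo.associate_target("John Smith", "HASYS", "JSM")
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    session = open_session(repo, "MYCO.COM", "jsmith", "PRODSYS")
    print("connected as", session.local_user)
    repo.disable_mapping("PRODSYS")          # compromise handling for one registry
    print("new PRODSYS connection:", open_session(repo, "MYCO.COM", "jsmith", "PRODSYS"))
    print("existing session still", session.local_user)
```

The source registry stands for the Kerberos realm (Windows domain) and the target registries for the IBM i partitions; only the target side is flagged in the compromise scenario, which is the minimum needed to stop new mapped sessions on that system.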
______________________________________________________________
Q: Will SSO work with web applications – such as Lastpass?
A: With Lastpass? Probably not. That depends on Lastpass. However, since Lastpass is a password vault application and this particular approach is an attempt to eliminate passwords, that may not be the best example.
Let me reword your question: Will SSO work with web applications that are hosted internally? In all likelihood the answer is yes. It’s just a matter of configuring the Web Server to accept Kerberos as an authentication option for the URLs for which you want to enable SSO.
Third-party hosted websites almost certainly will not support Kerberos. There are a number of reasons for this, but the main technical reason is because of the “trusted third-party” authentication. Any server or platform must essentially reside in your internal network and trust your Windows Domain/AD implementation. This just simply isn’t feasible for most external Web sites.
In these situations, you might be able to use MS ADFS (Federation Services). It’s pretty complicated, heavyweight, and costs extra. It’s not so much SSO as you’ll still be prompted to access federated services; however, you always enter the same userID and password, which is authenticated locally rather than by the remote service. Then they do something equivalent to what EIM does and make sure you access the external site under the userID you used to register there.
Not all web sites participate in ADFS.
______________________________________________________________
Q: Does SSO work with OLD PC5250 client V5R3 or V5R4?
A: Kerberos and EIM rolled out in V5R1. As long as the PC5250 client is equivalent to that available with V5R1 it should work. There are a couple of non-IBM 5250 emulators that also support Kerberos. The JWalk related emulator is one of them.
______________________________________________________________
Q: Is SSO Stat! a suite of IAM (identity access management) tools?
A: If I understand the question correctly, the answer is no. SSO stat! is a service that uses technology you already own. SSO stat! provides implementation and ongoing technical support. However, you can use EIM as the basis of an IAM solution. We have a utility, for example, that will delete the EIM Identifier associated with an IBMi user profile that has just been deleted. We have another utility that will create an IBM i user profile for a new Windows userID that has been created. An XML configuration file helps you control the values of the user profile attributes. It’s controlled by adding a Windows userID to a specified group.
Don’t get me wrong: these are not full employee life-cycle IAM solutions. They are just affordable ways to get some of the IAM function without having to “bet the farm” on expensive third-party products and hiring a new person to support that product.
______________________________________________________________
Q: We have WebSphere running on iSeries. Can SSO be achieved between Java Web applications running on System i and DB2/400? Our stored procedures are secured by user/group.
A: Yes. This is a common scenario. And it can be achieved either between the browser and the WAS and/or between WAS and DB2. It depends on your requirements and how much change you want to do to existing WAS app implementations.
______________________________________________________________
Q: Have 2 iSeries, 1 HA backup, role swap possible with SSO?
A: Yes.
______________________________________________________________
Q: How do you handle the situation where a user does not have a Windows User ID but does need an IBM i User ID?
A: Need a few more details. However, the very nature of SSO implies someone accessing multiple systems. If someone is only accessing your IBMi, then I would manage them the same as usual—give them a user profile name and password. I’m not sure this is your situation. I would need more details about what else this user accesses, do they access from the internal network or through a VPN, etc.
______________________________________________________________
Q: Maybe 2 EIM dup on both iSeries? or is there another way?
A: I think this is an HA related statement or question. The answer is yes. The only issue to resolve is do you manage the replication by using LDAP replication or by using HA software. The thing you want to avoid like the ebola virus, is managing two instances of EIM individually.
______________________________________________________________
Q: Any big organization will have multiple AD controllers, so do all of these AD controllers have to be in sync for SSO to work?
A: If you are talking about a single Windows domain with redundant DC/AD controllers, then yes, they have to automatically replicate with each other. If they don’t, you’ll eventually have problems within the Windows domain regardless of whether you’re trying to use Windows domain authentication to access non-Windows systems. You’ll have the same sorts of issues with non-Windows platforms that you would have with Windows workstations/servers within the domain.
Now, it is possible that you are referring to a more complicated Windows domain setup. You can manage multiple domains in a “forest.” This allows services in one domain to “trust” tickets issued by the other domain. In Kerberos this is known as cross-realm trust. Within a single domain you’ll need to keep your DC/AD controllers synchronized, but there is no need to synchronize them (at least from the user registry point of view) with DC/AD controllers in the other domain.
_____________________________________________________________
Q: Can we see the SSO working in your environment?
A: It’s hard to do anything like that during a webcast. In general SSO is not very sexy to demo. It just appears that you access the service without being prompted. For Telnet, for example, you just see your initial screen, menu, shell script without being asked to authenticate; yet, if you look at who you are logged in as, you will see that it is the userID that represents you in that particular environment.
______________________________________________________________
Q: Is it possible to roll out AS400 SSO from Citrix portal?
A: I’m not sure I understand the question. SSO works with Citrix portals. From an application configuration point of view, configuring the application to use Kerberos authentication can be “rolled out” through standard Windows Domain Controller function or any other mechanism that you might use to manage workstations.
______________________________________________________________
Q: How does this interface to IFS objects?
A: You have to access IFS through some sort of interface. FTP, NetServer, Telnet, ODBC, etc. all support SSO. Once the application/interface is connected and the job associated with it is running under the proper userID, SSO has nothing to do with accessing any resources, be they IFS, QSYS.LIB, DB2, etc.
______________________________________________________________
Q: What are the differences with the SSO directly suggested by IBM?
A: I think the question is: which interfaces on IBM i support SSO? A less ambiguous way to word the question is: which interfaces on IBM i support Kerberos authentication? Certainly all of the major interfaces, including Telnet and FTP (client and server), ODBC, NetServer, the other file servers, and more. I’ve never run into a situation where a system interface that needed to support Kerberos didn’t. The issues tend to be with IBM applications.
______________________________________________________________
Q: Does it work with Lotus Domino web server?
A: Yes.
______________________________________________________________
Q: Can SSO be implemented in an AS/400 and Windows environment?
A: Yes. That’s essentially what the whole webcast was about.
______________________________________________________________