Overview - Implementing Single Sign-On (Online Course)
Synopsis
We use the term single sign-on to mean the ability to access multiple computer systems within an organization after signing on only once. This course will show you how to implement a single sign-on for a network containing systems running both Windows and IBM i.
The course begins with a definition of the single sign-on problem. You will see why solutions such as using the same ID and password on all systems have failed. It then describes, in detail, the two tools used to implement single sign-on in the IBM i environment: the Kerberos protocol and Enterprise Identity Mapping (EIM).
After the concepts and operation of Kerberos and EIM have been covered, the course goes into the details of setting up Kerberos and EIM on an IBM i system. While wizards are available to help you perform these tasks, a thorough understanding of the process will help you avoid potential pitfalls.
The course ends by showing you how to enable Kerberos authentication for common PC-to-IBM i applications, including System i Navigator, System i Access, and NetServer. Common problems are also discussed.
After completing this course, you should be able to:
- Describe why using the same user ID and password on all systems in a network is not a practical solution to the single sign-on problem
- Distinguish between authentication and authorization
- Describe the key difference in the tasks performed by the Kerberos protocol and Enterprise Identity Mapping
- Define Kerberos terms, including principal name, realm, Key Distribution Center, Ticket Granting Ticket, and Service Ticket
- Order the steps used by the Kerberos protocol to authenticate a user to a network server
- Identify security risks that Kerberos eliminates
- Identify security risks that Kerberos does not eliminate
- Describe potential Kerberos problems that can result from a poorly designed DNS process
- Describe the purpose of Enterprise Identity Mapping
- Describe how the use of Kerberos and EIM eliminates the need for most passwords
- Distinguish between an EIM domain and a registry
- Describe the relationship between EIM and LDAP
- Use the Network Authentication Service (NAS) wizard to configure Kerberos on an IBM i system
- Describe the function of a keytab file
- Use System i Navigator facilities to maintain the keytab file
- Use System i Navigator to create an EIM domain and a registry
- Define EIM associations to relate a Kerberos principal name to an IBM i user profile
- Create an EIM policy association that maps all users in a registry to a specific user ID of another registry
- Set up System i Navigator to use Kerberos authentication
- Describe how System i Access and NetServer are enabled for Kerberos authentication
- Identify potential difficulties in setting up Kerberos and EIM
Author Biography
Manta offers a complete library of courses for programmers, operators, system administrators, and users of the IBM i operating system and its predecessors, i5/OS and OS/400. These operating systems run on POWER7, POWER6, System i, iSeries, and AS/400 hardware.
All courses run on any PC that supports Internet Explorer.
• Audience: The course is intended for system administrators who will implement the Kerberos protocol and Enterprise Identity Mapping (EIM) on an IBM i system.
• Format: Online Course
• Publisher: Manta Technologies, Inc.
• Item #: AISS01