Level: Intermediate
Peng Jiang (pjiang@cn.ibm.com), Advisory IT Specialist, IBM China
Fang Lin (fanglin@cn.ibm.com), IT Specialist, IBM China
Neil Readshaw (readshaw@au1.ibm.com), Senior Certified IT Specialist, IBM
17 Mar 2008
Tivoli® Access Manager for Enterprise Single Sign-on (TAM E-SSO) provides a component that runs on a user's Microsoft® Windows® desktop to achieve single sign-on (SSO) with Windows, Web, Java™ and host emulator applications. TAM E-SSO provides a range of flexible techniques to integrate with these different application types. In this article, integration with graphical X Windows applications running on UNIX® and Linux® is demonstrated through the use of Xmanager, an X server for the Microsoft Windows platform.
Introduction
In a typical organization an employee is required to authenticate to a number of different systems to do their job. Depending on the organization, this can mean between five and thirty different sets of authentication credentials (usernames and passwords). As the number of credentials to be remembered grows, users typically fall back on less secure ways of remembering them, such as writing them down. Worse still, when a user forgets a password it has to be reset, which is expensive for the organization and reduces user productivity.
About Tivoli Access Manager for Enterprise Single Sign-on
Tivoli Access Manager for Enterprise Single Sign-on (TAM E-SSO) is a solution based on technology from Passlogix that provides single sign-on support for a wide range of application types:
- Microsoft Windows
- Client/server
- Web
- Java
- Host emulator including IBM AS/400® (5250), IBM OS/390® (3270) and UNIX (telnet)
- Custom developed software
The TAM E-SSO client software, which runs on Windows desktops, can identify and respond to authentication challenges issued by other applications and systems. TAM E-SSO supports different kinds of user authentication, such as:
- Username and password
- Smartcard
- Biometrics
TAM E-SSO policies and the users' credentials for other applications can be saved in an LDAP directory or SQL database. The TAM E-SSO Administration console can auto-identify and configure the login properties of applications. The administrative overhead to do this is low with TAM E-SSO. When enterprise users roam across different machines in the network or share a workstation with others, access to their SSO credentials is available from the central directory or database, but is also cached locally to provide a more highly available solution.
The TAM E-SSO software provides password management as well. Passwords can be synchronized across a number of systems. Passwords consistent with a system's password policies can be automatically generated.
About Xmanager
Xmanager is an X11 Release 6 X server for Windows platforms. It turns a Windows desktop PC into an X Windows workstation, so that X applications can run on a UNIX/Linux server but be displayed on the user's Windows desktop. Communication between the application running on the UNIX/Linux server and the X server uses the standard X protocol over TCP sockets. Note that the X protocol itself provides no encryption: everything the X server sends to the application, including the keystrokes that carry a user's credentials, crosses the network in the clear unless the X connection is tunnelled, for example through SSH X11 forwarding.
Single Sign-on Challenge
In some environments, client/server applications have client software that runs on a UNIX/Linux system rather than natively on a Windows desktop. Integrating these applications with TAM E-SSO is possible, though perhaps not obvious. The remainder of this article shows you how to achieve this, using:
- TAM E-SSO Version 6.0
- Xmanager Version 2.0
The X Windows client applications that will be demonstrated are:
- IBM Tivoli Monitoring
- IBM DB2® Control Center
Integrating X Windows Applications with TAM E-SSO
Approach
An X server is required so that the UNIX/Linux client applications will be displayed on a Windows system.
In this article, Xmanager is used. TAM E-SSO is then configured to recognize the X applications being
displayed on the Windows desktop and supply the credentials required to authenticate to those applications.
Pre-requisite Software
The implementation section below assumes that the technical environment shown in Figure 1 has already been prepared. The basic installation and configuration steps needed to construct this pre-requisite environment are not discussed in this article.
Figure 1. Pre-requisite software environment
Software installed and configured on the Windows desktop system is:
- TAM E-SSO Version 6.0 Administrative Console
- TAM E-SSO Version 6.0 Client
- Xmanager 2.0
Software installed and configured on the UNIX/Linux server is:
- IBM Tivoli Monitoring (ITM) 6.0
  - Tivoli Enterprise Monitoring Server (TEMS)
  - Tivoli Enterprise Portal (TEP) Server
  - Tivoli Enterprise Portal Client
- IBM DB2 8.2 server and client
SSO to IBM Tivoli Enterprise Portal Client
For single sign-on to the TEP client in this environment, only the username needs to be supplied. No password is required, because the monitoring server here has not been configured to validate user passwords.
First, an application template for the TEP client needs to be configured in the TAM E-SSO Administration Console. Application templates describe the behavior required of a TAM E-SSO client in response to an application's login and change password windows. Right-click on the "Applications" container in the TAM E-SSO Administration Console and choose "Add". The "Add Applications" window is displayed as shown in Figure 2.
Figure 2. Adding an application in the TAM E-SSO Administration Console
Enter a name for the new template ("itm" is shown in Figure 2 above). Choose the "Windows" application type and click "Finish". The Form Wizard appears, as in Figure 3.
Figure 3. Form Wizard
Start the X server and launch the TEP client. When the logon window is displayed, return to the TAM E-SSO Form Wizard and choose "Logon".
Figure 4. Identifying the TEPC logon form
TAM E-SSO lists all windows currently displayed on the desktop. Choose the TEP client logon window from the list. When the window border of the TEP client logon form is highlighted, click "Next". Then choose the "Send keys" method of supplying the required credentials to this window; with this method TAM E-SSO types the credentials into the window as keystrokes, which Xmanager forwards to the X client as ordinary key events. Confirm the window elements for the username field and the logon button as you would for any other Windows target in TAM E-SSO. The new application is then added to the TAM E-SSO Administrative Console, as shown in Figure 5.
Figure 5. Application properties
To add this newly configured application to the set available in the repository (for example, Microsoft Active Directory), click "Repository". Supply the AD administrator's credentials when prompted. Right-click the application container ("OU=SSOConfig" in Figure 6) and choose "Configure SSO Support". As shown in Figure 6, click "Add" and choose the new application configuration (named "itm" in the figure).
Figure 6. Adding the application definition to the repository
After clicking OK, the new entry will appear in the "SSOConfig" branch of the directory. For example, if Microsoft Active Directory (AD) is used the location of the new entry in Active Directory might be "OU=SSOConfig,OU=TAMES,DC=IBM,DC=local" (Figure 7).
Figure 7. New application definition appears in the repository
Configuration is now complete from the TAM E-SSO administrator's perspective. The next steps show how a user with the TAM E-SSO client configures the TEP client application as a logon target, including the required credentials.
From the TAM E-SSO client, bring up the Logon Manager. One way to do this is to double-click the TAM E-SSO icon in the Windows system tray. Click "Add" to add a new SSO target. Choose the "itm" definition configured in the steps above. Enter the logon credentials for this application, as shown in Figure 8.
Figure 8. Configure the TEP client in the TAM E-SSO client
Now that the SSO target has been configured in the TAM E-SSO Logon Manager, the application can be launched to verify that single sign-on is achieved. Using the X server, open a connection to the UNIX/Linux server and start a new X terminal (xterm); the connection profile used is shown in Figure 9.
Figure 9. Connection profile for the TEP client machine
From the xterm, start the TEP client, as shown in Figure 10.
Figure 10. Launching the TEP client
The logon window for the TEP is displayed (Figure 11). TAM E-SSO identifies this logon window and auto-fills the "Logon ID" field from the credential data entered above.
Figure 11. TEP Logon
After successful authentication, the Tivoli Enterprise Portal operates exactly as if the user had authenticated manually. In Figure 12 below, notice that the username appears in the title bar of the TEP window.
Figure 12. Successful logon to TEP
Configuration and verification of the TAM E-SSO integration with the Tivoli Enterprise Portal is complete.
SSO to IBM DB2 Control Center
For authentication to the DB2 Control Center, username and password are required. Start by configuring the DB2 application on the TAM E-SSO Administrative Console. The configuration process is similar to what was performed above for the TEP client. Remember that the DB2 Control Center login form needs to be displayed when adding the target.
Figure 13. Configured DB2 application in the TAM E-SSO Administrative Console
Configure the DB2 application in the TAM E-SSO client. From the Logon Manager, choose "Add". Select the DB2 Control Center application. This time, a valid username and password in DB2 will be required, as shown in Figure 14. Enter the required credentials and click OK.
Figure 14. Configuring the DB2 Control Center application in the TAM E-SSO client.
Start an xterm on the machine where the DB2 Control Center is installed and launch the DB2 Control Center with the "db2cc" command.
Figure 15. Start the DB2 Client from the xterm
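Both the TEP client and the DB2 Control Center are started from an xterm and rendered on the Windows X server, so the keystrokes TAM E-SSO injects into their logon windows travel back to the UNIX/Linux host over the X connection. The following launcher is an added example, not part of the original article or of Xmanager, TAM E-SSO or the IBM products: it inspects the DISPLAY variable the xterm inherited and starts the X client (for example "db2cc") only when the display is local to the host, which is what an SSH-forwarded display looks like, unless the caller sets the hypothetical ALLOW_PLAINTEXT_X=1 to accept an unencrypted TCP X connection. The classification rules and the variable name are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to start an X client whose credentials would be typed
# over an unencrypted X connection. Not part of the original article.

# classify_display DISPLAY
# Prints one word and always returns 0:
#   local   - host part is empty, "unix" or a loopback address; this is what a
#             Unix-socket display or an SSH X11-forwarded display looks like
#   remote  - host part names another machine, so X traffic (including the
#             keystrokes TAM E-SSO sends) is plain TCP on the network
#   invalid - not a "host:display[.screen]" string
classify_display() {
    display=$1
    case "$display" in
        *:*) ;;                                   # must contain a ':' separator
        *)   echo invalid; return 0 ;;
    esac
    host=${display%%:*}                           # text before the first ':'
    number=${display#*:}                          # text after the first ':'
    case "$number" in
        ''|*[!0-9.]*) echo invalid; return 0 ;;   # display/screen must be digits
    esac
    case "$host" in
        ''|unix|localhost|127.0.0.1|::1) echo local ;;
        *) echo remote ;;
    esac
    return 0
}

# launch_x_client COMMAND [ARGS...]
# Starts COMMAND in the background when DISPLAY is local. For a remote DISPLAY
# it refuses (exit status 2) unless ALLOW_PLAINTEXT_X=1 (an assumed override
# for this example), and returns 1 when DISPLAY is unset or malformed.
launch_x_client() {
    kind=$(classify_display "${DISPLAY-}")
    case "$kind" in
        local)
            "$@" &
            return 0 ;;
        remote)
            if [ "${ALLOW_PLAINTEXT_X-0}" = 1 ]; then
                echo "warning: X traffic to $DISPLAY is unencrypted TCP" >&2
                "$@" &
                return 0
            fi
            echo "refusing to start $1: DISPLAY=$DISPLAY is a plain TCP X connection;" \
                 "use SSH X11 forwarding or set ALLOW_PLAINTEXT_X=1" >&2
            return 2 ;;
        *)
            echo "DISPLAY is not set or is not a valid X display name" >&2
            return 1 ;;
    esac
}

# Usage from the xterm, after sourcing this file:
#   launch_x_client db2cc
# With DISPLAY=localhost:10.0 (SSH-forwarded) the client starts; with
# DISPLAY=winpc.example.com:0.0 the launcher refuses unless ALLOW_PLAINTEXT_X=1.
```

The check is deliberately conservative: it cannot prove that a loopback display is really an SSH tunnel rather than some other local forwarder, but a DISPLAY that names a remote host is always unencrypted X over TCP, and that is the case worth blocking before TAM E-SSO types a password into the window.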
The TAM E-SSO client will identify the authentication window for the DB2 application and will retrieve the required credentials from its local credential cache. These credentials are then automatically provided to the DB2 logon window by the TAM E-SSO client as shown in Figure 16.
Figure 16. TAM E-SSO client will identify the DB2 authentication window
After TAM E-SSO logs the user into the DB2 Control Center, the DB2 Control Center works the same as if a user logged on manually (Figure 17).
Figure 17. DB2 Control Center
Extending this Solution
Provisioning SSO Credentials
The IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter (TAM E-SSO PA) allows an administrator to provision TAM E-SSO credential storage automatically from Tivoli Identity Manager (TIM). An administrator can add, modify and delete usernames and passwords for particular applications within the provisioning system and have the changes reflected in TAM E-SSO. From the provisioning system, all usernames and passwords held in TAM E-SSO can also be deleted, so that a user's access to all protected applications is removed in one step.
Figure 18 shows a screenshot from TAM E-SSO PA showing the SSO logon targets configured for the user "Administrator".
Figure 18. TAM E-SSO Provisioning Adapter logon targets.
Figure 19 shows how SSO logon credentials can be managed from TAM E-SSO PA. The screenshot shows how the TEP client credentials can be updated. Note that there is only a username shown.
Figure 19. Manage TEP client credentials
Figure 20 shows how the SSO logon credentials for DB2 Control Center can be managed. Notice that there are username and password fields this time, because this was the set of credential data identified when the SSO application was configured in the TAM E-SSO Administrative Console.
Figure 20. Manage DB2 Control Center credentials
Integration with other X servers
This solution approach could equally be applied with other X servers for Windows, such as Cygwin's X server, since TAM E-SSO only needs the X application's logon window to appear as a window on the Windows desktop.
Conclusion
TAM E-SSO provides flexible techniques for enterprise single sign-on, including client/server applications. Although the TAM E-SSO client software only runs on a Windows platform, this article explains how TAM E-SSO can be used in conjunction with an X server on Windows to achieve SSO with graphical applications running on a UNIX/Linux system.
About the authors
Jiang Peng is an Advisory IT Specialist in the Tivoli Technical Sales team in IBM China. Jiang Peng works with customers to design security solutions with Tivoli software within mainland China.
Fang Lin is an IT Specialist in IBM Software Group in China, focusing on Tivoli security products. Fang Lin supports customers and business partners as they build security solutions.
Neil Readshaw is a Senior Certified IT Specialist in the Tivoli Advanced Technology team. Based in the IBM Australia Development Lab, Neil works with customers to define solutions using the Tivoli Security software suite, and works in an enablement role with IBM Business Partners and the IBM technical sales team in the Asia Pacific region.