Scenario: Propagating network authentication service and EIM across multiple systems

This scenario demonstrates how to use the Synchronize Functions wizard in System i® Navigator to propagate a single sign-on configuration across multiple systems in a mixed IBM® i release environment. Administrators can save time by configuring single sign-on once and propagating that configuration to all of their systems, instead of configuring each system individually.

Situation

You are a network administrator for a large auto parts manufacturer. You manage five systems with System i Navigator. One system operates as the central system, which stores data and manages the endpoint systems. You have read about the benefits of single sign-on and you want to configure a single sign-on environment for your enterprise. You have just completed the process of setting up a test environment on one system and you want to extend your single sign-on environment throughout the enterprise. You have four other servers to configure and you want to find a way to configure them as efficiently as possible.

You know that System i Navigator provides the Synchronize Functions wizard that allows you to copy the single sign-on configuration from one system and apply it to other IBM i systems. This eliminates the need to configure each system separately.

This scenario has the following advantages:
  • Simplifies the task of configuring network authentication service and EIM on multiple systems to create a single sign-on environment.
  • Saves you time and effort as you use a single wizard to copy and apply one manual configuration to a number of other servers.

Objectives

As the network administrator for MyCo, Inc., you want to create a single sign-on environment for your enterprise in which all your servers will participate and you want to configure your servers as quickly and easily as possible.

The objectives of this scenario are as follows:
  • System A has existing network authentication service and EIM configurations from when it was set up to create a test environment. Consequently, System A must be used as the model system for propagating these configurations to the endpoint systems, System B and System C.
  • All of the systems will be configured to join the same EIM domain and must use the same Kerberos server and the same domain controller.
    Note: Refer to Domains to learn how two types of domains, an EIM domain and a Windows domain, both fit into the single sign-on environment.

Details

The following figure illustrates the network environment for this scenario. System D, shown in the graphic, is not used in this scenario.

Propagate single sign-on across multiple systems diagram

The figure illustrates the following points relevant to this scenario.

Windows server

  • Acts as the Kerberos server, also known as the key distribution center (KDC), for the network.
  • All users are registered with the Kerberos server on the Windows server.

System MC1 - Central system

  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers
    • IBM i Access for Windows
  • Stores, schedules, and runs synchronize functions for each of the endpoint systems.
  • Is configured for network authentication service and EIM.

System A - Model system

Note: The model system should be configured similarly to the system identified as System A in the Scenario: Creating a single sign-on test environment scenario. Refer to this scenario to ensure that all of the single sign-on configuration tasks on the model system are completed and verified.
  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers
    • IBM i Access for Windows
  • Is configured for network authentication service and EIM.
  • Is the model system from which the network authentication service and EIM configurations are propagated to the target systems.

System B

  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers
    • IBM i Access for Windows
  • Is one of the target systems for the propagation of network authentication service and EIM configurations.

System C

  • Runs IBM i 5.4, or later, with the following options and licensed programs installed:
    • IBM i Host Servers
    • IBM i Access for Windows
  • Is one of the target systems for the propagation of network authentication service and EIM configurations.

Administrator's PC

  • Runs IBM i Access for Windows
  • Runs System i Navigator 5.4, or later, with the following subcomponents:
    Note: Only required for the PC used to administer network authentication service.
    • Network
    • Security

Prerequisites and assumptions

Successful implementation of this scenario requires that the following assumptions and prerequisites are met:

System MC1 - Central system prerequisites

  1. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, complete the following:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup is complete.
  3. TCP/IP and basic system security are configured and tested.
  4. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
    Note: When you propagate the network authentication service configuration among servers, sensitive information such as passwords is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

System A - Model system prerequisites

Note: This scenario assumes that System A is properly configured for single sign-on. Refer to the Scenario: Creating a single sign-on test environment scenario to ensure that all of the single sign-on configuration tasks on the model system are completed and verified.
  1. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, complete the following:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup is complete.
  3. TCP/IP and basic system security are configured and tested.
  4. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
    Note: When you propagate the network authentication service configuration among servers, sensitive information such as passwords is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

System B and System C - Endpoint systems prerequisites

  1. All system requirements, including software and operating system installation, have been verified.
    To verify that these licensed programs have been installed, complete the following:
    1. In System i Navigator, expand your system > Configuration and Service > Software > Installed Products.
    2. Ensure that all the necessary licensed programs are installed.
  2. All necessary hardware planning and setup is complete.
  3. TCP/IP and basic system security are configured and tested.
  4. Secure Sockets Layer (SSL) has been configured to protect the transmission of data between these servers.
    Note: When you propagate the network authentication service configuration among servers, sensitive information such as passwords is sent across the network. You should use SSL to protect this information, especially if it is being sent outside your local area network (LAN). See Scenario: Secure all connections to your Management Central server with SSL for details.

Windows server prerequisites

  1. All necessary hardware planning and setup have been completed.
  2. TCP/IP has been configured and tested on the server.
  3. The Windows domain has been configured and tested.
  4. All users within your network have been added to the Kerberos server.

Configuration steps

To propagate the network authentication service and EIM configurations from the model system, System A, to the endpoint systems, System B and System C, you must complete the following tasks:
Note: You need to understand the concepts related to single sign-on, which include network authentication service and Enterprise Identity Mapping (EIM) concepts, before you implement this scenario. See the following information to learn about the terms and concepts related to single sign-on: