Use the iSeries Navigator to configure
Enterprise Identity Mapping (EIM) for use with the identity token
connection factory.
Before you begin
For these steps, assume that your EIM domain controller, which
is your Lightweight Directory Access Protocol (LDAP) directory server,
is the local directory server and that it resides on the iSeries server
that is being configured for EIM. For detailed information about EIM,
see Enterprise Identity Mapping.
You
need the LDAP server administrator distinguished name (DN) and password
to perform this task.
Tip: A server can participate
only in one EIM domain at a time. If your server is already joined
to an EIM domain and the domain is added to domain management, use
that domain, and skip to
Create
a source user registry definition in EIM.
Procedure
- The identity token connection factory requires you to configure
an EIM domain.
Create a domain in EIM:
Note: Depending
on the setup of the machine, these steps might appear in a slightly
different order. This assumes that LDAP is already configured and
the network authentication service has not been configured.
- Make sure that the LDAP server is started.
You can use it to verify the LDAP server administrator distinguished
name (DN) and password now. Be aware, however, that the wizard stops
the LDAP server later on.
- In iSeries Navigator, expand server_name >
Network > Enterprise Identity Mapping, where server_name is
the name of your iSeries server.
- Click Enterprise Identity Mapping.
- Right-click Configuration and select Configure to
start the EIM Configuration wizard.
Note: This option
is labeled Reconfigure if EIM has been previously configured
on the system.
- On the Welcome page of the wizard, select Create
and join a new domain.
- Click Next.
- On the Specify EIM Domain Location page, select On
the local Directory server and then click Next.
- If the network authentication service has not been configured
on the system to set up a single sign-on environment, the Configure
Network Authentication Service page is displayed. Network Authentication
Service is not required for the EIM identity token connection factory.
Select No and then click Next.
- On the Specify User for Connection page, specify the
distinguished name and password for the LDAP administrator to ensure
that the wizard has enough authority to administer the EIM domain
and the objects in it. Click Next.
Note: If you
have not configured the local directory server before you use the
EIM Configuration wizard, the Configure Directory Server page displays
instead. Use this page to specify the distinguished name and password
for the LDAP administrator and continue with the next step in this
procedure. The LDAP distinguished name (DN) identifies the LDAP administrator
for the directory server. The EIM Configuration wizard creates this
LDAP administrator DN and uses it to configure the directory server
as the domain controller for the new domain that you are creating.
- On the Specify Domain page, provide the name of the
EIM domain, and click Next.
- On the Specify Parent DN for Domain page, select Yes to
specify a parent DN for the domain that you are creating, or specify No to
have EIM data stored in a directory location with a suffix whose name
is derived from the EIM domain name. Click Next.
- A message is displayed that indicates that you must
stop the LDAP server. Click Yes to continue.
- On the Registry Information page, select Local OS/400 and
then click Next.
- On the Specify EIM System User page, select Distinguished
name and password as the user type, provide the DN and password
for the directory server administrator, and optionally, verify the
DN and password. Click Next.
- In the Summary panel, review the configuration information
that you have provided. If all information is correct, click Finish.
- Add the domain to domain management:
- In iSeries Navigator, expand system_name >
Network > Enterprise Identity Mapping > Domain Management.
- Right-click Domain Management and then select Add
Domain.
- In the Add Domain dialog, specify the domain you created
earlier and click OK.
- Create a source user registry definition in EIM.
The identity token connection factory requires a source user
registry definition entry in EIM. The source user registry definition
represents the registry that WebSphere® Application Server
uses for authentication. This registry can be a local OS registry
or an LDAP registry.
- In iSeries Navigator, expand system_name >
Network > Enterprise Identity Mapping > Domain Management > domain_name >
User Registries.
- If you are prompted for the LDAP server password, provide
the password and click OK.
- Right-click User Registries and select Add
Registry > System to start the configuration wizard that
adds the registry to your domain.
Provide the registry
name and type. If your application server is hosted on an iSeries server
and configured to use the local OS user registry, select OS/400 as
the EIM user registry type. If your application server is configured
to use the LDAP user registry, enter LDAP - short name as
the EIM registry type.
Note: Prior to IBM i
V5R4, instead of LDAP - short name use 1.3.18.0.2.33.14-caseIgnore.
The value 1.3.18.0.2.33.14-caseIgnore is the ObjectIdentifier-normalization
form of the user registry type; the -caseIgnore suffix means that principals
are identified by the LDAP short name attribute and compared without regard
to case. The wizard does not handle the descriptive
name for this registry type.
- Click OK.
- Create a user identifier in EIM.
The identity
token connection factory requires a user identifier entry, which is
equivalent to an EIM identifier; in EIM, the user identifier entry
represents the person using the application. Identifier names must be
unique within the domain.
- In iSeries Navigator, expand system >
Network > Enterprise Identity Mapping > Domain Management > domain >
Identifiers.
- Right-click Identifiers, and select New Identifier.
- Enter an identifier name, such as your full name, and
click OK.
- Create a target association in EIM for the user identifier.
A target association represents the user profile on the target iSeries server
for the identifier created earlier.
- In iSeries Navigator, expand system >
Network > Enterprise Identity Mapping > Domain Management > domain >
Identifiers.
- Double-click the identifier that you created previously.
- Click the Associations tab.
- Click Add.
- Provide the IBM i user profile for the EIM identifier
in the User field and click OK.
- Click OK to save the association.
- Create a source association in EIM for the user identifier.
A source association represents the user ID in the WebSphere Application Server
user registry that the user authenticates with. At run time, EIM looks up
this source identity, follows it to the identifier, and returns the user
profile named by the identifier's target association.
- In iSeries Navigator, expand system >
Network > Enterprise Identity Mapping > Domain Management > domain >
Identifiers.
- Double-click the identifier that you created previously.
- Click the Associations tab.
- Click Add.
- Click Browse and select the WebSphere Application
Server user registry.
- Specify your WebSphere Application Server
user ID, such as my_id.
- Select Source.
- Click OK to add the new association.
- Click OK to save the association.
- Optional: Test the connection to the EIM domain
controller.
Use the idsldapsearch command to
test the connection to the EIM domain controller. For example, if
the LDAP server is located on the my_server host, the EIM
domain name is My_EIM_Domain, and the source user registry
is WAS_Registry, the steps to test the connection are as
follows:
- Log on to the iSeries server that hosts your WebSphere Application Server profile.
- From a CL command line, specify QSH and press
Enter.
- Specify the following command as one continuous line and press Enter:
idsldapsearch -h my_server -p 389 -D cn=administrator -w secret -b "ibm-eimDomainName=My_EIM_Domain" "ibm-eimRegistryName=WAS_Registry"
where:
- my_server is the host name of the LDAP server.
- 389 is the port that is used by the LDAP server.
- cn=administrator is the LDAP DN of the LDAP administrator.
- secret is the LDAP administrator password.
- ibm-eimDomainName=My_EIM_Domain is the LDAP DN of the
EIM domain entry, used as the search base.
- ibm-eimRegistryName=WAS_Registry is the search filter that selects
the source user registry definition you created.
Note: A password typed on the command line can be recorded in the
QSH command history and in the job log, and a bind over port 389 without
TLS sends it across the network in clear text. On a shared or production
system, prefer having the command prompt for the password and use a
TLS-protected LDAP port if the directory server offers one.
In this example, no parent DN was specified for the EIM domain. If
a parent DN was specified, such as dc=myserver,dc=ibm,dc=com,
the LDAP DN of the domain entry is ibm-eimDomainName=My_EIM_Domain,dc=myserver,dc=ibm,dc=com,
and that DN must be used as the search base.
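The objects created in steps 3 to 6 (a source user registry, an identifier, a target association and a source association) only make sense together, because the identity token connection factory depends on the lookup that joins them. The following in-memory model is an added example, not IBM code and not how EIM stores its data (EIM keeps these objects in LDAP and also supports policy associations, which this model omits). It shows the lookup path source identity, identifier, target user profile, and the failure modes a practitioner runs into: no source association, an identifier with no target association for the requested registry, and one source identity claimed by two identifiers. The registry names, user names and the OS/400 type OID below are assumptions for illustration.

```python
"""In-memory model of EIM identifier associations and the lookup over them.
Added example, not IBM code. Registry names, user names and the OS/400
registry type OID are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LDAP_SHORT_NAME = "1.3.18.0.2.33.14-caseIgnore"   # type quoted on the page
OS400 = "1.3.18.0.2.33.2-caseIgnore"              # assumed OS/400 type OID


@dataclass
class Registry:
    name: str
    reg_type: str

    def key(self, user: str) -> str:
        """Normalize a user name for comparison. The -caseIgnore/-caseExact
        suffix of the OID-normalized registry type decides case handling."""
        return user.lower() if self.reg_type.endswith("-caseIgnore") else user


@dataclass
class EimDomain:
    name: str
    registries: Dict[str, Registry] = field(default_factory=dict)
    identifiers: Set[str] = field(default_factory=set)
    # (registry, normalized user) -> identifiers holding a source association
    sources: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # (identifier, registry) -> user profile named by the target association
    targets: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add_registry(self, name: str, reg_type: str) -> None:
        self.registries[name] = Registry(name, reg_type)

    def add_identifier(self, name: str) -> None:
        # Identifier names are unique within a domain.
        if name in self.identifiers:
            raise ValueError(f"identifier {name!r} already exists")
        self.identifiers.add(name)

    def _check(self, identifier: str, registry: str) -> Registry:
        if identifier not in self.identifiers:
            raise KeyError(f"unknown identifier {identifier!r}")
        if registry not in self.registries:
            raise KeyError(f"unknown registry {registry!r}")
        return self.registries[registry]

    def add_source_association(self, identifier: str, registry: str, user: str) -> None:
        reg = self._check(identifier, registry)
        self.sources.setdefault((registry, reg.key(user)), set()).add(identifier)

    def add_target_association(self, identifier: str, registry: str, user: str) -> None:
        self._check(identifier, registry)
        self.targets[(identifier, registry)] = user

    def lookup(self, source_registry: str, source_user: str,
               target_registry: str) -> Tuple[Optional[str], str]:
        """Map a user authenticated in source_registry to a user in target_registry.
        Returns (user, status); user is None unless status is 'ok'. The lookup
        refuses to guess when the source identity maps to several identifiers."""
        reg = self.registries.get(source_registry)
        if reg is None or target_registry not in self.registries:
            return None, "unknown-registry"
        ids = self.sources.get((source_registry, reg.key(source_user)), set())
        if not ids:
            return None, "no-source"
        if len(ids) > 1:
            return None, "ambiguous"
        (identifier,) = ids
        target = self.targets.get((identifier, target_registry))
        if target is None:
            return None, "no-target"
        return target, "ok"


def build_example_domain() -> EimDomain:
    """Reproduce the objects the procedure creates, with assumed names."""
    d = EimDomain("My_EIM_Domain")
    d.add_registry("WAS_Registry", LDAP_SHORT_NAME)  # source: WebSphere user registry
    d.add_registry("MYSYSTEM", OS400)                # target: local OS/400 registry (assumed name)
    d.add_identifier("Jane Doe")
    d.add_target_association("Jane Doe", "MYSYSTEM", "JDOE")
    d.add_source_association("Jane Doe", "WAS_Registry", "my_id")
    return d


if __name__ == "__main__":
    domain = build_example_domain()
    print(domain.lookup("WAS_Registry", "my_id", "MYSYSTEM"))
```

Because both registries in the example are caseIgnore types, the same user signing in as MY_ID still maps to JDOE; a caseExact registry type would not. The ambiguous case is worth watching for in real domains: it appears when two identifiers are given a source association for the same user in the same registry, and the mapping silently stops working for that user.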
Results
The expected output looks similar to the following example:
ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimDomainName=My_EIM_Domain
objectclass=top
objectclass=ibm-eimRegistry
objectclass=ibm-eimSystemRegistry
ibm-eimRegistryName=WAS_Registry
ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
description=Example Registry for WebSphere Application Server
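Reading the search output by eye works for one registry; when the check is repeated (for example after a reconfiguration, or across several systems that join the same domain) it helps to verify the result mechanically. The script below is an added example, not part of the IBM page or product. It assumes you run the idsldapsearch command separately and feed its output to the script on standard input; it builds the expected domain and registry DNs (with or without a parent DN), parses either the default attr=value output or the LDIF form, and reports whether the registry entry is present with the expected object classes, name and registry type. The sample output embedded in the script is constructed to mirror the expected result above for a registry of type LDAP - short name.

```python
"""Check idsldapsearch output for an EIM user registry definition.
Added example, not IBM code. The sample output below is constructed,
not captured from a real server."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# OID-normalized registry type for "LDAP - short name", as quoted on the page.
LDAP_SHORT_NAME_TYPE = "1.3.18.0.2.33.14-caseIgnore"


def eim_domain_dn(domain: str, parent_dn: Optional[str] = None) -> str:
    """DN of the EIM domain entry; appended to the parent DN if one was chosen
    on the 'Specify Parent DN for Domain' wizard page."""
    dn = f"ibm-eimDomainName={domain}"
    return f"{dn},{parent_dn}" if parent_dn else dn


def registry_dn(registry: str, domain: str, parent_dn: Optional[str] = None) -> str:
    """DN of a user registry definition under the domain's cn=Registries container."""
    return f"ibm-eimRegistryName={registry},cn=Registries,{eim_domain_dn(domain, parent_dn)}"


def _norm_dn(dn: str) -> str:
    # DNs compare case-insensitively; drop whitespace around RDN separators.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_search_output(text: str) -> List[Entry]:
    """Split search output into entries keyed by lower-cased attribute name.
    Entries are separated by blank lines; the first line is the DN, either bare
    (idsldapsearch default) or prefixed with 'dn:' (LDIF output)."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        first = lines[0].strip()
        dn = first[3:].strip() if first.lower().startswith("dn:") else first
        entry: Entry = {"dn": [dn]}
        for line in lines[1:]:
            m = re.match(r"^\s*([A-Za-z][\w.;-]*)\s*[:=]\s*(.*?)\s*$", line)
            if m:
                entry.setdefault(m.group(1).lower(), []).append(m.group(2))
        entries.append(entry)
    return entries


def verify_registry(text: str, registry: str, domain: str,
                    parent_dn: Optional[str] = None,
                    expected_type: Optional[str] = None) -> Dict[str, object]:
    """Report whether the output contains the expected registry definition.
    Returns {'ok': bool, 'problems': [...], 'type': registry type or None}."""
    problems: List[str] = []
    wanted = _norm_dn(registry_dn(registry, domain, parent_dn))
    match = next((e for e in parse_search_output(text)
                  if _norm_dn(e["dn"][0]) == wanted), None)
    if match is None:
        problems.append(f"no entry with DN {registry_dn(registry, domain, parent_dn)}")
        return {"ok": False, "problems": problems, "type": None}
    classes = {c.lower() for c in match.get("objectclass", [])}
    if "ibm-eimregistry" not in classes:
        problems.append("entry lacks objectclass ibm-eimRegistry")
    names = match.get("ibm-eimregistryname", [])
    if names != [registry]:
        problems.append(f"ibm-eimRegistryName is {names}, expected [{registry!r}]")
    rtypes = match.get("ibm-eimregistrytype", [])
    rtype = rtypes[0] if rtypes else None
    if rtype is None:
        problems.append("ibm-eimRegistryType is missing")
    elif expected_type and rtype != expected_type:
        problems.append(f"ibm-eimRegistryType is {rtype}, expected {expected_type}")
    return {"ok": not problems, "problems": problems, "type": rtype}


# Constructed sample in idsldapsearch's default attr=value style (not real output).
SAMPLE_OUTPUT = """\
ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimDomainName=My_EIM_Domain
objectclass=top
objectclass=ibm-eimRegistry
objectclass=ibm-eimSystemRegistry
ibm-eimRegistryName=WAS_Registry
ibm-eimRegistryType=1.3.18.0.2.33.14-caseIgnore
description=Example Registry for WebSphere Application Server
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = verify_registry(text, "WAS_Registry", "My_EIM_Domain",
                             expected_type=LDAP_SHORT_NAME_TYPE)
    print("OK" if result["ok"] else "PROBLEMS: " + "; ".join(result["problems"]))
```

Pipe the real search output into the script (for example, `idsldapsearch ... | python3 check_eim_registry.py`, with the script name being an assumption); with no input it checks the embedded sample. If the domain was created with a parent DN, pass it as parent_dn, since an entry under ibm-eimDomainName=My_EIM_Domain alone will then not be found and the script says so rather than matching loosely.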