Use the iSeries Navigator to configure Enterprise Identity Mapping
(EIM) for use with the identity token connection factory.
Before you begin
For these steps, assume that your EIM controller, which is your
Lightweight Directory Access Protocol (LDAP) directory server, is your local
directory server and that it resides on the iSeries server that is being configured
for EIM. For detailed information about EIM, see Enterprise Identity Mapping.
You need the LDAP server
administrator distinguished name (DN) and password to perform this task.
Tip: A server can participate only in one EIM domain at a time. If your
server is already joined to an EIM domain and the domain is added to domain
management, use that domain, and skip to Create a source user registry
definition in EIM.
Procedure
- The identity token connection factory requires you to configure
an EIM domain.
Create a domain in EIM:
Note: Depending on the
setup of the machine, these steps might appear in a slightly different order.
This assumes that LDAP is already configured and the network authentication
service has not been configured.
- Make sure that the LDAP server is started. You can verify
the LDAP server administrator distinguished name (DN) and password. However,
be aware that the wizard stops the LDAP server later in this procedure.
- In iSeries Navigator, expand server_name > Network
> Enterprise Identity Mapping, where server_name is the name of
your iSeries server.
- Click Enterprise Identity Mapping.
- Right-click Configuration and select Configure to
start the EIM Configuration wizard.
Note: This option is labeled Reconfigure if
EIM has been previously configured on the system.
- On the Welcome page of the wizard, select Create and join
a new domain.
- Click Next.
- On the Specify EIM Domain Location page, select On the local
Directory server and then click Next.
- If the network authentication service has not been configured
on the system to set up a single sign-on environment, the Configure Network
Authentication Service page is displayed. Network Authentication Service is
not required for the EIM identity token connection factory. Select No and
then click Next.
- On the Specify User for Connection page, specify the distinguished
name and password for the LDAP administrator to ensure that the wizard has
enough authority to administer the EIM domain and the objects in it. Click Next.
Note: If you have not configured the local directory server before you
use the EIM Configuration wizard, the Configure Directory Server page displays
instead. Use this page to specify the distinguished name and password for
the LDAP administrator and continue with the next step in this procedure.
The LDAP distinguished name (DN) identifies the LDAP administrator for the
directory server. The EIM Configuration wizard creates this LDAP administrator
DN and uses it to configure the directory server as the domain controller
for the new domain that you are creating.
- On the Specify Domain page, provide the name of the EIM domain,
and click Next.
- On the Specify Parent DN for Domain page, select Yes to
specify a parent DN for the domain that you are creating, or specify No to
have EIM data stored in a directory location with a suffix whose name is derived
from the EIM domain name. Click Next.
- A message is displayed that indicates that you must stop the
LDAP server. Click Yes to continue.
- On the Registry Information page, select Local OS/400 and
then click Next.
- On the Specify EIM System User page, select Distinguished
name and password as the user type, provide the DN and password for the
directory server administrator, and optionally, verify the DN and password.
Click Next.
- In the Summary panel, review the configuration information that
you have provided. If all information is correct, click Finish.
- Add the domain to domain management:
- In iSeries Navigator, expand system_name > Network
> Enterprise Identity Mapping > Domain Management.
- Right-click Domain Management and then select Add
Domain.
- In the Add Domain dialog, specify the domain you created earlier
and click OK.
- Create a source user registry definition in EIM.
The identity token connection factory requires a source user registry
definition entry in EIM. The source user registry definition represents the
registry that WebSphere Application Server uses for authentication. This registry
can be a local OS registry or an LDAP registry.
- In iSeries Navigator, expand system_name > Network
> Enterprise Identity Mapping > Domain Management > domain_name >
User Registries.
- If you are prompted for the LDAP server password, provide the
password and click OK.
- Right-click User Registries and select Add Registry > System to
start the configuration wizard that adds the registry to your domain.
Provide the registry name and type. If your application server is
hosted on an iSeries server and configured to use the local OS user registry,
select OS/400 as the EIM user registry type. If your application server
is configured to use the LDAP user registry, enter LDAP - short name as
the EIM registry type.
Note: Prior to i5/OS V5R4, instead
of LDAP - short name use 1.3.18.0.2.33.14-caseIgnore. The
value 1.3.18.0.2.33.14-caseIgnore is the ObjectIdentifier-normalization
form of the user registry type (in the same OID arc as the OS/400 type,
1.3.18.0.2.33.9-caseIgnore, shown in the search output later in this topic),
and principals are identified by the LDAP short name attribute. The wizard
does not handle the descriptive name for this registry type.
- Click OK.
- Create a user identifier in EIM.
The identity token
connection factory requires a user identifier entry, which is equivalent to
an EIM identifier; in EIM, the user identifier entry represents the user of
the application.
- In iSeries Navigator, expand system > Network > Enterprise
Identity Mapping > Domain Management > domain > Identifiers.
- Right-click Identifiers, and select New Identifier.
- Enter an identifier name, such as your full name, and click OK.
- Create a target association in EIM for the user identifier.
A target association represents the user profile on the target iSeries
server for the identifier created earlier.
- In iSeries Navigator, expand system > Network > Enterprise
Identity Mapping > Domain Management > domain > Identifiers.
- Double-click the identifier that you created previously.
- Click the Associations tab.
- Click Add.
- Provide the i5/OS user profile for the EIM identifier in the
User field and click OK.
- Click OK to save the association.
- Create a source association in EIM for the user identifier.
A source association is used to authenticate to WebSphere Application
Server.
- In iSeries Navigator, expand system > Network > Enterprise
Identity Mapping > Domain Management > domain > Identifiers.
- Double-click the identifier that you created previously.
- Click the Associations tab.
- Click Add.
- Click Browse and select the WebSphere Application Server
user registry.
- Specify your WebSphere Application Server user ID, such as my_id.
- Select Source.
- Click OK to add the new association.
- Click OK to save the association.
- Optional: Test the connection to the EIM domain controller.
Use the idsldapsearch command to test the connection to the
EIM domain controller. For example, if the LDAP server is located on the my_server host,
the EIM domain name is My_EIM_Domain, and the source user registry
is WAS_Registry, the steps to test the connection are as follows:
- Log on to the iSeries server that hosts your WebSphere Application
Server profile.
- From a CL command line, specify QSH and press Enter.
- Specify the following command and press Enter:
idsldapsearch -h my_server -p 389 -D cn=administrator
-w secret -b "ibm-eimDomainName=My_EIM_Domain"
"ibm-eimRegistryName=WAS_Registry"
where:
- my_server is the name of the host server of the LDAP server.
- 389 is the port that is used by the LDAP server.
- cn=administrator is the LDAP DN of the LDAP administrator.
- secret is the LDAP administrator password. Because -w places it on
the command line, it is visible in the job log and to other users who list
processes; specify -w ? instead to be prompted for the password.
- ibm-eimDomainName=My_EIM_Domain is the LDAP DN of the EIM domain
name entry.
The previous lines display as multiple lines for illustrative
purposes only. Specify the command as one continuous line.
In this example,
no EIM domain parent name exists. If an EIM domain parent name did exist,
such as dc=myserver,dc=ibm,dc=com, the LDAP DN is ibm-eimDomainName=My_EIM_Domain,dc=myserver,dc=ibm,dc=com.
Results
The expected output looks similar to the following example:
ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimdomainname=My_EIM_Domain
objectclass=top
objectclass=ibm-eimRegistry
objectclass=ibm-eimSystemRegistry
ibm-eimRegistryName=WAS_Registry
ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
description=Example Registry for WebSphere Application Server
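The DN construction and the check of the search output described above, as an added Python example that is not part of the IBM page or the WebSphere product: it builds the domain and registry DNs with and without a parent DN, assembles the idsldapsearch argument list so that the administrator password is prompted for rather than typed on the command line, and validates a copy of the expected output. The host, port, bind DN, domain and registry names are the page's placeholders, and the sample outputs are constructed here, not captured from a server; the second sample shows how the check reports a registry whose RDN does not agree with its ibm-eimRegistryName attribute.

```python
"""Added example for the EIM connectivity test; not code from the IBM page
or from WebSphere.  All names (my_server, cn=administrator, My_EIM_Domain,
WAS_Registry) are the page's placeholders, and the sample search outputs
below are constructed for the example, not captured from a server."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


def eim_domain_dn(domain: str, parent_dn: Optional[str] = None) -> str:
    """DN of the EIM domain entry.  Without a parent DN the wizard stores the
    domain under a suffix derived from the domain name, so the DN is the bare
    RDN; with a parent DN the RDN is prefixed to it."""
    rdn = f"ibm-eimDomainName={domain}"
    return f"{rdn},{parent_dn}" if parent_dn else rdn


def eim_registry_dn(registry: str, domain_dn: str) -> str:
    """Registry definitions sit under cn=Registries beneath the domain entry."""
    return f"ibm-eimRegistryName={registry},cn=Registries,{domain_dn}"


def idsldapsearch_argv(host: str, port: int, bind_dn: str,
                       domain_dn: str, registry: str) -> List[str]:
    """Argument vector for the test search.  '-w ?' makes idsldapsearch prompt
    for the bind password instead of taking it from the command line, where it
    would appear in the job log and to anyone listing processes.  A list, not
    a shell string, so commas and spaces in DNs need no quoting."""
    return ["idsldapsearch", "-h", host, "-p", str(port), "-D", bind_dn,
            "-w", "?", "-b", domain_dn, f"ibm-eimRegistryName={registry}"]


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)  # keys lowercased


def parse_search_output(text: str) -> List[Entry]:
    """Parse idsldapsearch's default output: entries are separated by blank
    lines, the first line of an entry is its DN and the rest are attr=value."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current is not None:
                entries.append(current)
                current = None
            continue
        if current is None:
            current = Entry(dn=line)
            continue
        attr, sep, value = line.partition("=")
        if sep:
            current.attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def check_registry_entry(output: str, registry: str, domain_dn: str) -> List[str]:
    """Return the problems found ([] means the registry entry looks right):
    it must exist at the expected DN, have object class ibm-eimRegistry and a
    registry type, and its ibm-eimRegistryName attribute must match the RDN."""
    expected = eim_registry_dn(registry, domain_dn)
    entries = parse_search_output(output)
    hit = next((e for e in entries if e.dn.lower() == expected.lower()), None)
    if hit is None:
        # The name may exist under a differently spelled RDN (for example a
        # space instead of an underscore); report the DN actually returned.
        elsewhere = [e.dn for e in entries
                     if registry in e.attrs.get("ibm-eimregistryname", [])]
        if elsewhere:
            return [f"registry {registry} found at {elsewhere[0]}, expected {expected}"]
        return [f"no entry for {expected}"]
    problems: List[str] = []
    classes = {v.lower() for v in hit.attrs.get("objectclass", [])}
    if "ibm-eimregistry" not in classes:
        problems.append("entry lacks objectclass ibm-eimRegistry")
    if registry not in hit.attrs.get("ibm-eimregistryname", []):
        problems.append("ibm-eimRegistryName attribute does not match the RDN")
    if not hit.attrs.get("ibm-eimregistrytype"):
        problems.append("ibm-eimRegistryType is missing")
    return problems


# Constructed sample outputs (not captured from a server).
GOOD_OUTPUT = """\
ibm-eimRegistryName=WAS_Registry,cn=Registries,ibm-eimdomainname=My_EIM_Domain
objectclass=top
objectclass=ibm-eimRegistry
objectclass=ibm-eimSystemRegistry
ibm-eimRegistryName=WAS_Registry
ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
description=Example Registry for WebSphere Application Server
"""

# Same entry, but the RDN was typed with a space: the check reports it.
MISMATCHED_OUTPUT = GOOD_OUTPUT.replace(
    "ibm-eimRegistryName=WAS_Registry,cn=", "ibm-eimRegistryName=WAS Registry,cn=", 1)

if __name__ == "__main__":
    domain_dn = eim_domain_dn("My_EIM_Domain")  # no parent DN, as on the page
    print(" ".join(idsldapsearch_argv("my_server", 389, "cn=administrator",
                                      domain_dn, "WAS_Registry")))
    print("good:", check_registry_entry(GOOD_OUTPUT, "WAS_Registry", domain_dn))
    print("bad: ", check_registry_entry(MISMATCHED_OUTPUT, "WAS_Registry", domain_dn))
```

Run the printed command on the iSeries server from QSH (it prompts for the administrator password), then feed its output to check_registry_entry; a non-empty list means the registry definition does not match what the identity token connection factory will look up. DN comparison is case-insensitive, which matches the lowercase ibm-eimdomainname the server echoes in the expected output.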