Page 1: Single Sign On (SSO) Overview

Single Sign On (SSO) Overview for IBM i

Robert D. Andrews
Senior Managing Security Consultant
Team Lead, IBM i Security and Authentication Lab Services
[email protected] +1.507.253.4205

Page 2: Single Sign On (SSO) Overview

IBM i Security / © 2021 IBM Corporation

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Page 3: Single Sign On (SSO) Overview

Certifications

Page 4: Single Sign On (SSO) Overview

Table of contents / Agenda

Single Sign On Overview

Simplified Setup Steps

Considerations and Curveballs

Asking about Assistance

Page 5: Single Sign On (SSO) Overview

Overview


Page 6: Single Sign On (SSO) Overview

Single Sign On

With a growing number of diverse systems, it is difficult for users to maintain different, secure passwords in all environments without succumbing to bad, insecure password habits

By implementing single sign on, the goal is to reduce the number of systems that contain passwords in their user registries

– In essence, a better term would be “Single Password Repository”

The primary system verifies identity and then securely grants permission to other services in the environment

– Single password and user management repository

– This overall system and its methods are known as Kerberos Authentication, which was mainly designed at MIT starting in the 1980s

Page 7: Single Sign On (SSO) Overview

Who Can Use Single Sign On

Not all system services support single sign on

Therefore, as part of the planning phase, it may be determined that single sign on will not cover all the needs and is not a viable solution, and would in fact only complicate the setup

On IBM i:

– IBM i Host Servers

– Telnet server *

– Apache HTTP Server

– Open Database Connectivity (ODBC)

– Java™ Database Connectivity (JDBC)

– Distributed Relational Database Architecture™ (DRDA®) *

– QFileSrv.400

– NetServer

– NFS

– FTP server *

* Requires a client that supports Kerberos

Page 8: Single Sign On (SSO) Overview

General Single Sign On Flow

User logs in to the PC using their Windows Domain credentials, which are verified with Active Directory serving as the Authentication Service (AS) on the Key Distribution Center (KDC)

Active Directory verifies the user’s rights and status and then sends them a digitally signed master ticket known as a Ticket Granting Ticket (TGT)

User on the PC requests a service such as Telnet on IBM i by sending the TGT and the request to the Ticket Granting Service (TGS), usually also on the KDC

The TGS returns to the PC a digitally signed Service Ticket (ST) for that particular service

The PC connects to the service and sends the ST, which decodes to show the user’s Windows identity

– IBM i goes one step further to map the Windows User Identity to an IBM i User Profile via EIM

Page 9: Single Sign On (SSO) Overview

Part 1 & 2 TGT Request and Receive

Diagram: Active Directory Authentication Service – KDC lives here – DOMAIN.COM

• Mary Jones logs into her PC workstation in the morning.

• This triggers a request to the AD domain controller KDC for a Ticket Granting Ticket.

• The KDC sends back a TGT encrypted with Mary’s password.

1. Can I have a TGT?

2. Yes, here’s the TGT ticket.

Fun Fact: The TGT is encrypted using Mary’s Windows password. The PC then makes sure it can decrypt it, verifying the user entered the correct password without ever sending the password over the network!

Page 10: Single Sign On (SSO) Overview

Part 3 & 4 Service Ticket Request and Receive

Diagram: Active Directory Ticket Granting Service

• Mary opens the PC5250 client to log on to SYSTEM_A

• PC5250 client is configured for Kerberos, so her PC sends a request for a service ticket

3. Here’s my TGT, can I have a service ticket for SYSTEM_A’s telnet service?

4. SYSTEM_A’s telnet is a registered service principal – here’s your service ticket packet

Fun Fact: The Service Principal for SYSTEM_A’s telnet service is an Active Directory User Account. This user account’s password serves as the shared secret between the TGS and Service and is used to digitally sign the service ticket!

Page 11: Single Sign On (SSO) Overview

Part 5 Unpack the subsession key

Diagram of the returned service ticket packet: the outer part is encrypted with Mary’s Windows password; the inner service ticket is encrypted with the keytab password / shared secret and carries “My name on the Windows domain DOMAIN.COM is Mary_Jones”.

Page 12: Single Sign On (SSO) Overview

Part 6 & 7 Service Ticket and Processing

Diagram: Telnet client -> SYSTEM_A

• Telnet client gives the telnet server on SYSTEM_A the service ticket

• Telnet server accepts, but needs to know what user profile Mary is on IBM i

Telnet client: Here’s the service ticket.

SYSTEM_A: OK, I got the subsession key by decrypting it with the keytab password. What user profile are you? It says you’re Mary_Jones on Windows.

Page 13: Single Sign On (SSO) Overview

Part 8 & 9 EIM Lookup

Diagram: SYSTEM_A -> EIM Domain Controller – LDAP Lookup

• EIM lookup happens on the EIM Domain Controller

• The domain controller is told that user Mary_Jones on registry DOMAIN.COM is looking for a user profile name on registry SYSTEM_A.DOMAIN.COM

• It returns the user profile name MJONES on IBM i

SYSTEM_A: EIM lookup, who’s Mary_Jones on Windows?

EIM: She’s MJONES on IBM i

Page 14: Single Sign On (SSO) Overview

Part 10 Connected!

Diagram: Telnet client -> SYSTEM_A

MJONES job started, no sign on screen!
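The ten steps on slides 9 through 14, as an added toy model that is not part of this deck or of IBM's code: ticket sealing is a simple HMAC-based encrypt-then-MAC standing in for Kerberos encryption, and the realm, user, password, service principal and EIM entries are constructed. It shows the three checks the slides describe: the PC proving it knows the password by decrypting the AS reply locally, SYSTEM_A decoding the service ticket with its keytab key, and the EIM lookup that turns Mary_Jones into MJONES.

```python
"""Toy walk-through of the SSO flow on slides 9-14 (added illustration, not IBM code).
Tickets are sealed with an HMAC-based encrypt-then-MAC construction; this stands in
for Kerberos AES/HMAC and is NOT real Kerberos, but the trust relationships match."""
import hashlib, hmac, json, os, secrets

SALT = b"DOMAIN.COM"  # constructed realm name, used as the string-to-key salt

def key_from_password(password):  # stand-in for Kerberos string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def _stream(key, nonce, n):  # HMAC in counter mode, used as a keystream
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, payload):  # nonce || ciphertext || tag
    nonce, data = os.urandom(16), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # None when the key is wrong, like a failed ticket decrypt
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:  # Active Directory: Authentication Service + Ticket Granting Service
    def __init__(self, users, service_accounts):
        self.users = {u: key_from_password(p) for u, p in users.items()}
        self.services = {s: key_from_password(p) for s, p in service_accounts.items()}
        self.krbtgt = secrets.token_bytes(32)  # TGT key, never leaves the KDC
    def as_exchange(self, user):  # steps 1-2: reply sealed with the user's key
        tgt = seal(self.krbtgt, {"user": user})
        return seal(self.users[user], {"tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, spn):  # steps 3-4: ST sealed with the service key
        tgt = unseal(self.krbtgt, bytes.fromhex(tgt_hex))
        if tgt is None or spn not in self.services:
            return None
        return seal(self.services[spn], {"user": tgt["user"], "subkey": secrets.token_hex(16)})

def pc_logon(kdc, user, password):  # the password never leaves the PC
    rep = unseal(key_from_password(password), kdc.as_exchange(user))
    return None if rep is None else rep["tgt"]  # None = wrong password

def ibm_i_accept(keytab, eim, spn, st_blob, target="SYSTEM_A.DOMAIN.COM"):
    st = unseal(keytab[spn], st_blob)  # steps 6-7: keytab password is the shared secret
    if st is None:
        return None
    return eim.get(("DOMAIN.COM", st["user"]), {}).get(target)  # steps 8-9: EIM lookup

def run_flow(password, keytab_password="svc-secret"):
    """Returns the IBM i profile the session starts as, or None if any step fails."""
    spn = "krbsvr400/system_a.domain.com"  # constructed service principal
    kdc = KDC({"Mary_Jones": "correct horse"}, {spn: "svc-secret"})
    keytab = {spn: key_from_password(keytab_password)}  # SYSTEM_A's keytab
    eim = {("DOMAIN.COM", "Mary_Jones"): {"SYSTEM_A.DOMAIN.COM": "MJONES"}}
    tgt = pc_logon(kdc, "Mary_Jones", password)
    if tgt is None:
        return None
    st = kdc.tgs_exchange(tgt, spn)
    return None if st is None else ibm_i_accept(keytab, eim, spn, st)
```

A stale keytab (the AD service account password changed without regenerating the keytab) fails at step 7 in exactly the same way as a wrong user password fails at step 2.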

Page 15: Single Sign On (SSO) Overview

Simplified Setup Steps


Page 16: Single Sign On (SSO) Overview

Prerequisites

Need to have a central user repository to serve as the Key Distribution Center (KDC)

– For most enterprises, this is an existing Windows Active Directory domain controller

Require at least one forward DNS (A or CNAME) entry for the primary IP address of the system

– May have multiple forward DNS entries and may have multiple IP addresses

– See the Considerations section for the additional complexities each of these introduces

Require one and only one reverse DNS (PTR) entry for the primary IP address of the system

– Require one and only one reverse DNS entry for each additional IP address chosen to be used

IBM Navigator for i is installed on the system (http://system:2001)

The QRMTSIGN system value must be set to *VERIFY, not *FRCSIGNON

Have available or set the IBM i LDAP server administrator (cn=Administrator) user’s password

Page 17: Single Sign On (SSO) Overview

Network Authentication Services Setup

Run the Network Authentication Services (NAS) wizard in IBM Navigator for i to provide:

– Active Directory Realm name and server IP address

– Which services to Kerberos enable

• Telnet

• LDAP

• HTTP Server

• NetServer

• NFS

– Shared secret password for digital signatures

• Needs to follow the rules of the Active Directory user account password requirements with regard to length and complexity

Will generate a script file to be run on the Active Directory domain controller

Set NAS to use TCP instead of UDP

Page 18: Single Sign On (SSO) Overview

Active Directory Setup

On the Active Directory domain controller, run the file generated by the wizard

– Creates matching user accounts and registers the various service principals

Modify each user account created to:

– Non expiring password (if possible – these are machine to machine limited accounts)

– Remove DES encryption – too weak to be trusted

– Turn on AES 256 encryption – new standard

– Trust each account for Kerberos Delegation

Page 19: Single Sign On (SSO) Overview

Enterprise Identity Mapping Setup

Run the Enterprise Identity Mapping (EIM) wizard in IBM Navigator for i to provide:

– Location of the LDAP server – by default use a local LDAP server

– LDAP administrator credentials – cn=administrator and its password

– User repository names for Active Directory and IBM i – should be pre-filled in

Create one or more EIM Identifiers with at least one source association and at least one target association

– Needed for each user that will use a Kerberos enabled connection

– Only have one target entry per IBM i User Registry name

– IBM Lab Services has tools available to bulk load existing user populations

• And keep them up to date automatically by tying into the create and delete user profile commands

Page 20: Single Sign On (SSO) Overview

Client PC Setup

On each client PC, each service to be Kerberos enabled must be selected

If using IBM i Access Client Solutions or IBM Personal Communications, each connection will need to be updated, including checking the bypass sign on option

– For ODBC, this needs to be set in the ODBC Settings

For others, like mapped drives, unmap and remap without providing additional credentials

– Note: NetServer must be configured to accept Network (Kerberos) authentication before it will work

Page 21: Single Sign On (SSO) Overview

Considerations and Curveballs


Page 22: Single Sign On (SSO) Overview

Considerations and Curveballs

For a single IBM i and single Active Directory, the setup is very simple

However, most corporate environments are not simple

In addition, we have the need for redundancy in case of system outages

Page 23: Single Sign On (SSO) Overview

Active Directory Issues

Most Active Directory environments do not have a single domain controller

– A single domain controller would be a major single point of failure if it went down

Multiple Active Directory servers should be clustered behind a single DNS entry

– AD.mycomp.com points to several physical servers in round robin fashion

OR the IBM i allows for up to four DNS names to be tried in order, allowing for outages

Some companies split their Active Directory into multiple realms (i.e. Corp vs. Manufacturing or West Coast vs. East Coast)

– Can use cross realm trust and authentication if there is a need to cross AD realm boundaries

Page 24: Single Sign On (SSO) Overview

IBM i Issues

If you use logical replication (Mimix, iTera, etc), there needs to be consideration for hot swap failover and how that is done – DNS IP Swap, Disk pools, etc.

– May need to add more Keytab entries to allow for multiple connection names

If you use physical replication (PowerHA, Flash Copy), there needs to be consideration for hot swap failover and how that is done – DNS IP Swap, Disk pools, User profiles, etc.

– May need to use Lab Services Admin Domain tools to keep profiles consistent across a cluster

If sharing EIM, it should be separated and replicated to ensure consistency and availability

Page 25: Single Sign On (SSO) Overview

Ongoing EIM Maintenance

As users are added and removed from your environment, the creation and deletion processes need to be created or modified

– Since Active Directory is our main repository, they need to be created here

• And removed upon termination, as this is the gateway to all other services

– A user profile must also exist on IBM i, hopefully with password *NONE

• This user should always be manually created to ensure proper settings and authorizations based on the user’s role

• This user profile needs to be removed upon termination of employment (not disabled!)

– An EIM Identity needs to be created with at least one source association for the Active Directory and one target association for the IBM i

• Removing the identity will automatically remove the associations, or they may be removed first

– When removing an employee, disable Active Directory first, then remove EIM associations, EIM Identity, IBM i User Profile, then remove the Active Directory account

IBM Lab Services offers tools to automate the EIM Identifiers and Associations processes

Page 26: Single Sign On (SSO) Overview

Configuration Pieces

DNS Service:
A: MYIBMI.MYCORP.COM -> 1.2.3.4
PTR: 1.2.3.4 -> myibmi.mycorp.com

DNS Server: MYDC.MYCORP.COM

AD Users:
User - SPN: krbsvr400/[email protected]
- SPN: krbsvr400/[email protected]

Telnet Session:
Host: MYIBMI.MYCORP.COM
Authentication: Kerberos
Bypass Sign on: Yes

Page 27: Single Sign On (SSO) Overview

Configuration Pieces, cont.

CFGTCP:
Host Name: MYIBMI
Domain Name: MYCORP.COM
DNS Server: MYDC.MYCORP.COM
Host Table: MYIBMI -> 1.2.3.4
MYIBMI.MYCORP.COM -> 1.2.3.4

KRB5.CONF File: KDC = MYDC.MYCORP.COM:88

KeyTab File: krbsvr400/[email protected]/[email protected]

EIM:
Server: Host: MYIBMI.MYCORP.COM
Local User Registry: MYIBMI.MYCORP.COM

User Registries: MYREALM.COM, MYIBMI.MYCORP.COM

Identifiers:
Identifier: First Last
Source: first.last for MYREALM.COM
Target: filast for MYIBMI.MYCORP.COM

Page 28: Single Sign On (SSO) Overview

Detailed Steps

PC -> AD (AS on KDC): Can PC get a TGT for [email protected]? Answer: TGT sent to PC

PC -> DNS: Who is MYIBMI (getaddrinfo)? Answer: 1.2.3.4

PC -> DNS: Who is 1.2.3.4 (getnameinfo)? Answer: myibmi.mycorp.com

PC -> AD (TGS on KDC): Can PC get a ST for service krbsvr400/[email protected] for user [email protected] given TGT? Answer: Digitally signed ST sent to PC

PC -> IBM i: Start Telnet based on ST

IBM i -> NAS: Who is the PC user? Get key for krbsvr400/[email protected] from key tab file and decode ST. Answer: [email protected] (NAS is an internal lookup)

IBM i -> EIM: Who is the IBM i user? Get IBM i user for [email protected] from EIM stored in LDAP. Answer: filast (EIM is usually an internal lookup)

IBM i answer: Start session for IBM i profile filast
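A consistency check that replays the detailed steps above against the configuration pieces on slides 26 and 27 and the DNS prerequisites (an added example, not IBM tooling): the DNS, keytab and EIM data are constructed from the deck's sample values, and the service principal form krbsvr400/host@MYREALM.COM is an assumption, since the deck's principals are redacted.

```python
"""Predict which SPN the PC will request and which IBM i profile the session
starts as, flagging the configuration gaps that break SSO. Added example; the
DNS zone, keytab contents and EIM entries are constructed from the deck."""

REALM = "MYREALM.COM"  # the deck's Active Directory realm / EIM source registry

DNS = {  # constructed zone data: forward A record and reverse PTR (slide 26)
    "A": {"myibmi.mycorp.com": "1.2.3.4"},
    "PTR": {"1.2.3.4": ["myibmi.mycorp.com"]},
}
KEYTAB = {  # principals assumed present in the IBM i keytab (krbsvr400/host@REALM form)
    "krbsvr400/MYIBMI.MYCORP.COM@MYREALM.COM",
    "krbsvr400/myibmi.mycorp.com@MYREALM.COM",
}
EIM = {  # identifier -> one source association and one target per IBM i registry
    "First Last": {"source": ("MYREALM.COM", "first.last"),
                   "targets": {"MYIBMI.MYCORP.COM": "filast"}},
}

def getaddrinfo(host, dns, domain="MYCORP.COM"):
    """Forward lookup as the PC does it: a short name gets the CFGTCP domain appended."""
    fqdn = host.lower() if "." in host else f"{host}.{domain}".lower()
    return dns["A"].get(fqdn)

def service_principal(host, dns):
    """Replay the PC -> DNS steps and derive the SPN the PC asks the TGS for."""
    ip = getaddrinfo(host, dns)
    if ip is None:
        return None, [f"no forward (A/CNAME) record for {host}"]
    ptrs = dns["PTR"].get(ip, [])
    if len(ptrs) != 1:  # prerequisite: one and only one PTR per address
        return None, [f"{ip} has {len(ptrs)} PTR records, need exactly one"]
    return f"krbsvr400/{ptrs[0]}@{REALM}", []  # host name exactly as DNS returned it

def eim_lookup(source_registry, user, target_registry, eim):
    """Source association (registry, user) -> profile in the target registry."""
    for entry in eim.values():
        if entry["source"] == (source_registry, user):
            return entry["targets"].get(target_registry)
    return None

def check_sso(host, user, dns=DNS, keytab=KEYTAB, eim=EIM,
              local_registry="MYIBMI.MYCORP.COM"):
    """Return the SPN, the profile the session would start as, and any blockers."""
    spn, errors = service_principal(host, dns)
    if spn and spn not in keytab:  # exact match: register the name in the case DNS returns
        errors.append(f"keytab has no entry for {spn}")
    profile = eim_lookup(REALM, user, local_registry, eim)
    if profile is None:
        errors.append(f"EIM has no target in {local_registry} for {user}@{REALM}")
    return {"spn": spn, "profile": None if errors else profile, "errors": errors}
```

Run it once per host name and IP address you expect clients to use; every extra PTR record or missing keytab entry shows up as a blocker before any user sees a failed sign on.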


Page 30: Single Sign On (SSO) Overview

Asking about Assistance


Page 31: Single Sign On (SSO) Overview

IBM Systems Lab Services IBM i Security Team

Security Services for IBM i include:

• Security Assessment

• Single Sign On Implementation

• Security Remediation

• Encryption Assistance

• Security Mentoring

IBM Systems Lab Services:

• Simplify management and measurement of security & compliance

• Reduce the cost of security & compliance

• Improve detection and reporting of security exposures

• Improve auditing/monitoring to satisfy reporting requirements

• Guide your business toward a more secure operational model

Page 32: Single Sign On (SSO) Overview

Security and Compliance Tools for IBM i

Tool – Benefits

Compliance Automation and Reporting Tool (CART) – Demonstrate adherence to pre- and customer-defined security policies and system component inventory. Centralize security management and reporting via Db2 Web Query.

Privileged Elevation Tool (Fire Call) – Ensures compliance with guidelines on privileged users.

Syslog Reporting Manager (SRM) – Simplifies sending of audit log messages to SIEMs.

Network Interface Firewall (Exit Point Tool) – Restrict access to various system services by user and connection source.

Advanced Authentication – Multifactor Authentication to secure sensitive access.

Single Sign On (SSO) Suite – Tools to assist in the complete lifecycle of a Kerberos user.

Have a need? More tools and info online at ibm.biz/IBMiSecurity

Page 33: Single Sign On (SSO) Overview

Find all the answers at

https://ibm.biz/IBMiSecurity


Page 34: Single Sign On (SSO) Overview

Questions?

Robert D. Andrews
Senior Managing Security Consultant

IBM Lab Services

[email protected]

2800 37th Street NW
Rochester, MN 55901

Page 35: Single Sign On (SSO) Overview

© Copyright IBM Corporation 2021. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.


Follow us on:

ibm.biz/IBMiSecurity

Thank you
