single sign on (sso) overview
TRANSCRIPT
Single Sign On (SSO) Overview for IBM i
Robert D. Andrews
Senior Managing Security Consultant
Team Lead, IBM i Security and Authentication Lab
[email protected] +1.507.253.4205
IBM i Security / © 2021 IBM Corporation
Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Certifications
Table of contents / Agenda
Single Sign On Overview
Simplified Setup Steps
Considerations and Curveballs
Asking about Assistance
Overview
Single Sign On
With a growing number of diverse systems, it is difficult for users to maintain different, secure passwords in all environments without succumbing to bad, insecure password habits
By implementing single sign on, the goal is to reduce the number of systems that contain passwords in their user registries
– In essence, a better term would be “Single Password Repository”
The primary system verifies identity and then securely grants permission to other services in the environment
– Single password and user management repository
– This overall system and its methods are known as Kerberos Authentication, which was mainly designed at MIT starting in the 1980s
Who Can Use Single Sign On
Not all system services support single sign on
Therefore, as part of the planning phase, it may be determined that single sign on will not cover all the needs and is not a viable solution but in fact would only complicate the setup
On IBM i:
– IBM i Host Servers
– Telnet server *
– Apache HTTP Server
– Open Database Connectivity (ODBC)
– Java™ Database Connectivity (JDBC)
– Distributed Relational Database Architecture™ (DRDA®) *
– QFileSrv.400
– NetServer
– NFS
– FTP server *
* Requires a client that supports Kerberos
General Single Sign On Flow
User logs in to the PC using their Windows Domain credentials, which are verified with Active Directory, serving as the Authentication Service (AS) on the Key Distribution Center (KDC)
Active Directory verifies the user’s rights and status and then sends them a digitally signed master ticket known as a Ticket Granting Ticket (TGT)
User on the PC requests a service such as Telnet on IBM i by sending the TGT and request to the Ticket Granting Service (TGS), usually also on the KDC
The TGS returns to the PC a digitally signed Service Ticket (ST) for that particular service
The PC connects to the service and sends the ST, which decodes to show the user’s Windows identity
– IBM i goes one step further to map the Windows User Identity to an IBM i User Profile via EIM
Part 1 & 2 TGT Request and Receive
Diagram: PC ↔ Active Directory Authentication Service (KDC lives here – DOMAIN.COM)
• Mary Jones logs into her PC workstation in the morning.
• This triggers a request to the AD domain controller KDC for a Ticket Granting Ticket.
• The KDC sends back a TGT encrypted with Mary’s password.
1. Can I have a TGT?
2. Yes, here’s the TGT ticket.
Fun Fact: The TGT is encrypted using Mary’s Windows password. The PC then makes sure it can decrypt it, verifying the user entered the correct password without ever sending the password over the network!
Part 3 & 4 Service Ticket Request and Receive
Diagram: PC ↔ Active Directory Ticket Granting Service
• Mary opens the PC5250 client to log on to SYSTEM_A
• PC5250 client is configured for Kerberos so her PC sends a request for a service ticket
3. Here’s my TGT, can I have a service ticket for SYSTEM_A’s telnet service?
4. SYSTEM_A’s telnet is a registered service principal – here’s your service ticket packet
Fun Fact: The Service Principal for SYSTEM_A’s telnet service is an Active Directory User Account. This user account’s password serves as the shared secret between the TGS and Service and is used to digitally sign the service ticket!
Part 5 Unpack the subsession key
Diagram: the returned packet as received by the telnet client. One part is encrypted with Mary’s Windows password; the service ticket is encrypted with the keytab password / shared secret. The identity carried is “My name on the Windows domain DOMAIN.COM is Mary_Jones”.
Part 6 & 7 Service Ticket and Processing
Diagram: Telnet client ↔ SYSTEM_A
• Telnet client gives the telnet server on SYSTEM_A the service ticket
• Telnet server accepts, but needs to know what user profile Mary is on IBM i
Telnet client: Here’s the service ticket.
SYSTEM_A: OK, I got the subsession key by decrypting it with the keytab password. What user profile are you? It says you’re Mary_Jones on Windows.
Part 8 & 9 EIM Lookup
Diagram: Telnet client – SYSTEM_A – EIM Domain Controller (LDAP Lookup)
• EIM lookup happens on the EIM Domain Controller
• The domain controller is given that user Mary_Jones on registry DOMAIN.COM is looking for a user profile name on registry SYSTEM_A.DOMAIN.COM
• It returns the user profile name MJONES on IBM i
SYSTEM_A: EIM lookup, who’s Mary_Jones on Windows?
EIM Domain Controller: She’s MJONES on IBM i
Part 10 Connected!
Diagram: Telnet client ↔ SYSTEM_A
MJONES job started, no sign on screen!
Simplified Setup Steps
Prerequisites
Need to have a central user repository to serve as the Key Distribution Center (KDC)
– For most enterprises, this is an existing Windows Active Directory domain controller
Require at least one forward DNS (A or CNAME) entry for the primary IP address of the system
– May have multiple forward DNS entries and may have multiple IP addresses
– See the Considerations section for the additional complexities each of these introduces
Require one and only one reverse DNS (PTR) entry for the primary IP address of the system
– Require one and only one reverse DNS entry for each additional IP address chosen to be used
IBM Navigator for i is installed on the system (http://system:2001)
The QRMTSIGN system value must be set to *VERIFY, not *FRCSIGNON
Have available or set the IBM i LDAP server administrator (cn=Administrator) user’s password
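A pre-flight check for the DNS prerequisites listed above, added here as an example (it is not code from the deck or from IBM). It runs against constructed zone answers in place of live lookups and flags the three things the slides require: a forward entry for the primary IP, exactly one PTR for that IP, and a PTR name that resolves back to the same address (the name the client gets back from getnameinfo is the one it puts into the service ticket request). Names are compared case-insensitively, since the deck's own sample uses MYIBMI.MYCORP.COM forward and myibmi.mycorp.com reverse.

```python
# Constructed zone answers standing in for live A/CNAME and PTR lookups.
# The name and address are taken from the deck's configuration sample.
FORWARD = {"myibmi.mycorp.com": ["1.2.3.4"]}   # name -> addresses (A/CNAME)
REVERSE = {"1.2.3.4": ["myibmi.mycorp.com"]}   # address -> PTR names

def _norm(name: str) -> str:
    return name.lower().rstrip(".")            # DNS names are case-insensitive

def check_sso_dns(hostname, primary_ip, forward=FORWARD, reverse=REVERSE):
    """Return the list of prerequisite violations; an empty list means OK."""
    problems = []
    name = _norm(hostname)
    if primary_ip not in forward.get(name, []):
        problems.append(f"no forward (A/CNAME) entry {name} -> {primary_ip}")
    ptrs = [_norm(p) for p in reverse.get(primary_ip, [])]
    if len(ptrs) != 1:
        problems.append(f"{primary_ip} has {len(ptrs)} PTR entries, need exactly one")
    for ptr in ptrs:
        # The PTR name is what the client's getnameinfo() returns and therefore
        # what it asks the TGS for; it must map back to the same address.
        if primary_ip not in forward.get(ptr, []):
            problems.append(f"PTR name {ptr} does not resolve back to {primary_ip}")
    return problems

if __name__ == "__main__":
    for line in check_sso_dns("MYIBMI.MYCORP.COM", "1.2.3.4") or ["DNS prerequisites OK"]:
        print(line)
```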
Network Authentication Services Setup
Run the Network Authentication Services (NAS) wizard in IBM Navigator for i to provide:
– Active Directory Realm name and server IP address
– Which services to Kerberos enable
• Telnet
• LDAP
• HTTP Server
• NetServer
• NFS
– Shared secret password for digital signatures
• Needs to follow the rules of the Active Directory user account password requirements with regards to length and complexity
Will generate a script file to be run on the Active Directory domain controller
Set NAS to use TCP instead of UDP
Active Directory Setup
On the Active Directory domain controller, run the file generated by the wizard
– Creates matching user accounts and registers the various service principals
Modify each user account created to:
– Non expiring password (if possible – these are machine to machine limited accounts)
– Remove DES encryption – too weak to be trusted
– Turn on AES 256 encryption – new standard
– Trust each account for Kerberos Delegation
Enterprise Identity Mapping Setup
Run the Enterprise Identity Mapping (EIM) wizard in IBM Navigator for i to provide:
– Location of the LDAP server – by default use a local LDAP server
– LDAP administrator credentials – cn=administrator and its password
– User repository names for Active Directory and IBM i – should be pre-filled in
Create one or more EIM Identifiers with at least one source association and at least one target association
– Needed for each user that will use a Kerberos enabled connection
– Only have one target entry per IBM i User Registry name
– IBM Lab Services has tools available to bulk load existing user populations
• And keep them up to date automatically by tying into the create and delete user profile commands
Client PC Setup
On each client PC, each service to be Kerberos enabled must be selected
If using IBM i Access Client Solutions or IBM Personal Communications, each connection will need to be updated, including checking the bypass sign on option
– For ODBC, this is set in the ODBC settings
For others, like mapped drives, unmap and remap without providing additional credentials
– Note: NetServer must be configured to accept Network (Kerberos) authentication before it will work
Considerations and Curveballs
Considerations and Curveballs
For a single IBM i and single Active Directory, the setup is very simple
However, most corporate environments are not simple
In addition, we have the need for redundancy in case of system outages
Active Directory Issues
Most Active Directory environments do not have a single domain controller
– A single domain controller would be a major single point of failure if it went down
Multiple Active Directory servers should be clustered behind a single DNS entry
– AD.mycomp.com points to several physical servers in round robin fashion
OR the IBM i allows for up to four DNS names to be tried in order, allowing for outages
Some companies split their Active Directory into multiple realms (e.g. Corp vs. Manufacturing or West Coast vs. East Coast)
– Can use cross realm trust and authentication if there are needs to cross AD realm boundaries
IBM i Issues
If you use logical replication (Mimix, iTera, etc.), there needs to be consideration for hot swap failover and how that is done – DNS IP swap, disk pools, etc.
– May need to add more keytab entries to allow for multiple connection names
If you use physical replication (PowerHA, FlashCopy), there needs to be consideration for hot swap failover and how that is done – DNS IP swap, disk pools, user profiles, etc.
– May need to use Lab Services Admin Domain tools to keep profiles consistent across a cluster
If sharing EIM, it should be separated and replicated to ensure consistency and availability
Ongoing EIM Maintenance
As users are added to and removed from your environment, the creation and deletion processes need to be created or modified
– Since Active Directory is our main repository, users need to be created here
• And removed upon termination, as this is the gateway to all other services
– A user profile must also exist on IBM i, hopefully with password *NONE
• This user should always be manually created to ensure proper settings and authorizations based on the user’s role
• This user profile needs to be removed upon termination of employment (not disabled!)
– An EIM Identity needs to be created with at least one source association for the Active Directory and one target association for the IBM i
• Removing the identity will automatically remove the associations, or they may be removed first
– When removing an employee: disable Active Directory first, then remove the EIM associations, the EIM Identity and the IBM i User Profile, then remove the Active Directory account
IBM Lab Services offers tools to automate the EIM Identifiers and Associations processes
Configuration Pieces
DNS Service:
– A: MYIBMI.MYCORP.COM -> 1.2.3.4
– PTR: 1.2.3.4 -> myibmi.mycorp.com
AD Users:
– User – SPN: krbsvr400/[email protected]
– SPN: krbsvr400/[email protected]
DNS Server: MYDC.MYCORP.COM
Telnet Session:
– Host: MYIBMI.MYCORP.COM
– Authentication: Kerberos
– Bypass Sign on: Yes
Configuration Pieces, cont.
CFGTCP:
– Host Name: MYIBMI
– Domain Name: MYCORP.COM
– DNS Server: MYDC.MYCORP.COM
– Host Table: MYIBMI -> 1.2.3.4; MYIBMI.MYCORP.COM -> 1.2.3.4
KRB5.CONF File: KDC = MYDC.MYCORP.COM:88
KeyTab File: krbsvr400/[email protected]/[email protected]
EIM:
– Server: Host: MYIBMI.MYCORP.COM; Local User Registry: MYIBMI.MYCORP.COM
– User Registries: MYREALM.COM; MYIBMI.MYCORP.COM
– Identifiers: Identifier: First Last; Source: first.last for MYREALM.COM; Target: filast for MYIBMI.MYCORP.COM
Detailed Steps
1. PC -> AD (AS on KDC): Can PC get a TGT for [email protected]? Answer: TGT sent to PC
2. PC -> DNS: Who is MYIBMI (getaddrinfo)? Answer: 1.2.3.4
3. PC -> DNS: Who is 1.2.3.4 (getnameinfo)? Answer: myibmi.mycorp.com
4. PC -> AD (TGS on KDC): Can PC get a ST for service krbsvr400/[email protected] for user [email protected] given TGT? Answer: Digitally signed ST sent to PC
5. PC -> IBM i: Start Telnet based on ST
6. IBM i -> NAS: Who is the PC user? Get key for krbsvr400/[email protected] from key tab file and decode ST. Answer: [email protected] (NAS is an internal lookup)
7. IBM i -> EIM: Who is the IBM i user? Get IBM i user for [email protected] from EIM stored in LDAP. Answer: filast (EIM is usually an internal lookup)
8. IBM i answer: Start session for IBM i profile filast
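The ticket flow described in the General Single Sign On Flow and in the Detailed Steps above, as an added example that is not code from the deck or from IBM: a Python model of the AS, the TGS, the SYSTEM_A telnet service and the EIM lookup. Mary_Jones, DOMAIN.COM, SYSTEM_A and MJONES come from the earlier slides; the service principal name, the passwords and the toy cipher (a SHA-256 keystream plus HMAC, standing in for the Kerberos AES encryption types) are constructed. It shows the two points the slides stress: a wrong password fails locally when the PC cannot decrypt the TGT enc-part, so the password never crosses the wire, and only the keytab key on SYSTEM_A opens the service ticket before EIM maps the Windows identity to a profile.

```python
import hashlib, hmac, json, os

# Toy authenticated cipher standing in for the Kerberos AES enctypes: a
# SHA-256 keystream XOR plus an HMAC tag. Constructed for illustration only.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def enc(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key: ticket or enc-part does not decrypt")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_of(secret: str) -> bytes:        # password / shared secret -> long-term key
    return hashlib.sha256(secret.encode()).digest()
# Constructed realm data. Active Directory (the KDC) holds every long-term key;
# SYSTEM_A holds only its own service key, in the keytab the NAS wizard produced.
REALM = "DOMAIN.COM"
SPN = "krbsvr400/SYSTEM_A.DOMAIN.COM@DOMAIN.COM"          # constructed SPN
KDC_KEYS = {"Mary_Jones": key_of("marys-password"),       # constructed passwords
            "krbtgt": key_of("kdc-secret"), SPN: key_of("service-acct-pw")}
EIM = {(REALM, "Mary_Jones"): "MJONES"}   # source association -> target profile

def as_exchange(user):                   # parts 1 & 2: AS issues a TGT
    s1 = os.urandom(32).hex()            # TGT session key
    tgt = enc(KDC_KEYS["krbtgt"], {"user": user, "key": s1})
    return tgt, enc(KDC_KEYS[user], {"key": s1})   # enc-part under Mary's key

def tgs_exchange(tgt, authenticator, spn):   # parts 3 & 4: TGS issues an ST
    t = dec(KDC_KEYS["krbtgt"], tgt)
    if dec(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    s2 = os.urandom(32).hex()            # subsession key
    st = enc(KDC_KEYS[spn], {"user": t["user"], "key": s2})  # under service key
    return st, enc(bytes.fromhex(t["key"]), {"key": s2})

def telnet_server(st, authenticator, keytab_key):   # parts 5-10 on SYSTEM_A
    t = dec(keytab_key, st)              # only the keytab key opens the ST
    if dec(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match service ticket")
    return EIM[(REALM, t["user"])]       # EIM lookup: Windows user -> profile

def sso_login(user, password):           # what Mary's PC does end to end
    tgt, part = as_exchange(user)
    s1 = bytes.fromhex(dec(key_of(password), part)["key"])  # wrong pw fails here
    st, part2 = tgs_exchange(tgt, enc(s1, {"user": user}), SPN)
    s2 = bytes.fromhex(dec(s1, part2)["key"])
    return telnet_server(st, enc(s2, {"user": user}), KDC_KEYS[SPN])
```

`sso_login("Mary_Jones", "marys-password")` returns "MJONES" without the password ever being passed to as_exchange, tgs_exchange or telnet_server.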
Asking about Assistance
IBM Systems Lab Services IBM i Security Team
Security Services for IBM i include:
• Security Assessment
• Single Sign On Implementation
• Security Remediation
• Encryption Assistance
• Security Mentoring
IBM Systems Lab Services:
• Simplify management and measurement of security & compliance
• Reduce the cost of security & compliance
• Improve detection and reporting of security exposures
• Improve auditing/monitoring to satisfy reporting requirements
• Guide your business toward a more secure operational model
Security and Compliance Tools for IBM i
Tool: Benefits
– Compliance Automation and Reporting Tool (CART): Demonstrate adherence to pre- and customer-defined security policies and system component inventory. Centralize security management and reporting via Db2 Web Query.
– Privileged Elevation Tool (Fire Call): Ensures compliance with guidelines on privileged users.
– Syslog Reporting Manager (SRM): Simplifies sending of audit log messages to SIEMs.
– Network Interface Firewall (Exit Point Tool): Restrict access to various system services by user and connection source.
– Advanced Authentication: Multifactor Authentication to secure sensitive access.
– Single Sign On (SSO) Suite: Tools to assist in the complete lifecycle of a Kerberos user.
Have a need? More tools and info online at ibm.biz/IBMiSecurity
Find all the answers at
https://ibm.biz/IBMiSecurity
Questions?
Robert D. Andrews
Senior Managing Security Consultant
IBM Lab Services
2800 37th Street NW
Rochester, MN 55901
© Copyright IBM Corporation 2021. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Follow us on:
ibm.biz/IBMiSecurity
Thank you