Interoperability with IBM Host Systems


Host Security Integration

In an enterprise-wide computing environment, users are likely to access different networking environments as they go about their day-to-day routines. A user might begin the day by turning on a computer running Windows 2000 Professional, logging on to a Windows 2000–based network, and then accessing an AS/400 database application through a terminal emulator.

Each system with which the user comes into contact enforces its own security requirements and logon procedures. For example, a Windows 2000 domain account might require a six-character user name and an eight-character, mixed-case password, whereas a mainframe environment might require a seven-character user name and seven-character alphanumeric password.

Frequently, users have to remember several different combinations of user names and passwords to gain access to various resources on the network. Despite policies to the contrary, users who must maintain multiple passwords often resort to writing their passwords down and keeping them in a convenient location near their computer, compromising network security.

One of SNA Server's most powerful security features is its ability to integrate the Windows 2000 domain security environment with your host security system. The Host Security Integration feature is a combination of tools and services that automate the process of synchronizing passwords and logging on to the different systems. Using these tools can help your users uphold corporate security standards and ease the administration required to maintain user accounts on your network and your host system.

Host Security Integration Components

Host Security Integration uses a host security domain concept to manage user accounts on your network and your host system. Your host security domain defines the different security domains that share a common user accounts database. A simple security domain can consist of a host domain, a Windows 2000 domain, and an SNA Server subdomain, as shown in Figure 10.26.

Figure 10.26    Elements of a Typical Host Security Domain

Host Security Integration is composed of three separately installable components:

Host Account Cache

The Host Account Cache maintains an encrypted database that maps host user accounts to Windows 2000 domain user accounts. The Host Account Cache is a Windows 2000 service that is installed on Windows 2000 domain controllers. For smaller networks, SNA Server itself might be installed on a Windows 2000 domain controller and, therefore, can be used to store the Host Account Cache.

Optionally, a backup Host Account Cache can be installed on any other Windows 2000 domain controller. The backup cache maintains a local copy of the user database for recovery purposes, or to eliminate network traffic for single sign-on lookups when installed on the same computer as SNA Server.

Host Account Synchronization Service

Host Security Integration is an SNA Server installation option that contains the Host Account Synchronization Service. This service can be installed on primary, backup, or member computers running SNA Server within the SNA Server subdomain. For more information about SNA Server roles, see "Determining SNA Server Roles" earlier in this chapter.

You can also install the service on non-SNA Server-based computers. The Host Account Synchronization Service supports third-party interfaces to various host security databases, allowing you to coordinate password changes between the Windows 2000 security domain and the host security domain.

The Host Account Synchronization Service is not necessary if you use the single sign-on feature with manual password updates in which the administrator or users store host account information in the Host Account Cache through the Host Account Manager application (UDConfig). For more information about using the UDConfig tool, see the SNA Server version 4.0 documentation and the Microsoft® BackOffice® Resource Kit.

Windows 2000 Account Synchronization Service

The Account Synchronization component can automatically synchronize the passwords for your host accounts and Windows 2000 domain accounts. This component includes the Windows 2000 Password Synchronization Service and must be installed even if automatic password synchronization is not used because it coordinates the internal operation of other services.

The Windows 2000 Account Synchronization Service is installed on a Windows 2000 domain controller. Only one instance of the Windows 2000 Account Synchronization Service can be designated as primary; all others must be backup servers.

The ability to synchronize passwords from the Windows 2000 domain to an AS/400 security domain is built into SNA Server. Third-party products can provide enhanced synchronization services, such as two-way and automatic synchronization, to other host systems.

Password Synchronization Options

When you define your host security domain, a Windows 2000 group account is automatically created with the same name. User accounts are then added to the group to specify them as members of the host security domain. Once a host security domain is defined, two types of password synchronization options are available to you:

The Replicated option assumes that you would like to have the same user name or password on each security domain defined in the host security domain.

The Mapped option allows you to have different account names and passwords in each security domain. A database controlled by the Host Account Cache Service maintains the associations between the various accounts and passwords.

You can specify either of these options for the user name and either of them for the password of a user account. For example, you can choose to map the user names but replicate passwords across the different security domains. This allows you to have the same password but different user names on the different systems in the host security domain.

Once defined, host connections are assigned to the domain. SNA Server uses the assignment to look up the host mapping for a Windows 2000 user based on the session he or she is trying to open. A defined host connection can only be assigned to one security domain at a time.

After the connections are assigned to a host security domain, you can add users to the security domain by adding user accounts to the Windows 2000 group account created earlier. For each account associated with the host security domain, you can enable password synchronization options and automated logon features commonly referred to as single sign-on services. Single sign-on allows users to log on to their host account automatically if they are already logged on to their Windows 2000 domain account.

If you are planning to map user names, perform and store the initial mapping of host user names to Windows 2000 domain user names in the Host Account Cache.
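The lookup described above can be sketched as a small model. This is an added example, not SNA Server code or its API: the class, the function names, and all sample values are hypothetical, and the in-memory dictionary only stands in for the encrypted Host Account Cache. It shows the Replicated and Mapped options chosen separately for user name and password, the one-domain-per-connection rule, and what happens when a Mapped field has no stored mapping.

```python
REPLICATED, MAPPED = "replicated", "mapped"

class HostSecurityDomain:
    """Toy stand-in for one host security domain (hypothetical model)."""
    def __init__(self, name):
        self.name = name      # the Windows 2000 group account gets the same name
        self.members = {}     # Windows account -> (user-name option, password option)
        self.cache = {}       # stand-in for the Host Account Cache mappings

connection_owner = {}         # host connection name -> its one security domain

def assign_connection(connection, domain):
    # A defined host connection can be assigned to only one domain at a time.
    owner = connection_owner.get(connection)
    if owner is not None and owner is not domain:
        raise ValueError(f"{connection} is already assigned to {owner.name}")
    connection_owner[connection] = domain

def resolve_host_logon(connection, win_user, win_password):
    """Return (host user, host password), or None when single sign-on does not apply."""
    domain = connection_owner.get(connection)
    if domain is None or win_user not in domain.members:
        return None           # unassigned connection, or user not in the group
    entry = domain.cache.get(win_user, {})

    def pick(option, field, windows_value):
        if option == REPLICATED:
            return windows_value          # same value on both systems
        if field not in entry:            # Mapped, but no initial mapping was stored
            raise LookupError(f"no mapped {field} stored for {win_user}")
        return entry[field]

    name_opt, pw_opt = domain.members[win_user]
    return (pick(name_opt, "user", win_user),
            pick(pw_opt, "password", win_password))

def demo():
    # Constructed sample data; every name and value here is made up.
    dom = HostSecurityDomain("HOSTSEC1")
    assign_connection("AS400CONN", dom)
    dom.members["jsmith"] = (MAPPED, REPLICATED)   # map the name, replicate the password
    dom.cache["jsmith"] = {"user": "JSMITH7"}
    return resolve_host_logon("AS400CONN", "jsmith", "example-pw")

if __name__ == "__main__":
    print(demo())
```

The LookupError path corresponds to the last step above: a Mapped user name cannot be resolved until the initial mapping has been stored in the cache.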

© 1985-2000 Microsoft Corporation. All rights reserved.