Security and SSO for IBM i AD-iCT
AD-iCT: strengthen SSO between IBM i and Active Directory
Drawing on decades of experience in securing IBM i and implementing SSO on hundreds of IBM i partitions, I.GAYTE.IT has created AD-iCT, the software package that provides the essential functions for using and administering SSO in production.
AD-iCT
The essential software package for high-performance SSO between IBM i and Active Directory
With EIM (Enterprise Identity Mapping), IBM i can provide SSO with Active Directory (AD).
IBM's solution is excellent, but difficult to use as it stands on a production partition.
In this environment, AD-iCT provides all the key functionalities needed to manage and use Single Sign On (SSO) effectively in a production environment.
- When logging on to the IBM i, no password is requested from either the user or the AD.
- IBM i relies on the authentication performed by AD when connecting to the domain (usually when the workstation starts up).
- SSO uses the association between the authenticated AD account and an IBM i user profile stored in the EIM directory.
- In the case of a 5250 session, for example, the sign-on screen is not displayed, and the user is taken directly to the initial program.
- AD-iCT maintains the EIM directory.
- AD-iCT offers additional services to simplify and automate AD-based tasks.
Entering associations
With EIM, each AD account (the source) must be associated with a user profile (the target) so that, during SSO connection, a correspondence is established to define the profile to be used.
Entering this association using standard tools is time-consuming and tedious (some fifteen mouse clicks).
AD-iCT offers several automated association creation modes to meet the many needs of IT departments, via:
- Bulk imports (CSV or PF file)
- Graphical interface or 5250 screens
- PGMs for integration into an IBM i batch chain
- REST APIs for integration into PowerShell, for example
AD-iCT software features
- Mass import via CSV or PF file
- REST API for creating profiles and associations
- Association creation via *PGM for batch integration
- Visualization of multiple score associations
- Exporting associations to PF
- Importing associations from PF
- Visualization of missing targets
- View duplicate sources/targets
- Display of targets holding *ALLOBJ special authority
- Synchronization with the backup partition even with software replication
- Simple backup of EIM data
- Manage multiple partitions from a single interface
- Graphical interface and/or 5250 according to individual preferences
Replication to backup partition
Software replication products do not take into account EIM data, i.e. an association defined on the production partition is not replicated on the backup system.
AD-iCT automatically synchronizes the two partitions, to avoid SSO malfunctions when switching to disaster recovery mode.
The export function enables a new partition to be initialized with the associations of another, which saves significant time when creating new environments.
Complex environments
AD-iCT is designed to operate in complex environments containing:
- Multiple source domains, i.e. multiple domains used for user authentication
- Multiple targets (multiple IBM i partitions)
Associations whose source is the AD domain DOMA.LOCAL and whose target is IBMi1.LOCAL can be automatically copied to DOMB.LOCAL and/or IBMi2.LOCAL, enabling simple migrations of user domains and IBM i partitions, at least as far as SSO is concerned.
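To make the association model concrete, here is an added illustration (not AD-iCT code, and not the EIM API) that models source/target associations as plain records, copies the DOMA.LOCAL / IBMi1.LOCAL associations onto DOMB.LOCAL or IBMi2.LOCAL as described above, and runs the review checks listed earlier (missing targets, duplicate sources, targets holding *ALLOBJ). The profiles and associations are constructed sample data; the class and function names are assumptions for this example.

```python
from typing import NamedTuple
from collections import Counter

class Association(NamedTuple):
    source_domain: str     # AD domain (EIM source registry), e.g. DOMA.LOCAL
    source_user: str       # authenticated AD account
    target_partition: str  # IBM i partition (EIM target registry)
    target_profile: str    # IBM i user profile used after SSO

# Constructed sample: profiles known on each partition, True = holds *ALLOBJ
PROFILES = {
    "IBMi1.LOCAL": {"JSMITH": False, "ADUPONT": False, "QSECOFR": True},
    "IBMi2.LOCAL": {"JSMITH": False, "QSECOFR": True},
}

# Constructed sample associations, including two deliberate anomalies
ASSOCIATIONS = [
    Association("DOMA.LOCAL", "jsmith", "IBMi1.LOCAL", "JSMITH"),
    Association("DOMA.LOCAL", "adupont", "IBMi1.LOCAL", "ADUPONT"),
    Association("DOMA.LOCAL", "ops", "IBMi1.LOCAL", "QSECOFR"),
    Association("DOMA.LOCAL", "jsmith", "IBMi1.LOCAL", "QSECOFR"),  # 2nd target for jsmith
    Association("DOMA.LOCAL", "ghost", "IBMi1.LOCAL", "NOBODY"),    # profile does not exist
]

def missing_targets(assocs, profiles):
    """Associations whose target profile does not exist on the target partition."""
    return [a for a in assocs if a.target_profile not in profiles.get(a.target_partition, {})]

def duplicate_sources(assocs):
    """Sources mapped to more than one profile on the same partition (ambiguous SSO)."""
    counts = Counter((a.source_domain, a.source_user, a.target_partition) for a in assocs)
    return sorted(key for key, n in counts.items() if n > 1)

def allobj_targets(assocs, profiles):
    """Associations whose target profile holds *ALLOBJ, i.e. SSO lands on a powerful profile."""
    return [a for a in assocs if profiles.get(a.target_partition, {}).get(a.target_profile)]

def copy_associations(assocs, from_domain, from_partition, to_domain=None, to_partition=None):
    """Re-create the (from_domain, from_partition) associations for a new source domain
    and/or target partition, skipping any that already exist."""
    existing, created = set(assocs), []
    for a in assocs:
        if a.source_domain != from_domain or a.target_partition != from_partition:
            continue
        c = Association(to_domain or a.source_domain, a.source_user,
                        to_partition or a.target_partition, a.target_profile)
        if c not in existing:
            existing.add(c)
            created.append(c)
    return created
```

After copying to a new partition, running `missing_targets` on the copies against that partition's profiles shows which user profiles still have to be created there before SSO will work.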
EIM backups
EIM data (associations) are difficult to back up (you need to be in restricted mode, for example).
Without stopping production, AD-iCT exports this data to a table (PF file) that can be easily backed up and restored.
The import function reconstitutes the associations in a matter of seconds.
And you?
How do you integrate a new employee?
Integrating a new employee requires creating an account (at least!) on each system.
At least one account on AD and a user profile (and association) on each IBM i partition.
With AD-iCT you can create the user profile and the EIM association:
- On the IBM i side, using a program (*PGM) to be integrated into your profile creation chain.
- Or from the AD side, via a PowerShell script that consumes a REST API exposed by the IBM i.
AD-iCT, the essential complement to IBM i SSO
Whatever your context and skills - IBM i or AD - AD-iCT's automation functions enable you to use EIM-based SSO in production.
AD-iCT's functions are already deployed on hundreds of IBM i partitions and, together with EIM, offer a powerful, efficient and resilient SSO.
Move on to the next step
Contact us to manage your SSO and maintain it in operational condition