Security Patrol: V5R2, EIM, and Single Signon

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

What Are EIM and Single Signon?

Q: I saw in the V5R2 announcement that IBM has released something called EIM Single Signon. We want something to keep all of our passwords in sync for all of our AS/400s. Does EIM Single Signon mean that a solution is coming in V5R2?

A: Yes and no. Your question refers to two different items that IBM announced on April 29. First, IBM announced Enterprise Identity Mapping, or EIM. EIM is a bold initiative on the part of IBM that fits nicely into two prominent IBM initiatives: eServer and eLiza. Best of all, it was the creation of the security folks in Rochester. IBM also announced a Single Signon application that will run on top of EIM, but please don't confuse the two. Single Signon is built on top of the EIM architecture, but they are two distinct things.

To understand EIM, you must first understand the problem that IBM is trying to solve--and one could argue that only IBM could care enough to try to solve this problem. As computing environments get more complex and as more and more servers are added to an environment, IT shops look for a way to simplify the management of users across disparate systems and applications. While managing user identities can be challenging in a shop with multiple iSeries machines, the complexity compounds when you try to manage users across a network of dissimilar hosts. Throw in the fact that users can (and often do) have different names on different systems and even different names within multiple applications on the same system, and the possibility of making order out of the chaos looks hopeless.

But those are just the system administrator's problems; system administrators are only one set of people who find multiple IDs difficult. Another constituency is the application developers who want to build applications that pull data from multiple, often disparate, systems. These developers often must resolve the differences in user IDs on all of these systems in order to make their applications function. And when they must, they often compound the problem by implementing a new user registry to control access to their application. Finally, industry studies say that a typical user has an average of 14 passwords to memorize between work, home, and various Web interfaces. Remembering all those passwords is tough. Requiring hundreds of users to manage 10+ passwords apiece makes our systems and networks inherently less secure. Enter EIM.

EIM was designed to allow system administrators to associate user registries (an EIM term) across a variety of systems (I've been told that you can count on EIM support for all the of the eServer platforms). So imagine a scenario where I am known on two iSeries machines as JOHN, known on the zSeries as JEARL and JOHNE, known on two separate pSeries machines as ADMIN1, and known on the Windows network as EARLJ. EIM enables a user registry where all of my different IDs can be associated in one place. Once those relationships are in place, the number of applications that can be built appears to be limited only by imagination. If I needed to develop an application that queries data off of three of those systems, EIM could help by telling the application what my ID is on each of those systems. Sure this solves a big problem for the developer, but to really make this application cool, wouldn't it be nice if EIM could also sign me on to those three different systems?

Enter Single Signon. Single Signon is the first application built on top of the EIM infrastructure, and it is a marked improvement over the various "password synchronization" schemes that have been available to iSeries customers to date. IBM's Single Signon solution uses the Kerberos network authentication protocol standard to authenticate a user and then grants that user a one-time use, time-limited Kerberos "ticket" that the user can present to all of the Kerberos-enabled servers in the network. If the ticket is valid for the system in question, access is granted. If the ticket is not valid for the system (or has expired), access is denied.

Kerberos offers many advantages over other ways of managing the sign-on process. Some of the more important advantages are the fact that passwords are not stored or transmitted in any clear text or de-cryptable form, user enablement (or disablement) is done at a single point, and there is no way for passwords to get out of sync because a user's passwords are not stored on every single system. Best of all, Kerberos is an industry standard that is already supported in Windows(W2K and above), most versions of UNIX, and Linux. And as IBM rolls out their OS updates through the rest of this year, look for support for EIM-enabled Single Signon on all of the servers in the eServer line.

Why is IBM doing all this, you ask? By adding EIM to the entire eServer line of systems, IBM is providing a solution to a problem that its customers feel much more acutely than customers who run strictly HP, Sun, or Windows platforms. While these vendors faced the challenge of providing single sign-on across a homogeneous set of OSes and hardware platforms, IBM must solve the problem for at least five OSes (OS/400, Z/OS, AIX, Linux, and Windows) as well as many strategic applications (Domino, Tivoli, WebSphere, etc.). For IBM, making its systems easier to use and easier to integrate with other systems just makes good business sense.

So how much will all of this set you back when it finally is available? Nothing. IBM will provide EIM and Single Signon for free on each OS and, if we're lucky, may even release an open source version for Linux. A Linux open source version of EIM would help EIM gain market acceptance and market penetration beyond the traditional iSeries borders. It would also give EIM a life of its own, beyond the control of IBM. Where EIM goes from there is anyone's guess.

So yes, this is a bold initiative by IBM, and maybe it will take off in the marketplace. But what if no one but IBM supports this new standard? Frankly, I think that EIM has great potential, and IBM has made such a substantial commitment to it that even if Sun, HP, and Microsoft never climb on board, EIM will provide a tremendous benefit to eServer environments that use it. I think the tremendous value of EIM was best described by EIM and iSeries Security Architect Pat Botz during last week's iSeries Nation conference call. During his presentation, Botz asserted that earlier solutions were inadequate because they only solved the problem for one of the three primary constituencies. EIM will succeed because it solves the user registry problem for all three.

My advice to you is to keep an eye on EIM and its developments. EIM will provide an infrastructure not only for Single Signon, but for single identity management. When you think about all of the unique identifiers that you have in your organization, you'll understand the problem that IBM is trying to solve. Watch this space because there is certainly more to come.

John Earl is chief technology officer for the PowerTech Group in Seattle, Washington. This month, John's hobby is compiling long lists of all the different names he is known as. If you have a security question, or a new name for John, you can send him an email at This email address is being protected from spambots. You need JavaScript enabled to view it. or post it online in the MCPressOnline Security Forum.