Single Sign On Managed Services

Absolutely not. You can implement SSO for applications across nearly any combination of platforms.

 The Kerberos protocol is often a key component in single sign-on. It is used to simplify password management by authenticating a user to an interface running on a remote system. 

 SSO can significantly reduce the high cost of managing passwords across your organization. The overwhelming majority of the cost of managing employee access to computing resources is tied up in the cost of managing passwords. Most people are shocked by the magnitude of these costs. When you add up the time spent managing passwords by all end users, administrators, and help desk personnel in an organization, plus the time waiting on the phone for a solution, and the time it takes every employee to change all of their passwords four or more times a year, these costs are surprisingly high. When you understand the actual cost of managing passwords, evaluating SSO solutions becomes so much easier. 

No, that’s the beauty of this approach. EIM (enterprise information management) ensures that sessions get created under the appropriate user ID on non-Windows platforms even if the userIDs for a person are different in the Windows domain and in the non-Windows platform. 

If the Web server you are using supports Kerberos and the application is written (or can be changed) to use Web server authentication, then the answer is yes.

You have to access IFS through some sort of interface. FTP, NetServer, Telnet, ODBC, etc. all support SSO. Once the application/interface is connected and the job associated with it is running under the proper user ID, SSO has nothing to do with accessing any resources, such as IFS, QSYS.LIB, DB2, and others.

No, this service relies entirely on function you already own. You need one Key Distribution Center (KDC, also known as a Kerberos server) and you need client-side Kerberos support for each client to which you want to authenticate. Windows domain controllers are KDCs. If you log into a Windows domain from your PC then, by definition, you have KDC. Nearly all commercial operating systems provide Kerberos client support. Of course, you don't have to have a Windows domain to use SSO—it's just more work to create a KDC and the Kerberos users.

It works with IBM PC5250 clients starting with V5R1. 

Yes. The Java applications need to be implemented to use Kerberos. Use the JGSS class methods to do this.

Logons won’t work (for most systems) if EIM goes down. There are a couple of strategies for dealing with this. Each environment and set of requirements are different, so it’s hard to describe which solution works best without having the details. Sometimes companies can rely on their HA plan. They typically will host the EIM repository on the production system. If the production system ever goes down they know that the HA system becomes the production system. In this scenario, they can either use LDAP replication to keep the production and HA EIM repositories in sync or they can use their HA products to do so. You also must make sure that the Kerberos configuration and keytab file are enabled for HA. How this is done is highly dependent on whether the HA swap includes IP address and hostname takeover, only hostname takeover, or none. 

Yes.

No additional software is needed to get SSO working, though you can use a tool to automate loading and/or management of EIM.