332 Securing DB2 and Implementing MLS on z/OS
Figure C-2 The EIM conceptual implementation
EIM components
The basic components of EIM are:
- The EIM domain controller: The domain controller is an IBM Tivoli Directory Server or IBM z/OS Integrated Security Services LDAP Server that contains one or more EIM domains. These can be:
  - The OS/400 V5R2 LDAP server on iSeries™
  - The z/OS V1R4 LDAP server on zSeries
  - The IBM Directory Services on all platforms, including AIX 5L on pSeries®, Windows 2000 on xSeries®, and Linux
  The information in the domain controller is created and maintained by an administrative utility:
  - OS/400 V5R2 iSeries Navigator
  - z/OS V1R4 with SPE OW57137 and later
  - AIX 5L V5R3
[Figure C-2, recovered from the diagram: an EIM domain controller (DomServer) holding the registry table below, a Kerberos Key Distribution Center (KDC) with its AS and TGS, the EIM identifier "John N. Smith" with one source association and four target associations, and an EIM client on each participating system.

Registry   User         Type
DomServer  John Smith   Kerberos
ServerA    JSMITH       OS/400
ServerB    JOHN         RACF
IntraNet   JohnS        AIX 5L
SysA       JS50852      OS/400

The exchange shown (steps 1 to 6 in the figure; the steps that request the TGT are not shown): John asks the KDC "Can I have a ticket for SysA?" and gets "Sure."; he presents the ticket to SysA with "Here's my ticket. Can you let me in?"; SysA asks the domain controller "Hey, who is this John Smith?"; the controller answers "I know, that's JS50852"; SysA replies "Welcome JS50852".]
Appendix C. Enterprise Identity Mapping 333
- The EIM domain: The domain contains the mappings for an enterprise. It is located by the URL of the LDAP server. The name of the domain should describe the enterprise. An example of an EIM domain's URL is:
  ldap://some.host/ibm-eimDomainName=My Business,c=fr
- The EIM client: This is the code that implements the EIM lookup APIs and the administrative APIs used for creating, modifying, displaying, and removing information in an EIM domain.
  The EIM client uses the EIM API that is provided with the eServer's operating systems or that is downloadable from the Internet. As of the writing of this book, the EIM client APIs are available in C/C++ or Java with these minimum system levels:
  - OS/400 V5R2
  - z/OS V1R4 with SPE OW57137
  - AIX 5L R5V2
  - Microsoft Windows 2000, with the IBM Directory V4.1 client
  - Linux SLES8 on PPC64, Red Hat 7.3 on i386™, or SLES7 on zSeries; with the IBM Directory V4.1 client or OpenLDAP v2.0.23 client
  EIM applications no longer require APF authorization as of z/OS V1R7 or later.
  Note that the Windows and Linux clients must be downloaded from:
  http://www.ibm.com/servers/eserver/security/eim/availability.html
- The EIM identifier: This is the unique name of an individual or entity within the enterprise. It can be a name, a number, or some combination of the two that represents a person or entity in your company. The EIM identifier is the anchor point for all mappings.
- The EIM registry: This is the logical representation of a user registry that exists on one of the systems in the network. Examples of user registries are RACF (or equivalent), LDAP (which contains bind IDs and passwords), and Lotus Notes®. An EIM registry contains only user IDs and the EIM information needed for mappings to EIM identifiers. It does not contain any of the other information, such as passwords or user attributes, that normally exists in a user registry.
- The EIM associations: These are the relationships between a user ID and an EIM identifier. There are three kinds of associations:
  - Source association: The registry user ID can be used as a source, that is, a starting point, for a lookup operation. Note that it is assumed here that the source identity has been properly authenticated by the application.
  - Target association: The registry user ID can be returned as the target value for a lookup operation. It is expected that this user ID is intended to be used for access control by the application.
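The following is an added example, not code from the Redbook or from IBM's EIM API (which is shipped as C/C++ and Java libraries). It models in plain Python the lookup semantics the appendix describes: an identifier anchors the mappings, a registry user ID reaches the identifier only through a source association, and a lookup may return only user IDs that carry a target association. The registry rows and the identifier "John N. Smith" are taken from Figure C-2; treating the Kerberos principal as the source and the other four entries as targets follows the figure's "Source" and "Target" labels. The class and function names (`EimDomain`, `Assoc`, `parse_domain_url`, `build_figure_domain`) are this example's own, and the domain name "My Business" is borrowed from the appendix's sample URL.

```python
"""Toy model of EIM identifiers, registries and associations (added example)."""
from dataclasses import dataclass, field
from enum import Flag, auto
from urllib.parse import unquote, urlsplit


class Assoc(Flag):
    """Kinds of association between a registry user ID and an EIM identifier."""
    SOURCE = auto()  # user ID may start a lookup (the application authenticated it)
    TARGET = auto()  # user ID may be returned by a lookup (used for access control)


@dataclass(frozen=True)
class RegistryUser:
    registry: str  # EIM registry name, e.g. "SysA"
    user: str      # the user ID as it appears in that registry


@dataclass
class EimDomain:
    """In-memory stand-in for one EIM domain held on the LDAP domain controller."""
    name: str
    registries: dict = field(default_factory=dict)    # registry name -> registry type
    identifiers: set = field(default_factory=set)     # EIM identifiers (anchor points)
    associations: dict = field(default_factory=dict)  # (RegistryUser, identifier) -> Assoc

    def add_registry(self, name, reg_type):
        self.registries[name] = reg_type

    def add_identifier(self, ident):
        self.identifiers.add(ident)

    def associate(self, registry, user, ident, kind):
        """Record that user ID in registry maps to ident as SOURCE and/or TARGET."""
        if registry not in self.registries:
            raise KeyError(f"unknown EIM registry {registry!r}")
        if ident not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {ident!r}")
        key = (RegistryUser(registry, user), ident)
        prev = self.associations.get(key)
        self.associations[key] = kind if prev is None else prev | kind

    def source_identifiers(self, registry, user):
        """Identifiers reachable from an authenticated user ID via a source association."""
        ru = RegistryUser(registry, user)
        return sorted(ident for (r, ident), kind in self.associations.items()
                      if r == ru and Assoc.SOURCE in kind)

    def target_users(self, ident, registry):
        """User IDs in registry that a target association allows a lookup to return."""
        return sorted(r.user for (r, i), kind in self.associations.items()
                      if i == ident and r.registry == registry and Assoc.TARGET in kind)

    def lookup(self, source_registry, source_user, target_registry):
        """EIM lookup: source user ID -> identifier(s) -> target user ID(s) in target_registry."""
        if target_registry not in self.registries:
            raise KeyError(f"unknown EIM registry {target_registry!r}")
        found = set()
        for ident in self.source_identifiers(source_registry, source_user):
            found.update(self.target_users(ident, target_registry))
        return sorted(found)


def parse_domain_url(url):
    """Split an EIM domain URL into (LDAP host, domain DN), as in the appendix's example."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("EIM domain URL must use the ldap:// or ldaps:// scheme")
    dn = unquote(parts.path.lstrip("/"))
    if not dn.lower().startswith("ibm-eimdomainname="):
        raise ValueError("EIM domain DN must begin with ibm-eimDomainName=")
    return parts.netloc, dn


# Rows of the registry table in Figure C-2: (registry, user ID, registry type).
FIGURE_REGISTRY = [
    ("DomServer", "John Smith", "Kerberos"),
    ("ServerA", "JSMITH", "OS/400"),
    ("ServerB", "JOHN", "RACF"),
    ("IntraNet", "JohnS", "AIX 5L"),
    ("SysA", "JS50852", "OS/400"),
]


def build_figure_domain():
    """Populate a domain with the figure's identifier, registries and associations."""
    dom = EimDomain("My Business")  # name taken from the appendix's example URL
    dom.add_identifier("John N. Smith")
    for registry, user, reg_type in FIGURE_REGISTRY:
        dom.add_registry(registry, reg_type)
        # The Kerberos principal is the figure's source; the other four are targets.
        kind = Assoc.SOURCE if reg_type == "Kerberos" else Assoc.TARGET
        dom.associate(registry, user, "John N. Smith", kind)
    return dom


if __name__ == "__main__":
    dom = build_figure_domain()
    print(parse_domain_url("ldap://some.host/ibm-eimDomainName=My Business,c=fr"))
    # SysA asks "who is this John Smith?" and gets back JS50852.
    print(dom.lookup("DomServer", "John Smith", "SysA"))
    # A target-only user ID cannot start a lookup, so this returns nothing.
    print(dom.lookup("SysA", "JS50852", "ServerB"))
```

The point of the `Assoc` flag is the asymmetry the appendix spells out: a user ID with only a target association can be handed back to an application for access control, but it can never be the starting point of a lookup, so `lookup("SysA", "JS50852", "ServerB")` returns nothing until a source association is added for that registry user. A registry here holds only user IDs and their associations, never passwords or attributes, which mirrors what the appendix says an EIM registry contains.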
