Configure EIM

Below is a quick reference to configuring EIM for use with the identity token connection factory using iSeries Navigator. The quick reference assumes that the EIM controller (LDAP directory server) is the local directory server, residing on the same iSeries system that is being configured for EIM. See Enterprise Identity Mapping (EIM) for more information about configuring EIM.

Note: You need the LDAP server's administrative distinguished name and password to perform this task.

  1. Create a Domain in EIM
    The Identity Token connection factory requires an EIM domain to be configured. 

    Note: A system can only participate in one EIM domain at a time. If your system is already "joined" to an EIM domain and the domain has been added to Domain Management, use that domain and skip to step "Create a Source User Registry Definition in EIM".

    1. Ensure that the LDAP server has started. This will allow you to later verify the LDAP server's administrative distinguished name and password. However, be aware that the LDAP server will be stopped by the wizard later on.
    2. From iSeries Navigator's left navigation panel, navigate using system > Network > Enterprise Identity Mapping, where system is the name of your iSeries system.
    3. Click Enterprise Identity Mapping
    4. Click Configure system for EIM under the Enterprise Identity Mapping tasks panel
    5. Select Create and join a new domain
    6. Click Next
    7. A message appears concerning the need to stop the LDAP server. Click Yes to continue.
    8. Select No when asked if you would like to configure Network Authentication Service. Network Authentication Service is not required for the EIM Identity Token Connection Factory.
    9. Click Next
    10. Provide the name of the EIM domain and click Next
    11. Optionally specify a parent distinguished name for the EIM domain and click Next
    12. Provide the distinguished name and password for the directory server administrator and optionally verify the distinguished name and password.
    13. Click Next
    14. Select Local OS/400 and click Next
    15. Click Next to default the directory server administrator's distinguished name and password for use by the operating system for performing EIM functions.
    16. Click Finish

  2. Add the Domain to Domain Management
    1. From iSeries Navigator's left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management
    2. Right click on Domain Management and select the add domain option to start the configuration wizard that will add the domain you created in step 1 to domain management.
    3. Click OK

  3. Create a Source User Registry Definition in EIM
    The Identity Token connection factory requires a source User registry definition entry in EIM that represents the registry that WAS is using for authentication, either a local OS registry or an LDAP registry.
    1. From iSeries Navigator's left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain -> User Registries. If you are prompted for the LDAP server's password, provide the password and click OK.
    2. Right click and select Add Registry to start the configuration wizard that adds the registry to your domain, then provide the registry name and type. If your application server is hosted on an iSeries system and configured to use the LocalOS registry, select OS/400 as the EIM registry type. If your application server is configured to use the LDAP registry, enter 1.3.18.02.33.14-caseIgnore as the EIM registry type.

      Note: The value 1.3.18.02.33.14-caseIgnore is the object identifier (OID) form of the registry type whose principals are identified by the LDAP short name attribute. The wizard does not yet accept a descriptive name for this registry type; support for a descriptive name will be provided in follow-on iSeries Navigator releases.

    3. Click OK

  4. Create a User Identifier in EIM
    The Identity Token connection factory requires a user Identifier entry (this is equivalent to an EIM identifier) in EIM that represents the user of the application.
    1. From iSeries Navigator's left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain -> Identifiers
    2. Right click and select New Identifier...
    3. Enter an Identifier name, such as the user's full name, and click OK

  5. Create Associations in EIM for the User Identifier
    To support mapping from one user ID to another, we need associations in EIM.
    1. We need a target association to represent the user profile on the target OS/400 system for the identifier created earlier.

      1. From iSeries Navigator's left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain -> Identifiers
      2. Double click on the Application Identifier for the user created above. 
      3. Click on the Associations tab. 
      4. Click the Add button
      5. Provide the OS/400 user profile for the EIM identifier in the User field and click OK.
    2. We need a source association for the userid that the user represented by this EIM identifier uses to authenticate (log in) to WebSphere.

      1. From iSeries Navigator's left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain -> Identifiers
      2. Double click on the Application Identifier created above.
      3. Click on the Associations tab.
      4. Click Browse and select the WAS registry.
      5. Enter the WebSphere userid, such as: myuid
      6. Select Source
      7. Click OK to add the new association
    3. Click OK to save the associations

  6. Optionally Test the Connection to the EIM Domain Controller
    Use the ldapsearch command to test the connection to the EIM domain controller. This will also provide a sanity check for your EIM configuration. For example, if the LDAP server is located on host myserver, the EIM domain name is My EIM Domain, and the source registry is WAS Registry:
    1. Log on to the iSeries system that hosts your WebSphere profile.
    2. From an OS/400 command line type QSH and press Enter.
    3. Type the following command and press Enter:
      ldapsearch -h myserver -p 389 -D cn=administrator -w secret
      -b "ibm-eimDomainName=My EIM Domain"
      "ibm-eimRegistryName=WAS Registry"

    Note: The above lines have been wrapped to fit the display. Type them in one continuous line when entering the command.

    Where:
      myserver is the name of the host system of the LDAP server
      389 is the port used by the LDAP server
      cn=administrator is the LDAP distinguished name of the LDAP administrator
      secret is the LDAP administrator's password
      ibm-eimDomainName=My EIM Domain is the LDAP distinguished name of the EIM domain name entry

    Note: In this case there is no EIM domain parent name. Had there been an EIM domain parent name such as dc=myserver,dc=ibm,dc=com the LDAP distinguished name would be ibm-eimDomainName=My EIM Domain,dc=myserver,dc=ibm,dc=com.

    The expected output should look similar to the following:

      ibm-eimRegistryName=WAS Registry,cn=Registries,ibm-eimdomainname=My EIM Domain
      objectclass=top
      objectclass=ibm-eimRegistry
      objectclass=ibm-eimSystemRegistry
      ibm-eimRegistryName=WAS Registry
      ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
      description=Example Registry for WAS
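The check in step 6 can be scripted so that it is repeatable after configuration changes. The following Python is an added example and is not part of the original page or of IBM's tooling. It builds the EIM domain DN (including the parent-DN case from the note), assembles the ldapsearch argument list with the host, administrator DN, domain and registry names used above, and parses the search output to confirm that the source registry entry came back with a registry type. The function names (eim_domain_dn, build_ldapsearch_argv, parse_ldapsearch_output, check_registry) and the sample output are the example's own assumptions; the sample output is constructed to mirror the expected output above, not captured from a server.

```python
"""Added example (not from the original page): automate the step-6 ldapsearch
sanity check of an EIM domain controller. Host, names and the sample output
below are constructed for illustration."""
import subprocess
from typing import Dict, List, Optional, Tuple

# Characters that must be escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIALS = set(',+"\\<>;')
# Characters that must be escaped inside a search filter value (RFC 4515 3).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eim_domain_dn(domain_name: str, parent_dn: Optional[str] = None) -> str:
    """DN of the EIM domain entry: ibm-eimDomainName=<name>, followed by the
    parent DN when one was chosen while creating the domain (see the note)."""
    rdn = "ibm-eimDomainName=" + escape_dn_value(domain_name)
    return rdn + "," + parent_dn if parent_dn else rdn


def build_ldapsearch_argv(host: str, port: int, admin_dn: str, password: str,
                          base_dn: str, registry_name: str) -> List[str]:
    """Argument vector for the step-6 command. Passing an argv list instead of
    one shell line avoids quoting problems with names that contain spaces."""
    search_filter = "(ibm-eimRegistryName=%s)" % escape_filter_value(registry_name)
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", admin_dn, "-w", password,
            "-b", base_dn, search_filter]


def parse_ldapsearch_output(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries keyed by lower-cased attribute name.
    Entries are separated by blank lines; the first line of an entry is its DN
    (with or without a 'dn:' prefix) and later lines are 'attr=value' (the
    iSeries ldapsearch default) or 'attr: value' (LDIF). Repeated attributes
    such as objectclass collect into a list."""
    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the entry
            continue
        if current is None:
            dn = line[3:].strip() if line.lower().startswith("dn:") else line
            current = {"dn": [dn]}
            entries.append(current)
            continue
        pos_colon, pos_eq = line.find(": "), line.find("=")
        candidates = [p for p in (pos_colon, pos_eq) if p >= 0]
        if not candidates:
            continue                # unparseable line: ignore it
        cut = min(candidates)
        width = 2 if cut == pos_colon else 1
        attr, value = line[:cut], line[cut + width:]
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_registry(output: str, registry_name: str) -> Tuple[bool, str, str]:
    """Return (found, registry type, entry DN) for the named registry."""
    for entry in parse_ldapsearch_output(output):
        if entry.get("ibm-eimregistryname", [""])[0] == registry_name:
            return True, entry.get("ibm-eimregistrytype", [""])[0], entry["dn"][0]
    return False, "", ""


def run_ldapsearch(argv: List[str]) -> str:
    """Run the search and return its standard output (requires ldapsearch)."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed sample of what the step-6 search returns (mirrors the page's
# expected output; not captured from a real directory server).
SAMPLE_OUTPUT = """\
ibm-eimRegistryName=WAS Registry,cn=Registries,ibm-eimdomainname=My EIM Domain
objectclass=top
objectclass=ibm-eimRegistry
objectclass=ibm-eimSystemRegistry
ibm-eimRegistryName=WAS Registry
ibm-eimRegistryType=1.3.18.0.2.33.9-caseIgnore
description=Example Registry for WAS
"""

if __name__ == "__main__":
    argv = build_ldapsearch_argv("myserver", 389, "cn=administrator", "secret",
                                 eim_domain_dn("My EIM Domain"), "WAS Registry")
    print(" ".join(argv))
    print(check_registry(SAMPLE_OUTPUT, "WAS Registry"))
```

To test a live server, replace SAMPLE_OUTPUT with run_ldapsearch(argv). As with the page's own command, the administrator password passed through -w is visible to other users of the system in the process list for the duration of the search, so run the check from an interactive session rather than leaving it in a scheduled job.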