Plex 2E

Has anyone implemented single sign-on for WinC applications connecting to a iSeries/System i. If so, how hard is it to do and what are the steps?

I have the sample model for Plex 6.0 called "iSeriesManagePassword" and I have looked at it a little bit. Does it contain everything I need? TIA

Dean Eshleman,
MMA, Inc.

[left] I've no idea really but these seem to be somewhat relevant IBM docs:[left]  [left] iSeries Access for Windows C/C++ APIs:[left] http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzaik/rzaikapiinterfaces.htm[left]  [left] Single Signon: ISV enablement:[left] http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzamz/rzamzisvenable.htm[left]

Thanks for the response. I also had found some redbooks detailing the API's. I was hoping someone had already wrappered the API's and could explain the steps necessary to single sign-on enable a Plex client/server app. I guess I don't know where to intercept the connection attempt to the System i.

Dean Eshleman,
MMA, Inc.

The problem is that to connect to the AS/400 dispatcher, you need an AS/400 userid AND PASSWORD. The Plex dispatcher does not accept any other credentials.

I have implemented SSO twice, and it always had to involve a table with encrypted user id's and passwords.

I would encourage CA to expand the dispatcher to use the larger IBM SSO framework

I submitted a enhancement request for the dispatcher to make it work in SSO environments. If there are other people interested in this as well, I would suggest that you do the same thing. This will give CA some indication how much interest there is in this enhancement.

Dean Eshleman,
MMA, Inc.

Hi DeanI know this is an old post. Are you still working on a SSO solution?Just for sake of the forum and for future reference to the forum, we also have  a requirement for SSO. What we did is we have a SQL server with a table holding the username and encrypted password (That is changed frequently). When our users log in to the system (With their Windows NT credentials) the system authenticates against the Active Directory, if this authentication is passed it reads the username and password from that sql database, decrypts the password and logs in to the iSeries. The user is then logged in to everything. And he uses his Windows NT credentials, no other password to remember.  This functionality is in a Security pattern that we use, developed by Gavin Beangstrom.

Hi Tienie,  Thanks for the response.   We aren't working on an SSO solution right now.   I don't know if it will become a priority or not.  I have a question about your solution.   What maintains the passwords in the SQL table?   You mention that it changes frequently.   I assume you have a batch process that assigns new passwords and then changes it on the iSeries for each user ID.   Is that correct?  Dean Eshleman,MMA, Inc.

Hi Dean  We do not have all the users created on the AS400.. We have one "system user" and everyone logs in through this user. This makes the maintenance easier, but poses a problem because we cannot log who done what on the back-end, because its the same user all the time. We are still thinking of a solution to over come this.. Thus we only have one user on the as400. And this username and password is stored in that SQL database. Currently the change of this user is manualy. But you are right, the plan is have some job that changes the password for this user so that no one will ever know that password.  Regards