Connecting to AS/400

Once IdentityForge has been configured for EmpowerID, you can add an AS/400 Identity Forge Connector domain to the EmpowerID Identity Warehouse as a managed Account Store. This topic demonstrates how to do so.

Prerequisites:

Before connecting EmpowerID to AS/400, you must configure Identity Forge for EmpowerID. See Configuring Identity Forge for EmpowerID for the details.

To connect to AS/400

  1. From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
  2. In Configuration Manager, expand the User Directories node in the navigation tree, and then click Account Stores.
  3. Click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the IBM AS/400 Security Boundary type from the drop-down list and then click OK.
  5. This opens the AS400 Directory window.

  6. In the AS400 Directory window, do the following:
    1. In the Ldap Server field, enter the name of the server on which the directory is installed, appending the port number if it is other than 389. Note that LDAP on TCP 389 is unencrypted unless StartTLS is negotiated on the connection, so the proxy account's bind credentials and the inventoried directory data cross the network in the clear; make sure the path between the Agent server and the AS/400 is a trusted network segment or a connection you have confirmed is TLS-protected.
    2. Enter the partition suffix in the Partition Suffix field.
    3. Enter the proxy account's credentials into the fields of the Proxy Information panel. The account must have at least read access to the partition that holds the objects in the directory; that is sufficient for inventory only. Provisioning, password resets and permission enforcement (see the Connection Account setting below) require additional rights, so grant the account only the rights the operations you intend to enable actually need. The account entered here is saved as the default proxy account (connection credential) used when managing these objects. You can change it at any time.

    4. At this point, the AS400 Directory window should look similar to the following image.

    5. Click the Choose button below the Proxy Information panel to open the Choose Servers window. This window provides the interface for selecting the server(s) on which the EmpowerID AS/400 Agent(s) reside.
    6. In the Choose Servers window, toggle the Server button from a red sphere to a green check box for each server running the EmpowerID AS/400 Agent. You must pick a server running the Agent that is in the same Forest and can reach the AS/400 Directory over LDAP port TCP 389 (or the alternate port you entered above). Note that the Agent service must be started on a server before that server appears in the Choose Servers window.
    7. Click OK to close the Choose Servers window.
    8. This returns you to the AS400 Directory window, which should look similar to the following image.
    9. Click OK to close the AS400 Directory window.
  7. In the Security Boundary Ldap Details screen that appears, change the Display Name from the server and port to something more friendly, such as AS/400. You should see the new display name appear on the screen.
  8. Click the Account Stores tab to the left of the screen.
  9. From the grid to the right of the tab, double-click the AS/400 Security Boundary or right-click it and select Edit from the context menu.
  10. This opens the Account Store Ldap Details screen. This screen is used to configure the settings that EmpowerID uses to manage the domain. A description of the settings available from this screen follows.

    • General Pane

      Use this pane to set general information for the Account Store.

      • Account Store Name - This is the name of the Account Store in question. This field is populated from the value supplied when you connected to the AS/400 directory.
      • To change this field, click the Edit button to the right of the line, enter the new name into the Account Store Friendly Name window that opens and then click OK to close the window.

      • Resource System Name - This is the name of the resource system that displays to users.
      • To change this field, click the Edit button to the right of the line, enter the new name in the Resource System Friendly Name window that opens and then click OK to close the window.

      • LDAP Agent - This is the name of the server hosting the EmpowerID Agent. The EmpowerID Agent is the service that maintains all communication between any LDAP server (such as AS/400) and EmpowerID.
      • To change this field, click the Edit button to the right of the line and in the Choose Servers window that appears, toggle the button beside the server you wish to use from a red sphere to a green check box. Please note that the agent must be running on the server before it will appear in the Choose Servers window.

      • Connection Account - This is the proxy account entered when you connected to the AS/400 directory. This account is used for inventorying, provisioning, password resets, and enforcing permissions, so the account entered here must hold the privileges those operations require in the AS/400 directory. Because it is a standing credential with write and password-reset rights, treat it as a privileged account: limit it to the rights the features you have enabled actually use, and audit its activity on the AS/400 side.
      • To change this field, click the Edit button to the right of the line, enter the account information into the Proxy Connection Account window that opens, and then click OK to close the window.

      • LDAP Directory Server - This is the name of the server hosting the AS/400 directory and the port on which EmpowerID monitors it for changes. The values here were entered when you connected to the AS/400 directory.
      • To set this field, click the Edit button to the right of the line, select a directory server in the Change Domain Controller window that opens, and then click OK to close the window.

      • Resource System Type - This is the resource system type for the Account Store.
      • To set this field, click the Edit button to the right of the line, select a resource system type in the Change Resource System Type window that opens, and then OK to close the window.

      • Default User Creation Path - This is the creation location that is selected in a workflow process. If a change is needed here due to your environment, please contact Professional Services to make the change.
      • Default Group Creation Path - This is the creation location that is selected in a workflow process. If a change is needed here due to your environment, please contact Professional Services to make the change.
      • Maximum Accounts Per Person - Specifies the maximum number of user accounts from this domain that a person can have linked to them. This caps the damage from a runaway join caused by a wrongly configured Join rule, which would otherwise link many unrelated accounts to one person (and extend that person's password sync and role assignments to them). It is recommended that this value be set to 1 unless users legitimately have more than one account and you want those accounts joined to the same person.
      • To set a numeric value, click the Edit button to the right of the line, enter a number in the Change Max Accounts Per Person window that opens, and then click OK.

      • Business Role Priority - This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence.
      • To set an order, click the Edit button to the right of the line, enter a number in the Change Business Role Priority window that opens and then click OK.

      • Icon - This is the image icon that represents this account store in user interfaces.
      • To set the icon, click the Icon Selector button to the right of the line, select an icon from the drop-down list and click OK.

      • Partition Suffix - Allows the Account Store Partition Suffix to be specified.
      • To set the Partition Suffix, click the Edit button to the right of the line, enter the appropriate information in the Account Store Partition Suffix window that opens and then click OK.

      • Enable Pass-Through Authentication - This allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format needs to be used.
      • To enable this function, click the Enable Pass-Through Authentication button to the left of the line and toggle it so that the green check is visible.

      • Enable Simple Username Search for Pass-Through Authentication - Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks whether the user name entered exists within its metadirectory and, if so, attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Account Stores where simple username search is enabled to find the correct user name and password combination. Note: Simple search can cause long delays during the login process in environments with a large number of domains. Because each of those attempts is an authentication against that store, a mistyped password can also register a failed logon in every store with simple search enabled, which counts toward the lockout thresholds of each of those directories.
      • To enable this function, click the Enable Simple Username Search button to the left of the line and toggle it so that the green check is visible.

      • Allow Password Sync - Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.
      • To enable this function, click the Allow Password Sync button to the left of the line and toggle it so that the green check is visible.

      • Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlement policies to each person provisioned from an inventoried AS/400 account if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement Policy.
      • To enable this function, click the Allow RET Provisioning button to the left of the line and toggle it so that the green check is visible.

      • Allow RET De-Provisioning - Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
      • To enable this function, click the Allow RET De-Provisioning button to the left of the line and toggle it so that the green check is visible.

      • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.

    • Inventory Pane

      Use this pane to enable or disable and set the inventory schedule for the domain. A description of the pane follows below.

      • Inventory Schedule - This is the interval between complete inventories of the resource system. The default value is 10 minutes.
      • To set this value, click the Edit button to the right of the Inventory Schedule line, enter a value into the Set Schedule Inventory window that opens, and then click OK.

      • Enable Inventory - This allows EmpowerID to perform a complete inventory of the resource system.
      • To enable inventory, toggle the Enable Inventory button to the left of the line so that the green check is visible.

      • Inventory Provision Request Workflow - This is the request workflow that is initiated when new accounts are discovered via the inventory feature. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Join Provision flags described below are ignored.
      • This setting is not enabled by default and should be used only where customization of the process is required.

        To set the workflow, click the Edit button to the right of the line, select a workflow from the Change Request Workflow window that opens, and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.

      • Allow Automatic Person Provision on Inventory - This allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
      • When provisioning people, you have the following optional settings that can be made:

        • Business Role for New Inventory Provision - This allows you to select a Business Role for people discovered during the inventory process. The default setting assigns newly discovered people to the Temporary Business Role.
        • To pick a Business Role other than the default, click the Edit button to the right of the line, select a Business Role from the Business Role Selector window that opens and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.

        • Location for New Inventory Provision - This allows you to select the location that is to be the primary location for the people discovered during the inventory process. The default setting uses the AS/400 OU of the user object as the primary location. It is recommended that you leave this set to the default setting.
        • To pick a location other than the default, click the Edit button to the right of the line, select a location from the Business Role and Location Selector window that opens, and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.

          Selection of a specific location overrides the default logic that assigns the AS/400 OU of the user object as the primary location for the new person.
      • Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure. This is useful for environments where users might have multiple accounts located in disparate systems. This option is used in conjunction with the Maximum Accounts Per Person setting in the General Pane of this screen to limit the number of accounts that can be assigned to one person.
      • To enable automatic joining, click the button to the left of the line and toggle it so that the green check is visible.

        All Join rules are commented out of their SQL stored procedures by default. To use a Join rule, you must uncomment the rule in the appropriate SQL stored procedure. Accounts that no Join rule links to a person are classified by EmpowerID as Orphaned Accounts. Before uncommenting a rule, confirm that the attribute it matches on is unique per person in both systems; a rule that matches on a shared or loosely formatted attribute links accounts to the wrong person, and the only guard against that is the Maximum Accounts Per Person setting.
      • RBAC-Assign Initial Group Membership On First Inventory - This converts each user account in an AS/400 group to a Resource Role Assignment for the person who owns the user account.
      • Enabling this function is not recommended in most cases as it removes the ability to manage groups in the directory. A consequence of this is that if a user account is removed from a directory group, EmpowerID puts the account back in the group.
      • Re-Inventory - Enabling this option resets the change-tracking counter (usn) to 0 so that the next inventory re-reads all objects and changes from the directory.

    • Group Membership Reconciliation Pane

      Use this pane to enable or disable and schedule group membership reconciliation for the domain. This process ensures that the domain local groups used to grant native AS/400 permissions, such as read or write access for the group member attribute, are created in EmpowerID and granted the proper native permissions.

      Among the available Resource Enforcement Types are the following:

      • No Action - No rights enforcement action occurs.
      • Projection with No Enforcement - Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native environment.
      • Projection with Enforcement - Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native environment.
      • Projection with Strict Enforcement - EmpowerID overrides any changes made in the native environment. All changes made must occur within EmpowerID to be accepted. Strict Enforcement only applies to Groups.

      To set Rights Enforcement for Resource Role Groups, do the following:

      1. Click the Resource Enforcement Type edit icon to the right of the Resource Enforcement Type line.
      2. In the Change Resource Enforcement Type window that appears, select the resource enforcement type from the drop-down list, and then click OK to close the window.
      3. Click the Membership Schedule button to the right of the Membership Schedule line, enter the desired schedule into the Set Schedule Interval window that appears and then click OK to close the window.
      4. Click the Enable this Functionality button so that the green check is visible.
      5. Clicking the Run Now button immediately runs the Resource Role Group Membership Reconciliation process and adjusts the next run time to the Enforcement Schedule setting. You should not run the process until you have completed all configuration steps.
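The interaction between the Join rule and the Maximum Accounts Per Person setting is easiest to see with a small simulation. The following is an added illustration, not EmpowerID code and not the logic of the Custom_Account_InventoryInboxJoinBulk stored procedure: it runs a constructed list of inventoried AS/400 accounts through a sound join rule (exact logon-name match) and through a deliberately bad one (first-letter match), with the per-person cap set to 1 and then to a permissive 10. The person and account records, rule names and function names are all assumptions made for the example.

```python
"""Simulation of inventory join with a Maximum Accounts Per Person cap.

Added example; not EmpowerID code and not the real join stored procedure.
All records and rules below are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Person:
    person_id: int
    login: str
    linked_accounts: list = field(default_factory=list)


@dataclass(frozen=True)
class Account:
    account_id: int
    logon_name: str  # AS/400 user profile name as inventoried


def fresh_people():
    # Constructed metadirectory contents; rebuilt per run because linking mutates them.
    return [Person(1, "jsmith"), Person(2, "adoe")]


# Constructed inventory result. QSECOFR stands in for a system profile that
# has no owning person and must remain orphaned.
ACCOUNTS = [
    Account(101, "JSMITH"),
    Account(102, "JDOE"),
    Account(103, "JLEE"),
    Account(104, "ADOE"),
    Account(105, "QSECOFR"),
]


def rule_logon_name(acct, people):
    """Sound join rule: exact, case-insensitive match on the logon name."""
    return [p for p in people if p.login.lower() == acct.logon_name.lower()]


def rule_first_letter(acct, people):
    """Deliberately bad join rule: matches on the first letter only."""
    return [p for p in people if p.login[0].lower() == acct.logon_name[0].lower()]


RULES = {"logon_name": rule_logon_name, "first_letter": rule_first_letter}


def run_inventory_join(accounts, people, rule, max_accounts_per_person):
    """Apply one join rule to every inventoried account.

    Returns (joined, orphaned, rejected):
      joined   - (account_id, person_id) pairs that were linked
      orphaned - account_ids with no candidate person (Orphaned Accounts)
      rejected - (account_id, reason) pairs held back for review
    """
    joined, orphaned, rejected = [], [], []
    for acct in accounts:
        candidates = rule(acct, people)
        if not candidates:
            orphaned.append(acct.account_id)
        elif len(candidates) > 1:
            rejected.append((acct.account_id, "ambiguous match"))
        elif len(candidates[0].linked_accounts) >= max_accounts_per_person:
            # The cap is what stops a bad rule from piling accounts onto one person.
            rejected.append((acct.account_id, "max accounts per person reached"))
        else:
            candidates[0].linked_accounts.append(acct.account_id)
            joined.append((acct.account_id, candidates[0].person_id))
    return joined, orphaned, rejected


def run_scenario(rule_name, max_accounts_per_person):
    return run_inventory_join(ACCOUNTS, fresh_people(), RULES[rule_name],
                              max_accounts_per_person)


if __name__ == "__main__":
    for name, cap in (("logon_name", 1), ("first_letter", 1), ("first_letter", 10)):
        joined, orphaned, rejected = run_scenario(name, cap)
        print(f"rule={name} cap={cap}: joined={joined} orphaned={orphaned} rejected={rejected}")
```

With the sound rule and the cap at 1, only JSMITH and ADOE are linked and the rest are orphaned for review. With the bad rule and the cap still at 1, JSMITH is linked to jsmith and the two other J-accounts are held back by the cap; with the cap raised to 10 the same bad rule quietly links JDOE and JLEE to jsmith as well, which is exactly the runaway join the setting exists to prevent.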

Once you have completed the configuration of your Account Store, you should:
  1. Configure the attribute flow rules for the account store (by default all attributes except the mail attribute are set for bidirectional flow).
  2. Map your external locations to corresponding EmpowerID Locations.
  3. Turn on inventory.