At line 1 added 90 lines |
[{TableOfContents }]\\ |
In this appendix we provide information needed for backup and recovery of the single signon |
components. |
!! Microsoft Active Directory\\ |
Our scenario uses Kerberos authentication in the Microsoft Active Directory of your Windows |
2000 server. Backup and recovery of the Active Directory is therefore essential. For details |
refer to the Microsoft Technet whitepaper Active Directory Disaster Recovery at: |
[http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx]\\ |
This document also covers the Domain Controller replication, which prevents the Kerberos |
Network Authentication Service to be the single point of failure in the network. If you want to |
make your network more reliable and available you should consider setting up Domain |
Controller replication. |
!! Objects on your iSeries system\\ |
Details about the iSeries objects used to store the information for Network Authentication |
Service and EIM are given here. |
For details about how to backup and recover iSeries objects, refer to Backup and Recovery, |
SC41-5304. |
!! The iSeries Network Authentication Service objects\\ |
All objects used by the Network Authentication Service on the iSeries server are located in |
the Integrated File System (IFS) directory: |
/QIBM/UserData/OS400/NetworkAuthentication |
We recommend that you backup all objects and sub-directories of this directory on the same |
schedule that you back up your iSeries security data. |
!! The EIM domain on the iSeries LDAP directory server\\ |
The EIM domain is implemented in an LDAP directory. If you use the directory server |
integrated in OS/400, it stores information in the following locations: |
* The database library (QUSRDIRDB by default), which contains the directory servers |
contents. The name of the library can be found in iSeries navigator Network -> Servers -> |
TCP/IP -> Directory Server -> Properties. |
* The QDIRSRV2 library, which is used to store publishing information (not used by EIM).\\ |
* The QUSRSYS library, which stores various items in objects beginning with QGLD\\ |
(specify QUSRSYS/QGLD* to save them). |
* If you configure the directory server to log directory changes, a database library called |
QUSRDIRCL that the change log uses. |
Important: Correct object authorities of the Network Authentication Service objects and |
EIM objects are essential for your system and network security. To maintain them after the |
restore, it is not sufficient simply to restore the objects. You need to Restore User Profiles |
(RSTUSRPRF) prior to restoring the objects and to Restore Authorities (RSTAUT) after |
restoring the objects. For details refer to Backup and Recovery, SC41-5304. |
Appendix A. Backup and recovery 227 |
We recommend that you backup the libraries and objects listed above on the same schedule |
that you back up your iSeries security data. It may be necessary to save-while-active since |
the option to end the LDAP server may not available to you. |
The configuration data is stored in the following directory: |
/QIBM/UserData/OS400/Dirsrv/ |
You should also save the files in that directory whenever you change the LDAP configuration |
or apply PTFs. |
Another approach, from an availability perspective, is to use LDAP replication. Through V5R2, |
the OS/400 directory server has the capability to replicate data between a master server and |
one or more read-only replica servers. You can find more on replication in the IBM Redbooks |
on LDAP: |
* Implementation and Practical Use of LDAP on the iSeries Server, SG24-6193\\ |
* Understanding LDAP, SG24-4986\\ |
* LDAP Implementation Cookbook, SG24-5110\\ |
!! The iSeries EIM configuration\\ |
Except for the data in the EIM domain in the LDAP directory, EIM uses configuration |
information you enter when you run the EIM configuration wizard. This configuration data |
contains the URL of the LDAP server and the name of the parent DN (if any). |
The EIM configuration data is saved automatically with your security data using the Save |
Security Data (SAVSECDTA) command. |
You restore it simply by restoring the QSYS user profile object. |
!! Sample CL program to save your data\\ |
Example A-1 is a sample CL program that will save your data that relates to Network |
Authentication Service, LDAP, and EIM. |
%%quote |
|/******************************************************************************/ |
|/* SAVSSOOBJ - Save SSO objects (and more) */ |
|/* Parm: Device to which the objects are saved, */ |
|/* i.e. DEV parameter for various SAV... commands */ |
|/* */ |
|/* Saves the following: */ |
|/* - OS/400 security data including EIM configuration in the QSYS *USRPRF */ |
|/* - LDAP configuration and Network Authentication Service objects from IFS */ |
|/* - LDAP objects from QUSRSYS (their name start with QGLD) */ |
|/* - All default LDAP libraries. */ |
|/* You may need too change the following in the SAVLIB command: */ |
|/* * Change the name of the LDAP database library, if you changed */ |
|/* the default name in DIrectory Server Properties */ |
|/* * Remove the name of the QUSRDIRCL library if you have not set up */ |
|/* the logging of changes. */ |
|/* * Remove the name of the QDIRSRV2 library if you are not using */ |
|/* directory publishing */ |
|/******************************************************************************/ |
/% |
---- |
PGM PARM(&DEV) |
DCL VAR(&DEV) TYPE(*CHAR) LEN(10) /* PARM: Device for save commands */ |
/* Establish error handling */ |
|
|