[{TableOfContents}]

In this appendix we provide information needed for backup and recovery of the single signon components.

!! Microsoft Active Directory

Our scenario uses Kerberos authentication in the Microsoft Active Directory of your Windows 2000 server. Backup and recovery of the Active Directory is therefore essential. For details, refer to the Microsoft TechNet white paper Active Directory Disaster Recovery at:\\
[http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx]

This document also covers Domain Controller replication, which prevents the Kerberos Network Authentication Service from being a single point of failure in the network. If you want to make your network more reliable and available, you should consider setting up Domain Controller replication.

!! Objects on your iSeries system

Details about the iSeries objects used to store the information for Network Authentication Service and EIM are given here.

For details about how to back up and recover iSeries objects, refer to Backup and Recovery, SC41-5304.

!! The iSeries Network Authentication Service objects

All objects used by the Network Authentication Service on the iSeries server are located in the Integrated File System (IFS) directory:\\
/QIBM/UserData/OS400/NetworkAuthentication

We recommend that you back up all objects and subdirectories of this directory on the same schedule on which you back up your iSeries security data.

!! The EIM domain on the iSeries LDAP directory server

The EIM domain is implemented in an LDAP directory. If you use the directory server integrated in OS/400, it stores information in the following locations:
* The database library (QUSRDIRDB by default), which contains the directory server's contents. The name of the library can be found in iSeries Navigator under Network -> Servers -> TCP/IP -> Directory Server -> Properties.
* The QDIRSRV2 library, which is used to store publishing information (not used by EIM).
* The QUSRSYS library, which stores various items in objects whose names begin with QGLD (specify QUSRSYS/QGLD* to save them).
* The QUSRDIRCL database library, which the change log uses if you configure the directory server to log directory changes.

Important: Correct object authorities on the Network Authentication Service objects and EIM objects are essential for your system and network security. Simply restoring the objects is not sufficient to preserve them after a restore: you need to Restore User Profiles (RSTUSRPRF) before restoring the objects and to Restore Authorities (RSTAUT) after restoring the objects. For details, refer to Backup and Recovery, SC41-5304.

We recommend that you back up the libraries and objects listed above on the same schedule on which you back up your iSeries security data. It may be necessary to use save-while-active, since the option to end the LDAP server may not be available to you.

The configuration data is stored in the following directory:\\
/QIBM/UserData/OS400/Dirsrv/

You should also save the files in that directory whenever you change the LDAP configuration or apply PTFs.

Another approach, from an availability perspective, is to use LDAP replication. Through V5R2, the OS/400 directory server has the capability to replicate data between a master server and one or more read-only replica servers. You can find more on replication in the IBM Redbooks on LDAP:
* Implementation and Practical Use of LDAP on the iSeries Server, SG24-6193
* Understanding LDAP, SG24-4986
* LDAP Implementation Cookbook, SG24-5110

!! The iSeries EIM configuration

Apart from the data in the EIM domain in the LDAP directory, EIM uses configuration information that you enter when you run the EIM configuration wizard. This configuration data contains the URL of the LDAP server and the name of the parent DN (if any).

The EIM configuration data is saved automatically with your security data by the Save Security Data (SAVSECDTA) command.

You restore it simply by restoring the QSYS user profile object.
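
The restore order prescribed in the Important note above (RSTUSRPRF first, then the objects, then RSTAUT), written out as a CL program. This is an added example, not Example A-1 or any other code from the Redbook; the program name RSTSSOOBJ, the error handling and the device placeholder TAP01 are assumptions, and the library names are the defaults listed above.

```cl
/******************************************************************************/
/* RSTSSOOBJ - Restore the SSO objects in the order that preserves their      */
/* authorities: RSTUSRPRF first, then the objects, then RSTAUT.               */
/* Parm: Device from which the objects are restored (the same device used     */
/*       for the save, e.g. TAP01 - a placeholder, not a value from the book).*/
/* Assumes the default library names QUSRDIRDB, QDIRSRV2 and QUSRDIRCL;       */
/* adjust them as you did for the save. RSTUSRPRF USRPRF(*ALL) requires a     */
/* restricted state (ENDSBS SBS(*ALL)), which also ensures the LDAP server    */
/* holds no locks on QUSRDIRDB while it is restored.                          */
/******************************************************************************/
PGM PARM(&DEV)
DCL VAR(&DEV) TYPE(*CHAR) LEN(10)      /* PARM: device for restore commands */
DCL VAR(&IFSDEV) TYPE(*CHAR) LEN(32)   /* same device in IFS path form      */
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

/* RST addresses the device by its IFS path, e.g. '/QSYS.LIB/TAP01.DEVD' */
CHGVAR VAR(&IFSDEV) VALUE('/QSYS.LIB/' *TCAT &DEV *TCAT '.DEVD')

/* Step 1: user profiles, including the QSYS profile that carries the EIM  */
/* configuration. This also reloads the private authority information that */
/* RSTAUT applies in step 3.                                                */
RSTUSRPRF DEV(&DEV) USRPRF(*ALL)

/* Step 2: the objects themselves */
RSTLIB SAVLIB(QUSRDIRDB) DEV(&DEV)
RSTLIB SAVLIB(QDIRSRV2) DEV(&DEV)
RSTLIB SAVLIB(QUSRDIRCL) DEV(&DEV)
RSTOBJ OBJ(QGLD*) SAVLIB(QUSRSYS) DEV(&DEV)
RST DEV(&IFSDEV) +
    OBJ(('/QIBM/UserData/OS400/NetworkAuthentication') +
        ('/QIBM/UserData/OS400/Dirsrv'))

/* Step 3: private authorities last; skipping this leaves the restored    */
/* Kerberos and EIM objects without the authorities that protect them.    */
RSTAUT USRPRF(*ALL)
RETURN

ERROR: SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
         MSGDTA('RSTSSOOBJ ended in error - see the job log') +
         MSGTYPE(*ESCAPE)
ENDPGM
```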

!! Sample CL program to save your data

Example A-1 is a sample CL program that saves your data related to Network Authentication Service, LDAP, and EIM.
{{{
/******************************************************************************/
/* SAVSSOOBJ - Save SSO objects (and more)                                    */
/* Parm: Device to which the objects are saved,                               */
/*       i.e. DEV parameter for various SAV... commands                       */
/*                                                                            */
/* Saves the following:                                                       */
/* - OS/400 security data including EIM configuration in the QSYS *USRPRF     */
/* - LDAP configuration and Network Authentication Service objects from IFS   */
/* - LDAP objects from QUSRSYS (their names start with QGLD)                  */
/* - All default LDAP libraries.                                              */
/* You may need to change the following in the SAVLIB command:                */
/* * Change the name of the LDAP database library, if you changed             */
/*   the default name in Directory Server Properties                          */
/* * Remove the name of the QUSRDIRCL library if you have not set up          */
/*   the logging of changes.                                                  */
/* * Remove the name of the QDIRSRV2 library if you are not using             */
/*   directory publishing                                                     */
/******************************************************************************/
PGM PARM(&DEV)
DCL VAR(&DEV) TYPE(*CHAR) LEN(10) /* PARM: Device for save commands */
/* Establish error handling */
}}}