NT-Mainframe Single Sign-On

SNA Server 4.0 includes a host security integration feature. This feature integrates Windows NT domain security and mainframe security and provides a single sign-on (SSO) function to let NT users or applications access a mainframe after they are logged on to the NT domain without having to manually sign on. The host security integration consists of four parts: host account cache service, NT account synchronization service, host account manager, and host security domain. Let's look at how you use these components to set up an SSO system.

First, you need to install the host account cache service on the Primary Domain Controller (PDC) of the NT domain in which your SNA servers reside. This service creates and maintains an encrypted SSO user database that maps NT and mainframe user accounts. You install the NT account synchronization service on the PDCs of the NT user accounts that require SSO. For example, suppose your company has two master account domains—BIGDOMAIN and BIGDOMAIN2—and a resource domain, SMALLDOMAIN. If your SNA servers are in the resource domain and all your NT users need SSO, you install the host account cache service on the PDC of SMALLDOMAIN, and you install the NT account synchronization service on the PDCs of BIGDOMAIN and BIGDOMAIN2.

In the SNA subdomain, you need to create a host security domain, which contains control information about how you want to map NT and mainframe accounts and which connection (physical unit—PU—in mainframe terminology) to use to send user credentials to the mainframe. You can use the mapped and replicated methods for user IDs and passwords to set up default user account mapping in the SSO database. If NT user IDs are different from the mainframe user IDs, use the mapped method. If NT user IDs are the same as mainframe user IDs, use the replicated method. The same rule applies to user passwords. The host security domain also lets you override the default by using the host account manager after you enable the override function in the host security domain. For example, Screen A shows that you can manually map John Smith's NT user ID—BIGDOMAINJSMITH—to his mainframe user ID—JOHNS—in the host account manager even if you chose the mapped method for user IDs in the host security domain definition.

Creating the host security domain in the SNA subdomain will create two NT local groups in the NT domain that the SNA subdomain belongs to. The two domain groups are the user group and the user proxy group. If you name the host security domain HOSTDOMAIN, for example, the user group name will be HOSTDOMAIN and the user proxy group name will be HOSTDOMAIN_PROXY. Each group has a different use. You must add a user's NT domain account to the user group if the user needs SSO. If a multiuser application running under a proxy account performs SSO with the account of the user who accesses the application, rather than with the proxy account, you need to add the proxy account to the user proxy group.

SNA Server's host security integration also provides a host account synchronization service to support third-party implementation of user password synchronization between NT and a mainframe. You don't need to install this service on SNA servers if you don't use a third-party password synchronization utility.