A Publication of iSeries 400 Experts Total Information Service

Security update: Six must-have security enhancements in V5R3

By Heather Ellwood and Sarah Kimmel
Monday, May 31st, 2004

      With the ever-increasing demand for tighter security measures in iSeries and multiplatform shops today, IBM has provided some key security enhancements in V5R3. Here are a few noteworthy additions:

      Enterprise Identity Mapping (EIM) has been enhanced to include new “mapping policy” support. This allows the use of policy associations with or without specific identifier associations in an EIM domain, which defines relationships between user identities in different user registries. Policy associations give users a way to create “many-to-one” mappings between multiple user identities and a single user identity.

      Additionally, a new parameter (EIMASSOC) has been added to the Create User Profile and Change User Profile commands, allowing users to define EIM identifier associations for the specified user profile in the local registry.

      “My absolute favorite security enhancements for V5R3 are the enhancements to Enterprise Identity Mapping. EIM is one of the underlying technologies that make single sign-on possible on OS/400 and i5/OS. Configuration enhancements make the likelihood very high that OS/400 and i5/OS shops will at least give single sign-on a try — and they will succeed at a very high success rate,” says Carol Woodbury, co-founder, SkyView Partners, Issaquah, WA.

      Single sign-on has been enhanced to include the iSeries Navigator Synchronize Functions wizard, which duplicates the configurations on the model system and copies them to the other systems in the group. Additionally, enhanced single sign-on support for OS/400 applications (that use Management Central servers) eliminates the need for identical passwords on systems that are managed through a central system in iSeries Navigator.

      Digital Certificate Manager (DCM) has been enhanced to include the “Manage LDAP Location” task, allowing certificates issued by the Local Certificate Authority to be stored in an LDAP location. Additionally, the “Assign a User Certificate” task stores the assigned certificates in an LDAP location rather than with a user profile. Another enhancement is the new “Check Certificate Expiration” function, which allows users to view and manage certificates based on an expiration date.

      Network authentication service has been enhanced to include the Kerberos Service Principal Configuration wizard, allowing administrators to add service principals for OS/400 Kerberos Authentication, Directory services (LDAP), the IBM HTTP Server for iSeries, and/or iSeries NetServer interfaces. Also, Host Name Resolution has been improved to send messages to administrators when host names from a PC and the iSeries do not match. The HTTP server for iSeries has also been enhanced in V5R3 to support Kerberos authentication. Additionally, a Kerberos server can be configured in the OS/400 Portable Application Solutions Environment (PASE) in V5R3.

      Virtual private networking (VPN) has been enhanced to include two new identifier types — My Local IP Address and IPv4 host name. These can be selected when defining VPN key exchange policies and connection data endpoints.

      New audit support includes a new system value, QAUDLVL2, to minimize the amount of audit data. “I’m happy to see this auditing enhancement. New values can be specified for QAUDLVL system value. The *SECURITY and *NETCMN values produce a lot of audit journal entries, many of which shops really don’t care about. These two values, or one of their subsetted values, can still be specified. These subsetted values allow administrators to get the audit entries they want without getting the extra noise,” says Woodbury.

      For more information about V5R3 security enhancements, see the iSeries Information Center at http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/index.htm.

      Mark your calendar for October 6-8, 2004, when iSeries DevCon 2004 will land in New Orleans, LA. At this definitive how-to event, attendees will learn first-hand from industry experts how to modernize, Web-enable, and maintain iSeries applications. For more information, see http://www.iseries400experts.com/devcon.
