November 22, 2004 12:00 AM

Extending Windows SSO to Enterprises

Streamline and integrate non-Windows platforms and applications
Windows IT Pro
InstantDoc ID #44407

Microsoft BizTalk Server 2004 is the most recent version of Microsoft's enterprise applications integration (EAI) and business process integration server software. BizTalk Server 2004 helps enterprises integrate systems, employees, and partners so that they can automate and orchestrate interactions. Host Integration Server 2004 (HIS 2004) is the most recent version of Microsoft's mainframe gateway server software. (Microsoft called earlier HIS versions SNA Server.) HIS 2004 lets enterprises integrate mission-critical, host-based Microsoft .NET applications, data sources, messaging, and security systems and use IBM mainframe and midrange data and applications across distributed environments.

BizTalk and HIS now feature Enterprise Single Sign-On (ENTSSO). ENTSSO extends the Windows platform's built-in SSO functionality to include other OSs (e.g., Linux, UNIX) and mainframe and legacy enterprise applications such as enterprise resource planning (ERP) software (e.g., SAP). Architecturally, ENTSSO is an excellent example of a server-side, credential-caching automated SSO solution. Like BizTalk and HIS, ENTSSO is a valuable service for enterprises that have heterogeneous IT infrastructures and want to streamline and integrate the Windows-rooted portions of their infrastructures and applications with other legacy systems and applications.

ENTSSO Architecture
The ENTSSO architecture, which Figure 1, page 11, shows, is built around a module that maps a user's Windows account to one or more non-Windows accounts and their corresponding credentials. These credentials are necessary for SSO to occur when users access mainframe- or other non-Windows applications or platforms (called affiliate applications).

The ENTSSO credential mappings are securely stored in a Microsoft SQL Server database. You can use ssoconfig.exe and ssomanage.exe, a set of command-line administration utilities, to configure them. On the server side, you install the ENTSSO administration tools as part of the ENTSSO service installation. On the client side, you use ssoclient.msi or ssoclientinstall.exe to install the tools as part of the ENTSSO client software installation. You can also remotely administer credential mappings and other ENTSSO configuration parameters. Because ENTSSO doesn't have an administration GUI, you must perform all ENTSSO administration and configuration tasks from the command line, as Figure 2 shows.

You can trigger credential-mapping lookups by using BizTalk-rooted application adapters (for Windows-initiated lookups) or HIS-rooted data providers (for Windows- or host-initiated lookups). The first scenario is linked to a Windows-initiated SSO sequence. The second scenario can be linked to either a Windows- or host-initiated SSO sequence. Windows-initiated SSO means that users who log on to a Windows environment can use SSO when they access non-Windows resources. Host-initiated SSO means that users who log on to a non-Windows environment (e.g., a mainframe application) can use SSO when they access Windows resources. Host-initiated SSO is a unique feature of HIS.

ENTSSO supports four account-mapping mechanisms:

  • A Windows individual mapping defines a one-to-one relationship between Windows and non-Windows accounts. A user or administrator can manage this mapping.
  • A Windows group mapping defines a many-to-one relationship between Windows and non-Windows accounts. All Windows users use the same non-Windows account to access the back-end system. Only administrators can manage this mapping.
  • A host individual mapping is an HIS-specific mapping that's available only for host-initiated SSO and defines a one-to-one relationship between non-Windows and Windows accounts. A user or administrator can manage this mapping.
  • A host group mapping is an HIS-specific mapping that's available only for host-initiated SSO and defines a many-to-one relationship between non-Windows and Windows accounts. Only administrators can manage this mapping.

To securely store the legacy credentials in the SQL Server database, ENTSSO uses a 128-bit symmetric encryption key called the master secret to encrypt and decrypt passwords. The master secret is securely stored on a dedicated master secret server, which is a special ENTSSO server that multiple ENTSSO servers can share.

The ENTSSO installation program creates an SSO database (SSODB) in the SQL Server database. The SSODB holds 11 ENTSSO-specific tables, including the SSOX_IndividualMapping table, which stores the Windows domain name, Windows account name, external application name, and external account name, and the SSOX_ExternalCredentials table, which stores the external application name, external account name, and encrypted external credentials. These credentials are encrypted with the master secret.

A typical ENTSSO setup consists of multiple ENTSSO servers (one for each application server that hosts a BizTalk adapter or HIS data provider), one ENTSSO master secret server, and one SQL Server machine that hosts the ENTSSO database. Every time an ENTSSO server decrypts or encrypts SSO data from the ENTSSO database, the server retrieves the master secret from the master secret server via a secure remote procedure call (RPC). For fault-tolerance purposes, you can cluster the SQL Server machine and the ENTSSO master secret server.
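The mapping model and encrypted credential store described above, as an added illustrative example (not ENTSSO's own code or schema): the four mapping types with their HIS-only and administrator-only rules, an individual-before-group lookup, and external passwords that rest only in encrypted form under a 128-bit master secret. The Mapping and MappingStore names are assumptions, and the SHA-256 keystream stands in for the unnamed symmetric cipher so the example runs with the standard library alone.

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass
class Mapping:
    kind: str        # "individual" (one-to-one) or "group" (many-to-one)
    direction: str   # "windows" (Windows-initiated) or "host" (host-initiated, HIS only)
    source: str      # Windows user/group for "windows", host account for "host"
    app: str         # affiliate application name
    target: str      # external account for "windows", Windows account for "host"
def _xor_stream(key, nonce, data):
    # Stand-in for the unnamed 128-bit symmetric cipher: SHA-256 keystream XORed over data.
    out, i = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

class MappingStore:
    def __init__(self, master_secret, his_installed):
        self.master_secret = master_secret   # 16-byte (128-bit) key; in ENTSSO held by the master secret server
        self.his = his_installed
        self.mappings = []                   # models SSOX_IndividualMapping rows (plus group rows)
        self.credentials = {}                # models SSOX_ExternalCredentials: (app, account) -> (nonce, ciphertext)
    def add_mapping(self, mapping, is_admin=False):
        # Host-initiated mappings need HIS; group mappings are administrator-only.
        if mapping.direction == "host" and not self.his:
            raise PermissionError("host-initiated mappings are available only with HIS")
        if mapping.kind == "group" and not is_admin:
            raise PermissionError("group mappings can be managed only by administrators")
        self.mappings.append(mapping)
    def store_credential(self, app, account, password):
        # External passwords never rest in the clear; each row gets its own nonce.
        nonce = os.urandom(16)
        self.credentials[(app, account)] = (nonce, _xor_stream(self.master_secret, nonce, password.encode()))
    def resolve(self, principal, groups, app, direction):
        # An individual mapping for the principal wins; otherwise any group mapping it belongs to.
        for kind, names in (("individual", {principal}), ("group", set(groups))):
            for m in self.mappings:
                if m.kind == kind and m.direction == direction and m.app == app and m.source in names:
                    return m.target
        return None
    def lookup_credential(self, principal, groups, app):
        # Windows-initiated SSO: map the Windows account, then decrypt with the master secret.
        account = self.resolve(principal, groups, app, "windows")
        if account is None or (app, account) not in self.credentials:
            return None
        nonce, ct = self.credentials[(app, account)]
        return account, _xor_stream(self.master_secret, nonce, ct).decode()
```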

ENTSSO Packaging and Installation

BizTalk Server 2004 and HIS 2004 ship with ENTSSO server and client software. You can use the BizTalk installation program or the HIS installation program to install and configure the ENTSSO server. (Figure 3 shows the BizTalk installation wizard.) To install the client-side software, you can use the ssoclientinstall.exe program for BizTalk or the ssoclient.msi program for HIS.

BizTalk and HIS have long lists of preinstallation requirements. You'll find the detailed requirements at http://www.microsoft.com/biztalk/evaluation/sysreqs/default_2004.asp (for BizTalk) and http://www.microsoft.com/hiserver/evaluation/sysreqs/default_2004.asp (for HIS).

As I mentioned earlier, only HIS supports host-initiated SSO scenarios. HIS also supports other capabilities that BizTalk doesn't. For example, HIS supports bidirectional password synchronization between Windows and non-Windows environments. HIS ENTSSO also includes password-synchronization interfaces and the Password Change Notification Service (PCNS).
