EGL Development User Group


The EGL Development User Group is dedicated to sharing news, knowledge, and insights regarding the EGL language and Business Developer product. Consisting of IBMers, HCL, and users, this community collaborates to advance the EGL ecosystem.


EGL Single Sign On - Program Calls


  • 1.  EGL Single Sign On - Program Calls

    Posted Mon April 18, 2016 04:06 AM

    We have developed several EGL applications running on WAS on the IBM i.

    Customers have asked us to implement Single Sign On to the Windows Active Directory, they want to bypass the logon screen.

     

    I managed to configure EIM and SPNEGO on the IBM i and WAS.

    With this configuration I can secure the RUI application and get a LTPA token stored in a cookie.

    This cookie is placed in the request header of the REST service call. 

    With some Java code I managed to get to perform some tasks on the IBM i running under the IBM i profile of the Windows user.

     

    What we want to achieve is to get the EGL Program Calls also running under the IBM i profile.

    The Program Calls are processed by the fda7.jar and as far as I can see the connections are based on username and password and not on identity tokens.

     

    Does anyone know if there is a solution for that?

     

    Thanks in advance,

     

     

     

     

     

    Carlo Mertens - Axians


  • 2.  Re: EGL Single Sign On - Program Calls

    Posted Tue April 19, 2016 03:57 PM

    Carlos,

     

    A couple of questions:

     

    a.) Do you mean a pure "call pgm" type statement with a linkage table specifying the remote call? Or the externalType HostProgram?

    b.) Are you using Java400 or Java400J2C as the linktype?

     

    take care.

     

    Mark

    markevans


  • 3.  Re: EGL Single Sign On - Program Calls

    Posted Thu April 21, 2016 04:24 AM

    Hi Mark,

     

    Thanks for your response.

     

    We are using the call statement with the linkage table; in the linkage table we use Java400.

     

    Sample code:

        ReturnCode char(7) = "";
        UserProfile char(10) = "";
        UserName char(25) = "";
        call "MNR2XFR" (ReturnCode, UserProfile, UserName);

    Linkage table:

    remoteCall pgmName="MNR2XFR" conversionTable="CSOE1140" library="*LIBL" luwControl="SERVER" remoteBind="GENERATION" remoteComType="JAVA400" remotePgmType="STATEFUL"

     

    If we need to use another solution, like JAVAJ2C or HostProgram, please let me know.

     

    Thanks,

     

    Carlo

     

    Carlo Mertens - Axians


  • 4.  Re: EGL Single Sign On - Program Calls

    Posted Thu April 21, 2016 09:35 AM

    Carlo,

     

    I looked at the java400J2C resource adapter and did not see any way to set it up to use the LTPA token. But you may want to install the resource adapter and see if you see a way to set the connection pool authentication to use the LTPA token.

     

    Otherwise, there is not anything I am aware of in EGL that allows this today. That said, in the past (VisualAge Generator) we supported the ability to specify/set a GSS Credential. If this was enabled in EGL, would it give you what you are looking for? Or does it need to be an identity token? It may be possible to expose either one (if different), but would require an RFE.

     

    Another more complicated solution may be to use external types to do your own "program call".   It would follow some of the concepts/logic in the current IBM i libraries EGL provides for data queue and data store access from Java where we use external types within the JT400 toolkit.     The program call is probably more complicated due to things like data conversion etc, but this might be programmatically taken care of as well since EGL provides conversion functions.

     

    So, sorry it is not a definitive answer, but maybe one will be something you want to pursue.

     

    take care. 

     

    Mark

    markevans
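
Added example, not part of the thread and not EGL or IBM sample code: a Java helper for the external-type route from post 4, calling MNR2XFR through the JT400 toolkit with a Kerberos (GSS) credential instead of a user ID and password. The class name, the `host` and `delegated` parameters (a delegated credential taken from the SPNEGO login) and CCSID 1140 standing in for CSOE1140 are assumptions.

```java
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.AS400Message;
import com.ibm.as400.access.AS400Text;
import com.ibm.as400.access.ProgramCall;
import com.ibm.as400.access.ProgramParameter;
import com.ibm.as400.access.QSYSObjectPathName;
import org.ietf.jgss.GSSCredential;

/** Hypothetical helper that an EGL externalType (JavaObject) could wrap. */
public class Mnr2xfrCaller {
    private static final int CCSID = 1140; // assumed to match conversionTable CSOE1140

    /** Returns {ReturnCode, UserProfile, UserName} as filled in by MNR2XFR. */
    public static String[] call(String host, GSSCredential delegated) throws Exception {
        AS400 system = new AS400(host);
        // Kerberos only: never fall back to a user ID/password sign-on.
        system.setGSSOption(AS400.GSS_OPTION_MANDATORY);
        system.setGSSCredential(delegated);
        system.setGuiAvailable(false); // server side: no sign-on dialog
        try {
            int[] lengths = {7, 10, 25}; // char(7), char(10), char(25)
            AS400Text[] conv = new AS400Text[lengths.length];
            ProgramParameter[] parms = new ProgramParameter[lengths.length];
            for (int i = 0; i < lengths.length; i++) {
                conv[i] = new AS400Text(lengths[i], CCSID, system);
                // Blank-padded EBCDIC input; the same length is expected back.
                parms[i] = new ProgramParameter(conv[i].toBytes(""), lengths[i]);
            }
            String path = QSYSObjectPathName.toPath("*LIBL", "MNR2XFR", "PGM");
            ProgramCall pgm = new ProgramCall(system, path, parms);
            if (!pgm.run()) {
                StringBuilder sb = new StringBuilder("MNR2XFR failed:");
                for (AS400Message m : pgm.getMessageList()) {
                    sb.append(' ').append(m.getID()).append(' ').append(m.getText());
                }
                throw new IllegalStateException(sb.toString());
            }
            String[] out = new String[lengths.length];
            for (int i = 0; i < lengths.length; i++) {
                out[i] = ((String) conv[i].toObject(parms[i].getOutputData())).trim();
            }
            return out;
        } finally {
            system.disconnectAllServices(); // one call per connection in this sketch
        }
    }
}
```

With Kerberos sign-on, the IBM i resolves the principal to a user profile through the EIM mapping, so the called program runs under that profile rather than a shared service account.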