On Thursday, 06/11/2009 at 12:51 EDT, Michael Coffin <michaelcof...@mccci.com> wrote:

> There is NO version of the RACF product that runs on Linux.  The RACF server
> must be licensed for and run on a supported platform (e.g. z/OS or z/VM).  Is
> that correct?

Correct.

> If z/VM, it must be 5.4 or higher?

I'm not sure what you're asking.  Each release of z/VM contains a RACF 
feature.  z/VM 5.3 and 5.4 include LDAP, but z/VM 5.4 is where you want to 
be.

> If the RACF server runs on z/VM, are there any other licensed program
> products that are co-requisite?

If you want to use the RACF panels instead of the RACF command line, you 
need ISPF/VM.  If you want to customize RACF widgets that live in CP 
(HCPRWA), or you want to modify some exits, you will need High-Level 
Assembler (HLASM).  If you want to run the Common Criteria-certified 
version of HCPRWA (documented in the Secure Configuration Guide), then you 
can use the provided text deck and forgo HLASM.  One of the big 
differences in the default HCPRWA and the certified version is in how CP 
treats a "not defined to RACF" error.  The default is to defer to CP.  The 
Better answer is to fail the request, ensuring that ALL resources in a 
protected class have an applicable profile defined for them.  This 
enforces a Right and Proper resource deployment model.

> Is the same true for z/OS-based RACF servers?

Yes, but z/OS includes ISPF and HLASM at no additional charge.

> Are there any licensed program products that must be installed on Linux?

No.

> I see reference to IBM Tivoli Directory Server, but it's unclear if this runs
> on the Linux instances or the z/Series RACF hosts.

IBM Tivoli Directory Server (ITDS) is LDAP.  Linux LDAP PAM can 
communicate with any LDAP server for authentication when you log on to a 
Linux user (e.g. root).  If that LDAP server is running on z/OS or z/VM, 
then it can use RACF to authenticate the *Linux* user.  I.e. you could 
translate Linux user root to z/VM user MAINT if you wanted to, or you 
could just enroll ROOT in RACF.

The LDAP server that runs on z/OS has the ITDS brand.  The LDAP server on 
z/VM is a cleverly disguised z/OS ITDS server, but it does not have the 
ITDS brand.

Alan Altmark
z/VM Development
IBM Endicott
