Re: Using RACF for Single Signon ( logon )
OOPS! You are correct. PSYNCH is from M-TECH MERCURY INFORMATION TECHNOLOGY

David Long <[EMAIL PROTECTED]>
Sent by: IBM Mainframe Discussion List
10/20/2008 04:09 PM
Please respond to IBM Mainframe Discussion List
To: IBM-MAIN@BAMA.UA.EDU
cc:
Subject: Re: Using RACF for Single Signon ( logon )

I think the Vanguard product is called ez/Signon. We don't use it, so I can't comment on it.

Dave Long

On Fri, 17 Oct 2008 13:25:43 -0500, Mark Zelden <[EMAIL PROTECTED]> wrote:
>On Fri, 17 Oct 2008 12:50:49 -0400, Jerry Fuchs
><[EMAIL PROTECTED]> wrote:
>
>>Marv,
>>
>>We use Vanguard PSYNCH.
>
>I thought it was from M-Tech?
>
>I just googled it and it looks like it is now Hitachi ID Systems, not
>M-Tech Information Technology.
>
>Does Vanguard also have a product called PSYNC?
>
>Mark
>--
>Mark Zelden
>Sr. Software and Systems Architect - z/OS Team Lead
>Zurich North America / Farmers Insurance Group - ZFUS G-ITO
>mailto:[EMAIL PROTECTED]
>z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
>Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Using RACF for Single Signon ( logon )
I think the Vanguard product is called ez/Signon. We don't use it, so I can't comment on it.

Dave Long

On Fri, 17 Oct 2008 13:25:43 -0500, Mark Zelden <[EMAIL PROTECTED]> wrote:
>On Fri, 17 Oct 2008 12:50:49 -0400, Jerry Fuchs
><[EMAIL PROTECTED]> wrote:
>
>>Marv,
>>
>>We use Vanguard PSYNCH.
>
>I thought it was from M-Tech?
>
>I just googled it and it looks like it is now Hitachi ID Systems, not
>M-Tech Information Technology.
>
>Does Vanguard also have a product called PSYNC?
>
>Mark
>--
>Mark Zelden
>Sr. Software and Systems Architect - z/OS Team Lead
>Zurich North America / Farmers Insurance Group - ZFUS G-ITO
>mailto:[EMAIL PROTECTED]
>z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
>Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: Using RACF for Single Signon ( logon )
John Giltner writes:
>In addition to politics you may also run into password
>length problems. Our distributed guys want 16 character
>passwords at a minimum. They feel that 6 characters is
>too short (our current RACF minimum), even with a 4 tries
>and you're revoked.

RACF (and the z/OS LDAP Server) have supported long passphrases for quite some time now, though (since 1.8 at least). And z/OS 1.10 probably closes any remaining gaps (such as passphrase support for TSO/E logon if you need that). So I don't think this is a problem any more.

To the original poster: If you can get everything using the z/OS LDAP Server, that's wonderful and neatly solves the problem. Well worth doing as much as you can. (Let's call that "directory consolidation.")

The reality is that a lot of companies are going to have more than one authentication/authorization repository in their organization, unfortunately. Now, there are several ways to address this, and you might apply more than one weapon. In no particular order here are some solution categories:

0. Directory consolidation (as mentioned). Just point everything to the z/OS LDAP Server, basically. IBM did a lot of directory consolidation internally, and it's worked very well for us. (It's not 100%, but it's a very high percentage.)

1. You can sync directories with each other. Example product: Tivoli Directory Integrator (available for both z/OS and Linux on z, and other platforms).

2. You can manage identities in multiple directories through a common identity provisioning/management/revocation service. Example product: Tivoli Identity Manager (available for both z/OS and Linux on z, and other platforms).

3. You can keep separate directories and identities but manage single sign-on through a front-end service (Web, client OS, etc.) which handles your different credentials on your behalf. Example product: Tivoli Access Manager (available for Linux on z, and other platforms; TAM supports z/OS LDAP and RACF).

Other vendors in some or all of these solution categories include, in no particular order, CA, Novell, Cisco, RSA, Entrust, BMC, Vanguard, Sun, Oracle, and several others. HP just exited the market. You are correct that not all of them support z/OS, although some do.

I agree that "politics" (or, more charitably, security policies) are a big part of the discussion. And this works both ways. There's a school of thought that RACF is sacred, and it should be its own security "zone," separated from those awful/evil/vulnerable other platforms, because our company applications and data on the mainframe are just so darn sensitive. I'm sympathetic to that argument, although it's oversimplified. (People are accessing mainframes from vulnerable clients, after all.) What I really think it means is that there's high value to extending RACF and z/OS LDAP-related services across the enterprise, making the mainframe the "security hub" in order to help protect and secure even more company assets, to get at least partial benefit even if these assets aren't lucky enough to be hosted on the mainframe.

Note that there is enormous value in having security services hosted on the mainframe simply for availability reasons. Just as with encryption (if you lose the keys, you lose the data), if you lose your authentication/authorization services you lose access to the applications and data. So authentication/authorization (in particular) is one of those mission critical services in most organizations. I think this is probably a reason why some non-mainframe single sign-on implementations flounder.

By the way, one of the lessons we learned is that you need the application developers to participate in the common security regime. Inside IBM there's a lot of "marketing" to line-of-business and other application development teams to use our common directory services, including an internal Web site describing how to do it, with environment-specific examples (such as code examples and downloadable kits). Otherwise security is an afterthought with many application designers and programmers. And, as the "single sign-on" universe grew within our company, employees themselves became some of the best marketers because they wouldn't tolerate that odd application that didn't participate. (That's called a "network effect.")

Hope all that helps.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: [EMAIL PROTECTED]
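As an added example (not from the thread, and not any of the products named in it), this is the reconciliation step that solution category 1, directory synchronisation, comes down to: comparing a downstream directory against the authoritative one (RACF via the z/OS LDAP Server in this discussion) and producing the actions, including disabling revoked IDs and flagging orphan accounts, that keep single sign-on trustworthy. The account fields and sample data are constructed and stand in for exports from both directories.

```python
"""Reconcile a downstream directory against the authoritative one.

Added example: the Account fields and the sample data below are
constructed assumptions, not any product's schema or output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    uid: str
    revoked: bool          # e.g. RACF REVOKE after too many bad tries
    groups: frozenset      # group memberships (authorization data)


def reconcile(authoritative, downstream):
    """Return (verb, uid, detail) actions that make downstream match.

    Revoked IDs are disabled downstream rather than deleted so the audit
    trail survives; accounts known only downstream are reported as orphans
    because they bypass the central identity service entirely.
    """
    actions = []
    for uid, src in sorted(authoritative.items()):
        dst = downstream.get(uid)
        if dst is None:
            if not src.revoked:            # never provision a revoked ID
                actions.append(("add", uid, sorted(src.groups)))
            continue
        if src.revoked and not dst.revoked:
            actions.append(("disable", uid, "revoked at source"))
        elif not src.revoked and dst.revoked:
            actions.append(("enable", uid, "active at source"))
        if src.groups != dst.groups:        # authorization drift
            actions.append(("groups", uid, {
                "add": sorted(src.groups - dst.groups),
                "remove": sorted(dst.groups - src.groups)}))
    for uid in sorted(set(downstream) - set(authoritative)):
        actions.append(("orphan", uid, "not in authoritative directory"))
    return actions


# Constructed sample data: bob was revoked centrally but is still active
# downstream; dave exists only downstream; alice picked up an extra group.
AUTHORITATIVE = {
    "alice": Account("alice", False, frozenset({"payroll"})),
    "bob": Account("bob", True, frozenset({"ops"})),
    "carol": Account("carol", False, frozenset({"ops", "audit"})),
}
DOWNSTREAM = {
    "alice": Account("alice", False, frozenset({"payroll", "admin"})),
    "bob": Account("bob", False, frozenset({"ops"})),
    "dave": Account("dave", False, frozenset({"ops"})),
}

if __name__ == "__main__":
    for action in reconcile(AUTHORITATIVE, DOWNSTREAM):
        print(*action)
```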
Re: Using RACF for Single Signon ( logon )
As Rich Smrcina said, this can be accomplished by using LDAP. For OS that support using NIS servers (Unix/Linux), you can even use LDAP on z/OS as a NIS server, thus you don't even have to add users to the local security database.

In addition to politics you may also run into password length problems. Our distributed guys want 16 character passwords at a minimum. They feel that 6 characters is too short (our current RACF minimum), even with a 4 tries and you're revoked.

Marvin Lukasik wrote:

In thinking about uses for the mainframe to extend its life, one that came to mind is using RACF as a password server so users need only a single password to logon into the many systems they must access. Like most shops today, we have a multitude of Microsoft & Unix servers, each having different security and hence, different passwords. We have reviewed many offerings from vendors and most ( if not all ) completely ignore the mainframe and are ENORMOUSLY expensive. Also, their performance was disappointing and their systems were buggy.

I would be interested in hearing comments about anyone who has heard of a RACF-based product or written something of their own to accomplish this. Also comments about the general feasibility and difficulty of such an endeavor would be welcome. To do this relatively inexpensively on the mainframe would be quite a coup for an 'obsolete' platform.

Marv Lukasik
Systems Programmer
Carle Clinic Association
Re: Using RACF for Single Signon ( logon )
On Fri, 17 Oct 2008 12:50:49 -0400, Jerry Fuchs <[EMAIL PROTECTED]> wrote:
>Marv,
>
>We use Vanguard PSYNCH.

I thought it was from M-Tech?

I just googled it and it looks like it is now Hitachi ID Systems, not M-Tech Information Technology.

Does Vanguard also have a product called PSYNC?

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: Using RACF for Single Signon ( logon )
Oops I forgot. Here is Vanguard's contact info:

VANGUARD Integrity Professionals
Enterprise Security Software
6625 S. Eastern Avenue, Suite 100
Las Vegas, Nevada 89119
Phone: (702)794.0014 | Fax: (702)794.0023

We also use their RIOVISON product to maintain RACF.
Re: Using RACF for Single Signon ( logon )
This must not be an easy project. I believe we are on our third attempt to do single signon. The first two failed and I think I heard this one isn't going so well either. I also think we've tried three different solution providers. None of the implementations are mainframe based.

Alan

Subject: Using RACF for Single Signon ( logon )

In thinking about uses for the mainframe to extend its life, one that came to mind is using RACF as a password server so users need only a single password to logon into the many systems they must access. Like most shops today, we have a multitude of Microsoft & Unix servers, each having different security and hence, different passwords. We have reviewed many offerings from vendors and most ( if not all ) completely ignore the mainframe and are ENORMOUSLY expensive. Also, their performance was disappointing and their systems were buggy.

I would be interested in hearing comments about anyone who has heard of a RACF-based product or written something of their own to accomplish this. Also comments about the general feasibility and difficulty of such an endeavor would be welcome. To do this relatively inexpensively on the mainframe would be quite a coup for an 'obsolete' platform.

Marv Lukasik
Systems Programmer
Carle Clinic Association
Re: Using RACF for Single Signon ( logon )
Marv,

We use Vanguard PSYNCH. All ID's and passwords are maintained in RACF and are propagated to other platforms when a password changes. I can't really address cost, but it interfaces with just about everything and our security people are very happy with it.

Jerry

Marvin Lukasik <[EMAIL PROTECTED]>
Sent by: IBM Mainframe Discussion List
10/17/2008 12:44 PM
Please respond to IBM Mainframe Discussion List
To: IBM-MAIN@BAMA.UA.EDU
cc:
Subject: Using RACF for Single Signon ( logon )

In thinking about uses for the mainframe to extend its life, one that came to mind is using RACF as a password server so users need only a single password to logon into the many systems they must access. Like most shops today, we have a multitude of Microsoft & Unix servers, each having different security and hence, different passwords. We have reviewed many offerings from vendors and most ( if not all ) completely ignore the mainframe and are ENORMOUSLY expensive. Also, their performance was disappointing and their systems were buggy.

I would be interested in hearing comments about anyone who has heard of a RACF-based product or written something of their own to accomplish this. Also comments about the general feasibility and difficulty of such an endeavor would be welcome. To do this relatively inexpensively on the mainframe would be quite a coup for an 'obsolete' platform.

Marv Lukasik
Systems Programmer
Carle Clinic Association
Re: Using RACF for Single Signon ( logon )
Marvin Lukasik wrote:

In thinking about uses for the mainframe to extend its life, one that came to mind is using RACF as a password server so users need only a single password to logon into the many systems they must access. Like most shops today, we have a multitude of Microsoft & Unix servers, each having different security and hence, different passwords. We have reviewed many offerings from vendors and most ( if not all ) completely ignore the mainframe and are ENORMOUSLY expensive. Also, their performance was disappointing and their systems were buggy.

I would be interested in hearing comments about anyone who has heard of a RACF-based product or written something of their own to accomplish this. Also comments about the general feasibility and difficulty of such an endeavor would be welcome. To do this relatively inexpensively on the mainframe would be quite a coup for an 'obsolete' platform.

Marv Lukasik
Systems Programmer
Carle Clinic Association

With the LDAP server on z/OS this is certainly possible. But implementing it may go far beyond technology. There may be political battles between your mainframe and distributed people that only management decree can solve. There is a redbook published on the subject, see the redbooks site for the technical details. It can't help you with the politics. :)

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
Using RACF for Single Signon ( logon )
In thinking about uses for the mainframe to extend its life, one that came to mind is using RACF as a password server so users need only a single password to logon into the many systems they must access. Like most shops today, we have a multitude of Microsoft & Unix servers, each having different security and hence, different passwords. We have reviewed many offerings from vendors and most ( if not all ) completely ignore the mainframe and are ENORMOUSLY expensive. Also, their performance was disappointing and their systems were buggy.

I would be interested in hearing comments about anyone who has heard of a RACF-based product or written something of their own to accomplish this. Also comments about the general feasibility and difficulty of such an endeavor would be welcome. To do this relatively inexpensively on the mainframe would be quite a coup for an 'obsolete' platform.

Marv Lukasik
Systems Programmer
Carle Clinic Association