Re: LDAP on z/os

2016-11-21 Thread John McKown
On Mon, Nov 21, 2016 at 7:27 AM, Tom Marchant <
000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:
>
> >... and may seriously hurt the performance, reliability, and availability
> of your z/OS
> >system and the applications running on it.
>
> Not to mention relying on a platform that is more subject to hacking than
> a properly
> configured z/OS system. And one that does not include the assurance
> provided by
> the z/OS System Integrity Statement.
>
> http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF
>
> --
> Tom Marchant
>
>
Although I agree with all that has been said in this thread, I am certain,
at least if other Windows people are like the Windows people here, that the
Windows people would excrete a masonry product (s--t a brick) if anyone
said that their systems had to validate against a z/OS based repository.
Not to mention that, although z/OS does support LDAP and Kerberos, it does
not support Windows Active Directory protocols. The mere fact that said
protocol is both unsupported, proprietary, and "fluid" (as most MS
protocols are) is not germane to the discussion (to them).

The only solution that I can think of for this is a product which in the
data base world would be called "bidirectional replication".


-- 
Heisenberg may have been here.

Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: LDAP on z/os

2016-11-21 Thread Tom Marchant
On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:

>... and may seriously hurt the performance, reliability, and availability of 
>your z/OS 
>system and the applications running on it.

Not to mention relying on a platform that is more subject to hacking than a 
properly 
configured z/OS system. And one that does not include the assurance provided by 
the z/OS System Integrity Statement.

http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF

-- 
Tom Marchant



Re: LDAP on z/os

2016-11-20 Thread Timothy Sipples
Paul, here's one problem with your idea. Let's suppose you've organized
your systems such that z/OS-based applications and services must rely on an
external LDAP server "somewhere" for authentication and authorization. Yes,
even batch programs, for example. Now...SCENE! The external LDAP server is
either unreachable or offline, which amounts to the same thing. Which never
happens, right? :-) What happens then? Well, what happens is that the
applications and services on z/OS cannot proceed, and even parts of z/OS
cannot proceed -- not for very long, anyway. That'd be a problem! It's also
a problem for other platforms and services. If the security provider is
down, you're down, hard, at least for new authentications and
authorizations.

Your security and risk people can also decide whether they want to delegate
all z/OS-related security decisions to an LDAP server running on a
Microsoft Windows server, for example. But hey, if you haven't started
enforcing passphrases, haven't moved to AES encryption for your RACF
databases, still have extremely powerful RACF credentials flying over your
LAN or WAN (or the Internet?) in cleartext, and still ship unencrypted
tapes containing sensitive information, as examples, what's another
potential security problem? :-(

The server capable of the highest service qualities in your enterprise is
your IBM mainframe running z/OS. Whether you have configured z/OS that way
and operate it that way is a separate question, but that's a widely
appreciated and recognized fact. So there is a solution: put z/OS in charge
of enterprise LDAP services, at least to some degree. That works, and it
doesn't undermine service qualities.

There is another "class" of approaches called "Identity Management." (Or,
better yet, "Identity Governance," a broader set of capabilities.) The
basic, starting idea is that there's a service (or collection of services)
handling authentication/authorization grants and revokes across all
platforms and services. Including for/with RACF, and with uniform IDs and
passphrases if that's what you want(*), to the extent the various systems
support commonality. To get familiar with that class of approaches, you can
start here:

http://www.ibm.com/software/products/en/ibm-security-identity-governance-and-intelligence

For the record, z/OS does have LDAP client APIs. Actually, OS/390 had some
starting in V2R4, but the modern, greatly enhanced LDAP APIs debuted in
z/OS 1.6. You also have some Java-oriented options. In principle you can
write and add your own security routines that use those APIs. It's not an
approach I'd recommend for generalized use cases.

(*) "Be careful what you wish for." If you do this (or often even if you
don't), implementing Multi-Factor Authentication is a darn good idea:

http://www.ibm.com/systems/z/os/zos/multifactor-authentication.html


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com



Re: LDAP on z/os

2016-11-20 Thread Walt Farrell
On Sun, 20 Nov 2016 11:04:16 +0530, venkat kulkarni 
<venkatkulkarn...@gmail.com> wrote:


>Yes, I think my requirement was not clear to all. Basically, the LDAP server is
>running on some Windows or Linux box and we want to integrate the mainframe
>with it as an LDAP client, for any sort of login to the mainframe, which can be
>TSO, CICS, DB2, etc.

As I said, z/OS does not support that. It can work in the opposite direction, 
if you configure the LDAP server on z/OS, with RACF as the backend data store, 
and have other systems act as clients to the z/OS LDAP server. Timothy provided 
you with some documentation links.

Otherwise (unless someone knows of a vendor product providing the function) 
you'll need to do a lot of exit coding and may seriously hurt the performance, 
reliability, and availability of your z/OS system and the applications running 
on it.

-- 
Walt



Re: LDAP on z/os

2016-11-19 Thread venkat kulkarni
Hello Paul,

Yes, I think my requirement was not clear to all. Basically, the LDAP server is
running on some Windows or Linux box and we want to integrate the mainframe
with it as an LDAP client, for any sort of login to the mainframe, which can be
TSO, CICS, DB2, etc.

Please suggest.

On Nov 20, 2016 05:24, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:
>
> >Venkat, the base z/OS operating system includes a terrific Lightweight
> >Directory Access Protocol (LDAP) server at no additional charge. It
> >supports industry standard LDAP v3 protocols. You can configure it in a
> >variety of ways, but if you want a simple, straightforward implementation
> >that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
> >applications and middleware to share the same IDs and passwords then (in
> >basic outline):
> >
> I believe the OP was thinking of a client.
>
> I suspect that the mainframe LOB is less than 1% of my employer's
> enterprise.  The LDAP server is probably on Windows or Linux.
> Realistically, Single Signon will not extend to those mainframes
> until "the base z/OS operating system includes a terrific Lightweight
> Directory Access Protocol (LDAP)" client "at no additional charge."
>
> I'll provide your sales personnel the name of our CEO if they
> promise anonymity.
>
> Our mainframes are probably considered laboratory equipment,
> below the company policy radar.
>
> -- gil
>
>



Re: LDAP on z/os

2016-11-19 Thread Paul Gilmartin
On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:

>Venkat, the base z/OS operating system includes a terrific Lightweight
>Directory Access Protocol (LDAP) server at no additional charge. It
>supports industry standard LDAP v3 protocols. You can configure it in a
>variety of ways, but if you want a simple, straightforward implementation
>that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
>applications and middleware to share the same IDs and passwords then (in
>basic outline):
> 
I believe the OP was thinking of a client.

I suspect that the mainframe LOB is less than 1% of my employer's
enterprise.  The LDAP server is probably on Windows or Linux.
Realistically, Single Signon will not extend to those mainframes 
until "the base z/OS operating system includes a terrific Lightweight
Directory Access Protocol (LDAP)" client "at no additional charge."

I'll provide your sales personnel the name of our CEO if they
promise anonymity.

Our mainframes are probably considered laboratory equipment,
below the company policy radar.

-- gil



Re: LDAP on z/os

2016-11-19 Thread Timothy Sipples
Venkat, the base z/OS operating system includes a terrific Lightweight
Directory Access Protocol (LDAP) server at no additional charge. It
supports industry standard LDAP v3 protocols. You can configure it in a
variety of ways, but if you want a simple, straightforward implementation
that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
applications and middleware to share the same IDs and passwords then (in
basic outline):

(a) Configure the z/OS LDAP Server so that it's able to access RACF;

(b) Ideally, preferably, configure RACF (and TSO, etc.) to use passphrases
(and with newer AES encryption of the database);

(c) Point everything you'd like to integrate to the z/OS LDAP Server,
including applications and middleware running on other platforms, and
manage your IDs, permissions, and other LDAP fields there. (TLS encrypted
connections are recommended and supported.)

This approach is quite appealing in many ways. For more information on the
z/OS LDAP Server, please visit:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.tds/tds.htm

Here is the direct link to information on the technical capabilities of the
z/OS 2.2 LDAP Server:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.glpa200/tivlcap.htm#tivlcap


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
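To make step (c) concrete, and to show what Timothy's later point in this thread (if the security provider is down, new authentications fail) looks like from the client side, here is an added example of the LDAP v3 simple bind exchange that an application performs when it authenticates against an LDAP server such as the z/OS LDAP server with RACF as backend. It is not code from this thread or from IBM, and it uses only the Python standard library. The host, port, function names, the sample user, the sample password and the DN suffix cn=RACF are all constructed for the example; the DN shape racfid=<id>,profiletype=user,<suffix> is the RACF backend naming convention as I understand it, so check it against your own server's configured suffix.

```python
"""Added example: LDAP v3 simple bind on the wire (RFC 4511), the exchange a
client performs to authenticate against an LDAP server such as the z/OS LDAP
server with RACF as backend.  Standard library only."""
import socket
import ssl

# Constructed sample values, not taken from the thread.  The DN shape
# "racfid=<id>,profiletype=user,<suffix>" is the RACF (SDBM) backend naming
# convention as I understand it; the suffix cn=RACF is an assumption and must
# match whatever suffix your server is configured with.
EXAMPLE_DN = "racfid=USER1,profiletype=user,cn=RACF"
EXAMPLE_PW = "secret"          # constructed; use a passphrase in real life
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # resultCode values from RFC 4511

def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """BER INTEGER for a non-negative value (sized so the sign bit stays clear)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def encode_bind_request(message_id, dn, password):
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, name,
    simple [0] password}}.  The password is carried verbatim: without TLS it
    crosses the network in cleartext, which is why step (c) insists on TLS."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)

def encode_bind_response(message_id, code, diag=""):
    """Server side: [APPLICATION 1] BindResponse{resultCode, matchedDN "", diag}."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def read_tlv(buf, pos):
    """Parse the element at buf[pos]; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + ln], pos + ln

def decode_bind_response(msg):
    """Returns (messageID, resultCode, diagnosticMessage); raises on bad input."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def bind_decision(response, expected_id):
    """ALLOW only for resultCode 0 on the message we sent; anything malformed,
    mismatched or non-zero is DENY (fail closed)."""
    try:
        mid, code, _ = decode_bind_response(response)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "DENY"
    return "ALLOW" if (mid == expected_id and code == LDAP_SUCCESS) else "DENY"

def authenticate(host, port, dn, password, timeout=5.0, cafile=None):
    """Simple bind over TLS (LDAPS).  Returns ALLOW, DENY or UNAVAILABLE; the
    caller must treat UNAVAILABLE exactly like DENY, so an unreachable
    directory stops new logons instead of waving them through."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(encode_bind_request(1, dn, password))
                response = tls.recv(4096)  # small reply; a full client reassembles by BER length
    except OSError:  # refused, timed out, TLS handshake failed, closed early
        return "UNAVAILABLE"
    return bind_decision(response, 1)

if __name__ == "__main__":
    req = encode_bind_request(1, EXAMPLE_DN, EXAMPLE_PW)
    print("BindRequest:", req.hex(), "| password visible in PDU:", EXAMPLE_PW.encode() in req)
    for resp in (encode_bind_response(1, LDAP_SUCCESS),
                 encode_bind_response(1, LDAP_INVALID_CREDENTIALS, "bad password")):
        print("BindResponse:", resp.hex(), "->", bind_decision(resp, 1))
```

Running the script offline prints the request bytes and shows the password sitting in the clear inside the PDU, which is the whole reason the TLS recommendation in step (c) is not optional. The authenticate() function is the part you would point at a real LDAPS port; note that it returns UNAVAILABLE on any connection or TLS failure rather than quietly allowing the logon, so a directory outage degrades to "no new logons", the dependency Timothy describes, and never to an open door.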



Re: LDAP on z/os

2016-11-18 Thread venkat kulkarni
Thank you all for the responses.

Our idea is to have a common LDAP server running somewhere else, and we want
logins on z/OS (e.g. TSO, CICS, DB2, Netview, etc.) to be authenticated using
that LDAP server.

But I could not understand the other option you mentioned in your previous
email: having the LDAP server running on z/OS with RACF as the backend to
authenticate. Can you please help by explaining the benefit of this kind of
setup?


Thanks once again.

Regards


On Thu, Nov 17, 2016 at 8:04 PM, Walt Farrell <walt.farr...@gmail.com>
wrote:

> On Thu, 17 Nov 2016 14:23:42 +0530, venkat kulkarni <
> venkatkulkarn...@gmail.com> wrote:
>
> >Hello,
> >
> >Do we have any way to implement LDAP on z/OS for authentication purposes?
>
> Your question is unclear.
>
> If you mean "could we run an LDAP server on z/OS so that applications
> running elsewhere can authenticate using that z/OS LDAP server," the answer
> is yes, using RACF as the backend to your z/OS LDAP server. Some
> application configuration adjustments might be needed, though.
>
> On the other hand, if you mean "could we run an LDAP server someplace else
> such that logins on z/OS (e.g., TSO, CICS) would authenticate using that
> LDAP server" the answer is no. Authentication on z/OS is generally via RACF.
>
> Of course, with a robust set of exits (and possibly some z/OS application
> modifications) it might be possible for you to offload part of the RACF
> authentication processing to an off-system LDAP server, but that would be a
> lot of programming and would probably degrade login performance
> significantly, especially for applications like CICS.
>
>



Re: LDAP on z/os

2016-11-17 Thread Walt Farrell
On Thu, 17 Nov 2016 14:23:42 +0530, venkat kulkarni 
<venkatkulkarn...@gmail.com> wrote:

>Hello,
>
>Do we have any way to implement LDAP on z/OS for authentication purposes?

Your question is unclear.

If you mean "could we run an LDAP server on z/OS so that applications running 
elsewhere can authenticate using that z/OS LDAP server," the answer is yes, 
using RACF as the backend to your z/OS LDAP server. Some application 
configuration adjustments might be needed, though.

On the other hand, if you mean "could we run an LDAP server someplace else such 
that logins on z/OS (e.g., TSO, CICS) would authenticate using that LDAP 
server" the answer is no. Authentication on z/OS is generally via RACF. 

Of course, with a robust set of exits (and possibly some z/OS application 
modifications) it might be possible for you to offload part of the RACF 
authentication processing to an off-system LDAP server, but that would be a lot 
of programming and would probably degrade login performance significantly, 
especially for applications like CICS.



Re: LDAP on z/os

2016-11-17 Thread Donald J.
You have two issues to consider.

a) What LDAP strings the client is "programmed" to be able to send.
Check your ITDS log file (or trace) on z/OS to see what is being sent,
and make adjustments if needed.

b) What LDAP strings the Tivoli Directory Server will accept.
Only a few filters are allowed for the RACF backend. The RACF
backend schemas cannot be modified.

But also read up on native authentication. That allows a
non-RACF userid to utilize the RACF password for some other
(or the same) userid using a separate ITDS backend.

Then you can also define non-RACF userids with non-RACF passwords
in a separate ITDS backend, and configure it as you please.

-- 
  Donald J.
  dona...@4email.net

On Thu, Nov 17, 2016, at 01:44 AM, venkat kulkarni wrote:
> We need LDAP for two user ID authentication purposes. Do we have any way to
> implement this change?
> 
> On Nov 17, 2016 12:32, "Elardus Engelbrecht" 
> wrote:
> 
> > venkat kulkarni wrote:
> >
> > >Thanks for the reply. We want to implement LDAP for initial login
> > authentication purposes.
> >
> > That is somewhat another story. Here we use LDAP to reset the IDs
> > after verification. Thereafter the user logs on to the application with
> > the ID.
> >
> > Please tell us for what application(s) you want the authentication
> > process.
> >
> > Groete / Greetings
> > Elardus Engelbrecht
> >
> >
> 

-- 
http://www.fastmail.com - A no graphics, no pop-ups email service



Re: LDAP on z/os

2016-11-17 Thread venkat kulkarni
We need LDAP for two user ID authentication purposes. Do we have any way to
implement this change?

On Nov 17, 2016 12:32, "Elardus Engelbrecht" 
wrote:

> venkat kulkarni wrote:
>
> >Thanks for the reply. We want to implement LDAP for initial login
> authentication purposes.
>
> That is somewhat another story. Here we use LDAP to reset the IDs
> after verification. Thereafter the user logs on to the application with
> the ID.
>
> Please tell us for what application(s) you want the authentication
> process.
>
> Groete / Greetings
> Elardus Engelbrecht
>
>



Re: LDAP on z/os

2016-11-17 Thread Elardus Engelbrecht
venkat kulkarni wrote:

>Thanks for the reply. We want to implement LDAP for initial login authentication
>purposes.

That is somewhat another story. Here we use LDAP to reset the IDs after
verification. Thereafter the user logs on to the application with the ID.

Please tell us for what application(s) you want the authentication process.

Groete / Greetings
Elardus Engelbrecht



Re: LDAP on z/os

2016-11-17 Thread venkat kulkarni
Hello Elardus,
Thanks for the reply. We want to implement LDAP for initial login
authentication purposes.

On Nov 17, 2016 12:21, "Elardus Engelbrecht" <elardus.engelbre...@sita.co.za>
wrote:

> venkat kulkarni wrote:
>
> >Do we have any way to implement LDAP on z/OS for authentication purposes?
>
> Yes, there is a way to implement LDAP ('IBM Tivoli Directory Server
> Administration') [1]
>
> Could you be so kind as to tell us for what purpose you want to have LDAP for
> authentication? Or what are you planning to use LDAP for? Or what type of
> authentication do you have in mind?
>
> Or, just say what you are trying to solve?
>
> Groete / Greetings
> Elardus Engelbrecht
>
> [1] - I have set up LDAP with RACF as a backend, and my client has written
> an SSL self-help system to reset IDs on an ad-hoc basis.
>
>



Re: LDAP on z/os

2016-11-17 Thread Elardus Engelbrecht
venkat kulkarni wrote:

>Do we have any way to implement LDAP on z/OS for authentication purposes?

Yes, there is a way to implement LDAP ('IBM Tivoli Directory Server
Administration') [1]

Could you be so kind as to tell us for what purpose you want to have LDAP for
authentication? Or what are you planning to use LDAP for? Or what type of
authentication do you have in mind?

Or, just say what you are trying to solve?

Groete / Greetings
Elardus Engelbrecht

[1] - I have set up LDAP with RACF as a backend, and my client has written an
SSL self-help system to reset IDs on an ad-hoc basis.



LDAP on z/os

2016-11-17 Thread venkat kulkarni
Hello,

Do we have any way to implement LDAP on z/OS for authentication purposes?

Thanks for your help.

Regards
Venkat
