Re: LDAP on z/os
On Mon, Nov 21, 2016 at 7:27 AM, Tom Marchant <000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:
>
> >... and may seriously hurt the performance, reliability, and availability of your z/OS
> >system and the applications running on it.
>
> Not to mention relying on a platform that is more subject to hacking than a properly
> configured z/OS system. And one that does not include the assurance provided by
> the z/OS System Integrity Statement.
>
> http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF
>
> --
> Tom Marchant

Although I agree with all that has been said in this thread, I am certain, at least if other Windows people are like the Windows people here, that the Windows people would excrete a masonry product (s--t a brick) if anyone said that their systems had to validate against a z/OS based repository. Not to mention that, although z/OS does support LDAP and Kerberos, it does not support Windows Active Directory protocols. The mere fact that said protocol is both unsupported, proprietary, and "fluid" (as most MS protocols are) is not germane to the discussion (to them). The only solution that I can think of for this is a product which in the data base world would be called "bidirectional replication".

--
Heisenberg may have been here.
Unicode: http://xkcd.com/1726/
Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:

>... and may seriously hurt the performance, reliability, and availability of your z/OS
>system and the applications running on it.

Not to mention relying on a platform that is more subject to hacking than a properly configured z/OS system. And one that does not include the assurance provided by the z/OS System Integrity Statement.

http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF

--
Tom Marchant
Re: LDAP on z/os
Paul, here's one problem with your idea. Let's suppose you've organized your systems such that z/OS-based applications and services must rely on an external LDAP server "somewhere" for authentication and authorization. Yes, even batch programs, for example. Now...SCENE! The external LDAP server is either unreachable or offline, which amounts to the same thing. Which never happens, right? :-) What happens then? Well, what happens is that the applications and services on z/OS cannot proceed, and even parts of z/OS cannot proceed -- not for very long, anyway. That'd be a problem!

It's also a problem for other platforms and services. If the security provider is down, you're down, hard, at least for new authentications and authorizations. Your security and risk people can also decide whether they want to delegate all z/OS-related security decisions to an LDAP server running on a Microsoft Windows server, for example. But hey, if you haven't started enforcing passphrases, haven't moved to AES encryption for your RACF databases, still have extremely powerful RACF credentials flying over your LAN or WAN (or the Internet?) in cleartext, and still ship unencrypted tapes containing sensitive information, as examples, what's another potential security problem? :-(

The server capable of the highest service qualities in your enterprise is your IBM mainframe running z/OS. Whether you have configured z/OS that way and operate it that way is a separate question, but that's a widely appreciated and recognized fact. So there is a solution: put z/OS in charge of enterprise LDAP services, at least to some degree. That works, and it doesn't undermine service qualities.

There is another "class" of approaches called "Identity Management." (Or, better yet, "Identity Governance," a broader set of capabilities.) The basic, starting idea is that there's a service (or collection of services) handling authentication/authorization grants and revokes across all platforms and services. Including for/with RACF, and with uniform IDs and passphrases if that's what you want(*), to the extent the various systems support commonality. To get familiar with that class of approaches, you can start here:

http://www.ibm.com/software/products/en/ibm-security-identity-governance-and-intelligence

For the record, z/OS does have LDAP client APIs. Actually, OS/390 had some starting in V2R4, but the modern, greatly enhanced LDAP APIs debuted in z/OS 1.6. You also have some Java-oriented options. In principle you can write and add your own security routines that use those APIs. It's not an approach I'd recommend for generalized use cases.

(*) "Be careful what you wish for." If you do this (or often even if you don't), implementing Multi-Factor Authentication is a darn good idea:

http://www.ibm.com/systems/z/os/zos/multifactor-authentication.html

Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
Re: LDAP on z/os
On Sun, 20 Nov 2016 11:04:16 +0530, venkat kulkarni <venkatkulkarn...@gmail.com> wrote:

>Yes, I think my requirement was not clear to all. Basically LDAP server is
>running on some Windows or Linux box and we want to integrate mainframe
>with that as LDAP client for any sort of login to mainframe can be tso,
>cics,db2 etc.

As I said, z/OS does not support that. It can work in the opposite direction, if you configure the LDAP server on z/OS, with RACF as the backend data store, and have other systems act as clients to the z/OS LDAP server. Timothy provided you with some documentation links.

Otherwise (unless someone knows of a vendor product providing the function) you'll need to do a lot of exit coding and may seriously hurt the performance, reliability, and availability of your z/OS system and the applications running on it.

--
Walt
Re: LDAP on z/os
Hello Paul,

Yes, I think my requirement was not clear to all. Basically the LDAP server is running on some Windows or Linux box and we want to integrate the mainframe with that as an LDAP client, for any sort of login to the mainframe: it can be TSO, CICS, DB2 etc.

Please suggest.

On Nov 20, 2016 05:24, "Paul Gilmartin" <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:
>
> >Venkat, the base z/OS operating systems includes a terrific Lightweight
> >Directory Access Protocol (LDAP) server at no additional charge. It
> >supports industry standard LDAP v3 protocols. You can configure it in a
> >variety of ways, but if you want a simple, straightforward implementation
> >that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
> >applications and middleware to share the same IDs and passwords then (in
> >basic outline):
> >
> I believe the OP was thinking of a client.
>
> I suspect that the mainframe LOB is less than 1% of my employer's
> enterprise. The LDAP server is probably on Windows or Linux.
> Realistically, Single Signon will not extend to those mainframes
> until "the base z/OS operating systems includes a terrific Lightweight
> Directory Access Protocol (LDAP)" client "at no additional charge."
>
> I'll provide your sales personnel the name of our CEO if they
> promise anonymity.
>
> Our mainframes are probably considered laboratory equipment,
> below the company policy radar.
>
> -- gil
Re: LDAP on z/os
On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:

>Venkat, the base z/OS operating systems includes a terrific Lightweight
>Directory Access Protocol (LDAP) server at no additional charge. It
>supports industry standard LDAP v3 protocols. You can configure it in a
>variety of ways, but if you want a simple, straightforward implementation
>that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
>applications and middleware to share the same IDs and passwords then (in
>basic outline):
>
I believe the OP was thinking of a client.

I suspect that the mainframe LOB is less than 1% of my employer's enterprise. The LDAP server is probably on Windows or Linux. Realistically, Single Signon will not extend to those mainframes until "the base z/OS operating systems includes a terrific Lightweight Directory Access Protocol (LDAP)" client "at no additional charge."

I'll provide your sales personnel the name of our CEO if they promise anonymity.

Our mainframes are probably considered laboratory equipment, below the company policy radar.

-- gil
Re: LDAP on z/os
Venkat, the base z/OS operating systems includes a terrific Lightweight Directory Access Protocol (LDAP) server at no additional charge. It supports industry standard LDAP v3 protocols. You can configure it in a variety of ways, but if you want a simple, straightforward implementation that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other applications and middleware to share the same IDs and passwords then (in basic outline):

(a) Configure the z/OS LDAP Server so that it's able to access RACF;

(b) Ideally, preferably, configure RACF (and TSO, etc.) to use passphrases (and with newer AES encryption of the database);

(c) Point everything you'd like to integrate to the z/OS LDAP Server, including applications and middleware running on other platforms, and manage your IDs, permissions, and other LDAP fields there. (TLS encrypted connections are recommended and supported.)

This approach is quite appealing in many ways. For more information on the z/OS LDAP Server, please visit:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.tds/tds.htm

Here is the direct link to information on the technical capabilities of the z/OS 2.2 LDAP Server:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.glpa200/tivlcap.htm#tivlcap

Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
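Walt's and Timothy's replies above describe the direction that does work: other platforms act as LDAP clients to the z/OS LDAP server, with RACF as the backend, over TLS. As an added example (not code from the thread, from IBM, or from any product), here is a minimal standard-library client that performs a TLS-protected LDAP v3 simple bind with an SDBM-style DN and reports the result code; the suffix `cn=myRACF`, the host name and the CA file are assumptions, and the BER encoder is hand-rolled so no LDAP library is needed.

```python
"""Simple bind from a non-z/OS client to the z/OS LDAP server (RACF/SDBM backend); suffix and host are assumptions."""
import socket
import ssl

RACF_ID_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$")

def ber(tag, body):
    """One BER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def ber_int(value):
    """INTEGER: minimal two's-complement encoding."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def sdbm_dn(userid, suffix="cn=myRACF"):
    """DN of a RACF user under the SDBM suffix (the suffix value is an assumption)."""
    uid = userid.upper()
    if not 1 <= len(uid) <= 8 or set(uid) - RACF_ID_CHARS:
        raise ValueError("not a valid RACF user ID: %r" % userid)
    return "racfid=%s,profiletype=user,%s" % (uid, suffix)

def bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, BindRequest[APPLICATION 0]{version 3, name, [0] simple}}."""
    bind = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))

def ber_read(data, pos=0):
    """Return (tag, contents, next_pos) of the TLV at pos."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def parse_bind_result(data):
    """(resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = ber_read(data)
    _, _msgid, pos = ber_read(msg)
    tag, resp, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(resp)           # resultCode ENUMERATED
    _, _matched, pos = ber_read(resp, pos)  # matchedDN
    _, diag, _ = ber_read(resp, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def racf_password_check(host, userid, password, cafile, port=636):
    """TLS-protected simple bind against z/OS LDAP; True only on resultCode 0 (success)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the z/OS server certificate
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, sdbm_dn(userid), password))
        reply = tls.recv(4096)  # a BindResponse is small; one read is enough here
        tls.sendall(ber(0x30, ber_int(2) + ber(0x42, b"")))  # UnbindRequest
    code, diag = parse_bind_result(reply)
    return code == 0, diag
```

A resultCode of 49 (invalidCredentials) means RACF rejected the password or the ID is revoked; anything other than 0 should be treated as a failed login, and the bind DN and result belong in the client's audit log.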
Re: LDAP on z/os
Thank you all for the response.

Our idea is to have a common LDAP server running somewhere else and we want logins on z/OS (e.g. TSO, CICS, DB2, Netview etc.) to be authenticated using that LDAP server. But the other option you mentioned in the previous email, having the LDAP server running on z/OS and RACF as the backend to authenticate, I could not understand. Can you please help in explaining the benefit of this kind of setup?

Thanks once again.

Regards

On Thu, Nov 17, 2016 at 8:04 PM, Walt Farrell <walt.farr...@gmail.com> wrote:

> On Thu, 17 Nov 2016 14:23:42 +0530, venkat kulkarni <venkatkulkarn...@gmail.com> wrote:
>
> >Hello,
> >
> >Do we have any way to implement LDAP on z/os for authentication purpose.
>
> Your question is unclear.
>
> If you mean "could we run an LDAP server on z/OS so that applications
> running elsewhere can authenticate using that z/OS LDAP server," the answer
> is yes, using RACF as the backend to your z/OS LDAP server. Some
> application configuration adjustments might be needed, though.
>
> On the other hand, if you mean "could we run an LDAP server someplace else
> such that logins on z/OS (e.g., TSO, CICS) would authenticate using that
> LDAP server" the answer is no. Authentication on z/OS is generally via RACF.
>
> Of course, with a robust set of exits (and possibly some z/OS application
> modifications) it might be possible for you to offload part of the RACF
> authentication processing to an off-system LDAP server, but that would be a
> lot of programming and would probably degrade login performance
> significantly, especially for applications like CICS.
Re: LDAP on z/os
On Thu, 17 Nov 2016 14:23:42 +0530, venkat kulkarni <venkatkulkarn...@gmail.com> wrote:

>Hello,
>
>Do we have any way to implement LDAP on z/os for authentication purpose.

Your question is unclear.

If you mean "could we run an LDAP server on z/OS so that applications running elsewhere can authenticate using that z/OS LDAP server," the answer is yes, using RACF as the backend to your z/OS LDAP server. Some application configuration adjustments might be needed, though.

On the other hand, if you mean "could we run an LDAP server someplace else such that logins on z/OS (e.g., TSO, CICS) would authenticate using that LDAP server" the answer is no. Authentication on z/OS is generally via RACF.

Of course, with a robust set of exits (and possibly some z/OS application modifications) it might be possible for you to offload part of the RACF authentication processing to an off-system LDAP server, but that would be a lot of programming and would probably degrade login performance significantly, especially for applications like CICS.
Re: LDAP on z/os
You have two issues to consider.

a) What LDAP strings the client is "programmed" to be able to send. Check your ITDS log file (or trace) on z/OS to see what is being sent and make adjustments if needed.

b) What LDAP strings the Tivoli Directory Server will accept. Only a few filters are allowed for the RACF backend. The RACF backend schemas cannot be modified.

But also read up on native authentication. That allows a non-RACF userid to utilize the RACF password for some other (or same) userid using a separate ITDS backend. Then you can also define non-RACF userids with non-RACF passwords in a separate ITDS backend. And configure it as you please.

--
Donald J.
dona...@4email.net

On Thu, Nov 17, 2016, at 01:44 AM, venkat kulkarni wrote:

> We need LDAP for two user id authentication purpose. Do we have any way to
> implement this change
>
> On Nov 17, 2016 12:32, "Elardus Engelbrecht" wrote:
>
> > venkat kulkarni wrote:
> >
> > >Thanks for reply. We want to implement LDAP for initial login
> > authentication purpose.
> >
> > That is somewhat another story. Here we use the LDAP to reset the ids
> > after verification. Then thereafter the user logon to the application with
> > the id.
> >
> > Please tell us for what application(s) do you want the authentication
> > process?
> >
> > Groete / Greetings
> > Elardus Engelbrecht

--
http://www.fastmail.com - A no graphics, no pop-ups email service
Re: LDAP on z/os
We need LDAP for two user id authentication purposes. Do we have any way to implement this change?

On Nov 17, 2016 12:32, "Elardus Engelbrecht" wrote:

> venkat kulkarni wrote:
>
> >Thanks for reply. We want to implement LDAP for initial login
> authentication purpose.
>
> That is somewhat another story. Here we use the LDAP to reset the ids
> after verification. Then thereafter the user logon to the application with
> the id.
>
> Please tell us for what application(s) do you want the authentication
> process?
>
> Groete / Greetings
> Elardus Engelbrecht
Re: LDAP on z/os
venkat kulkarni wrote:

>Thanks for reply. We want to implement LDAP for initial login authentication
>purpose.

That is somewhat another story. Here we use the LDAP to reset the ids after verification. Then thereafter the user logs on to the application with the id.

Please tell us for what application(s) do you want the authentication process?

Groete / Greetings
Elardus Engelbrecht
Re: LDAP on z/os
Hello Elardus,

Thanks for the reply. We want to implement LDAP for initial login authentication purposes.

On Nov 17, 2016 12:21, "Elardus Engelbrecht" <elardus.engelbre...@sita.co.za> wrote:

> venkat kulkarni wrote:
>
> >Do we have any way to implement LDAP on z/os for authentication purpose.
>
> Yes there is a way to implement LDAP ('IBM Tivoli Directory Server
> Administration') [1]
>
> Could you be kind to tell us for what purpose do you want to have LDAP for
> authentication? Or what are you planning to use LDAP? Or what type of
> authentication do you have in mind?
>
> Or, just say what are you trying to solve?
>
> Groete / Greetings
> Elardus Engelbrecht
>
> [1] - I have setup LDAP with RACF as a backend and my client has written
> some SSL selfhelp system to reset ids on an ad-hoc basis.
Re: LDAP on z/os
venkat kulkarni wrote:

>Do we have any way to implement LDAP on z/os for authentication purpose.

Yes, there is a way to implement LDAP ('IBM Tivoli Directory Server Administration') [1]

Could you be kind enough to tell us for what purpose you want to have LDAP for authentication? Or what are you planning to use LDAP for? Or what type of authentication do you have in mind?

Or, just say what you are trying to solve.

Groete / Greetings
Elardus Engelbrecht

[1] - I have set up LDAP with RACF as a backend and my client has written some SSL self-help system to reset ids on an ad-hoc basis.
LDAP on z/os
Hello,

Do we have any way to implement LDAP on z/OS for authentication purposes?

Thanks for the help.

Regards
Venkat