zLinux CA PAM and ACF2

2011-06-01 Thread Andre Massena
All,

having seen several posts relating to CA PAM and ACF2 in the distant past on
this forum, I thought I would pose my humble questions here..


A customer of mine is "still" running z/OS 1.5 using ACF2 as the ESM. He has
installed several IFL's with bleeding edge z/VM 5.4.. and wants to
authenticate his z/OS users using an LDAP method from zLinux (SLES11).

Will CA PAM  talk with such an old release of z/OS and presumably an equally
old release of ACF2??   

What are your considered opinions??

Regards,



Andre





--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: zLinux CA PAM and ACF2

2011-06-01 Thread Rob van der Heij
On Wed, Jun 1, 2011 at 1:03 PM, Andre Massena wrote:
> All,
>
> having seen several posts relating to CA PAM and ACF2 in the distant past on
> this forum, I thought I would pose my humble questions here..
>
>
> A customer of mine is "still" running z/OS 1.5 using ACF2 as the ESM. He has
> installed several IFL's with bleeding edge z/VM 5.4.. and wants to
> authenticate his z/OS users using an LDAP method from zLinux (SLES11).
>
> Will CA PAM  talk with such an old release of z/OS and presumably an equally
> old release of ACF2??

According to the Wikipedia article, z/OS 1.5 was introduced around
2004. Looking in the ACF2 book (from 2003), it says:

eTrust CA-ACF2 6.5 includes enhancements to support an interface for LINUX
users. This includes a new PAM (Plug-in Authentication Module) to be used as
an interface to eTrust CA-ACF2 for user authentication. Enhancements include a
new LINUX User Profile record to map a LINUX name to the eTrust CA-ACF2
LID and Global LINUX Node records identifying nodes to eTrust CA-ACF2. This
interface becomes part of the Security Integrator and will run as a daemon on
z/OS and OS/390.

My pedestrian view would be that timing could be such that your
customer's ACF2 came with the PAM module. But you would have to see
whether that lets itself fit on a more recent kernel like in SLES11.
It's not impossible CA did some proprietary protocol rather than
implement full LDAP.

Rob



Re: zLinux CA PAM and ACF2

2011-06-01 Thread Richard Gasiorowski
I would use CA/DSI and ONLY use the LDAP for any application specific
authorization. DSI connects directly to the z/OS backend. We use it for
TSS and my guess is it's the same for ACF2.

Richard (Gaz) Gasiorowski
Solution Architect
CSC
3170 Fairview Park Dr., Falls Church, VA 22042
845-889-8533|Work|845-392-7889 Cell|rgasi...@csc.com|www.csc.com






Re: zLinux CA PAM and ACF2

2011-06-01 Thread Andre Massena
Thank you Rob,

I have also read the piece you quoted. As it is impossible to communicate
with CA or speak with a Techie without a customer number or a Site ID, I
posed the question on this forum.


Andre



Re: zLinux CA PAM and ACF2

2011-06-01 Thread CHAPLIN, JAMES (CTR)
We have been using CA ESM with TSS for many years and love it. We are years
ahead of the Unix guys down the hall, who key in each user one server at
a time. I do little to no work on setting up users, as our mainframe
security department now does all that work for us (where it belongs).
However, we also tend to be cutting edge with our software versions and
support level, so I do not know if I can correctly answer your question.

What you need to do is open a question with CA support (CA_ACF2 support)
to verify that the started task for the PAM server (CA DSI Server) is
compatible and supported with zOS 1.5 and the level of eTrust CA-ACF2
you are using. The version of ACF2 is a more important question than
the version of zOS (other than issues with support and the versions of
ACF2 with the operating system). We are currently at version 15 for the
CA DSI Server (with eTrust Top Secret), but you may find that you will
need to back level to version 12. zVM 5.4 is not a factor at all;
communication is only between the Linux Guest and the mainframe started
task (CA DSI Server). The External Security Manager (ESM) has been
around for a long time.

I have found CA support, once you get past level one, for the CA ESM
product to be very good. Wayne Bruce did a great job with this and it is
a free add-on. But there is little to no information on the web
(www.ca.com) on the product.

James Chaplin
Systems Programmer, MVS, zVM & zLinux
Base Technologies, Inc

 



Re: zLinux CA PAM and ACF2

2011-06-01 Thread Richard Gasiorowski
There is a CA LDAP Server r15 for z/OS bookshelf.

In there you will find:

CA DSI Installation Guide
CA DSI Messages Guide
CA DSI Product Guide
CA DSI Release Notes
CA LDAP Installation Guide
CA LDAP Messages Guide
CA LDAP Product Guide
CA LDAP Release Notes
CA PAM Client Product Guide



Richard (Gaz) Gasiorowski
Solution Architect
CSC
3170 Fairview Park Dr., Falls Church, VA 22042
845-889-8533|Work|845-392-7889 Cell|rgasi...@csc.com|www.csc.com






Re: zLinux CA PAM and ACF2

2011-06-01 Thread Andre Massena
James,

thanks for the tips and tricks. Another reason I posted here was that I am a
private consultant, and as such, do not possess a CA customer number or CA
Site ID. The customer now has very little Mainframe knowhow and next to zero
Unix/Linux knowledge, so I am the man in the middle as it were..

Regards,

 

