Then give CA the boot and get RACF. There are people that can help you convert. IBM will be more than happy to add it.

If you want to do the conversion yourself, there is a Redbook. If CA won't work on the contract $$$, then show them the door. CA is either a strategic partner... or not. I wouldn't put up with it. Of course, if this is just the fact that the software isn't free... Educate the manager.

Rob Schramm

On Oct 23, 2012 8:10 PM, "Dave McHenry" <[email protected]> wrote:

> The "problem" being "solved" is twofold:
> 1. Cost of CA TSS
> 2. Desire to eliminate CA.
>
> On Tue, Oct 23, 2012 at 4:52 PM, Tony Harminc <[email protected]> wrote:
>
> > On 23 October 2012 07:39, Dave McHenry <[email protected]> wrote:
> > > A manager of ours read a link that claims OPENLDAP could be used to
> > > replace our current mainframe security. Everyone I've asked about this
> > > laughs and says impossible. Is it impossible?
> >
> > I'm assuming you mean running OpenLDAP on some other platform, rather
> > than on z/OS. If you mean running it on z/OS, what's the point - saving
> > the cost of RACF? Regardless, many of my points below apply to this case
> > too.
> >
> > It's not impossible, but it's not ready for prime time for several
> > reasons.
> >
> > First, there is no off-the-shelf implementation. You'd need something at
> > the SAF level that would capture all SAF requests, translate them into
> > appropriate LDAP requests, direct them to the LDAP server, retrieve the
> > answers, translate them into the expected SAF results, and return them to
> > the SAF caller. Maybe some ISV has already done this, and who knows -
> > maybe IBM will announce it one day. I'm not aware that either has
> > happened. So probably you are on your own here.
> >
> > Second, there are SAF calls that have no LDAP equivalent, or map only in
> > an ugly fashion into LDAP concepts. These may be in use by IBM code, by
> > your own applications, or by ISV code. And there are RACF interfaces that
> > are not SAF.
> >
> > Third, there is the performance and concurrency issue. Are you willing to
> > have your production logons and auth checks subject to network delays,
> > server failures, and so on? Well, sure, you can beef up the LDAP server
> > infrastructure, add transparent failover and such, isolate the network so
> > it's fast, etc. etc. But will it reliably support the hundreds or
> > thousands of SAF calls per second that are common in a big production
> > environment?
> >
> > Fourth, there is a chicken-and-egg issue: RACF (or whichever of its two
> > competitors you use) generally starts before TCP/IP, and TCP/IP
> > configuration depends to some degree on the result of SAF calls. Well,
> > the world is full of bootstrapping problems that get solved one way or
> > another, but it does have to be solved.
> >
> > It sounds as though your manager thinks there is an off-the-shelf,
> > drop-in solution (what was the problem being solved, btw?), and I think
> > there's virtually no chance of that.
> >
> > Tony H.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
