Paul, here's one problem with your idea. Let's suppose you've organized your systems such that z/OS-based applications and services must rely on an external LDAP server "somewhere" for authentication and authorization. Yes, even batch programs, for example. Now...SCENE! The external LDAP server is either unreachable or offline, which amounts to the same thing. Which never happens, right? :-) What happens then? Well, what happens is that the applications and services on z/OS cannot proceed, and even parts of z/OS cannot proceed -- not for very long, anyway. That'd be a problem! It's also a problem for other platforms and services. If the security provider is down, you're down, hard, at least for new authentications and authorizations.
Your security and risk people can also decide whether they want to delegate all z/OS-related security decisions to an LDAP server running on a Microsoft Windows server, for example. But hey, if you haven't started enforcing passphrases, haven't moved to AES encryption for your RACF databases, still have extremely powerful RACF credentials flying over your LAN or WAN (or the Internet?) in cleartext, and still ship unencrypted tapes containing sensitive information, as examples, what's another potential security problem? :-(

The server capable of the highest service qualities in your enterprise is your IBM mainframe running z/OS. Whether you have configured z/OS that way and operate it that way is a separate question, but that's a widely appreciated and recognized fact. So there is a solution: put z/OS in charge of enterprise LDAP services, at least to some degree. That works, and it doesn't undermine service qualities.

There is another "class" of approaches called "Identity Management." (Or, better yet, "Identity Governance," a broader set of capabilities.) The basic, starting idea is that there's a service (or collection of services) handling authentication/authorization grants and revokes across all platforms and services. Including for/with RACF, and with uniform IDs and passphrases if that's what you want(*), to the extent the various systems support commonality. To get familiar with that class of approaches, you can start here: http://www.ibm.com/software/products/en/ibm-security-identity-governance-and-intelligence

For the record, z/OS does have LDAP client APIs. Actually, OS/390 had some starting in V2R4, but the modern, greatly enhanced LDAP APIs debuted in z/OS 1.6. You also have some Java-oriented options. In principle you can write and add your own security routines that use those APIs. It's not an approach I'd recommend for generalized use cases.

(*) "Be careful what you wish for."
If you do this (or often even if you don't), implementing Multi-Factor Authentication is a darn good idea: http://www.ibm.com/systems/z/os/zos/multifactor-authentication.html

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: [email protected]
