Hi Eric, 
 
I'm the original designer of the CA PAM client for ACF2 and Top Secret. To answer your 
questions, the source code for the PAM client is indeed available - if you call the 
support team, they will be more than happy to help you get it. Although our emphasis 
is Linux on zSeries computers, we have tested the code on Linux Intel, and if you 
wanted to port it, we believe that the code would run fine on any PAM platform. 
 
As to our own PAM client versus LDAP, realize that our mainframe security products 
support both, so you certainly have the choice of using either approach - or even both 
in parallel (say, for different platforms). In the specific case of authenticating 
Linux users, we believe there are important performance, security and feature 
differences between the two...LDAP is a bit of an awkward protocol for performing user 
authentication, and our product-specific PAM architecture enables us to have better 
performance and to implement some important security features that aren't possible 
over LDAP. 
 
Hope that's some help...
 
Vince Re
Sr. VP and Chief Architect
Computer Associates

        -----Original Message----- 
        From: Linux on 390 Port on behalf of Eric Sammons 
        Sent: Sat 2/14/2004 1:22 AM 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: Any looking at CA-ACF2?
        
        

        Our security group is looking at CA-ACF2 and the pam_acf2 library offering
        from CA.  Their claim is that CA has committed to releasing this source to
        the open source community.  Thus far I have only seen a white paper that
        states it supports only Linux installs on the Z platform.  I am arguing
        that with wide acceptance and support this solution is the wrong solution.
         I have instead suggested that we go with an LDAP pam_ldap.so solution.
        Given our environment includes most Unix platforms available to the masses
        and that z/Linux is only just now breaking ground in our environment the
        CA-ACF2 pam library solution is not the best solution.  How our security
        group opts to secure VM is really of no concern to me, CA-ACF2 at this
        layer is fine with me, it is the pam_acf2 library that concerns me.
        
        Has anyone else looked at this solution?  Any thoughts?  Any ideas how to
        argue against and provide a stronger case?
        
        Thanks!
        Eric Sammons
        
        
