Alan:
You make some good points, so now instead of confused I am very confused (an
easy task to do, believe me; it is not you).
My original question: do I need CA's eTrust or can I use any LDAP server to
interface to ACF2 under zOS?
No zVM in this shop yet, but it is coming soon, and no RACF yet, but we have
talked about the possibility.
Regards,
[EMAIL PROTECTED]
NCCI
Boca Raton, Florida
561.893.2415
greetings / avec mes meilleures salutations / Cordialmente
mit freundlichen Grüßen / Med vänlig hälsning
From: Alan Altmark <[EMAIL PROTECTED]ibm.com>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]IST.EDU>
To: [email protected]
cc:
Subject: Re: Supporting zLinux
Date: 08/23/2005 11:49 AM
Please respond to Linux on 390 Port
On Monday, 08/22/2005 at 11:40 AST, David Boyes <[EMAIL PROTECTED]> wrote:
> > is there any option to eTrust (i.e. LDAP Server under zOS to interface to
> > ACF2) that fit the LDAP model better than eTrust?
> > or easier to implement than eTrust?
>
> Not that I know of, although the Linux IUCV driver we posted last week
> opens up a lot of interesting opportunities, such as connecting to the VM
> *RPI CP service, allowing you to implement a Linux guest as a CP external
> security manager. Once that's done (and the smart way to do it would be to
> write a *RPI to PAM bridge widget), then any authentication/authorization
> method available to Linux would be available for CP and Linux equally. This
> would be particularly helpful if the RACROUTE macro also used that interface
> -- I don't know for certain if it does, but Alan Altmark can probably
> confirm one way or another. If it does, then most of the IBM stuff would
> also work properly against an arbitrary AAA source. I'm still thinking a bit
> more about how this should be done, so don't take this as gospel.
You would not write a "*RPI to PAM bridge widget". *RPI is how the ESM
provides services to the control program, not guests.
RACROUTE is a CMS/GCS/MVS/VSE API "shell" whose job it is to hand the
request to a vendor-provided service. That service does whatever the
vendor wants it to do: issue a diagnose, use IUCV, or VMCF, all in an attempt
to request services of the ESM. The guests do not connect to *RPI.
The underlying communications mechanism to request services from the ESM
is not architected. And rather than architect Yet Another Proprietary
Interface, the better solution is for the ESM to provide LDAP-based
authentication services. Then any guest or remote host can access the
service.
But, yes, you could write a new PAM that uses a non-standard interface to
request ESM services.
Alan Altmark
z/VM Development
IBM Endicott
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390