Good Morning All,

We are running SLES9. We are putting up our first 'production' application - Communications Controller for Linux. We need to secure the Linux environment. We run ACF2 R8 SP02 on z/OS 1.4 & z/OS 1.7 (soon to be 1.7 across the board). There is a component of ACF2 called PAM (pluggable authentication module). We have uploaded the PAM binary to the Linux machine and I have run the rpm command to build the binary-specific RPM file. I query rpm and the following is displayed:
OSA-LNX5:~ # rpm -qi pam_CA_esm
Name        : pam_CA_esm                   Relocations: (not relocatable)
Version     : 8.0                          Vendor: Computer Associates, Inc.
Release     : 2                            Build Date: Thu Oct 7 17:37:39 2004
Install date: Wed Apr 5 11:59:28 2006      Build Host: linux023.ca.com
Group       : System Environment/Base      Source RPM: pam_CA_esm-8.0-2.src.rpm
Size        : 1269716                      License: LGPL
Signature   : (none)
URL         : http://www.ca.com/
Summary     : PAM module for Computer Associates External Security Managers.
Description :
pam_CA_esm is a module for Linux-PAM that supports password verification and changes using Computer Associate's External Security Managers (ESMs) as the user database.
Distribution: (none)
OSA-LNX5:~ #

The Getting Started documentation for PAM states the following:

PAM Server Overview

The PAM Server runs as a USS daemon that communicates through operating system function calls directly to eTrust CA-ACF2 or eTrust CA-Top Secret. There are no other components or layers to install and configure. The PAM Server starts a TCP/IP listener thread that is used by the proxy server running on a Linux for zSeries system to communicate with it. This listener has the same TCP/IP address that the z/OS host has. The port that is used is configured as part of the start up parameters. The eTrust PAM Server includes support for both Secure Socket Layer (SSL) and Transport Layer Security (TLS). When used, SSL and TLS ensure that all data passed between the Linux for zSeries host and z/OS host is encrypted and secure at all times.

After configuring the files for each service you want authenticated to your ESM, you must start the proxy server. Without a running proxy server, you might not be able to logon to the system. Make sure to test the specific service you changed before logging off. This way if the configuration fails a logon, when it should be allowed, you can revert the change back to the previous values. Refer to the documentation for your distribution to determine the best way to start the proxy server.
We obviously need a proxy server. It sounds like we need to run the proxy server on Linux. It appears that SQUID is the proxy server that comes with SLES9. We don't have that configured and running. Has anyone implemented eTrust PAM Client for Linux for zSeries? Does anyone know how to set up the SQUID proxy server for this purpose?

We are also trying to get a handle on how this is going to function. We are assuming the user will establish a connection to the Linux box (just as we do today). They will be prompted for their userid and password. At that point CA-PAM will intercept the userid and password and ship it up to z/OS-ACF2 for authentication. This is all assumption on our part.

Also, how does CA-PAM become active on Linux? I don't see anything where you issue a command to start. Is it a combination of the fact it's installed and the configuration files are in place?

If anyone out there can help us, we would greatly appreciate it. Pointing us to GOOD documentation would also be a help.

Thank you,
Mary Elwood
703-206-4201
Vienna, Virginia

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
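The post asks how a PAM module becomes active and why the documentation warns about testing a service before logging off. A Linux-PAM module is activated by being listed in the per-service stack under /etc/pam.d, and the control flag on that line decides what happens when the module cannot reach its backend. The following is an added example, not code from the post or from CA: it parses a constructed /etc/pam.d-style auth stack and applies the standard Linux-PAM control-flag semantics (required, requisite, sufficient, optional) to show the difference between a stack with a local fallback and one without when the proxy server is unavailable. The shared-object name pam_CA_esm.so, the stack layout and the simulated module outcomes are assumptions; no module arguments are taken from CA's documentation.

```python
"""Simulate Linux-PAM 'auth' stack evaluation for a service configuration.

Constructed example: it parses a /etc/pam.d/<service>-style stack and applies
standard PAM control-flag semantics to show why an external-authentication
module is normally stacked with a local fallback so that an unreachable
backend (here, the CA proxy server) cannot lock every user out.
"""
from typing import Dict, List, Tuple

# Constructed /etc/pam.d/sshd-style auth stack (assumed module file name
# pam_CA_esm.so). "sufficient" means a successful ESM verification ends the
# stack with success; on failure or module error, pam_unix is still consulted.
SSHD_AUTH_STACK = """\
# constructed example, not CA's documented configuration
auth    sufficient    pam_CA_esm.so
auth    required      pam_unix.so
"""

# Same service with pam_CA_esm as the only module: if the proxy server is
# down (module error), every login is rejected.
SSHD_AUTH_STACK_NO_FALLBACK = """\
auth    required      pam_CA_esm.so
"""

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one facility, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        control, module = parts[1].lower(), parts[2]
        if control not in CONTROL_FLAGS:
            raise ValueError(f"unsupported control flag: {control}")
        entries.append((control, module))
    return entries


def evaluate(stack: List[Tuple[str, str]], results: Dict[str, str]) -> bool:
    """Apply Linux-PAM control-flag semantics to simulated module outcomes.

    results maps module -> "success", "fail" or "error" (e.g. backend
    unreachable). A module missing from results is treated as "error".
    Returns True if the stack authenticates the user.
    """
    failed = False
    for control, module in stack:
        ok = results.get(module, "error") == "success"
        if control == "required":
            if not ok:
                failed = True  # remember, but keep evaluating remaining modules
        elif control == "requisite":
            if not ok:
                return False  # stop immediately
        elif control == "sufficient":
            if ok and not failed:
                return True  # an earlier required failure still wins
        # optional: ignored here (real PAM only counts it when it is the
        # sole module in the stack)
    return not failed


def lockout_report(stack_text: str) -> Dict[str, bool]:
    """Evaluate one stack under three constructed scenarios."""
    stack = parse_stack(stack_text)
    scenarios = {
        # ESM accepts the password; user has no usable local password
        "esm_ok": {"pam_CA_esm.so": "success", "pam_unix.so": "fail"},
        # ESM rejects the password; no local password either
        "esm_reject": {"pam_CA_esm.so": "fail", "pam_unix.so": "fail"},
        # proxy server down, but a local (emergency) password exists
        "proxy_down_local_ok": {"pam_CA_esm.so": "error", "pam_unix.so": "success"},
    }
    return {name: evaluate(stack, r) for name, r in scenarios.items()}


if __name__ == "__main__":
    for label, text in (("with fallback", SSHD_AUTH_STACK),
                        ("no fallback", SSHD_AUTH_STACK_NO_FALLBACK)):
        print(label, lockout_report(text))
```

Running the script prints, for each stack, whether the three scenarios log in; the "proxy_down_local_ok" row is the one the documentation's warning is about. Keeping a second session open while testing the changed service gives you a way back if the edited stack behaves like the no-fallback case.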
