Hi Alan, Thanks for the info.
We are not planning to link the zOS and zVM databases, as we have been advised not to, but I was just asking if anyone did. So since we are not going to do it, it's not worth talking about anyway.

So we did install the LDAP server some time ago in zVM and have been trying to get something with TDI going. We spoke today with our normal LDAP folks and they asked why, if it's just keeping some LDAP files in sync, do we not just let LDAP do that all by itself, as they indicated that LDAP most often does that all by itself? So we read some more on the zVM LDAP server and what it can do ... it seems I could without TDI ... Do we really need TDI?

Also you state that with TDI we can only keep the passwords in sync .. is there no way, even with LDAP and TDI, to add, change and delete userids?

Thanks,
Paul

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Alan Altmark
Sent: Thursday, June 04, 2009 1:11 PM
To: [email protected]
Subject: Re: zVM RACF database synchronization

On Thursday, 06/04/2009 at 11:24 EDT, "Ayer, Paul W" <[email protected]> wrote:
> Today we have many zVM systems using RACF that are all stand alone
> across our data centers. These zVM are to support our zLinux guests.
>
> Is there a way to have the RACF databases (adds, deletes, password
> changes) kept in sync between all of the zVM's on our network?

There is currently nothing that will synchronize z/VM RACF databases (a la RRSF), though you can synchronize user passwords with LDAP and a product such as IBM Tivoli Directory Integrator.

I'm assuming that the z/VM systems are not close enough to share DASD, as it is ok for z/VM systems to share the RACF database with other z/VM systems. So that means replicating the database. Note, however, that you cannot just slide a new db under RACF. You need to take him down and up. The other alternative is automation.
> We have been told that our zOS and zVM databases can not be connected at
> all so we have not even looked into that. Has anyone done this?

You can share a RACF database between z/VM and z/OS with the following caveats:
- You can't build a long-term dependency on it. It is tactical only.
- The z/OS system cannot be part of a Sysplex.
- Since systems aren't close enough for shared DASD, that means one companion z/OS system per z/VM system.
- There's no such thing as a "free" z/OS system.
- The z/VM audit trail has no record of any database change made from z/OS.
- The z/OS audit trail has no record of any database change made from z/VM.
- Operationally, you can't hide RACF on z/VM. SETROPTS and SETEVENT must be issued on the z/VM system and you have to process RACF/VM's SMF records (the audit trail).
- Having a z/VM user in the z/OS RACF database may provide unintended access to z/OS resources.
- Having a z/OS user in the z/VM RACF database may provide unintended access to z/VM resources. ** Particularly w.r.t. remote access! **
- If z/OS introduces an incompatibility in the RACF database, your z/VM system is at risk.
- If z/VM introduces an incompatibility in the RACF database, your z/OS system is at risk.
- You can explain to management and auditors how the above makes things "better" for you and them.

For the above reasons, the Weasel-in-Chief of z/VM Security at IBM recommends AGAINST sharing the RACF database between z/OS and z/VM.
Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
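The "automation" alternative Alan mentions, and Paul's question about adds, changes and deletes, as an added illustration that is not from the thread and not IBM code. It assumes each z/VM system can export its user profiles into a userid-to-attributes mapping (for example by parsing LISTUSER output) and that the generated ADDUSER/ALTUSER/DELUSER commands are issued on the target through whatever command interface the site already uses (on z/VM, typically RAC). Only NAME and DFLTGRP are replicated; the userids, groups and snapshots are constructed. The one thing it cannot do is what the thread says needs LDAP and TDI: RACF does not hand back passwords, so a password change has to be captured when it happens, not recovered by comparing snapshots, and the planner refuses any snapshot that claims to carry one.

```python
"""Snapshot-delta replication of RACF user definitions between z/VM systems.

Constructed illustration; not code from the mailing-list thread and not IBM
code. Assumptions: each z/VM system can export its user profiles into a dict
of userid -> attributes (e.g. by parsing LISTUSER output), and the generated
RACF commands are issued on the target by the site's usual interface (on
z/VM, typically the RAC command). Only NAME and DFLTGRP are replicated.
PASSWORD is never compared: RACF does not return passwords, so a password
change must be captured at the moment it happens (the LDAP/TDI route in the
thread), not reconstructed from snapshots. Userids and values are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Attributes this example treats as replicable, in the order they are rendered.
SYNC_ATTRS = ("NAME", "DFLTGRP")


@dataclass(frozen=True)
class SyncOp:
    kind: str                      # "add", "alter" or "delete"
    userid: str
    attrs: Dict[str, str] = field(default_factory=dict)


def plan_sync(source: Dict[str, Dict[str, str]],
              target: Dict[str, Dict[str, str]],
              protected: FrozenSet[str] = frozenset()) -> List[SyncOp]:
    """Ordered operations that make target's user set match source's.

    `protected` names userids never touched on the target (the RACF server's
    own id, local service machines, and so on). Adds and alters come before
    deletes so a rename-by-recreate never leaves the target without a definition.
    """
    for system, snap in (("source", source), ("target", target)):
        leaked = [u for u, a in snap.items() if "PASSWORD" in a]
        if leaked:
            raise ValueError(f"{system} snapshot carries PASSWORD for {leaked}")

    ops: List[SyncOp] = []
    for uid in sorted(source):
        if uid in protected:
            continue
        want = {k: source[uid][k] for k in SYNC_ATTRS if k in source[uid]}
        if uid not in target:
            ops.append(SyncOp("add", uid, want))
            continue
        have = target[uid]
        diff = {k: v for k, v in want.items() if have.get(k) != v}
        if diff:
            ops.append(SyncOp("alter", uid, diff))
    for uid in sorted(target):
        if uid not in source and uid not in protected:
            ops.append(SyncOp("delete", uid))
    return ops


def _keywords(attrs: Dict[str, str]) -> str:
    parts = []
    for k in SYNC_ATTRS:
        if k not in attrs:
            continue
        # NAME takes a quoted string; the other keywords take a bare value.
        parts.append(f"NAME('{attrs[k]}')" if k == "NAME" else f"{k}({attrs[k]})")
    return " ".join(parts)


def render_plan(ops: List[SyncOp], initial_password: str) -> List[str]:
    """RACF command text for each op. New users get a one-time initial
    password, which RACF marks expired so the user must change it at first
    logon; the source system's password is never copied."""
    cmds = []
    for op in ops:
        if op.kind == "add":
            cmds.append(f"ADDUSER {op.userid} {_keywords(op.attrs)} "
                        f"PASSWORD({initial_password})")
        elif op.kind == "alter":
            cmds.append(f"ALTUSER {op.userid} {_keywords(op.attrs)}")
        else:
            cmds.append(f"DELUSER {op.userid}")
    return cmds


# Constructed snapshots standing in for two z/VM systems' exports.
SOURCE = {
    "PAUL":   {"NAME": "PAUL AYER", "DFLTGRP": "SYS1"},
    "NEWGUY": {"NAME": "NEW GUY",   "DFLTGRP": "SYS1"},
}
TARGET = {
    "PAUL":   {"NAME": "PAUL AYER",    "DFLTGRP": "OLDGRP"},
    "GONE":   {"NAME": "LEFT COMPANY", "DFLTGRP": "SYS1"},
    "RACFVM": {"NAME": "RACF SERVER",  "DFLTGRP": "SYS1"},
}
PROTECTED = frozenset({"RACFVM"})

if __name__ == "__main__":
    for cmd in render_plan(plan_sync(SOURCE, TARGET, PROTECTED), "CHANGEME"):
        print(cmd)
```

Running it against the constructed snapshots yields an ADDUSER for NEWGUY, an ALTUSER moving PAUL to DFLTGRP(SYS1), and a DELUSER for GONE, while RACFVM is left alone. Note the mismatch with the caveats in the thread: commands replayed this way show up in each target's own audit trail as issued by the automation userid, so the operator's change log, not RACF's SMF records, is the only place that ties them back to the originating system.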
