Re: IHS NTLM authentication
On Mon, 13 Jul 2020 09:37:44 +0800, Timothy Sipples wrote:

> If your organization has some sort of reasonable identity management
> service that provisions, de-provisions, and otherwise manages user
> identities, then you could probably hook TLS client certificate management
> for z/OS into that. Any options there?

There is indeed a coupling from the HR management system into RACF. And I know somewhere there are client certificates in AD. It is worth digging into that, indeed. Thanks for the suggestion.

Jantje.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IHS NTLM authentication
Jantje wrote:

> If it were me, yes, we would go for that. But...

If your organization has some sort of reasonable identity management service that provisions, de-provisions, and otherwise manages user identities, then you could probably hook TLS client certificate management for z/OS into that. Any options there?

If the service desk department is "big" and has "high" turnover, then presumably you're managing RACF identities at a fairly high velocity. How are you doing that today? Could you fairly straightforwardly extend that high velocity identity management to TLS client certificates for z/OS HTTPS access?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: IHS NTLM authentication
On Thu, 9 Jul 2020 12:57:39 +0800, Timothy Sipples wrote:

> How many worms? How many TLS client certificates do you expect you'll need
> for this purpose?

Much, much more than a few. And for a rather moving target. We tend to have quite a bit of turnover in the service desk department, unfortunately.

> Especially if the answer is "more than a few," how about using the z/OS
> PKI Services?

If it were me, yes, we would go for that. But...

Cheers,
Jantje.
Re: IHS NTLM authentication
On Wed, 8 Jul 2020 07:59:39 -0600, Grant Taylor wrote:

> Discussing NTLM makes me think that you might be in an environment with
> Active Directory, which means Kerberos.

Not yet, actually. But then I would need to implement Kerberos on the mainframe, because my problem is that I need to authenticate (and authorize) against RACF, not AD...

Cheers,
Jantje.
Re: IHS NTLM authentication
> Not yet, because it opens a different can of worms: that
> of having to manage the client certificates. I am not sure
> I want to do that… But I agree: it would be a good
> alternative.

How many worms? How many TLS client certificates do you expect you'll need for this purpose?

Especially if the answer is "more than a few," how about using the z/OS PKI Services?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: IHS NTLM authentication
On 7/8/20 5:34 AM, Jantje. wrote:
> Not yet, because it opens a different can of worms: that of having to manage the client certificates. I am not sure I want to do that… But I agree: it would be a good alternative.

Fair.

Discussing NTLM makes me think that you might be in an environment with Active Directory, which means Kerberos.

Have you considered Kerberos directly?

--
Grant. . . .
unix || die
Re: IHS NTLM authentication
On Tue, 7 Jul 2020 19:25:46 +0800, Timothy Sipples wrote:

> Have those "powers that be" offered a list of acceptable alternatives?

No, of course not.

> Unless they insist, I don't think NTLM over HTTP is a good protocol idea

I don't think so either.

> nowadays for a variety of reasons, so can we skip that one?

Probably not. See above… :-(

> The IBM HTTP Server for z/OS supports TLS client certificate
> authentication with RACF. That's not basic authentication, so it
> ostensibly qualifies. It's also widely accepted. Have you considered that
> option?

Not yet, because it opens a different can of worms: that of having to manage the client certificates. I am not sure I want to do that… But I agree: it would be a good alternative.

> Or you could adopt a token-based approach. The classic way is forms-based
> authentication, i.e. some application-based mechanism.

H…. That would mean I need to code to interrogate RACF, with all the problems of running authorised (z/OS lingo) code. I don't want to go there unless I really, really, *really* have to.

> Another, widely
> accepted choice is OAuth 2.0. However, OAuth 2.0 would require either a
> custom, additional module or an authenticating proxy arrangement of some
> kind.

I don't know that one. But it does look like a lot of hassle for something where basic authentication over HTTPS is all I really need.

Thanks for the suggestions. At the very least, they give me some ammunition…

Cheers,
Jantje.
Re: IHS NTLM authentication
> Some powers that be have decided not to allow basic
> authentication anymore, even over HTTPS. So I am
> looking for an alternative.

Have those "powers that be" offered a list of acceptable alternatives?

Unless they insist, I don't think NTLM over HTTP is a good protocol idea nowadays for a variety of reasons, so can we skip that one?

The IBM HTTP Server for z/OS supports TLS client certificate authentication with RACF. That's not basic authentication, so it ostensibly qualifies. It's also widely accepted. Have you considered that option?

Or you could adopt a token-based approach. The classic way is forms-based authentication, i.e. some application-based mechanism. Another, widely accepted choice is OAuth 2.0. However, OAuth 2.0 would require either a custom, additional module or an authenticating proxy arrangement of some kind. The (non-Apache) mod_oauth2 module code is available here:

https://github.com/zmartzone/mod_oauth2

I have not looked at this code, but there it is.

I'll pause there.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
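Once a policy like the one quoted above is in force, the practical check is which httpd.conf containers still grant access on Basic credentials alone and which already require a verified TLS client certificate. The audit script below is an added example written for this thread, not IHS code or any poster's code; it assumes the directive names AuthType and SSLVerifyClient (stock Apache) and SSLClientAuth (IHS's spelling of the client-certificate setting), and runs on a constructed configuration fragment.

```python
# Added illustration for the thread above, not IHS code or any poster's code.
# Directive names assumed: AuthType/SSLVerifyClient (stock Apache), SSLClientAuth (IHS).
import re
_OPEN = re.compile(r"^<(Location|Directory)\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</(Location|Directory)>$", re.I)

def parse_containers(conf: str) -> list:
    """Return (path, {directive: value}) for each Location/Directory block."""
    blocks, path, directives = [], None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if m := _OPEN.match(line):
            path, directives = m.group(2), {}
        elif _CLOSE.match(line):
            if path is not None:
                blocks.append((path, directives))
            path = None
        elif path is not None:
            parts = line.split(None, 1)   # directive name, rest of line
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return blocks

def requires_client_cert(directives: dict) -> bool:
    """True when the block demands a verified TLS client certificate."""
    return (directives.get("sslverifyclient", "").lower() == "require"
            or directives.get("sslclientauth", "").lower() == "required")

def basic_auth_findings(conf: str) -> list:
    """Paths whose access still rests on HTTP Basic credentials alone."""
    return [path for path, d in parse_containers(conf)
            if d.get("authtype", "").lower() == "basic"
            and not requires_client_cert(d)]

# Constructed sample httpd.conf fragment, not taken from any real server.
SAMPLE_CONF = """
<Location /legacy>
    AuthType Basic
    AuthName "RACF"
    Require valid-user
</Location>
<Location /certs>
    SSLClientAuth required
    Require valid-user
</Location>
"""

if __name__ == "__main__":
    print(basic_auth_findings(SAMPLE_CONF))  # ['/legacy']
```

Blocks that use `Include` files or nested containers are not followed; run it over the fully expanded configuration for a complete picture.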
Re: IHS NTLM authentication
On Mon, 6 Jul 2020 09:24:36 -0600, Grant Taylor wrote:

> You might want to try this on a stock version of Apache, probably on a
> Linux (virtual) machine somewhere.

Ha, but the more stock versions of Apache run on Windows or Linux and typically come with a pre-compiled module that one just loads... But the IHS I am dealing with runs on z/OS and does not have the module I need included.

> From memory IBM HTTP Server /should/ be a one-for-one replacement for a
> comparable version of Apache HTTP Server.

It is indeed a rather 1-4-1.

> Get the procedure down in a more common environment and then try to
> apply it to IHS.

I am already rather clear on the procedure; it is the module I am missing.

> You might also inquire in more typical Apache HTTP Server and / or
> Oracle HTTP Server (also a recompile of Apache) forums.

I rather doubt if I can get z/OS help over there...

> The motivation might be annoying.

It is.

Thanks and very best regards,
Jantje.
Re: IHS NTLM authentication
On 7/6/20 8:56 AM, Jantje. wrote:
> Dear listers,

Hi,

> Would any of you have implemented the NTLM authentication scheme in their IBM HTTP Server by Apache on z/OS? This would require the mod_ntlm2, but the Sourceforge files date from 2003 and do not seem to support NTLM v2, which is a requirement. Besides, I need to authenticate users against RACF, not against a Windows domain controller... So before I set out on a wild (old...) goose chase, I thought I better ask first.

Ugh.

You might want to try this on a stock version of Apache, probably on a Linux (virtual) machine somewhere.

From memory IBM HTTP Server /should/ be a one-for-one replacement for a comparable version of Apache HTTP Server. But I wouldn't bet on it.

Get the procedure down in a more common environment and then try to apply it to IHS.

You might also inquire in more typical Apache HTTP Server and / or Oracle HTTP Server (also a recompile of Apache) forums.

> And if you wonder why... Well... Some powers that be have decided not to allow basic authentication anymore, even over HTTPS. So I am looking for an alternative.

The motivation might be annoying. But the request doesn't seem that atypical to me.

> Thanks and very best regards,

Good luck.

--
Grant. . . .
unix || die
IHS NTLM authentication
Dear listers,

Would any of you have implemented the NTLM authentication scheme in their IBM HTTP Server by Apache on z/OS? This would require the mod_ntlm2, but the Sourceforge files date from 2003 and do not seem to support NTLM v2, which is a requirement. Besides, I need to authenticate users against RACF, not against a Windows domain controller... So before I set out on a wild (old...) goose chase, I thought I better ask first.

And if you wonder why... Well... Some powers that be have decided not to allow basic authentication anymore, even over HTTPS. So I am looking for an alternative.

Thanks and very best regards,
Jantje.