LDAP Implementation And Customization On 390 (SHARE Session 2945)

1y ago
7 Views
2 Downloads
545.76 KB
31 Pages
Last View : 2m ago
Last Download : 2m ago
Upload by : Aliana Wahl
Transcription

LDAP Implementation and Customization on 390 (SHARE Session 2945) Tim Hahn IBM OS/390 LDAP Development hahnt@us.ibm.com Copyright IBM Corp., 1999 1

What is a Directory? Listing of information about objects - phone directory, library card catalog Specialized database - read bias, static data, not transaction based (atomic) Not a general purpose database but a limited function database Usually distributed (client/server) with a defined API interface (LDAP) Security based on authentication (network security) and ACLs (access control lists) Copyright IBM Corp., 1999 2

Why is a Directory Service Important? Example - Domain Name Service (DNS). We use it everyday - without it we wouldn't find services on the Internet. Within an Intranet or across the Internet there is a need to provide "locating information". Example - BigYellow.com. In addition, remote, distributed, single point of control is necessary for Enterprise Management. Example - DEN (Directory Enabled Network). Some view this as the key to PKI (Public Key Infrastructure) and Single Sign-On. Copyright IBM Corp., 1999 3

What is LDAP? LDAP - Lightweight Directory Access Protocol de-facto Internet (TCP/IP-based) wire protocol for accessing and updating directory information "V2" defined in Internet Drafts "V3" defined in IETF RFCs 2251-2256, 2829, 2830 New RFCs all the time (e.g. RFC 2849 - LDIF format) Copyright IBM Corp., 1999 4

The IBM LDAP Solution SecureWay Directory - part of SecureWay brand due to strong ties with Security offerings AIX, OS/390, AS/400 products: LDAP V3 protocol DB2 backing store Each platform has made enhancements Copyright IBM Corp., 1999 5

IBM Interoperability No standards (yet!) for replication or Access control, although there are recent Internet drafts IBM offerings implement these in the same way Namespace can be split among servers using referrals Replication between platforms is available, within bounds Access control lists understood cross-platform, within bounds Copyright IBM Corp., 1999 6

Namespace Example Using Referrals and Replication Example using referrals and replication ussrv (AIX) o ibm,c us dn:ou pok,o ibm,c us ref:ldap://poksrv/ou pok,o ibm,c us ref:ldap://endsrv/ou pok,o ibm,c us endsrv (OS/390) poksrv (OS/390) ou pok,o ibm,c us ou end,o ibm,c us ou pok,o ibm,c us ou end,o ibm,c us ref ldap://ussrv ref ldap://ussrv masterserver ldap://poksrv masterserverDN "cn master" Copyright IBM Corp., 1999 7

LDAP on OS/390 Server packaged as part of the OS/390 Security Server Client packaged as part of the OS/390 base prior to OS/390 2.8 With OS/390 2.8, both server and client packaged as part of the OS/390 Security Server, always enabled Many possibilities for OS/390 server configuration: sysplex, multiserver, or single server DB2, RACF, or both Secure socket, normal socket, or both Copyright IBM Corp., 1999 8

LDAP on OS/390 Makes use of Unix System Services file system Configuration files install into /usr/lpp/ldap/etc Can be moved to datasets Default location for configuration and environment files is /etc/ldap Customized configuration files can be moved here or full path name can be specified to LDAP Server at start-up (or specify by DD card for started task) Client API documentation files (html) installed into /usr/lpp/ldap/doc z/OS R1 - use new LDAP Configuration Utility - LDAPCNF Copyright IBM Corp., 1999 9

Starting the LDAP Server DB2 V5,V6, or V7 is required in order to use the DB2 backing store of the LDAP server A sample configuration is provided but must be localized to the system/installation A sample configuration setup is also provided in /usr/lpp/ldap/examples/sample server STEPLIB must be setup prior to running the LDAP server (or add PDS(s) to LNKLST) PDS holding DLLs is GLDHLQ .SGLDLNK z/OS R1 - use new LDAP Configuration Utility - LDAPCNF Copyright IBM Corp., 1999 10

Starting the LDAP Server - 2 Set up DB2 and start DB2 Enable CLI DB2HLQ .SDSNLOAD in STEPLIB or LNKLST Bind Plan for CLI (DSNTIJCL sample) Run LDAPTBL.JCL to create database, tablespaces, and tables Modify the slapd.conf file for the system Using RDBM Run ldif2db (or GLDLD2DB JCL) to prime the Directory Using TDBM Run ldf2tdbm (or LDF2TDBM JCL) to prime the Directory Run slapd (or LDAPSRV JCL) to start the Directory Service (Sample JCL can be found in GLDHLQ .SGLDSAMP PDS). Copyright IBM Corp., 1999 11

Starting the LDAP Server - 3 DB2 is not required if only accessing RACF data through LDAP STEPLIB must still be set for locating LDAP DLLs prior to running the server (or add PDS to LNKLST) LDAP PDS ( GLDHLQ .SGLDLNK) plus other datasets must be APF-authorized and protected (or program-controlled) If configuring for both DB2 and RACF backing stores, the dataset containing the DB2 CLI DLL must also be APF-authorized and protected (or program-controlled) Modify the slapd.conf file for the system Copyright IBM Corp., 1999 12

LDAP Configuration Utility Streamlines implementation of LDAP servers on a system Input is a set of parameter files Output is a set of batch jobs (JCL) Batch jobs should be verified by Network Administrators Database Administrators Security Administrators System Programmers LDAP Administrators Once acceptable, batch jobs should be submitted which will create the necessary configurations and settings for the server Copyright IBM Corp., 1999 13

LDAP Configuration Utility LDAP config LDAP profile LDAPCNF DB2 tables DB2 Load DB2 Load JCL DB2 Load JCL DB2 JCL Load JCL JCL Setup TCP/IP config RACF Sys config Parmlib Copyright IBM Corp., 1999 14

Sysplex Support Multiple LDAP Servers can operate on the same DB2 tables which are made available across a sysplex using DB2 data sharing Exploits Sysplex DNS and TCP/IP connection optimization for load balancing across the sysplex Requires sysplex to be running in GOAL mode Copyright IBM Corp., 1999 15

Sysplex Support sysplex 1 Sysplex DNS system 2 system 1 LDAP protocol Handler LDAP protocol Handler DB2 interface DB2 interface DB2 tables Copyright IBM Corp., 1999 16

How to setup Sysplex support Configuration file keywords: SYSPLEXGROUPNAME - name of the WLM group for the set of LDAP Servers SYSPLEXGROUPNAME ldapgrp1 SYSPLEXSERVERNAME - name of the particular server within the group SYSPLEXSERVERNAME srv1 LDAP clients using the SYSPLEX DNS name will be routed to LDAP servers running on multiple machines in the sysplex Example: for set of LDAP servers on sysplex1, defined as ldapgrp1, all listening on port 389: ldapsearch -h ldapgrp1.sysplex1 -p 389 . Copyright IBM Corp., 1999 17

Security Server Access Support Implemented as a new "back-end" to the LDAP server USER and GROUP RACF profiles appear as a subtree of entries in the LDAP namespace Bind, add, modify, delete, and search LDAP protocol operations are supported Access controls for USER and GROUP profiles enforced by Security Server APAR OW41515 enhances bind support: password change as well as more information for a failed bind attempt Copyright IBM Corp., 1999 18

Security Server Access Support sysplex 1 Sysplex DNS system 1 system 2 LDAP protocol Handler RACF access LDAP protocol Handler DB2 interface DB2 interface RACF access DB2 tables RACF Copyright IBM Corp., 1999 19

How to Setup Security Server Support Add configuration keywords to LDAP Server configuration file: database sdbm GLDBSDBM suffix "cn plex1, o IBM, c US" Requires APF authorization and Program Control Re-start the LDAP server Copyright IBM Corp., 1999 20

RACF Functions that LDAP Server Supports User and Group Commands and Information Add or Delete Users and/or Groups ADDUSER (AU) and DELUSER (DU) Commands ADDGROUP (AG) and DELGROUP (DG) Commands Modify and Retrieve Information on Users and/or Groups LISTUSER (LU) and ALTUSER (ALU) Commands LISTGRP (LG) and ALTGROUP (ALG) Commands Supports LDAP Binds (Using RACF Password Verification) Dire c tory OS/390 LDA P V3 req ues ts Clie nt Reason code & text for failed binds, e.g. password has expired(OW41515) Password change support(OW41515) Network 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0000000000000000 00 000 000RACF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Copyright IBM Corp., 1999 Application 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00OS/390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00LDAP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Server 21

LDAP Server And SSL LDAP Server can be set up to listen on a combination of secure and non-secure ports Default non-secure port is 389 Default secure port is 636 LDAP Server and Client use System SSL, also part of the OS/390 Security Server, for SSL connections and key-database management Copyright IBM Corp., 1999 22

LDAP Server Requirement for SSL Support Uses System SSL (OS/390 2.7) Uses Server Authentication (prior to OS/390 2.8) Uses Client and Server Authentication (OS/390 2.8) With APAR OW41326 LDAP server can use certificates in RACF OS/390 LDA PC lien t Dire ctor y re que sts 00 00 00 00 00 00 00 00 00 00 key db Network Application 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00OS/390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00LDAP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000000000000000000000000 OS/390 Cryptographic Services System Secure Sockets Layer Programming Guide - SC24-5877 Copyright IBM Corp., 1999 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 key 00 00 000 000 000 000 000 000 000db 000 000 000 000 000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 00 00slapd.conf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ssl 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secureport 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 636 sslcipherspecs 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00/secure/ldapkey.kdb 00 00 00 2816 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00sslkeyringfile 00 00 00sslkeyringfilepw 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00os390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23

Securing the OS/390 LDAP Server with SSL LDAP Server Setup for SSL Support Server Customization Configuration Files LDAP Server Setup for Key Management LDAP Client Setup for SSL Support OS/390 LDA P Cl ient ts re q ues ctor y Dir e 00 00 00 00 00 00 00 00 00 00 00 0key 0 0 0 0 0 0db0 0 0 0 Network Application 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00OS/390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 slapd.conf 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000 000 000 000 000Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00key 0 00 00 00 00 00 00 00 00db 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00LDAP 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Copyright IBM Corp., 1999 24

LDAP Server Setup for Key Mgmt Build a Key Database and Fill with Certificates Can use RACF to keep the certificates Or use gskkyman for Key Management Need a Trusted CertAuth Certificate Also Need a Server (Default) Certificate OS/390 00 00 00 00 00 00 00 00 00 key db LDA PC lient Can Be Self-Signed Certificate if Appropriate Can Be from a Credited Certificate Authority Application req ues ts 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Signed with Trusted CertAuth Certificate 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 00 00 00OS/390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 database 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00LDAP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 key Network 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00CertAuth 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Certificate 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000Server 0 0 0 0 0 0 0 0 0 0 0 0 0 Certificate 0000000000 Dire c tory slapd.conf S/390 New Technology Center S/390 New Technology Center Digital Certificate Digital Certificate Name: Serial number: Issued by: 540116 CA #z66x21 Name: Serial number: Issued by: Pat Herbert 540116 CA #z66x21 Issue date: 7/16/96 Issue date: 7/16/96 Expiration: 7/16/97 Expiration: 7/16/97 Public key: Digital signature of certificate issuer Copyright IBM Corp., 1999 Pat Herbert Public key: Digital signature of certificate issuer 25

LDAP Client Setup for SSL Support Need a Key Database Can use RACF to keep the certificates Used to Verify the LDAP Server's Certificate Must Contain the Signer's Certificate (IMPORT Option) Either Self-Signed Certificate or the CertAuth's Certificate 00key 00 00 00 00 00 00 00 00 00 00 00database 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OS/390 S/390 New Technology Center ues ts Issued by: Pat Herbert 540116 CA #z66x21 Issue date: 7/16/96 Expiration: 7/16/97 Public key: LDA PC Serial number: lien t Digital Certificate Name: Dire c tory r eq Digital signature of certificate issuer Network 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Copyright IBM Corp., 1999 Application 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00OS/390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Security 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 LDAP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00Server 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 slapd.conf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 00key 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26

GSKKYMAN and Certificates OS/390 Crytographic Services, System SSL, includes tool to administer key databases Replaced MKKF in OS/390 2.7 Used for generating Server and Client certificate requests Used to store Server and Client certificates for use by Server program and the Client APIs Concepts (default certificates, trusted certificates, self-signed certificates) System SSL (and LDAP server) supports use of server certificate stored in RACF Copyright IBM Corp., 1999 27

Recent LDAP Enhancements on OS/390 - OS/390 R10 OS/390 V2R10 LDAP V3 protocol support (more complete) Schema publication and update Many more syntaxes and matching rules Case Sensitive attributes in distinguished names limited Modify DN support Scalable backend/TDBM Small/fixed DB2 data model allows for tuning Allows multiple DB instances Access control check performance improvements New bulkload utility for TDBM z/OS R1 LDAP configuration utility Native Authentication Copyright IBM Corp., 1999 28

Configuring Password Encryption With APAR OW41326 (V2.8), userpassword attribute values can be stored in encrypted form. Encryption uses OCSF, ICSF, and hardware crypto Encryption triggered by presence of configuration file option Configuration file option: pwencryption, in the database section Only applies to DB2 data store (TDBM or RDBM) Possible configuration values: none(default), crypt, MD5, SHA, DES:keylabel Migration utility, db2pwden, will encrypt userpassword values in all existing entries Copyright IBM Corp., 1999 29

Features of the z/OS R2 LDAP Server z/OS R2 LDAP Server concurrent session scalability (up to 64K sessions) access to additional RACF USER profile fields access/update of RACF USER-GROUP connections Kerberos-based authentication (SASL GSSAPI) LDAP Client DNS locate capability for LDAP C/C client Client search result caching for LDAP C/C client Kerberos-based authentication (SASL GSSAPI) Copyright IBM Corp., 1999 30

For More Information LDAP RFCs http://sunsite.auc.dk/RFC/rfc/rfc2251.html- rfc2256.html OS/390 LDAP Documentation SC24-5861-04 OS/390 Security Server LDAP Server Administration and Usage Guide 21.pdf SC24-5878-01 OS/390 Security Server LDAP Client Application Development Guide and Reference 20.pdf Copyright IBM Corp., 1999 31

LDAP on OS/390 Server packaged as part of the OS/390 Security Server Client packaged as part of the OS/390 base prior to OS/390 2.8 With OS/390 2.8, both server and client packaged as part of the OS/390 Security Server, always enabled Many possibilities for OS/390 server configuration: sysplex, multiserver, or single server DB2, RACF, or both

Related Documents:

LDAP Parts z/OS LDAP provides - LDAP server: manages directory entries - LDAP client: C APIs to add, delete, modify, rename, compare and search entries - Command line client utilities: ldapadd, ldapdelete, ldapmodify, ldapmodrdn, and ldapsearch Any Version 3 LDAP client can be used with z/OS LDAP server z/OS LDAP client and utilities can .

LDAP or Active Directory (AD) Integration in Nagios XI. This process is required if your LDAP / AD server has a self signed certificate. Target Audience This document is intended for use by Nagios XI Administrators that require secure LDAP / AD connectivity. . Using SSL/TLS with Active Directory / LDAP. ssl, ad, active, directory, ldap, user .

Cisco Secure Access Control System (ACS) 5.x integrates with an LDAP external database (also called an identity store) by using the LDAP protocol. There are two methods used to connect to the LDAP server: plain text (simple) and SSL (encrypted) connection. ACS 5.x can be configured to connect to the LDAP server using both of these methods.

Access Control Server (ACS) 5.x integrates with an LDAP external database, also called an identity store, by using the LDAP protocol. There are two methods to connect to the LDAP server: plain text (simple) and SSL (encrypted) connection. ACS 5.x can be configured to connect to the LDAP server using both the methods. In

To install the LDAP Directory, you must explicitly mount the CD-ROM file system and provide a pointer to the directory containing the LDAP Directory installation images. Use the following procedure to install the LDAP Directory software: 1. Log in to the AIX server as root. 2. Install the LDAP Directory that is included on the AIX 4.3.2 CD-ROM

3. Select the LDAP Account unit from the drop-down list. 4. OPTIONAL: Assign scopes to this LDAP Group. 5. Click OK. Create Security Rules that use External LDAP User Group in the Security Policy: The most common use of this configuration is for Remote Access VPN. You can also create legacy Client Authentication rules with the same LDAP User .

Directory & LDAP concepts Directory Support on iSeries Management of directories LDAP and Applications Redbooks & More Information Suggested Actions Everything you learn during this presentation and much more is covered in the new IBM Redbook: Implementation and Practical Use of LDAP on the IBM eServer iSeries Server, SG24-6193 Great stuff !!

GLPSRV004I Terminating server. The IBM LDAP server starts in configuration-only mode. The IBM LDAP administration server cannot start. Cause . The SSL certificate that allows secure communication between LDAP and WebSphere Application Server is expired. The password for the LDAP keystore database is also expired. Solution