Enterprise Knights of IBM Z

  • 1.  Connecting RACF to Cloud based Active Directory

    IBM Champion
    Posted Tue April 27, 2021 03:19 PM
    Hi
I'm looking to see if there is a solution that connects the mainframe security product to a cloud-based Active Directory (AD) solution, like Azure. I have a client who wants to do all of their userid management through AD, but they need to enable single sign-on to include z/OS and to allow for a direct mapping of an AD ID to z/OS userids.

    They would also like to propagate a 'single-password' (I know there are security issues with that!) across all the platforms too, including z/OS. 

    Anyone ever come across such a solution or know if this is possible?

    Thanks

    ------------------------------
    Ian Chappell
    ------------------------------


  • 2.  RE: Connecting RACF to Cloud based Active Directory

    Posted Wed April 28, 2021 03:05 AM
MFA is an option you may want to look at; it allows you to use other authentication factors, one of them being LDAP. This plugin is the AZFLDAP1 Factor, and when you configure it, you can specify the hostname (or IP address) of the primary LDAP server. This is where you will define your AD server, so that RACF users configured with that authentication factor will authenticate by entering their AD password. You can optionally indicate that you want to implement Compound In-band Authentication, in which case the credentials entered by the RACF userid will have to be in the form of ldap_password:RACF_password (separated by a colon) for enhanced and multifactor security. The Compound In-band Factor Separator specifies the character to delimit the MFA credential from the RACF Password or Password Phrase. Valid values are: +, <, =, >, &, ', (, ), ,, _, -, ., /, :, ;, ?, %, *, ", or |.
    The default is :.
    More information can be found here: https://www.ibm.com/docs/en/zma/2.0?topic=customization-configuring-mfa-mfa-ldap

    ------------------------------
    philippe richard
    IBM Systems Lab Services
    ibm france
    ------------------------------
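As an added example (not code from this thread or from IBM MFA itself), here is a small Python checker for the compound in-band credential format described above, ldap_password<separator>RACF_password. It assumes the separator list given in the post (default :), treats a credential in which the separator occurs more than once as ambiguous and rejects it instead of guessing, and applies the 8-character classic RACF password limit discussed later in the thread.

```python
# Added example, not IBM MFA code: validate and split a compound in-band
# credential of the form ldap_password<sep>RACF_password.
# Assumptions (not stated by IBM): a credential containing the separator
# more than once is ambiguous and is rejected; the RACF half is limited to
# the classic 8-character password length.

# Valid separator characters, in the order listed in the post above.
VALID_SEPARATORS = tuple("+<=>&'(),_-./:;?%*\"|")
DEFAULT_SEPARATOR = ":"
RACF_PASSWORD_MAX = 8


def split_compound_credential(credential, separator=DEFAULT_SEPARATOR):
    """Return (ldap_password, racf_password), or raise ValueError."""
    if separator not in VALID_SEPARATORS:
        raise ValueError(f"{separator!r} is not a valid compound in-band separator")
    count = credential.count(separator)
    if count == 0:
        raise ValueError("credential does not contain the factor separator")
    if count > 1:
        # One of the two passwords contains the separator itself; the split
        # would be ambiguous, so reject rather than guess where it falls.
        raise ValueError("separator occurs more than once; pick a separator "
                         "that appears in neither password")
    ldap_pw, racf_pw = credential.split(separator)
    if not ldap_pw or not racf_pw:
        raise ValueError("both the LDAP and the RACF password must be non-empty")
    if len(racf_pw) > RACF_PASSWORD_MAX:
        raise ValueError("RACF portion exceeds 8 characters; a password phrase "
                         "would be needed instead")
    return ldap_pw, racf_pw


def choose_separator(ldap_pw, racf_pw, preferred=DEFAULT_SEPARATOR):
    """Pick a valid separator absent from both passwords, preferring `preferred`.

    Useful when testing a site's separator choice against its password policy:
    a separator that can appear inside an AD password makes the split ambiguous.
    """
    candidates = [preferred] + [s for s in VALID_SEPARATORS if s != preferred]
    for sep in candidates:
        if sep in VALID_SEPARATORS and sep not in ldap_pw and sep not in racf_pw:
            return sep
    raise ValueError("no valid separator is absent from both passwords")
```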



  • 3.  RE: Connecting RACF to Cloud based Active Directory

    Posted Tue February 06, 2024 03:17 PM

    Hi Philippe,

    1. Besides MFA, are there other methods to set up single sign-on between AD and RACF?
    2. If the AD password (without a compound in-band) exceeds 8 characters, is out-of-band MFA the only way to accommodate RACF without the password phrase option?  What are the pros and cons of in-band vs. out-of-band?

    Thanks,
    Dave



    ------------------------------
    David Cheng
    ------------------------------



  • 4.  RE: Connecting RACF to Cloud based Active Directory

    Posted Tue February 06, 2024 04:33 PM

    Hi David,

    I'm not aware of another method to use external LDAP server password with RACF, besides IBM MFA. 
Most z/OS applications can accept credentials longer than 8 characters, but each application has its own configuration settings to enable password phrase sized credentials. For instance, in TSO the IKJTSOxx PARMLIB member statement PASSPHRASE(ON) causes TSO to display a longer password field on the TSO logon screen.
    If an installation does not wish to configure applications to support phrase-sized credentials, it can use the IBM MFA out-of-band support to provide a web-based logon page for users to translate their longer credentials to 8-byte credentials. In-band provides a more direct way for users to log on to their z/OS applications with MFA/LDAP, but may require application configuration changes, or maybe even application changes to display longer password fields.
    If you would like us to take you through some of these scenarios in more detail, please just let me know.

    Best regards,
    Ross



    ------------------------------
    Ross Cooper
    ------------------------------



  • 5.  RE: Connecting RACF to Cloud based Active Directory

    Posted Tue February 06, 2024 05:58 PM

    Hi Ross,

    Thank you for your answers.  For either in-band or out-of-band, can we add another TOTP factor (w/Microsoft Authenticator), so the user will enter both the AD password and the passcode for authentication? If you could provide some details, that would be great.

    Thanks,
    Dave



    ------------------------------
    David Cheng
    ------------------------------



  • 6.  RE: Connecting RACF to Cloud based Active Directory

    Posted Wed February 07, 2024 12:51 AM
    There used to be a product from Novell that synced between RACF and their Identity Manager.


  • 7.  RE: Connecting RACF to Cloud based Active Directory

    Posted Wed February 07, 2024 09:38 AM

    Hi David,

    Out-of-band, yes. Out-of-band is very flexible and it's possible to require multiple different factor types including TOTP and LDAP. 
    In-band, no. In-band can be configured with TOTP and RACF password but it does not currently support TOTP and LDAP. 
    If that would be useful for your use case please open a requirement via IBM ideas here: https://ideas.ibm.com 

    Please let me know if you have any further questions.

    Regards,
    Ross



    ------------------------------
    Ross Cooper
    ------------------------------