z/OS Integration
There are three options for managing z/OS users and passwords, on any currently available version of MVS, OS/390 or z/OS:
- Install a local agent (P-Synch®/390) as a started task on the LPAR with the z/OS security database. This agent acts as a TCP/IP listener and accepts inbound connections on a designated TCP port. The ID-Synch® server negotiates a cryptographic handshake with the started task (128-bit AES, shared secret key, mutual authentication, random session keys) and asks the started task to issue RACROUTE commands to enumerate users, verify current passwords and reset passwords.
  Advantages: Fast, secure, reliable, easy to configure.
  Disadvantages: Change control is required to install a local, privileged agent on the mainframe.

- Manage passwords using a Telnet or TN3270 script, assuming that a Telnet or TN3270 service is enabled and available. This option is less secure and robust than the P-Synch/390 started task, but requires no change control on the mainframe.
  Advantages: No change control, no local agent on the mainframe.
  Disadvantages: Slower connections, no cryptographic protection, fragile if the terminal user interface is substantially changed.

- Install an LDAP directory server on the mainframe which uses the z/OS security database as its back-end, at least for user and password data. IBM and CA both provide such directory products. With the LDAP service installed, ID-Synch can integrate with the mainframe as though it were a normal LDAP directory.
  Advantages: Fast and potentially secure, if LDAP+SSL is used.
  Disadvantages: Mainframe LDAP directory products are relatively new and quite fragile. Change control and a local software footprint on the mainframe are still required.
ID-Synch supports all three of these integration options.
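The handshake properties listed for the started-task option (shared secret key, mutual authentication, fresh random session keys) can be illustrated with a nonce-based challenge-response exchange. The following is an added example written for this page, not P-Synch/390's actual wire protocol; it uses HMAC-SHA256 from the Python standard library, and the secret value, party names and message ordering are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed shared secret standing in for the key provisioned to both the
# ID-Synch server and the started task (assumption: not the product's format).
SHARED_SECRET = b"constructed-demo-shared-secret-do-not-reuse"

def _mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed fields so field boundaries cannot shift.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Party:
    """One endpoint (server or started task) holding the shared secret."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
        self.nonce = secrets.token_bytes(16)   # fresh for every connection

    def proof(self, peer_nonce: bytes) -> bytes:
        # The proof binds both nonces and the prover's identity, so a transcript
        # captured from one session is useless in another (replay resistance).
        return _mac(self.secret, b"auth", self.name.encode(), self.nonce, peer_nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, peer_proof: bytes) -> bool:
        expected = _mac(self.secret, b"auth", peer_name.encode(), peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_proof)

    def session_key(self, peer_nonce: bytes, initiator: bool) -> bytes:
        # Derive a per-session 128-bit key from both nonces; ordering them
        # initiator-first makes both sides compute the same value.
        n_i, n_r = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        return _mac(self.secret, b"session", n_i, n_r)[:16]

def handshake(server: Party, agent: Party) -> Optional[bytes]:
    """Mutual authentication; returns the session key, or None on failure."""
    # 1. server -> agent: server nonce.  2. agent -> server: agent nonce + proof.
    agent_proof = agent.proof(server.nonce)
    if not server.verify(agent.name, agent.nonce, agent_proof):
        return None
    # 3. server -> agent: server proof, so the agent also authenticates the server.
    server_proof = server.proof(agent.nonce)
    if not agent.verify(server.name, server.nonce, server_proof):
        return None
    k_server = server.session_key(agent.nonce, initiator=True)
    k_agent = agent.session_key(server.nonce, initiator=False)
    return k_server if k_server == k_agent else None
```

A party that does not hold the shared secret fails step 2 or step 3, and two successful connections never share a session key because each draws fresh nonces.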
ID-Synch can create, delete, enable, disable, modify and rename RACF, ACF2 and TopSecret users in any specified LPAR/security database. It creates new mainframe users by cloning existing ones, copying and adjusting the various associated segments (e.g., TSO, OMVS) in the process. It can also manage the membership of mainframe users in RACF, ACF2 or TopSecret security groups.