OnDemand User Group

Support Forums => z/OS Server => Topic started by: leodejong on December 20, 2022, 05:58:57 AM

Title: Convert from RACF authentication to LDAP authentication
Post by: leodejong on December 20, 2022, 05:58:57 AM
Hi all,

We are currently running CMOD on z/OS with RACF authentication. The customers are using the fat client.
This is implemented with a slightly modified version of the sample security exit.

However, we want to convert to the Content Navigator front-end instead of the fat client.
This gives us the opportunity to implement Single Sign-on, something which has been on our wish list for a long time.

A big bang scenario is out of the question. So I was thinking of running two instances for a period of time, one with RACF, one with LDAP, both accessing the same database.
I have done some experiments and I have some questions.

In the INI files I can separate all the settings of the authentication in different INI files. But there is also the "system parameters / Login Information" flag to LDAP authentication.
I found this sets a flag in the ARSSYS DB2 table. This is common data between the two instances. What is the effect of that? Does this prohibit the RACF option?

Secondly, I have tried the ARSLSYNC cmd and got it to work. But it deletes the RACF user entries if they are not in the AD.
So now I have to add them again to enable the RACF authentication to work. Is there a way to prevent this?

The intention is to have a relatively short conversion period. So some ad-hoc tinkering during this period is not a problem.

Any comment on the total idea and the specific questions is welcome.
Best Regards, leo de Jong
Title: Re: Convert from RACF authentication to LDAP authentication
Post by: rjrussel on January 16, 2023, 05:57:57 PM
What you are proposing is not an option. You can only have one defined authentication method.

Why wouldn't you just use Content Navigator with RACF?

What version of CMOD are you currently using?
Title: Re: Convert from RACF authentication to LDAP authentication
Post by: leodejong on January 19, 2023, 08:49:55 AM
rjrussel,

Our ultimate goal is to enable Single Sign-on: no sign-on screen for the end users.
We had enabled this for years, with a home-grown Java front-end before the ARSGUI command (adding /U & /P parameters).
But auditors have found a huge vulnerability in this code and it must be removed.
So we are looking for a way to get SSO back in some other form.

We are running version 10.5.
Title: Re: Convert from RACF authentication to LDAP authentication
Post by: rjrussel on January 19, 2023, 10:13:14 AM
I understand. At 10.5.0.6 (I have no eta on it) you will be able to have SSO with ICN and OnDemand using RACF.

You can also switch to native CMOD LDAP authentication and get SSO now if you choose. I am not sure what is preventing you from switching to LDAP at this time.

The following link shows the currently supported SSO technologies within IBM Content Navigator.

https://www.ibm.com/docs/en/content-navigator/3.0.13?topic=security-support-single-sign-sso