Installing and Configuring the Novell Identity Manager Mainframe and IBM AS/400 Connector Doug Anderson Product Manager Boyd Wilson Product Architect, Jeff Bate Engineering Randy Martin Engineering

© March 10, 2004 Novell Inc, Confidential & Proprietary 2 one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions. The one Net vision Novell exteNd ™ Novell Nsure ™ Novell Nterprise ™ Novell Ngage SM : : : :

© March 10, 2004 Novell Inc, Confidential & Proprietary 3 The one Net vision Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably. Novell Nsure ™ Novell exteNd ™ Novell Nsure ™ Novell Nterprise ™ Novell Ngage SM : : : :

© March 10, 2004 Novell Inc, Confidential & Proprietary 4 Agenda Overview and Roadmap AS/400 Connectivity AS/400 Configuration Demo RACF Driver for Mainframe Connectivity RACF Driver Configuration Demo Futures Q&A

© March 10, 2004 Novell Inc, Confidential & Proprietary 5 What’s Up With NAM and IDM? Let’s clear this up now These are complementary products, not competing products Identity Manager is the family, and NAM is part of it NAM is going to go from cousin to brother

© March 10, 2004 Novell Inc, Confidential & Proprietary 6 How are Novell Account Management and Identity Manager Related? NAM has functionality not available in IDM2 (Fan-Out Drivers, Windows Standalone Mode, Authentication Redirection, Native Script Handling, password sync using standard eDir password) NAM also has limitations not found in IDM2 (Subscriber-Only, Different Architecture, Different Management Console)

© March 10, 2004 Novell Inc, Confidential & Proprietary 7 What’s the Mission? To make it easy for any Novell Account Management customer (and there are thousands), be it version 2.1 or 3.0, on any platform, to move forward, without losing any critical functionality, and, in fact, gaining significant functionality.

© March 10, 2004 Novell Inc, Confidential & Proprietary 8 But, for today... But for right now, let’s talk about how NAM works today, and how it will work in the future

AS/400 Connectivity

© March 10, 2004 Novell Inc, Confidential & Proprietary 10 Account Provisioning to a Target By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future. OS/390 Mainframe With RACF AS/400 Application Server Set of Linux Web Servers AS/400 RACF Linux Servers

© March 10, 2004 Novell Inc, Confidential & Proprietary 11 NAM 3.0 Principal Components AS/400 Unix Other Windows 390 Core Services Agents Event Listener Manager Services Object Services Audit Services Certificate Services Web Services Journal Services Platform Services eDirectory Novell DirXML

© March 10, 2004 Novell Inc, Confidential & Proprietary 12 AS/400 Unix Other Windows 390 NAM 3.0 Principal Components eDirectory Authentication Services API Platform Services System Intercept Platform Services Process User and Group Management Platform Receiver Scripts User Authentication Core Services Agents Event Listener Manager Services Object Services Audit Services Certificate Services Web Services Journal Services SSL Novell DirXML

© March 10, 2004 Novell Inc, Confidential & Proprietary 13 Receiver Scripts Default Scripts are delivered for each security system for each platform. May be modified or replaced by the customer. Target system administrators already know how to write scripts since the local scripting environment is used on each platform (REXX, Shell Script, Windows Script, etc) In many cases administrators already have scripts to perform operations on their local system and these can be plugged directly in.

© March 10, 2004 Novell Inc, Confidential & Proprietary 14 Adding Users To The Directory Authentication Services API eDirectory Novell DirXML Platform Services System Intercept Platform Services Process User Authentication User and Group Management Platform Receiver Scripts Core Services Agents Event Listener Manager Services Object Services Audit Services Certificate Services Web Services Journal Services SSL 1. A new user is created in eDirectory 4. Object Services creates an E-user object in the Census, associates it to the proper Platform and passes this information on to Event Journal Services 3. An Access Management Event is created and sent to Object Services 5A. The Platform Receiver requests an Access Management Event from Event Journal Services pertaining to the Platform Set that this particular platform is associated with 5B. Event Journal Services reads the information for the object specified in the Access Management Event out of eDirectory and passes it on to the Platform Receiver 6. The Platform Receiver processes the Access Management Event through a suitable script (Add User) and passes it on the local user security system 7. Event Journal Services notifies Audit Services which records the actions taken in the Audit Log 2. The Event Listener sees the change

© March 10, 2004 Novell Inc, Confidential & Proprietary 15 AS/400 Connector Facts AS/400 and Windows platforms share many of the same challenges with regard to provisioning and password synchronization. Security system is not as accessible or extensible as eDirectory or even RACF on the mainframe. Provisions users and groups from eDirectory™ to AS/400 security system. Supports bi-directional sync of passwords. Account Management API is available on the AS/400 platform.

© March 10, 2004 Novell Inc, Confidential & Proprietary 16 AS/400 Password Intercept Password check cannot be intercepted. This means we cannot use redirection. Password change can be intercepted via exit specified in the system value QPWDVLDPGM. This means we can use password replication. Authentication Services API System Intercept Platform Services Process User Authentication

© March 10, 2004 Novell Inc, Confidential & Proprietary 17 AS/400 Basics Uses a scripting language called “CL”, which is the language that the Account Management platform receiver scripts are provided in. System security profiles are based on levels: 10, 20, 30, 40 and 50. Determines required elements for a user profile. We support integration with systems at any security level.

18 AS/400 Security System Basic user information is kept in a user profile. All other user and group information in kept in the distribution directory. We update both UID SalesGroup Member Sales Manager Description BobUsername Profile Distributio n Directory User and Group Management Platform Receiver Scripts attrmap.conf

Account Management AS/400 Configuration Demo

RACF Driver for Mainframe Connectivity

© March 10, 2004 Novell Inc, Confidential & Proprietary 21 Identity Manager Driver and Account Management 3 Connector Options for Mainframes Identity Manager 2.0 Driver for RACF In Beta Now. Announced at BrainShare 2004 SLC. Useful if need to have RACF authoritative for Accounts More info to come… Account Management Connector for Mainframes Supports RACF, ACF2, and Top Secret security systems on OS/390. Allows account provisioning from eDirectory to each of the above security systems. Supports bi-directional password sync. Supports extendable control through REXX scripting.

© March 10, 2004 Novell Inc, Confidential & Proprietary 22 RACF Driver Facts Bi-directional for User Accounts and Groups. Bi-directional for passwords. Supports being run as a native or remotable driver. Leverages IDM 2.0 password management framework through Universal Password in eDirectory. Uses auxiliary classes add MVS RACF schema attributes to User and Group objects in eDirectory. Can be used to sync one RACF system with another through eDirectory.

© March 10, 2004 Novell Inc, Confidential & Proprietary 23 RACF Driver Requirements Novell Nsure Identity Manager 2.0 or later iManager 2.02 or later Any IBM supported OS/390 or z/OS release RACF 1.9 or later

© March 10, 2004 Novell Inc, Confidential & Proprietary 24 RACF Driver Components Driver Shim – Interface between the Identity Manager Engine and RACF. Contains both a Subscriber channel and a Publisher channel. Sample Policies and Filters for controlling bi- directional flow of data between eDirectory and RACF. RACF Event Subsystem – Captures RACF events and provides and interface into the Subscriber and Publisher channels.

25 z/OS RACF Event Subsystem (One for each system sharing the RACF dataset) RACF Driver Shim (Can also run local to the DirXML Engine) Change Log RACF Command Exit RACF RACINIT Exit Cross Memory Queue Change Log Started Task Publisher Subscriber DirXML Engine RACF commands (ADDUSER, ALTUSER, DELUSER, ADDGROUP, ALTGROUP, DELGROUP, CONNECT, REMOVE, PASSWORD) LDXSERV command (GETNEXT and MARKDONE) DirXML Remote Loader Policies LDXSERV Command (NOLOG and ISSUE) RACF commands (LISTUSER, LISTGROUP)

© March 10, 2004 Novell Inc, Confidential & Proprietary 26 Rules and Style Sheets Customization is handled through rules and style sheets. The shim itself avoids implementing policy. Examples … RACF Password Interval is 1–254 Days; eDirectory is number of seconds EDir User: Group Membership, Group: Members; RACF has profiles for users, groups, and connects. RACF does no cleanup. eDir User delete becomes RACF revoke. Group delete blocked. The behavior of the driver is governed by its configuration of options, policies, and filters. The configuration of the Driver for RACF is stored in its driver object in eDirectory.

27 RACF Event Subsystem Uses standard RACF exits (IRREVX01 and ICHRIX02) to capture events of interest. Places events in a ECSA-based cross memory queue. Started Task moves events from queue to Change Log Direct Access (DA) dataset. Publisher channel is provided events from the Change Log dataset via LDXSERV TSO command. RACF Exit Change Log Started Task Change Log Dataset Queue Driver Publisher Channel

RACF Driver Configuration Demo

Futures

© March 10, 2004 Novell Inc, Confidential & Proprietary 30 Facts The same engineering team now develops and supports the Account Management and RACF Driver deliveries in the Mainframe solution space as well as the AS/400 connector. Account Management and Identity Management are converging using a multiple phase approach.

© March 10, 2004 Novell Inc, Confidential & Proprietary 31 IDM/NAM Convergence This does NOT mean simply that Account Management is going away and being converted to drivers. Convergence requires new functionality in the current IDM Engine and management infrastructure as well as a change in current NAM management methodologies. This will open up new possibilities for managing how drivers work. This will allow for a common management and customization infrastructure. Migrations from current DirXML®/Identity Manager drivers and NAM implementations will be made seamless. No need to wait to deploy!

© March 10, 2004 Novell Inc, Confidential & Proprietary 32 NAM Futures and Convergence The following slides constitute one phase in the convergence process. All current functionality is taken forward.

© March 10, 2004 Novell Inc, Confidential & Proprietary 33 Component Location (Core Driver) The Core Driver now includes all the functionality of the former Event Listener, Manager and Agents. A Core Driver must be installed on the server(s) where replicas of the provisioned users and ASAM System container reside. The Core Driver uses a mix of DirXML and LDAP calls to accomplish its mission You can install more than one Core Driver for redundancy, when you upgrade upgrade the Manager first, then the agents all to Core Drivers

© March 10, 2004 Novell Inc, Confidential & Proprietary 34 Principal Components AS/400 Unix Other Windows 390 Core Driver(s) Fan Out Auditing UIDGID Mgmt Authentication Redirection Bi-directional Password Replication UP Support IDM2 Integration Requires fewer objects in eDirectory Platform Services eDirectory Novell DirXML

© March 10, 2004 Novell Inc, Confidential & Proprietary 35 AS/400 Unix Other Windows 390 Principal Components eDirectory Authentication Services API Platform Services System Intercept Platform Services Process User and Group Management Platform Receiver Scripts User Authentication Core Driver(s) Manager Services Object Services Audit Services Certificate Services Web Services (iManager Integration) Journal Services Auth Redirection (agent) SSL Novell DirXML

© March 10, 2004 Novell Inc, Confidential & Proprietary 36 eDirectory Novell DirXML Core Driver Manager Services Object Services Audit Services Certificate Services Web Services Journal Services Agent Services DirXML LDAP/SSL Core Driver Communications Installed on the Same System

© March 10, 2004 Novell Inc, Confidential & Proprietary 37 Multiple Core Drivers eDirectory Novell DirXML eDirectory Novell DirXML Multiple Core Drivers can watch for events in different or the same replica rings. DirXML LDAP/SSL DirXML LDAP/SSL Core Driver Manager Services Object Services Audit Services Certificate Services Web Services Journal Services Agent Services Core Driver Manager Services Object Services Audit Services Certificate Services Web Services Journal Services Agent Services

© March 10, 2004 Novell Inc, Confidential & Proprietary 38 Component Location (Platform Services) Platform Services run on the target system. Delivery and Installation based on the Native Platform.

© March 10, 2004 Novell Inc, Confidential & Proprietary 39 Core Driver(s) eDirectory Novell DirXML Platform Services – AS/400 LDAP Security System API Interf ace Proces s Intercep ts And Interfac es AS/400 APP 1 APP 2 APP 3 APP N

Question and Answer

© March 10, 2004 Novell Inc, Confidential & Proprietary 41

General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.