

Configuring CA ACF2 for z/VM Security for Use With the PAM Server

Now that the PAM Server has been installed and configured, you must set up CA ACF2 for z/VM to support it.

The following sections detail the steps required to set up CA ACF2 for z/VM to support the PAM Server.

Step 1: Defining the Linux for zSeries Hosts

The first step in enabling the PAM Server is to define, with VMO LINUX records, every Linux for zSeries host that uses this security database, together with its TCP/IP address. Without these definitions, all logons fail.

SET CONTROL(VMO)
INSERT LINUX.qual MACHNAME(the linux machine name) IPADDR(the.ip.addr.here)

Repeat the INSERT for each Linux host, then issue the following to enable the changes:

ACFSERVE RELOAD CONTROL VMO LINUX

Note: The MACHNAME value can be determined by issuing 'hostname -f' on the Linux system. The IP address can then be determined by pinging that hostname value from the z/VM system.

Step 2: Defining the Linux for zSeries Group Profile Records

Before you assign a Linux group name to a user's profile record, you must define the group and the GID associated with it. During RACROUTE EXTRACT processing, if no GID can be found for a group name, processing fails and the user is not allowed onto the Linux system.

SET PROF(GROUP) DIV(LINUX)
INSERT grpname LINUXGID(gid#)

Repeat the inserts for each group that needs to be defined, then issue the following to enable the changes:

ACFSERVE RELOAD PROFILE LINUX GROUP

Note: When defining groups, ensure that GID values are unique; no two groups may be assigned the same value.

Step 3: Defining the Linux for zSeries User Profile Records

When signing on to a Linux for zSeries system, the user can use their existing 8-byte (short) CA ACF2 for z/VM user id. If you want to allow the user to log on with a long name (longer than 8 bytes), that name can be mapped to their existing CA ACF2 for z/VM id.

The PAM Server installs by default with MIXED mode mapping enabled. Mixed mode configures the PAM Server to map the logon id to a short name before issuing the RACROUTE VERIFY call. If the mapping succeeds, the RACROUTE VERIFY is issued with the mapped short name. If the mapping fails but the entered id is 8 bytes or less, the RACROUTE VERIFY is issued with the original value.

If you want to define a user profile record that supports id mapping, issue the following:

SET PROF(USER) DIV(LINUX)
INSERT lid_here LINUXNAM(the linux long name) LINUXUID(uid#) LINUXGRP(grpname) LINUXHOM(home.dir) LINUXPGM(shell_name)

If id mapping is not required, omit the LINUXNAM parameter.

For the LINUXGRP parameter, specify a group name that matches one of the Linux group profiles you have defined.

Repeat inserts for each user that needs to be configured, then issue the following to enable the changes:

ACFSERVE RELOAD PROFILE LINUX USER

Note: If id mapping will never be used, you can disable the mapping call that precedes the VERIFY. Refer to the userid parameter in the Installing and Configuring the PAM Server chapter.

Tip: When defining users, you need to ensure that UID values are not assigned to more than one user.

Step 4: Defining the Linux for zSeries Resource Rules

Using the resource rule type LNX, you now define which users can access each Linux for zSeries system.

SET RESOURCE(LNX)
COMPILE
$KEY(linux_Machine_name) TYPE(LNX)
 UID(string) ALLOW
END
STORE

Repeat the COMPILE-END-STORE sequence for each Linux host, then issue the following to enable the changes:

ACFSERVE RELOAD RESOURCE LNX

Step 5: Define Secondary Group Membership

The resource rule type LGR defines who is a member of which group. Linux distinguishes between a user's primary and secondary groups. You define the user's primary group when you define the Linux User Profile record for the user (the LINUXGRP option). Secondary groups are defined here.

Note: Skip this step if no user is a member of a secondary group.

To define who is a member of which group:

  1. Issue the following commands:
    SET RESOURCE(LGR)
    COMPILE
    . $KEY(groupname) TYPE(LGR)
    . UID(uidmask) ALLOW
    . additional resource rule entries
    .
    END
    STORE

    Include one resource rule entry for each user that is a member of this group. Do not list users who have this group as a primary group; list only users that have this group as a secondary group.

    Repeat the COMPILE-END-STORE sequence for each group that needs to be defined.

  2. Issue the following to enable the changes:
    ACFSERVE RELOAD RESOURCE LGR

Note: Because CA ACF2 for z/VM implements secondary group membership through resource rules, any user who has the SECURITY attribute becomes a member of any group configured here whether or not they are listed.
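The notes in Steps 2, 3 and 5 each describe a consistency condition that ACF2 does not check for you at INSERT time: duplicate GIDs, duplicate UIDs, a LINUXGRP that names no GROUP profile record, and a user listed in an LGR rule for a group that is already their primary group. The following Python script is an added example, not CA's code and not part of the product. It holds the planned definitions as data, validates those conditions before anything is typed into the ACF2 command interface, emits the command text for Steps 2, 3 and 5, and models the MIXED mode id resolution from Step 3. All sample values are constructed; the UID masks in the generated LGR rules assume an installation whose UID string is matched by the bare logonid, which is an assumption and not how every site defines its UID string.

```python
"""Pre-flight check for the CA ACF2 for z/VM Linux definitions in Steps 2, 3 and 5.

Added example: not CA's code and not part of the product. It holds the planned
records as Python data, checks the constraints the procedure calls out and
emits the ACF2 command text. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinuxGroup:
    name: str          # key of the GROUP profile record
    gid: int           # LINUXGID


@dataclass(frozen=True)
class LinuxUser:
    lid: str                         # short (8-byte) ACF2 logonid
    uid: int                         # LINUXUID
    group: str                       # LINUXGRP, the primary group
    home: str                        # LINUXHOM
    shell: str                       # LINUXPGM
    long_name: Optional[str] = None  # LINUXNAM, only when id mapping is wanted


def validate(groups: List[LinuxGroup], users: List[LinuxUser],
             secondary: Dict[str, List[str]]) -> List[str]:
    """Return the problems found; an empty list means the definitions are consistent."""
    problems: List[str] = []
    gid_owner: Dict[int, str] = {}
    for g in groups:                               # Step 2 note: GIDs must be unique
        if g.gid in gid_owner:
            problems.append(f"GID {g.gid} used by both {gid_owner[g.gid]} and {g.name}")
        gid_owner.setdefault(g.gid, g.name)
    group_names = {g.name for g in groups}
    uid_owner: Dict[int, str] = {}
    primary: Dict[str, str] = {}
    for u in users:
        if len(u.lid) > 8:                         # the logonid itself is the short id
            problems.append(f"{u.lid}: logonid longer than 8 bytes; use LINUXNAM for long names")
        if u.uid in uid_owner:                     # Step 3 tip: UIDs must be unique
            problems.append(f"UID {u.uid} used by both {uid_owner[u.uid]} and {u.lid}")
        uid_owner.setdefault(u.uid, u.lid)
        if u.group not in group_names:             # RACROUTE EXTRACT fails without a GID
            problems.append(f"{u.lid}: LINUXGRP {u.group} has no GROUP profile record")
        primary[u.lid] = u.group
    for grp, members in secondary.items():         # Step 5: LGR rules list secondary members only
        if grp not in group_names:
            problems.append(f"LGR rule {grp} names a group with no profile record")
        for lid in members:
            if lid not in primary:
                problems.append(f"LGR rule {grp} lists unknown logonid {lid}")
            elif primary[lid] == grp:
                problems.append(f"{lid} has {grp} as primary group; drop it from the LGR rule")
    return problems


def acf2_commands(groups, users, secondary) -> List[str]:
    """Emit the command sequence from Steps 2, 3 and 5 for the given definitions.
    Assumption (constructed): the installation's UID string is matched by the bare
    logonid, so UID(lid) is used as the rule mask; real UID masks are site-specific."""
    out = ["SET PROF(GROUP) DIV(LINUX)"]
    out += [f"INSERT {g.name} LINUXGID({g.gid})" for g in groups]
    out += ["ACFSERVE RELOAD PROFILE LINUX GROUP", "SET PROF(USER) DIV(LINUX)"]
    for u in users:
        nam = f" LINUXNAM({u.long_name})" if u.long_name else ""
        out.append(f"INSERT {u.lid}{nam} LINUXUID({u.uid}) LINUXGRP({u.group}) "
                   f"LINUXHOM({u.home}) LINUXPGM({u.shell})")
    out.append("ACFSERVE RELOAD PROFILE LINUX USER")
    for grp, members in secondary.items():
        out += ["SET RESOURCE(LGR)", "COMPILE", f"$KEY({grp}) TYPE(LGR)"]
        out += [f" UID({lid}) ALLOW" for lid in members]
        out += ["END", "STORE"]
    if secondary:
        out.append("ACFSERVE RELOAD RESOURCE LGR")
    return out


def resolve_logon_id(entered: str, users: List[LinuxUser]) -> Optional[str]:
    """MIXED mode as Step 3 describes it: map a LINUXNAM long name to its logonid;
    with no mapping, pass the entered value to VERIFY only when it is 8 bytes or
    less; otherwise the logon cannot proceed (None)."""
    by_long_name = {u.long_name: u.lid for u in users if u.long_name}
    if entered in by_long_name:
        return by_long_name[entered]
    if len(entered.encode("utf-8")) <= 8:
        return entered
    return None


# Constructed sample definitions.
SAMPLE_GROUPS = [LinuxGroup("LNXUSERS", 1000), LinuxGroup("LNXADMIN", 1001)]
SAMPLE_USERS = [
    LinuxUser("JSMITH", 5001, "LNXUSERS", "/home/jsmith", "/bin/bash", "john.smith"),
    LinuxUser("ADMIN01", 5002, "LNXADMIN", "/home/admin01", "/bin/bash"),
]
SAMPLE_SECONDARY = {"LNXADMIN": ["JSMITH"]}   # JSMITH's primary group is LNXUSERS

if __name__ == "__main__":
    issues = validate(SAMPLE_GROUPS, SAMPLE_USERS, SAMPLE_SECONDARY)
    print("\n".join(issues or acf2_commands(SAMPLE_GROUPS, SAMPLE_USERS, SAMPLE_SECONDARY)))
```

Run with no arguments it either lists the problems or prints the command text ready to paste; the resolve_logon_id function is there to make the MIXED mode fallback explicit, since a long name that has no LINUXNAM mapping never reaches RACROUTE VERIFY, while an unmapped 8-byte value does and is then accepted or rejected by ACF2 itself.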