The PAM Server needs a configuration file named PAMD CONF on the PAMSERVE 191 disk if a CMS file is used, or pamd.conf if a BFS file is used. This section describes the options that can be specified. You need to create this file with at least the userid statement.
You can define the options in any order. If you specify an option more than once the last value is taken.
None of the keywords are case sensitive, but the values are. Make sure that you enter things like file names, including the directory portion, in the correct case for the values.
If an option has a default value it is documented. If the default value is the desired value, you do not need to specify that option in the configuration file.
The following options can be specified in the pamd.conf configuration file:
Specifies the maximum number of threads the PAM Server can start. The default is 32.
Specifies how to handle the mapping of the Linux for zSeries user ID to VM security. Valid values are:
Note: Do not change this setting after configuring the types of long user IDs supported. If you make a change after the user ID is added to the /etc/passwd file on the Linux for zSeries machine using PAM, the PAM Client will not find the “old” values to update. It will add the user ID as a new user.
Specifies the address of the interface over which the server is to accept connections. This value is optional.
host network-address
Where network-address specifies a domain name or an IP address in dotted decimal notation. If a domain name is specified, the server will convert it to an IP address.
If this option is specified the server will only accept connection requests from the interface address specified. If this option is omitted then the server will accept connection requests from all interface addresses configured for this host.
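The rules stated above (keywords are matched without regard to case, values keep their case exactly, and the last occurrence of a repeated keyword wins) are easy to get wrong when writing tooling around this file. The following reader is an added illustration, not CA's own parser. It assumes one `keyword value` pair per line, as in `host network-address`, and that blank lines are ignored; only `host` is a keyword taken from this documentation, and `ExampleOption` is a hypothetical keyword used purely to show that a mixed-case value is stored exactly as written.

```python
"""Minimal reader for a ``keyword value`` configuration file with the
pamd.conf matching rules: keywords are case-insensitive, values are
case-sensitive, and a repeated keyword takes its last value.

Added example; not the PAM Server's own configuration parser.
Assumptions: one keyword/value pair per line, blank lines ignored,
no comment syntax (none is documented here).
"""
from typing import Dict, Optional

# Constructed sample contents (not taken from any real installation).
# 'host' is documented; 'ExampleOption' is a hypothetical keyword.
SAMPLE_CONF = """\
HOST 192.0.2.10
ExampleOption /Some/Mixed/Case/Path
host pamserver.example.com
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Return {lower-cased keyword: value}. Later lines override earlier ones."""
    options: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines carry no meaning
        # Split only once: the keyword never contains whitespace, but a
        # value such as a file name might, so keep the remainder intact.
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'keyword value', got {raw!r}")
        keyword, value = parts
        # Fold the keyword, never the value: file names and directory
        # parts must keep the case the administrator typed.
        options[keyword.lower()] = value
    return options


def effective_value(options: Dict[str, str], keyword: str,
                    default: Optional[str] = None) -> Optional[str]:
    """Look up a keyword case-insensitively, falling back to its documented default."""
    return options.get(keyword.lower(), default)


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print(parsed)
    # The second 'host' line wins; the hypothetical option keeps its case.
    print(effective_value(parsed, "Host"))
```

Running the sample shows `host` resolving to `pamserver.example.com` (the last of the two `host` lines) while `/Some/Mixed/Case/Path` is returned unchanged.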
Specifies the level at which debugging statements and operational statistics are logged to the system log (currently the PAM Server virtual console). Debug levels are additive; the available levels are listed in the following table:

| Value | Debug Information |
|---|---|
| 1 | Trace function calls |
| 2 | Print out packets sent and received |
| 4 | Heavy trace debugging |
| 8 | Connection management |
| 16 | Traces all socket I/O function calls |
| 64 | Configuration file processing |
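Because the levels are additive, a configured value such as 26 means the sum 2 + 8 + 16, and a value that includes a bit not in the table (32, for example) has no documented meaning. The helper below is an added example, not part of the product, that composes a level from the documented values and decodes a level back into its components, reporting any undocumented bits so a misconfiguration is caught before the server is started.

```python
"""Compose and decode the additive PAM Server debug level.

Added example; the table of values is the one documented for pamd.conf,
the helper functions are not part of the product.
"""
from typing import List, Tuple

# Documented debug bits and their meaning.
DEBUG_FLAGS = {
    1: "Trace function calls",
    2: "Print out packets sent and received",
    4: "Heavy trace debugging",
    8: "Connection management",
    16: "Traces all socket I/O function calls",
    64: "Configuration file processing",
}


def compose_debug_level(*bits: int) -> int:
    """OR together documented bits; reject anything not in the table."""
    level = 0
    for bit in bits:
        if bit not in DEBUG_FLAGS:
            raise ValueError(f"{bit} is not a documented debug value")
        level |= bit
    return level


def decode_debug_level(level: int) -> Tuple[List[str], int]:
    """Return (descriptions of the set documented bits, leftover undocumented bits).

    A non-zero leftover means the configured value includes a bit the
    documentation does not define and should be corrected.
    """
    if level < 0:
        raise ValueError("debug level must not be negative")
    names: List[str] = []
    remaining = level
    for bit in sorted(DEBUG_FLAGS):
        if remaining & bit:
            names.append(DEBUG_FLAGS[bit])
            remaining &= ~bit
    return names, remaining


if __name__ == "__main__":
    level = compose_debug_level(2, 8, 16)
    print(level, decode_debug_level(level))
    # 32 is not in the table, so it comes back as an undocumented leftover.
    print(decode_debug_level(32))
```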
Specifies the file from which the server obtains the initial seed for the pseudo-random number generator (PRNG). The server updates this file each time the server starts so that the starting value of the PRNG changes each time the server is run.
Specifies the path and name of the server’s certificate. This certificate must be in PEM format. The server sends this certificate to a client so that the client can validate the server.
This option is required to use TLS or SSL for communications with clients.
Note: If you do not specify a server certificate and the associated private key, no SSL conversation can be started. If SSL_Required is specified on the Linux client then no communications will ever be started.
Specifies the path and name of a file that contains the secret private key that matches the certificate stored in the TLSCertificateFile file. This file must be in PEM format. If this file is password protected the server prompts for the password at the time that the server reads the configuration file.
Except as noted below this option is required to use TLS or SSL for communications with clients.
If the server certificate and the associated private key are stored in the same file, this option can be omitted.
Note: Since you run the server as a disconnected service machine, prompting for a password is not possible. In this case you should ensure that the private key is not password protected.
Specifies the path and name of a file that contains the certificate for all Certificate Authorities that can sign a client certificate. Each certificate must be in PEM format.
If you have a single CA certificate that is used to sign all client certificates, just specify this file with this keyword. If you have more than one CA certificate, concatenate them together into a composite file and specify the path and name of this composite file with this keyword.
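Two of the caveats above are worth checking before the server is started as a disconnected service machine: a password-protected private key would leave the server waiting on a prompt nobody can answer, and a CA file that is not a properly concatenated set of PEM certificates would prevent client certificates from being validated. The checker below is an added example, not part of the product. It inspects the PEM files by their standard markers only: the `BEGIN ENCRYPTED PRIVATE KEY` label used by PKCS#8 encrypted keys, the `Proc-Type: 4,ENCRYPTED` header used by legacy encrypted PEM keys, and `BEGIN CERTIFICATE` blocks for certificates. The sample file contents are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight checks on the PEM files referenced by pamd.conf.

Added example; not a CA tool. It only looks at PEM framing, it does not
parse the key or certificate contents.
"""
import re
from typing import List, Tuple

# One certificate block; re.S lets '.' span the base64 lines.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Unencrypted PKCS#1/SEC1/PKCS#8 key framings.
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----.*?"
                    r"-----END (?:RSA |EC |DSA )?PRIVATE KEY-----", re.S)
# PKCS#8 encrypted keys carry their own label.
ENCRYPTED_KEY_LABEL = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
# Legacy encrypted keys keep the plain label and add this header line.
LEGACY_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED"

# Constructed samples: the base64 bodies are placeholders, not real material.
SAMPLE_PLAIN_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_ENCRYPTED_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CA_BUNDLE = """\
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBDQSBvbmU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBDQSB0d28=
-----END CERTIFICATE-----
"""


def count_pem_certificates(text: str) -> int:
    """Number of complete PEM certificate blocks (a composite CA file has several)."""
    return len(CERT_RE.findall(text))


def private_key_is_encrypted(text: str) -> bool:
    """True if the key would require a passphrase to load."""
    return ENCRYPTED_KEY_LABEL in text or LEGACY_ENCRYPTED_HEADER in text


def check_server_key_file(text: str) -> List[str]:
    """Problems that would stop a disconnected service machine from starting TLS."""
    problems: List[str] = []
    has_key = KEY_RE.search(text) is not None or ENCRYPTED_KEY_LABEL in text
    if not has_key:
        problems.append("no PEM private key block found")
    if private_key_is_encrypted(text):
        problems.append("private key is password protected; the server cannot "
                        "prompt for it when run as a disconnected service machine")
    return problems


def check_ca_file(text: str) -> Tuple[int, List[str]]:
    """Certificate count plus problems for the client-CA file."""
    problems: List[str] = []
    count = count_pem_certificates(text)
    if count == 0:
        problems.append("no PEM certificate blocks found")
    return count, problems


if __name__ == "__main__":
    print("plain key:", check_server_key_file(SAMPLE_PLAIN_KEY))
    print("encrypted key:", check_server_key_file(SAMPLE_ENCRYPTED_KEY))
    print("CA bundle:", check_ca_file(SAMPLE_CA_BUNDLE))
```

The encrypted sample is reported as a problem and the two-certificate bundle counts as two CAs. A file that holds the server certificate and its key together (the case in which the key-file option may be omitted) passes both checks, since the key check ignores the certificate block and the certificate count simply comes out as one.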
Specifies whether a client is required to present a certificate when attempting to establish an SSL or TLS connection with the server. Valid values are:
NEVER—The server does not request a certificate. This is the default.
Note: The values OFF, NO, or FALSE are accepted and are equivalent to NEVER.
ALLOW—The server requests a certificate. If no certificate is provided the session proceeds normally. If a bad certificate is provided it is ignored and the session proceeds normally.
TRY—The server requests a certificate. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session terminates immediately.
DEMAND—The server requests a certificate. If no certificate is provided, or a bad certificate is provided, the session terminates immediately.
Note: The values HARD, ON, YES, and TRUE are accepted as DEMAND.
Copyright © 2011 CA. All rights reserved.