

Configuring the PAM Server

Configuring the PAM Server on a VM system requires setting up the PAM Server service machine and setting a number of options.

Step 1: Create the PAM Server Service Machine

The PAM Server needs to run in a service machine, normally called PAMSERVE.

Create a VM directory entry for the PAM Server service machine. The PAM Server service machine needs to have at least a 1 cylinder 191 minidisk or equivalent SFS space. Below is a sample for the directory entry:

USER PAMSERVE pampass 24M 48M G
IPL CMS PARM AUTOOCR
MACHINE ESA
OPTION ACCT MAXCONN 00032 QUICKDSP DIAG88
CONSOLE 0009 3215 T
SPOOL 000C 2540 READER A
SPOOL 000D 2540 PUNCH A
SPOOL 000E 1403 A
LINK MAINT 0190 0190 RR
LINK MAINT 019D 019D RR
LINK MAINT 019E 019E RR
LINK TCPMAINT 0198 0198 RR
LINK TCPMAINT 0591 0591 RR
LINK TCPMAINT 0592 0592 RR
MDISK 0191 3390 xxxx 1 vvvvvv MR readpw writepw multipw

Create a standard TCP/IP PROFILE EXEC similar to your other TCP/IP service machines, and place it on the PAMSERVE 191 minidisk. A sample PAMSERVE PROFILE:

/*   PAM Server service machine PROFILE EXEC    */
'ACCESS 198 D'        /* TCP/IP configuration disk          */
'ACCESS 591 E'        /* TCP/IP server code disk            */
'ACCESS 592 F'        /* TCP/IP client code disk            */
queue "EXEC TCPRUN"   /* start the server once PROFILE ends */

Step 2: Add the PAM Server to SYSTEM DTCPARMS

Define the PAM server as a TCP/IP service machine by adding an entry in your SYSTEM DTCPARMS on the TCPMAINT 198 minidisk:

.* PAM server (PAM) daemon
:nick.PAMSERVE   :type.server     :class.pam
:nick.pam        :type.class
                          :name.PAM daemon
                          :command.SRVRPAM
                          :runtime.C
                          :diskwarn.YES
                          :anonymous.NO
                          :ESM_Enable.Yes
                          :ESM_Validate.RPIVAL
                          :ESM_Racroute.RPIUCMS
                          :VMLINK.ZCAMAINT cuu (NONAMES

Note: The cuu value depends on the Runtime Environment tag set for the ZCAMAINT server. A setting of PRIMARY, ALTERNATE, or PREVIOUS means the PUBLIC (193), ALTPUBLIC (293), or PREVPUBLIC (493) minidisk respectively.

A sample RPIVAL XASSEMBL is supplied on the ZAKVnnnA 2C2 minidisk or in the SFS ZAKVnnnA LOCALMOD directory. You must provide the RPIVAL MODULE for use by the PAMSERVE machine.

Step 3: Modify the TCPIP Configuration file

Modify your TCPIP Configuration File, normally on the TCPMAINT 198 minidisk, as follows:

  1. Add an entry in the AUTOLOG section for the PAM server:
    PAMSERVE password            ; PAM Server
    
  2. Add an entry in the PORT section for the port to be used by the PAM server.

    For example to use port 1091:

    1091  TCP    PAMSERVE                          ; PAM Server
    

Step 4: Create the PAM Server Configuration File

The PAM Server needs a configuration file named PAMD CONF on the PAMSERVE 191 minidisk if a CMS file is used, or pamd.conf if a BFS file is used. This section describes the options that can be specified. The file must contain at least the Userid statement.

You can define the options in any order. If you specify an option more than once the last value is taken.

None of the keywords are case sensitive, but the values are. Make sure that you enter things like file names, including the directory portion, in the correct case for the values.

If an option has a default value it is documented. If the default value is the desired value, you do not need to specify that option in the configuration file.

The following options can be specified in the pamd.conf configuration file:

Threads

Specifies the maximum number of threads the PAM Server can start. The default is 32.

Userid

Specifies how the Linux for zSeries user ID is mapped to VM security. Valid values are:

Note: Do not change this setting after configuring the types of long user IDs supported. If you change it after a user ID has been added to the /etc/passwd file on the Linux for zSeries machine using PAM, the PAM Client will not find the "old" values to update and will add the user ID as a new user.

Host

Specifies the address of the interface over which the server is to accept connections. This value is optional.

host network-address

Where network-address specifies a domain name or an IP address in dotted decimal notation. If a domain name is specified, the server will convert it to an IP address.

If this option is specified the server will only accept connection requests from the interface address specified. If this option is omitted then the server will accept connection requests from all interface addresses configured for this host.

Debug

Specifies the level at which debugging statements and operations statistics should be system logged (currently logged to the PAM Server virtual console). Debug levels are additive and available levels are listed in the following table:

Value   Debug Information
1       Trace function calls
2       Print out packets sent and received
4       Heavy trace debugging
8       Connection management
16      Traces all socket I/O function calls
64      Configuration file processing

TLSRandomFile

Specifies the file from which the server obtains the initial seed for the pseudo-random number generator (PRNG). The server updates this file each time it starts so that the starting value of the PRNG changes each time the server is run.

TLSCertificateFile

Specifies the path and name of the server’s certificate. This certificate must be in PEM format. The server sends this certificate to a client so that the client can validate the server.

This option is required to use TLS or SSL for communications with clients.

Note: If you do not specify a server certificate and the associated private key, no SSL conversation can be started. If SSL_Required is specified on the Linux client then no communications will ever be started.

TLSCertificateKeyFile

Specifies the path and name of a file that contains the secret private key that matches the certificate stored in the TLSCertificateFile file. This file must be in PEM format. If this file is password protected the server prompts for the password at the time that the server reads the configuration file.

Except as noted below this option is required to use TLS or SSL for communications with clients.

If the server certificate and the associated private key are stored in the same file, this option can be omitted.

Note: Since you run the server as a disconnected service machine, prompting for a password is not possible. In this case you should ensure that the private key is not password protected.

TLSCACertificateFile

Specifies the path and name of a file that contains the certificate for all Certificate Authorities that can sign a client certificate. Each certificate must be in PEM format.

If you have a single CA certificate that is used to sign all client certificates, just specify this file with this keyword. If you have more than one CA certificate, concatenate them together into a composite file and specify the path and name of this composite file with this keyword.

TLSVerifyClient

Specifies whether a client is required to present a certificate when attempting to establish a SSL or TLS connection with the server. Valid values are:

NEVER—The server does not request a certificate. This is the default.

Note: The values OFF, NO, or FALSE are accepted and are equivalent to NEVER.

ALLOW—The server requests a certificate. If no certificate is provided the session proceeds normally. If a bad certificate is provided it is ignored and the session proceeds normally.

TRY—The server requests a certificate. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session terminates immediately.

DEMAND—The server requests a certificate. If no certificate is provided, or a bad certificate is provided, the session terminates immediately.

Note: The values HARD, ON, YES, and TRUE are accepted as DEMAND.
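The following Python script is an added example, not part of this documentation or of the PAM Server itself: it reads a constructed PAMD CONF in the way the rules above describe (keywords case-insensitive, values case-sensitive, last occurrence wins, defaults for Threads, Debug and TLSVerifyClient), expands the additive Debug value into the levels from the table, normalizes the TLSVerifyClient synonyms, and flags the configuration problems a reviewer would catch before autologging PAMSERVE. The Userid value and file paths in the sample are placeholders, since the page does not list the Userid values.

```python
# Defaults stated on this page: Threads 32, Debug 0, TLSVerifyClient NEVER.
DEFAULTS = {"threads": "32", "debug": "0", "tlsverifyclient": "NEVER"}
# Debug levels from the page's table; the value in the file is their sum.
DEBUG_BITS = {1: "Trace function calls", 2: "Print out packets sent and received",
              4: "Heavy trace debugging", 8: "Connection management",
              16: "Traces all socket I/O function calls", 64: "Configuration file processing"}
# Synonyms the page accepts for TLSVerifyClient.
VERIFY_SYNONYMS = {"OFF": "NEVER", "NO": "NEVER", "FALSE": "NEVER",
                   "HARD": "DEMAND", "ON": "DEMAND", "YES": "DEMAND", "TRUE": "DEMAND"}

def parse_pamd_conf(text):
    """Keywords are case-insensitive, values keep their case, last occurrence wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def debug_flags(level):
    """Expand an additive Debug value into the individual levels it turns on."""
    return [name for bit, name in DEBUG_BITS.items() if int(level) & bit]

def verify_mode(value):
    """Map a TLSVerifyClient value, synonyms included, to NEVER/ALLOW/TRY/DEMAND."""
    return VERIFY_SYNONYMS.get(value.upper(), value.upper())

def validate(conf):
    """Problems a reviewer would flag before autologging PAMSERVE."""
    problems = []
    if "userid" not in conf:
        problems.append("userid statement is required")
    if not conf["debug"].isdigit() or int(conf["debug"]) > 65535:
        problems.append("debug must be a number from 0 to 65535")
    mode = verify_mode(conf["tlsverifyclient"])
    if mode not in ("NEVER", "ALLOW", "TRY", "DEMAND"):
        problems.append("TLSVerifyClient value %r is not valid" % conf["tlsverifyclient"])
    if "tlscertificatefile" not in conf:
        problems.append("no TLSCertificateFile: clients cannot start an SSL/TLS session")
    elif mode == "ALLOW":
        problems.append("TLSVerifyClient ALLOW proceeds even with a bad client certificate")
    return problems

# Constructed sample PAMD CONF; the Userid value and file paths are placeholders.
SAMPLE_CONF = """Userid PLACEHOLDER
Threads 8
THREADS 16
Debug 74
TLSCertificateFile /etc/pamd/server.pem
tlsverifyclient yes"""
```

Running validate() over parse_pamd_conf(SAMPLE_CONF) returns no problems; Threads resolves to 16 because the later THREADS line wins, and Debug 74 expands to packet tracing, connection management and configuration file processing.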

Step 5: Create the SRVRPAM EXEC

Create the SRVRPAM EXEC on the PAM Server 191 minidisk. This exec contains the OPENVM RUN command that starts the PAM server module LXPAMD.

LXPAMD takes two required parameters and one optional parameter:

LXPAMD -f config_file -p port [-d debug_level]
-f config_file

Specifies the configuration file to use for startup. This file can be a variable length record CMS file on the 191 minidisk, or it can be a BFS file. The name can be anything you set up.

The suggested value for BFS:

-f pamd.conf

The suggested value for CMS file:

-f "//PAMD CONF"
-p port

Specifies the TCP/IP port on which the server listens. It must match the port reserved for PAMSERVE in the PORT section of the TCPIP configuration file.

-d debug_level

Specifies the level of debug and tracing messages to generate. The value can be from 0 to 65535. The default value is 0.

For example, to start PAM using the CMS file PAMD CONF and port 1091, create a SRVRPAM EXEC with the following lines:

/* SRVRPAM EXEC - Start the PAM Server  */
'GLOBAL LOADLIB SCEERUN SCEEILBO'           /* LE runtime load libraries     */
'OPENVM MOUNT /../VMBFS:SFS3XA10:ROOT/ /'   /* mount the BFS root directory  */
'NUCXLOAD LXPAMD'                           /* load the PAM server module    */
'OPENVM RUN LXPAMD -f "//PAMD CONF" -p 1091'

An OPENVM MOUNT command for the BFS root is required.

If any BFS files are used by the PAM server, an OPENVM SET DIRECTORY command to set the current directory is also required.

Step 6: Define the PAM Server ID to security

You can issue commands to define the PAM server user ID and started task information in the CA Top Secret database.

Follow these steps:

  1. Define a PAM group ACID:
TSS CREATE(PAMGROUP) NAME("PAM Server Group") TYPE(GROUP) DEPT(OMVSDEPT)
    TSS ADD(PAMGROUP) GID(gid_value)
    
    gid_value

    Specifies the numeric GID assigned to this ACID. The GID is uniquely assigned to an ACID of type GROUP.

    Range: 1 to 2147483647

  2. Create the server ACID:
TSS CREATE(PAMSERVE) NAME("PAMSERVE Service Machine") PASS(password,0) DEPT(dept_name) TYPE(USER) FAC(VM) NODSNCHK NORESCHK
    TSS ADD(PAMSERVE) UID(0) GROUP(PAMGROUP) DFLTGRP(PAMGROUP)
    TSS PERMIT(PAMSERVE) IBMFAC(ICHCONN) ACCESS(ALL)
    TSS PERMIT(PAMSERVE) VMMD(TCPMAINT.,ZCAMAINT.0+93) ACCESS(READ)
    TSS MODI(OMVSTABS)