As computers become more interconnected, administrators are increasingly charged with administering security for platforms other than their own, across several kinds of network. Providing effective security across these connections is a challenge.
This series examines common problems and approaches to cross-platform security, some basic underlying principles, and provides recommendations to make this security easy and effective.
In the first article, which appeared in the Winter issue of Enterprise Tech Journal (available at http://esmpubs.com/u4eqv), we discussed some of the options and obstacles to implementing cross-platform information security. We provided some simplifying guidelines, and suggested Lightweight Directory Access Protocol (LDAP) and Kerberos as part of any optimum solution. Here we explain what LDAP is and how it contributes to effective cross-platform security.
LDAP is a protocol for storing and looking up information about users (and other objects such as groups, hosts and printers). A working LDAP deployment consists of a program called the LDAP server, a directory database holding the entries, and the rules the protocol lays down: how entries are named and organized into a tree, which attributes an entry may carry (the schema), and which operations (bind, search, add, modify, delete) clients use to reach the data.
The D in LDAP stands for Directory: a database optimized for lookups that are far more frequent than updates. A telephone directory is the classic example; it is read constantly and changed rarely, and the same is true of a list of employees and their logon identities.
Managing User Information
LDAP directories almost always store information about users. In the previous article, we examined UNIX cash registers connected to an iSeries (AS/400) midrange computer in a retail store, which in turn connects to an IBM mainframe at the company's headquarters. An LDAP directory on the iSeries could store information about the cashiers who log on to the cash registers. This information might include their userids and the data used to prove their identity: normally a salted hash of the password (held in the userPassword attribute), rather than the password itself, or a pointer to some other credential.
LDAP stores and supports access to information about a user. Verifying that a person really is that user is a separate function. The LDAP server can perform a basic check itself when a client binds with a userid and password (a simple bind), but stronger verification is handed to other mechanisms: Kerberos (through the SASL/GSSAPI bind) or digital certificates presented over TLS. Either way, what the directory holds is the evidence; the decision is made by whichever component does the check.
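The following is an added example, not code from the article or from any LDAP product, showing the separation just described: a directory entry carries a salted password hash in the {SSHA} form used by OpenLDAP (base64 of SHA-1(password + salt) followed by the salt), and a separate function performs the verification that a simple bind would do inside the server. The cashier entry, its DN and the fixed salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# {SSHA} layout: "{SSHA}" + base64( sha1(password + salt) || salt ).
# The directory stores this string in userPassword; it never stores the password.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in {SSHA} form for the given password."""
    if salt is None:
        salt = os.urandom(8)  # 8-byte salt is an assumption; 4 to 16 bytes are common
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} userPassword value.

    This is the "separate function" the article refers to. An LDAP simple bind
    performs exactly this comparison inside the server; Kerberos or certificate
    logons never touch the stored hash at all.
    """
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({CRYPT}, {MD5}, cleartext) not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed example entry for one cashier (hypothetical DN and values).
FIXED_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
CASHIER_ENTRY: Dict[str, str] = {
    "dn": "uid=cashier042,ou=Cashiers,ou=Store17,o=example",
    "uid": "cashier042",
    "userPassword": ssha_hash("correct horse", salt=FIXED_SALT),
}


def simple_bind(entry: Dict[str, str], uid: str, password: str) -> bool:
    """What a server does on a simple bind: find the entry, then verify."""
    if entry.get("uid") != uid:
        return False
    return ssha_verify(password, entry["userPassword"])


if __name__ == "__main__":
    print(CASHIER_ENTRY["userPassword"])
    print(simple_bind(CASHIER_ENTRY, "cashier042", "correct horse"))  # True
    print(simple_bind(CASHIER_ENTRY, "cashier042", "wrong"))          # False
```

Because the salt is stored with the hash, the same password hashed for two cashiers yields two different userPassword values, and a stolen directory dump cannot be matched against a precomputed table. The hash scheme here is the one the example assumes; a real deployment should use whatever its LDAP server and password policy specify.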
How LDAP Is Extensible
LDAP servers and directories are extensible in several ways. You can add new attributes to the schema (similar to adding a new field to a flat file record layout) and group them into object classes that an entry can carry. For example, if your directory did not already have an employeeNumber attribute (the standard inetOrgPerson object class defines one), you could define it. Then, for each user, you could store the value of this attribute, and programs and online users could query it with an LDAP search.
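The following is an added example, not code from the article, showing the two halves of the point above: writing a user entry that carries employeeNumber in LDIF (the text format used to load and export LDAP data, RFC 2849), and building the search filter a program would use to look the user up by that number. The DN, names and numbers are constructed; the escaping in the filter follows RFC 4515 and is the check a practitioner wants, because a filter assembled from raw input lets a caller turn "find one employee" into "find every employee".

```python
import base64
from typing import Dict, List

# --- LDIF output (RFC 2849) -------------------------------------------------

def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute line; base64 ("::") when the value is not a SAFE-STRING."""
    safe = (
        value.isascii()
        and value.isprintable()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def ldif_record(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Render a complete LDIF record for one entry."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs.items():
        for value in values:
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


# --- Search filters (RFC 4515) ----------------------------------------------

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def employee_filter(employee_number: str) -> str:
    """Filter that finds exactly the person with this employeeNumber."""
    return (
        "(&(objectClass=inetOrgPerson)"
        f"(employeeNumber={escape_filter_value(employee_number)}))"
    )


# Constructed sample entry for a cashier (hypothetical DN and values).
CASHIER_DN = "uid=cashier042,ou=Cashiers,ou=Store17,o=example"
CASHIER_ATTRS: Dict[str, List[str]] = {
    "objectClass": ["inetOrgPerson"],
    "uid": ["cashier042"],
    "cn": ["Anna Müller"],       # non-ASCII, so LDIF must base64-encode it
    "sn": ["Müller"],
    "employeeNumber": ["12345"],
}

if __name__ == "__main__":
    print(ldif_record(CASHIER_DN, CASHIER_ATTRS))
    print(employee_filter("12345"))
    # An attacker-supplied value: escaped, it matches nothing instead of everyone.
    print(employee_filter("*)(uid=*"))
```

The unescaped form of the last filter would be (&(objectClass=inetOrgPerson)(employeeNumber=*)(uid=*)), which matches every person in the directory; with escaping it searches for the literal string and returns nothing. The same rule applies to any value interpolated into a DN or filter, whether it comes from a cash register, a web form or another server.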
The LDAP server maintains the LDAP directory and controls access to it. It can communicate with LDAP servers on other computers, normally over TCP/IP (port 389, or 636 for LDAP wrapped in TLS). For this communication to be secure, two things are needed: the connection must be encrypted, since LDAP traffic otherwise crosses the network in the clear, and each server must be able to establish that the other is who it claims to be. One way to establish that trust is the Kerberos security protocol, which we will describe in a future article; server certificates over TLS are the other common way. In our example, the LDAP server on the iSeries could be set up to trust an LDAP server on the mainframe. LDAP servers on mainframe computers can exchange information with the IBM RACF, CA ACF2 and CA Top Secret security software there.
IBM recently added a feature to mainframes called identity propagation. This lets you tell RACF, ACF2 or Top Secret to accept a user whose identity has already been verified by a distributed system such as Active Directory, map that distributed identity to a mainframe userid, and carry the original identity through to the mainframe's audit records so you can still tell which person was behind each action. This will apply to our example configuration from the previous issue of a programmer's workbench: a Windows computer that connects through a Local Area Network (LAN) to TSO and CICS on an IBM mainframe.