Early in the history of IT, the mainframe was the only system with which users performed their daily work. Today’s IT environments look different. While often there’s still a central mainframe system to perform business-critical work, most users sit in front of a PC or workstation. A user may use the mainframe to perform business tasks as well as other servers or even Internet applications such as email services, which are available on the Web.
Most systems and applications require the user to sign in using a userid and password. Due to the huge number of different systems and applications, every user typically owns many different userids or accounts. Each system or application may have its own rules and policies. Keeping track of all these accounts and remembering the passwords associated with the accounts is challenging. While you might be able to use the same password for most of your accounts, you still have to remember the different userids. Some systems require you to change your password every 90 days or so. This makes it difficult or even impossible to use the same password for all accounts. From a security perspective, it’s suggested that you have a different password for each of your accounts.
The distributed world is moving increasingly toward centralized identity management systems such as Lightweight Directory Access Protocol (LDAP), Active Directory, etc. This reflects the sheer number of workstations and servers in use. Performing userid management separately on every single workstation isn’t practical. Instead, the workstations connect to a centralized system and retrieve account information and profile data when the user signs in.
The mainframe systems mostly use their own identity management system, such as RACF or other security management products, to manage the userids accessing the mainframe applications. While mainframe security management systems are usually powerful and secure, you still have at least two different places where you must manage identities and accounts: the mainframe and the distributed servers. Since many users work with mainframe applications and distributed servers, they must have at least two different userids: one for the mainframe and another for the distributed system.
Having different places where identities are managed creates additional work for the security administrators and increases security risks. When a person leaves the company or moves to another job role, administrators need to update or delete the person’s userids on all affected systems. If you don’t update the person’s userid on one of the systems, the user might still be able to access that system and its data.
Most companies have security policies in place that define how userids and passwords should look, how often passwords must be changed, what rules apply for passwords (minimum length, complexity), and so on. If you have two or more different identity management systems, you need to enforce these policies on all systems. However, some systems may have constraints that don’t let you comply with an aspect of the policies (e.g., userid length).
To reduce the risks and the amount of work facing security administrators, it’s a good idea to have only one centralized identity management system that manages all the accounts for all surrounding systems, including the mainframe. With such a centralized identity management system, the risk of missing a userid when making changes is greatly reduced. All changes to an account automatically affect all systems without additional manual intervention.
Corporate security policies also can be enforced much more easily with a central identity management system. Common security tasks such as resetting a password, unlocking a userid, etc. can be easily provided through an automated self-service help desk, keeping manual intervention to a minimum. Besides the benefits for the administrators, users also benefit from having to remember fewer userids and passwords. Optimally, one person would have only a single userid, which is easy to remember and easy to relate to the person (e.g., by using the email address as userid).
To realize such a centralized identity management solution, all servers and mainframe systems must be able to “talk” to the identity management system. While many different protocols and concepts exist, LDAP is used most often. Most identity management systems store the account information in some kind of a directory. The LDAP protocol can then be used to query the directory tree, as well as to authenticate against the identity management system. For the remainder of this article, the term “LDAP server” is synonymous with identity management system and we’ll assume the identity management system can be accessed via the LDAP protocol.
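The query-then-authenticate flow just described, as an added example written for this edit (not code from the article or from z/VSE): the userid, here the email address as suggested earlier, is searched in the directory to resolve its distinguished name, and a simple bind with that DN and the password performs the authentication. The in-memory directory, attribute names and sample accounts are constructed stand-ins for a real LDAP server; the filter escaping follows RFC 4515 so that a userid cannot alter the meaning of the search.

```python
import hmac
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a userid such as '*' or 'x)(uid=*' cannot
    change the meaning of the search filter it is embedded in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

class MemoryDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real client or
    server): one-attribute filters such as '(mail=a*)' and simple bind only."""
    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict

    def search(self, filter_str):
        """DNs whose attribute matches; like a real server, a bare '*' is a
        wildcard while an escaped '\\2a' is a literal asterisk."""
        attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
        regex = ""
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", pattern):
            if tok == "*":
                regex += ".*"
            else:
                regex += re.escape(chr(int(tok[1:], 16)) if len(tok) == 3 else tok)
        return [dn for dn, a in self.entries.items()
                if re.fullmatch(regex, a.get(attr, ""))]

    def bind(self, dn, password):
        """Simple bind: true only if the DN exists and the password matches."""
        stored = self.entries.get(dn, {}).get("userPassword", "")
        return hmac.compare_digest(stored.encode(), password.encode())

def authenticate(directory, userid, password):
    """Search-then-bind: resolve the userid (the mail address here) to exactly
    one DN, then bind as that DN. Returns the DN on success, else None."""
    if not password:  # empty password = unauthenticated bind (RFC 4513),
        return None   # which many servers accept; never treat it as a login
    matches = directory.search("(mail=%s)" % escape_filter_value(userid))
    if len(matches) != 1:  # no such account, or an ambiguous userid
        return None
    return matches[0] if directory.bind(matches[0], password) else None

# Constructed sample directory (not real account data)
DIRECTORY = MemoryDirectory({
    "uid=alice,ou=people,dc=example,dc=com":
        {"mail": "alice@example.com", "userPassword": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=com":
        {"mail": "bob@example.com", "userPassword": "bob-pw"},
})
```

Against a real directory the same two steps are an LDAP search request followed by a bind request; the search should run as a low-privilege service account, and the bind with the user's own DN is what proves the password.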
The New z/VSE LDAP Sign-On Support