z/VSE LDAP sign-on support is new in z/VSE V4.2 and isn’t available on any earlier release. It consists of an LDAP client that connects to an LDAP server over TCP/IP; for security, the communication between the LDAP client and the LDAP server can be encrypted with Secure Sockets Layer (SSL). In addition, z/VSE provides a special sign-on program that performs the authentication through the LDAP server, much as the Pluggable Authentication Module (PAM) LDAP module does on UNIX/Linux systems. An LDAP sign-on overcomes these previous limitations in z/VSE:
• VSE Interactive Interface (ICCF) userids could be at most four characters long.
• CICS userids could be between four and eight characters long.
• Passwords could be up to eight characters long.
Using an LDAP sign-on:
• Userids and passwords can be up to 64 characters long.
• The LDAP server can force users to use complex passwords. For example, passwords might have to contain a mixture of numerical and alphabetical characters or upper- and lower-case characters.
• Centralized management of “companywide” userids and passwords is possible. Each user can be forced to change a password that’s used on all systems in a predefined period (such as every three months) as well as comply with other security policy rules.
Because most z/VSE subsystems internally use fixed length fields (e.g., 8 bytes) for userid and password, the z/VSE developers couldn’t simply increase the length of the userid and password. Doing so would require changing all subsystems (including CICS, VSE/POWER, VSE/ICCF, etc.) and all screens that display userids.
Instead, the z/VSE LDAP sign-on support takes another approach to long userids and passwords: a mapping occurs when the user signs on. The long (companywide) userid that the user authenticates with at the LDAP server is mapped to a short z/VSE userid, and it is this short userid that the z/VSE subsystems work with. The mapping information is stored in a VSAM Key-Sequenced Data Set (KSDS) cluster on z/VSE, and a batch tool lets the security administrator maintain it. Figure 1 shows the components of the z/VSE LDAP support.
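The following Python model shows the two-step flow described above: authenticate the long userid against the directory, then translate it to the short userid through a fixed-length mapping record. This is an added example written for this article, not z/VSE code or IBM's sign-on program. The LDAP bind is simulated by a constructed in-memory directory (a real deployment binds to the server, ideally over SSL), the KSDS cluster is simulated by a dictionary of 72-byte records, and the use of EBCDIC code page 037 for the record layout is an assumption. The empty-password check is the one caveat every LDAP sign-on needs: an LDAP simple bind with an empty password is an anonymous bind and "succeeds" without authenticating anyone.

```python
"""Model of an LDAP sign-on with long-to-short userid mapping.

Added example, not z/VSE code. Directory, mapping cluster and users are all
constructed sample data; EBCDIC code page 037 for the KSDS record is assumed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_LONG_LEN = 64   # long userid / password limit with LDAP sign-on
SHORT_LEN = 8       # fixed-length userid field used by z/VSE subsystems
CODEPAGE = "cp037"  # assumed EBCDIC code page for the KSDS record

# Constructed stand-in for the LDAP directory: long userid -> password.
_DIRECTORY: Dict[str, str] = {
    "alice.mueller@example.com": "Tr0ub4dor&3-very-long-passphrase",
    "bob.schmidt@example.com": "Correct-Horse-Battery-Staple-2024",
}


def ldap_bind(long_userid: str, password: str) -> bool:
    """Simulated LDAP simple bind. An empty password must be refused here:
    a real server treats it as an anonymous bind, which succeeds without
    proving anything about the user."""
    if not password:
        return False
    return _DIRECTORY.get(long_userid) == password


def pack_record(long_userid: str, short_userid: str) -> bytes:
    """Build one fixed-length KSDS record: 64-byte key + 8-byte short userid,
    both blank-padded, as the fixed-length fields in L9 of the article imply."""
    if not 1 <= len(long_userid) <= MAX_LONG_LEN:
        raise ValueError("long userid must be 1..64 characters")
    if not 1 <= len(short_userid) <= SHORT_LEN:
        raise ValueError("short userid must be 1..8 characters")
    key = long_userid.ljust(MAX_LONG_LEN).encode(CODEPAGE)
    data = short_userid.ljust(SHORT_LEN).encode(CODEPAGE)
    return key + data


def unpack_record(rec: bytes) -> Tuple[str, str]:
    """Split a record back into (long userid, short userid), padding removed."""
    if len(rec) != MAX_LONG_LEN + SHORT_LEN:
        raise ValueError("record must be exactly 72 bytes")
    long_userid = rec[:MAX_LONG_LEN].decode(CODEPAGE).rstrip()
    short_userid = rec[MAX_LONG_LEN:].decode(CODEPAGE).rstrip()
    return long_userid, short_userid


# Simulated KSDS cluster: padded 64-byte key -> full record.
_MAPPING: Dict[bytes, bytes] = {}


def add_mapping(long_userid: str, short_userid: str) -> None:
    """What the administrator's batch tool would do: insert one record."""
    rec = pack_record(long_userid, short_userid)
    _MAPPING[rec[:MAX_LONG_LEN]] = rec


def lookup_short_userid(long_userid: str) -> Optional[str]:
    """Keyed read on the cluster; None if no record exists."""
    try:
        key = long_userid.ljust(MAX_LONG_LEN).encode(CODEPAGE)
    except UnicodeEncodeError:
        return None  # cannot be a valid key in this code page
    rec = _MAPPING.get(key)
    return None if rec is None else unpack_record(rec)[1]


@dataclass
class SignonResult:
    ok: bool
    short_userid: Optional[str]
    reason: str  # "ok", "length", "auth" or "unmapped"; for the audit log


def ldap_signon(long_userid: str, password: str) -> SignonResult:
    """Authenticate first, map second, and fail closed at every step."""
    if not (1 <= len(long_userid) <= MAX_LONG_LEN) or len(password) > MAX_LONG_LEN:
        return SignonResult(False, None, "length")
    if not ldap_bind(long_userid, password):
        return SignonResult(False, None, "auth")
    short = lookup_short_userid(long_userid)
    if short is None:
        # Authenticated at the LDAP server but no z/VSE userid assigned:
        # the sign-on must still be refused.
        return SignonResult(False, None, "unmapped")
    return SignonResult(True, short, "ok")


# Constructed sample mapping: only Alice has a z/VSE userid.
add_mapping("alice.mueller@example.com", "ALICE")

if __name__ == "__main__":
    for uid, pw in [("alice.mueller@example.com", "Tr0ub4dor&3-very-long-passphrase"),
                    ("bob.schmidt@example.com", "Correct-Horse-Battery-Staple-2024"),
                    ("alice.mueller@example.com", "")]:
        print(uid, "->", ldap_signon(uid, pw))
```

The `reason` field is meant for the audit log, not the sign-on screen: showing the user whether a failure was "auth" or "unmapped" would tell an attacker which companywide userids are valid at the LDAP server, so the screen should present one generic message for every failure.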