
Identity & Access Management on OS/400.....How Much LDAP can be useful


Joy Dubey
May 12, 2005, 7:10:06 AM
Hi,

I am looking into Identity & Access Management on OS/400 and, for proper clarification, I have prepared a questionnaire.
So kindly go through it and help me in answering the questions.

Thanks & regards
Joy

//////////////////////////////////////////////////////

Queries on OS/400

  • Basic Access Questions:
    • What are access profiles?
    • How are access profiles associated with the user and group profiles?
    • What information is stored in the profiles?
    • What is the profile format/schema?
    • Where are the profiles stored physically in the system?

  • User Authentication Questions:
    • How is user authentication taken care of?
    • Which component (kernel or anything else) handles the authentication?
    • What is the architecture of the authentication manager?

  • User Authorization Questions:
    • Is there any access manager/identity manager/security manager which exists in the system as a component or as a service? If yes, then how is it handled (architecture), and if no, then how are these profiles handled?
    • What are authorization lists (access lists related to the OS/400 objects, better known as specific authorization)?
    • How are authorization lists associated with the access profiles?
    • Whenever a user performs any action (say, types a command and fires it):
      • Which component intercepts the event and performs an action based on the type of event and the parameters to the event?
      • How does it verify the access rights of the individual?

  • Other Questions:
    • What other services/carriers keep the user information?
    • How is LDAP associated with the system?
    • Is LDAP an optional service which can be enabled/disabled?
    • Does it contain the user provisioning/access/group information implicitly?
      • If yes, then what is the schema?
    • What is the System Distribution Directory?
    • Is SDD an optional service which can be enabled/disabled?
    • If SDD is itself a directory, can it be accessed through JNDI, or is it simply LDAP compatible?

    • Can the user provisioning/access/group information be published in LDAP?
    • Can the user provisioning/access/group information be published with the help of Directory Services if the System Distribution Directory (SDD) is enabled?
      • If yes, then
        • Is any CL command/external API/external tool required to do the same?
        • Would publishing data from SDD to LDAP be a one-time service or a periodic service?
        • What is the schema?
    • Is there any service which keeps SDD and LDAP synchronized?
      • If yes, then
        • Does it behave like a switch, i.e. is it possible to make/unmake the synchronization as optional behavior? If yes, then what are the commands for that?
    • What set of user access rights (on OS/400) is needed to perform the enabling/disabling of these actions?
    • Do you need some extra set of rights to manipulate data on LDAP?

jmc...@us.ibm.com
May 13, 2005, 2:00:30 PM
Why are you asking? Your questions sound more like a book than a typical
mailing list question.

I suggest you start with iSeries Information Center:
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/html_nav/info/rzahgicsecurity.htm

John

Joy Dubey
May 16, 2005, 1:57:58 AM
> Why are you asking?
# I don't see a question over a question. I wanted to know how "Identity & Access Management on OS/400" is done and handled, and in the said link it is never mentioned. My main concern is where this access and user information is stored (primary repository) and, if LDAP is used, how reliable and synchronized with the primary repository it would be.

> Your questions sound more like a book than a typical mailing list question.
# I rephrased my main concerns in the Subject line itself.
 
Joy
//////////////////////////////////////////////////////////////////////////////////

Shalomc
May 17, 2005, 9:07:41 AM
Joy,
You ask excellent questions, but their scope is vast, and cannot be
contained in a single post.
Answering your questionnaire also requires a considerable amount of
time.

I suggest that you break up your question into manageable chunks and
repost them.

I also suggest that you cross post in comp.sys.ibm.as400.misc, which is
where many of the experts hang around.

Shalom Carmel
-----------------------
www.venera.com - Exposing iSeries insecurity

Joy Dubey
May 18, 2005, 4:14:01 AM
Hey all,

The link you sent to me was a bit useful. Thanks for it!

I just couldn't find out certain things.

So please let me explain what information I am looking for, and what for: [My Requirement]
  • I am looking to add/modify/delete users and their access rights, present in the AS/400 system, programmatically.
  • The preferred language is Java and Java technology.
So for the same, I have the following questions: [My Research points]
  • Is there any interface/service/component available which can help me communicate with the AS/400 system programmatically (in any language)?
  • What kind of access rights need to be associated with the user/session with which I am connecting to the system, for performing the above said actions?
  • If any interface/service/component is available, does it deal with the primary repository of the system? If not, how well is it synchronized with the actual system?
If any doubts, please reply.

P.S.: Please route me to someone else if these queries are outside your domain. Thanks again!

 

Thanks & Regards
Joy

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Christian Chateauvieux
May 19, 2005, 11:20:00 AM
Joy,

- LDAP access to user profiles is supported by recent releases of
OS/400 (V5R2 and above). ITDI's LDAP connector would then allow you to
add/delete/modify accounts, as well as setting passwords. If you want to
write your own Java application to do this, then use JNDI and the LDAP
provider.
- For older releases (at least V4R4), you should be able to do one way
synch to an AS/400 using the "IBM Toolbox for Java". That allows a Java
application running remotely to issue command calls or call APIs. It
includes a RUser class that can be used to change or delete users --
apparently not create them. It also has a CommandCall class that could
be used to issue the Create/Change/Delete User Profile commands. In
either case, your connector would need to be able to connect to the
remote iSeries system using the AS400 class - needs a system name, user
name and password.

Here's a link to the V5R2 documentation:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzahh/page1.htm

For other releases goto
http://publib.boulder.ibm.com/html/as400/infocenter.html. Once you have
selected the area/language/release, drill down to: Programming -> Java
-> IBM Toolbox for Java.

Hope this helps,

Christian



Joy Dubey
May 20, 2005, 6:00:04 AM
Christian,

The LDAP information helped. Thanks for it.

> For IBM Toolbox suggestion
# JTOpen: I cannot use it because I want to handle things with the Java interface, there are some limitations clearly visible as you said, and I don't want to get into command calls because I don't have expertise in CL.

> For LDAP Access
# That was really useful information. I am thinking of exploring in that direction. So could you please help me in answering these:
1) With LDAP access (Directory Server access) the user profiles can be accessed and it allows us to add/delete/modify profiles, but will the user provisioning information (in the Directory Server) be synchronized with the information on the system?
2) Does the system itself publish the user provisioning information to the Directory Server?
3) If yes, then do you see any possibility of data discrepancy, i.e. a synchronization issue?
4) In what form does the system keep the user profile and access information? Say I have a user named "johndoe"; where would his information be saved?
5) Do you see/know of/have you experienced any LIMITATIONS?
6) Lastly, if any other security component/service handles the user provisioning, do we have any Java interface to communicate with it?

Please correct me if I am wrong in any of my understanding.
Regards
Joy
///////////////////////////////////////////////////////////////////////////////////////////
"Christian Chateauvieux" <christian.c...@fr.ibm.com> wrote in message news:d6iauj$3vui$1...@news.boulder.ibm.com...

Christian Chateauvieux
May 20, 2005, 7:31:46 AM
Joy,

I am not certain what you mean by 'User Provisioning information'.
Perhaps you are looking for an Identity Management solution where you
define business roles and policies allowing people with certain roles to
be entitled to have accounts given systems. AS/400 would be one of the
endpoints you would be able to provision accounts into.

If this is what you are looking for, take a look at Tivoli Identity Manager:
http://www-306.ibm.com/software/tivoli/products/identity-mgr/

Now, back to the LDAP discussion: as I explained earlier AS/400 allows
you to manage accounts and profiles via command line tools or via LDAP
(just like MS Active Directory or RACF do). You can use identity
management solutions to interact with the AS/400 interfaces (ITIM has
got a provisioning agent for AS/400) but you can also use Data
Integration solutions such as IBM Tivoli Directory Integrator
(http://www-306.ibm.com/software/tivoli/products/directory-integrator/)
to provision or synchronize AS/400 data (exposed by LDAP) with other
systems. Directory Integrator allows you to create dataflows in whatever
manner you like (as opposed to Identity Manager, which is a
centralized IdM solution), so with Directory Integrator you could
perform, for example, point to point sync of the LDAP data exposed by
AS/400 with other platforms (other LDAP servers, Lotus Notes, databases,
files, message queues, etc).

Does this help?

Christian


Joy Dubey
May 20, 2005, 8:46:03 AM
Hey Christian,

Yes, when I say 'User Provisioning information' I mean Identity Management.
So I inferred that:
1) I can use ITIM to communicate (but only if ITIM is set up/configured on my system) - specifically intended for user access and identity management.
2) I can use ITDI to communicate (but ITDI's provisioning agent needs to be configured on the system) - with the Integrator, all the information which is published on a directory server is accessible.
3) I can directly speak to the AS/400 via LDAP (I guess for this there is no setup, just some configuration).

Actually I am looking for solution 3 (as listed above) because I may not get into configuring any other component. I want to write a connecting program which will directly speak to the AS/400 and get the identity management information.

But my basic question still remains unanswered:
1) How does the AS/400 keep the user information? Does it keep the information in files, or in some external persistent store (like a DB or directory server)?

Correct me if I am wrong.
Hope this time I am clear.

Thanks & regards
Joy Dubey
 
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
"Christian Chateauvieux" <christian.c...@fr.ibm.com> wrote in message news:d6khrd$58s6$1...@news.boulder.ibm.com...

Christian Chateauvieux
May 20, 2005, 9:05:03 AM
Joy,

The answer is 'yes' for all questions.

- You can use ITIM to read/write accounts to AS/400. ITIM would use an
agent that would need to be installed on AS/400 to do so. Alternatively
ITIM could also use ITDI as an agent; in that case ITDI could connect to
AS/400 via LDAP (provided the LDAP backend is configured) or Java calls
(the classes mentioned earlier in the thread).
- You can use ITDI to read/write accounts via LDAP or via Java calls
to the JT400 APIs.
- You can use an LDAP client (e.g a Java client) to read/write AS/400
accounts via LDAP, provided the LDAP backend is configured.

ITIM and ITDI can be driven from outside, too: ITIM exposes a Java API,
so does ITDI. ITDI could also accept any transport (HTTP based, MQ
based, email based, etc) to perform actions, provided you configure it
to do so.

> does as/400 keeps the user information...does it keep the
> information in files, in some external persistent store(like DB or
> directory server)

I have no idea. I'd check the LDAP projection backend documentation in
the iSeries book. I don't know whether this backend is active by default
on recent AS/400 or not.

Maybe someone else is listening?

Christian


Joy Dubey
May 20, 2005, 10:09:50 AM
Christian,

Thanks for all the efforts.

So there are certain ideas which I am baselining (for my understanding):
1) Via LDAP I can communicate with the AS/400 system, and knowing the right DNs I can retrieve the desired information and make my own Java client which can:
            - add/delete/modify user/group information
            - add/delete/modify resource information
            - add/delete/modify association information (which can be partially either on my user profiles, on objects, or on authorization lists)

Now I need the "communicating with AS/400 via LDAP" expertise. Now some affirmations:
1) As I am using LDAP, that means I am speaking to the Directory Server.
2) If I am speaking to a Directory Server, then
            a) either the AS400 keeps the information on a Directory Server
            b) or the AS400 information is getting published into the Directory Server
3) If 2(a) is true, then what is the schema of the directory?
4) If 2(b) is true, then what are the limitations of this directory publishing?

I know I am making it very specific and difficult. I hope it's self-explanatory.

Thanks & regards
Joy
 
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
"Christian Chateauvieux" <christian.c...@fr.ibm.com> wrote in message news:d6kna5$5jru$1...@news.boulder.ibm.com...

Joy Dubey
May 20, 2005, 10:19:04 AM
Christian,

One more question:

- Is ITDI an external component that needs to be installed on my system?
- Do I need a separate ITDI license for it?
- Is it an existing optional component that can be enabled or disabled?
- If it's inbuilt and can be enabled, then (only then) could you please send me the APIs (Java API URL) which it exposes to communicate?

I hope I am not bugging you, but I am new to this domain and no document addresses these questions directly.

Thanks & regards
Joy
////////////////////////////////////////////////////////////////////////////////////
"Christian Chateauvieux" <christian.c...@fr.ibm.com> wrote in message news:d6kna5$5jru$1...@news.boulder.ibm.com...

jmc...@us.ibm.com
May 20, 2005, 2:30:46 PM
The i5/OS Directory Server "system projection backend" is a LDAP wrapper
around user profiles:
- an LDAP add request is converted to a "create user profile" command
invocation,
- an LDAP search request calls system APIs to list user profiles and
returns the information in LDAP format,
and so on.

User profiles are not stored in LDAP, nor are they synchronized to the
LDAP server. User profiles are stored as operating system managed
objects. Further explanation of that is beyond the scope of a note.

The system projection backend currently allows access only to user profiles.
In i5/OS, group profiles are implemented as a special case of user profiles.
You can manage group members, but in i5/OS this is done by modifying the
user profile to indicate which groups it belongs to.

Schema - you really need access to an iSeries system. There is an
os400-usrprf objectclass with attributes that directly map to parameters
of the CRT/CHGUSRPRF commands. If you had the output from a search and
were familiar with the CRTUSRPRF command and the DSPUSRPRF output, you
would find the schema pretty much self-explanatory. We chose not to try
to document it in detail because of this relationship and an assumption
that users would have access to a system to try it out.

For example, you could create a user using an LDIF file like:
dn: os400-profile=TESTUSER,cn=accounts,os400-sys=mysys.ibm.com
objectclass: os400-usrprf
os400-profile: TESTUSER
os400-password: changeme
os400-pwdexp: *YES
os400-usrcls: *SECOFR
os400-text: John Doe,555-5555

which corresponds to the command:
CRTUSRPRF PROFILE(TESTUSER) PASSWORD('changeme') PWDEXP(*YES)
USRCLS(*SECOFR) TEXT('John Doe,555-5555')

The system projection backend is always present if the server is running.
To access it, you must authenticate as an i5/OS user. Access to user
profiles is governed by the identity of the user and his authority on
the system. He can do exactly what he could do running commands directly on the
system.

John
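The mapping John describes, worked through as an added example (this is editor-written code, not code from the thread or from IBM). It parses the os400-usrprf LDIF entry from the post, renders the CRTUSRPRF command an LDAP add of that entry maps onto, and models the authority rule stated above: the LDAP caller can do exactly what it could do at a command line. Assumptions: only the attributes shown in the post are mapped, plus os400-spcaut, whose name is assumed to follow the same pattern; the authority rules (CRTUSRPRF needs *SECADM, and a creator can only grant special authorities it holds itself) are modelled from the post's statement rather than taken from the page. Note also that the os400-password value in such an LDIF is a cleartext secret; it is only as protected as the LDAP session carrying it.

```python
"""Added example (not from the thread, not IBM code): a model of the
i5/OS Directory Server "system projection backend" John describes.

parse_ldif_entry() reads the os400-usrprf LDIF from the post,
to_crtusrprf() renders the CRTUSRPRF command the backend would run for
an LDAP add, and authorize_add() models the rule that the LDAP caller
can do exactly what it could do at a command line.
"""

# LDAP attribute -> CRTUSRPRF parameter.  Only the attributes shown in the
# post are known from the page; os400-spcaut is an ASSUMED name following
# the same pattern, used here to show the special-authority check.
ATTR_TO_PARM = {
    "os400-profile": "PROFILE",
    "os400-password": "PASSWORD",
    "os400-pwdexp": "PWDEXP",
    "os400-usrcls": "USRCLS",
    "os400-spcaut": "SPCAUT",
    "os400-text": "TEXT",
}
QUOTED_PARMS = {"PASSWORD", "TEXT"}                   # CL takes these as quoted strings
ACCOUNTS_DN = "cn=accounts,os400-sys=mysys.ibm.com"   # container from the post's DN

# Constructed sample input: the LDIF from the post, in LDIF syntax
# (attribute and value separated by ':').
SAMPLE_LDIF = """\
dn: os400-profile=TESTUSER,cn=accounts,os400-sys=mysys.ibm.com
objectclass: os400-usrprf
os400-profile: TESTUSER
os400-password: changeme
os400-pwdexp: *YES
os400-usrcls: *SECOFR
os400-text: John Doe,555-5555
"""


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute: [values]}, attribute names lowercased."""
    entry = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            # '=' belongs to DN syntax; an LDIF attribute line needs ':'.
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def cl_quote(value: str) -> str:
    """Quote a CL string value; an embedded apostrophe is written twice."""
    return "'" + value.replace("'", "''") + "'"


def to_crtusrprf(entry: dict) -> str:
    """Render the CRTUSRPRF command an LDAP add of this entry maps onto."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "os400-usrprf" not in classes:
        raise ValueError("entry is not an os400-usrprf object")
    dn = entry.get("dn", [""])[0]
    rdn, _, parent = dn.partition(",")
    profile = entry.get("os400-profile", [""])[0]
    # The RDN must name the same profile as the attribute and sit in the
    # accounts container, or there is no user profile to map it to.
    if parent != ACCOUNTS_DN or rdn.lower() != f"os400-profile={profile}".lower():
        raise ValueError(f"DN {dn!r} does not match profile {profile!r}")
    for attr in entry:
        if attr not in ("dn", "objectclass") and attr not in ATTR_TO_PARM:
            raise ValueError(f"unmapped attribute {attr!r}")   # fail closed
    parts = ["CRTUSRPRF"]
    for attr, parm in ATTR_TO_PARM.items():       # fixed parameter order
        if attr in entry:
            vals = [cl_quote(v) if parm in QUOTED_PARMS else v.upper()
                    for v in entry[attr]]
            parts.append(f"{parm}({' '.join(vals)})")
    return " ".join(parts)


def authorize_add(entry: dict, caller_spcaut: set) -> list:
    """Reasons the caller may not perform this add; an empty list means allowed.

    ASSUMED rules, modelled after John's statement that the LDAP identity
    has exactly its system authority: CRTUSRPRF needs *SECADM, and a
    creator can only grant special authorities it holds itself.
    """
    problems = []
    if "*SECADM" not in caller_spcaut:
        problems.append("caller lacks *SECADM, required by CRTUSRPRF")
    for aut in entry.get("os400-spcaut", []):
        if aut.upper() not in caller_spcaut:
            problems.append(f"caller cannot grant {aut.upper()} it does not hold")
    return problems


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(to_crtusrprf(entry))
    print("as *SECADM:", authorize_add(entry, {"*SECADM"}) or "allowed")
    print("as *ALLOBJ only:", authorize_add(entry, {"*ALLOBJ"}))
```

Running it prints the same CRTUSRPRF line John gives, then shows the add being refused for a caller whose only special authority is *ALLOBJ. The unmapped-attribute check fails closed on purpose: an attribute the projection cannot map should be an error, not something silently dropped from the resulting profile.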
