Linux/390 has security functionality. However, there are a number of reasons to integrate this into ACF2 or Top Secret with the CA PAM Client for Linux for zSeries product:
- In Linux security, the id/pswd and home directory have to be created ahead of time before a user can logon. With the PAM Server and client from CA, this is not a requirement. As part of the logon, when the id/pswd is authenticated to the security product, the users home dir, UID and GID is extracted and returned to the PAM client code running on Linux/390. This code dynamically adds the user to the /etc/password file (if so configured) and then creates the home dir if needed. The user is then allowed on to the Linux node with zero Linux administrative effort.
As an example, if a site is in the process of setting up approximately 1000 Linux/390 LPARs, the administrative effort to maintain user id/pswds in the nodes would require a number of administrators. Unless the administrative staff is growing to service security requirements, the decreased administrative effort provided by the CA PAM client should be reason enough to add a very thin layer to enhance and centralize the security in a site's environment.
- Standardization - Since ACF2 or Top Secret is controlling the home, program, UID and GID, there will be consistent values across all nodes.
- Source controls - Using ACF2 or Top Secret's built in source controls, not only is there control for which Linux nodes a user can logon to, but there is also more granular control over the days and time of day a user can log on.
- Passwords - Using ACF2 or Top Secret as a central enterprise security repository, there are also standardized password controls. Min/max length, min # of days before a change, pswd history, etc. The user also only has a single password value to remember. The user is not required to 'sync' their passwords.
- Security policy - When trying to create a security policy for an enterprise, there are always the differences in the security of each platform that makes it difficult to have a standard policy. Exceptions are always found. Using ACF2 or Top Secret as a central enterprise security repository makes this no longer an issue.
- Portability - The PAM client will be released as open source from CA. This will allow any client of CA to 'port' the PAM client to any platform that has a PAM framework as part of the operating system. This includes Linux on other platforms such as Intel, Sun Solaris, HP-UX and IBM's AIX.
- Employees leave the company - When employees leave the company, there is no need to delete the user account from every node they ever logged on to. Suspending/deleting that account from ACF2 or Top Secret makes sure that every Linux system using the PAM client is secure and that ID can't be (mis)used.
- Scalable - ACF2 and Top Secret are very scalable. Using either to control the Linux nodes just adds to its value.
Details on the CA PAM Client for Linux for zSeries can be found in the System Z Security Communication Servers (DSI, LDAP, PAM) 15.1 documentation under PAM Client Product Overview.