z/OS Integration
P-Synch®, a component of Hitachi ID Management Suite®, is enterprise password management software. It reduces the frequency of help desk calls, improves user productivity and strengthens security with password synchronization, self-service password reset, help desk password reset and simplified administration of other authentication factors, such as hardware tokens and biometric samples. P-Synch includes connectors to manage passwords on over 70 types of systems.
z/OS Security Product Integration
P-Synch can manage passwords on RACF, ACF2 and TopSecret.
There are three options for managing mainframe users and passwords, on any currently available version of MVS, OS/390 or z/OS:
- Install a local agent (P-Synch/390) as a started task on the LPAR with the mainframe security database. This agent acts as a TCP/IP listener and accepts inbound connections on a designated TCP port. The P-Synch server negotiates a cryptographic handshake with the started task (128-bit AES, shared secret key, mutual authentication, random session keys) and asks the started task to issue RACROUTE commands to enumerate users, verify current passwords and reset passwords.
  Advantages: Fast, secure, reliable, easy to configure.
  Disadvantages: Change control is required to install a local, privileged agent on the mainframe.
- Manage passwords using a Telnet or TN3270 script, assuming that a Telnet or TN3270 service is enabled and available. This option is less secure and less robust than the P-Synch/390 started task, but requires no change control on the mainframe.
  Advantages: No change control, no local agent on the mainframe.
  Disadvantages: Slower connections, no cryptographic protection, fragile if the terminal user interface is substantially changed.
- Install an LDAP directory server on the mainframe that uses the mainframe security database as its back end, at least for user and password data. IBM and CA both provide such directory products. With the LDAP service installed, P-Synch can integrate with the mainframe as though it were a normal LDAP directory.
  Advantages: Fast and potentially secure, provided LDAP over SSL is used.
  Disadvantages: Mainframe LDAP directory products are relatively new and quite fragile. Change control and a local software footprint on the mainframe are still required.
P-Synch integration is endorsed by IBM on the following website:
Triggering Password Synchronization
Native password changes made on z/OS, OS/390 or MVS mainframes, with any security product, can trigger transparent password synchronization through insertion of a suitable exit program (provided with P-Synch/390) in the LPAR with the security product.