CA LDAP Server for z/OS Modernization Guide
CA LDAP Server for z/OS is a networks and communication product by Broadcom. Explore technical details, modernization strategies, and migration paths below.
Product Overview
CA LDAP Server for z/OS provides Lightweight Directory Access Protocol (LDAP) services for z/OS, integrating with CA ACF2 and CA Top Secret.
It's particularly useful when integrating mainframe applications with modern, distributed systems that rely on LDAP.
Modernization Strategies
Rehost
- Timeline: 6-12 months
Lift-and-shift to cloud infrastructure with minimal code changes. Fast migration with lower risk.
Refactor (Recommended)
- Timeline: 18-24 months
Optimize application architecture for cloud while preserving business logic. Best ROI long-term.
Replatform
- Timeline: 3-5 years
Complete rewrite to cloud-native architecture with microservices and modern tech stack.
Frequently Asked Questions
General
What does CA LDAP Server for z/OS do?
CA LDAP Server for z/OS provides Lightweight Directory Access Protocol (LDAP) services specifically tailored for the z/OS environment. It acts as an interface, allowing LDAP-enabled applications to access and manage security information stored within CA ACF2 and CA Top Secret security systems. This enables centralized authentication and authorization for diverse applications using the mainframe security infrastructure.
Is this a system, application, or tool?
CA LDAP Server for z/OS is middleware. It bridges the gap between LDAP-compliant applications and the security databases of CA ACF2 and CA Top Secret. It translates LDAP requests into commands understood by these security systems and returns the results in an LDAP-compatible format.
What types of organizations use this?
Organizations that rely on CA ACF2 or CA Top Secret for mainframe security and need to integrate with LDAP-enabled applications commonly use CA LDAP Server for z/OS. This includes large enterprises in industries such as banking, finance, insurance, and government, where mainframe systems play a critical role.
When should we consider CA LDAP Server for z/OS?
Consider CA LDAP Server for z/OS when you need to provide LDAP access to security information managed by CA ACF2 or CA Top Secret. This is particularly relevant when integrating mainframe applications with modern, distributed systems that rely on LDAP for authentication and authorization. It allows leveraging existing mainframe security investments for new applications.
What are the alternatives to CA LDAP Server for z/OS?
Alternatives to CA LDAP Server for z/OS include other LDAP servers that might be able to interface with mainframe security systems, potentially through custom development or other integration tools. Native z/OS LDAP servers could be an option, but might require significant configuration and customization to work with CA ACF2 or CA Top Secret. Custom-built solutions are also possible, but generally require more development effort.
Technical
Does this run in an LPAR?
CA LDAP Server for z/OS runs on the z/OS operating system. It operates within an LPAR (Logical Partition) on the mainframe. It requires CA ACF2 or CA Top Secret to be installed and configured, as it relies on these security systems for authentication and authorization data.
What ports or network requirements exist?
The server typically uses standard LDAP ports (e.g., 389 for LDAP, 636 for LDAPS). It communicates with CA ACF2 or CA Top Secret using their respective APIs or command interfaces. The specific communication protocols depend on the configuration and version of the security systems.
What configuration files or interfaces are used?
Configuration files define how the LDAP server maps LDAP attributes to CA ACF2 or CA Top Secret security attributes. These files also control access permissions and other server settings. The specific format and location of these files are detailed in the product documentation.
What types of APIs does this product expose?
The product exposes LDAP APIs, allowing LDAP clients to interact with the server. These APIs support standard LDAP operations such as bind, search, add, modify, and delete. The server translates these LDAP operations into corresponding commands for CA ACF2 or CA Top Secret.
Business Value
What business problem does it solve?
CA LDAP Server for z/OS enables organizations to leverage their existing mainframe security infrastructure for modern applications. This reduces the need to duplicate security information and policies across multiple systems. It also simplifies user management by providing a centralized point of authentication and authorization.
What would happen if an organization did NOT use this product?
Without CA LDAP Server for z/OS, organizations would need to implement alternative methods for integrating LDAP-enabled applications with CA ACF2 or CA Top Secret. This could involve custom development, which is costly and time-consuming, or maintaining separate security databases, which increases administrative overhead and the risk of inconsistencies.
What is the typical total cost of ownership beyond licensing?
The product helps reduce the total cost of ownership by leveraging existing mainframe security investments. It avoids the need to purchase and maintain separate LDAP servers and security databases. It also simplifies user management and reduces the risk of security breaches.
Security
What specific authentication methods are supported?
CA LDAP Server for z/OS supports various authentication methods, including simple bind, SASL (Simple Authentication and Security Layer), and TLS/SSL-based authentication. The specific methods supported depend on the configuration of the server and the capabilities of the LDAP client.
What access control model is used?
The product uses an access control model based on Access Control Lists (ACLs). ACLs define which users or groups have permission to access specific LDAP attributes and perform certain operations. These ACLs are typically defined in the configuration files of the LDAP server.
What encryption is used and where?
The product supports encryption using TLS/SSL to protect the confidentiality of data transmitted between the LDAP client and the server. This encryption is typically enabled by configuring the server to use LDAPS (LDAP over SSL).
What audit/logging capabilities exist?
The product provides audit logging capabilities, recording all LDAP operations performed on the server. These logs can be used to track user activity, identify security breaches, and comply with regulatory requirements. The logs typically include information such as the user ID, the operation performed, the timestamp, and the result of the operation.
Operations
What ongoing operational requirements exist?
Implementing CA LDAP Server for z/OS requires technical expertise in z/OS, CA ACF2 or CA Top Secret, and LDAP. Ongoing operational requirements include monitoring server performance, managing user access, and maintaining the configuration files. Common implementation challenges include mapping LDAP attributes to security attributes and ensuring compatibility with existing applications.
What administrative interfaces are available?
Administrative interfaces are available through command-line tools and configuration files. User management is typically handled through CA ACF2 or CA Top Secret, as the LDAP server relies on these security systems for user authentication and authorization. Monitoring and logging capabilities are provided through z/OS system logs and the LDAP server's own log files.
What are the main system components?
The main system components include the LDAP server process, the configuration files, and the interfaces to CA ACF2 or CA Top Secret. These components communicate through APIs and command interfaces. The server uses the security databases of CA ACF2 or CA Top Secret for storing user and group information.