Rocket LDAP Bridge consists of a base product and a flexible set of optional plug-ins. It is based on OpenLDAP with LDAPv3 support.
Rocket LDAP Bridge:
- Works with mainframe security database fields:
- All RACF fields
- All TSS fields including user-defined fields
- All ACF2 logonid record fields as well as Access and Resource rules.
- Provides bi-directional password synchronization between mainframe security database and the client
- Is constructed such that LDAP data and applications reside on the mainframe
- Uses TLS/SSL with Mutual Authentication and CRL checking
- Provides LDAP change logging and audit logging
- Provides alias management on user creation and deletion
- Allows you to search using standard LDAP filters
- Supports the pam_ldap authentication plug-in, for authenticating Linux logins against the RACF user database
Rocket LDAP Bridge serves as the foundation for a suite of plug-in products. Each plug-in enables you to customize your LDAP repository by adding new functionality.
Rocket LDAP Bridge plug-ins help simplify administration tasks in complex, heterogeneous environments that include z/OS mainframes. They work with third-party identity management solutions and web applications, and expose powerful, secure administration interfaces.
- racf2ldap, acf22ldap, tss2ldap – provide automatic outbound synchronization from RACF, CA ACF2, or CA Top Secret to the LDAP Server.
- ldap2racf, ldap2acf2, ldap2tss – provide inbound synchronization. These plug-ins are designed to allow you to update RACF, CA ACF2, or CA Top Secret fields.
- pticket – provides RACF PassTicket credentials to sufficiently authorized LDAP clients.
- ldifsync – provides a method for authorized LDAP clients to retrieve, in standard LDIF format, the changes that were made to the RACF, CA ACF2, or CA Top Secret database since the last ldifsync query.
- ldap2tso – provides a method for authorized LDAP clients to issue non-interactive TSO commands, in the security context of the authenticated LDAP user.
- pwdsync – provides a method for authorized LDAP clients to push passwords to the mainframe, or read the results of each user’s most recent password change.
Required z/OS System Software:
- IBM z/OS 1.7, 1.8, or 1.9, 1.10, 1.11 or 1.12
- A version of CA Top Secret that is currently supported by CA (when working with CA Top Secret)
- A version of CA ACF2 that is currently supported by CA (when working with CA ACF2)