The VMS Authentication Module (VAM) provides users of OpenVMS V8.3 and higher the ability to perform LDAP and RADIUS authentication via the VMS ACME subsystem.
SSH logins will not use ACME.
This chapter assumes the user is familiar with ACME in general.
After installing and configuring VAM, the latest ACMELOGIN kit for VMS must be installed. This kit provides ACME-enabled LOGINOUT and SETP0 images that call the VAM ACME agent image(s). These images use ACME to perform logins to the system and to implement the VMS SET PASSWORD command, respectively. To install these images:
· Download the latest ACMELDAP ECO kit from HP.
· Execute the ZIPEXE file to uncompress the ACMELDAP PCSI kit.
· Extract the backup file ACME_DEV_KITS.BCK from the PCSI file.
· Extract the ACMELOGIN kit from ACME_DEV_KITS.BCK
· Install the ACMELOGIN PCSI kit just extracted.
User accounts that will use VAM ACME must have the following set up:
· In VAM:VAM_CONFIG.DAT, the proper REQUIRE keyword (e.g., REQUIRE_LDAP or REQUIRE_RADIUS) must be set up. Use of the rights list identifier in the user’s UAF record (e.g., VAM_LGI_LDAP or VAM_LGI_RADIUS) isn’t supported.
· Each user account that will use VAM ACME must have the EXTAUTH flag set in the account’s UAF record.
A VAM ACME agent is enabled by adding the ACMEprotocol keyword (ACMELDAP or ACMERADIUS) to the VAM_STARTUP.COM command line when it is executed to start VAM. For example:
$ @SYS$SYSDEVICE:[VAM]VAM_STARTUP ACMELDAP
or
$ @SYS$SYSDEVICE:[VAM]VAM_STARTUP ACMERADIUS
These commands will cause the following to be performed:
· The VAM ACME persona extension (PSC_PERSONA_EXT.EXE) will be loaded into the VMS kernel. This enables the SET PASSWORD processing.
· The VMS ACME server will be stopped, restarted with the privileges required to execute the VAM ACME agents, and both the default VMS agent and the LDAP or RADIUS VAM ACME agent will be loaded and enabled.
The file names for the Process-supplied agents are:
VMS$PSC_LDAP_DOI_ACMESHR.EXE
VMS$RADIUS_LDAP_DOI_ACMESHR.EXE
To display the loaded ACME agents, use the SHOW SERVER ACME command:
$ SHOW SERVER ACME
ACME Information on node BOSTON1 10-JUL-2022 13:54:58.30 Uptime 0 00:00:24
ACME Server id: 2 State: Processing New Requests
Agents Loaded: 2 Active: 2
Thread Maximum: 4 Count: 4
Request Maximum: 252 Count: 0
ACME Agent id: 1 State: Active
Name: "VMS"
Image: "DISK$SYS:[VMS$COMMON.SYSLIB]VMS$VMS_ACMESHR.EXE;1"
Identification: "VMS ACME built 27-SEP-2006"
Information: "No requests completed since the last startup"
Domain of Interpretation: Yes
Execution Order: 2
ACME Agent id: 2 State: Active
Name: "PSC_LDAP_DOI"
Image: "DISK$SYS:[VAM]VMS$PSC_LDAP_DOI_ACMESHR.EXE;7"
Identification: "PSC_LDAP DOI"
Information: "PSC_LDAP_DOI Agent is initialized"
Domain of Interpretation: Yes
Execution Order: 1
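The per-account requirements and the startup step described above, collected into one DCL procedure. This is an added example, not a procedure shipped with VAM or the ACMELOGIN kit; it assumes VAM:VAM_CONFIG.DAT can be searched textually for the REQUIRE keyword (the exact line format is not given here), that the VAM agent images live in the [VAM] directory as in the SHOW SERVER ACME display above, and that the caller holds the privileges AUTHORIZE and VAM_STARTUP need.

```dcl
$! VAM_ACME_START.COM  (added example, not part of the VAM kit)
$! Usage: @VAM_ACME_START username {LDAP|RADIUS}
$! Checks the two per-account requirements, refuses to load a second
$! VAM ACME agent, then starts the agent and displays what is loaded.
$ SET NOON
$ USERNAME = F$EDIT(P1, "UPCASE,TRIM")
$ PROTO    = F$EDIT(P2, "UPCASE,TRIM")
$ IF USERNAME .EQS. "" .OR. (PROTO .NES. "LDAP" .AND. PROTO .NES. "RADIUS")
$ THEN WRITE SYS$OUTPUT "Usage: @VAM_ACME_START username {LDAP|RADIUS}"
$      EXIT
$ ENDIF
$!
$! 1. VAM_CONFIG.DAT must carry the REQUIRE keyword for this protocol.
$!    Presence check only: a commented-out line would also match.
$!    SEARCH returns severity 1 (success) only when a match is found.
$ SEARCH/OUTPUT=NL: VAM:VAM_CONFIG.DAT "REQUIRE_''PROTO'"
$ IF $SEVERITY .NE. 1
$ THEN WRITE SYS$OUTPUT "REQUIRE_''PROTO' not found in VAM:VAM_CONFIG.DAT"
$      EXIT
$ ENDIF
$!
$! 2. The UAF record must have EXTAUTH set. AUTHORIZE SHOW lists it under
$!    "Flags:"; SEARCH is case-blind by default. Reading SYSUAF needs
$!    SYSPRV, and a nonexistent username also ends up here (no match).
$ PIPE MCR AUTHORIZE SHOW 'USERNAME' | SEARCH/OUTPUT=NL: SYS$INPUT "EXTAUTH"
$ IF $SEVERITY .NE. 1
$ THEN WRITE SYS$OUTPUT "''USERNAME' does not have the EXTAUTH flag set"
$      EXIT
$ ENDIF
$!
$! 3. Only one VAM ACME agent may be active at a time: stop if an agent
$!    image from the [VAM] directory is already loaded. If the ACME server
$!    is not running, SHOW SERVER ACME prints an error and nothing matches.
$ PIPE SHOW SERVER ACME | SEARCH/OUTPUT=NL: SYS$INPUT "[VAM]"
$ IF $SEVERITY .EQ. 1
$ THEN WRITE SYS$OUTPUT "A VAM ACME agent is already loaded; only one may be active"
$      EXIT
$ ENDIF
$!
$! 4. Start the agent (loads PSC_PERSONA_EXT.EXE, restarts the ACME server
$!    with the VMS agent plus this VAM agent) and show the result.
$ @SYS$SYSDEVICE:[VAM]VAM_STARTUP ACME'PROTO'
$ SHOW SERVER ACME
$ EXIT
```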
Some restrictions exist when using VAM ACME. The following sections detail these restrictions.
Unlike using VAM with the LGI callouts, only a single VAM ACME agent (LDAP or RADIUS) may be loaded and active at any time.
The following keywords apply specifically to VAM ACME configurations:
PREAUTH_RETURNS_FAILURE
When set to 1, the VAM LDAP and RADIUS ACME agents return AUTHFAILURE when a pre-authenticated login (e.g., a batch job) is attempted. The default is 0, in which case the agents continue processing and skip the authentication checks they would otherwise perform.
The following LDAP-related and RADIUS-related configuration keywords are not supported by VAM ACME:
· FALLTHROUGH_TO_VMS
· PROMPT_FOR_FT_PWD
· LDAP_NOPASSWORD_SYNC
· LDAP_ALLOW_NULL_PASSWORD
· LDAP_COMMON_USERNAME
· RADIUS_COMMON_USERNAME