The VMS Authentication Module (VAM) provides controlled access to both user-written applications and the OpenVMS system overall using LDAP, RADIUS or the local VMS User Authorization File (UAF). It can be incorporated into an OpenVMS-based platform in three ways: through an application programming interface (API) called from user-written applications, as a callout module for LOGINOUT.EXE, or as an agent for the VMS ACME subsystem.
Process Software’s VAM product integrates cleanly into the OpenVMS environment. It supports the MultiNet and TCPware TCP/IP stacks and HP TCP/IP Services.
VAM is easy to install using the VMSINSTAL installation procedure, and it takes less than five minutes to configure. The system administrator controls VAM by editing its configuration file.
VAM’s configuration file is robust and can be customized to meet an organization’s specific security requirements.
For example:
VAM supports Alpha and Integrity systems running various versions of OpenVMS. When each node in an OpenVMS cluster shares a common system disk, the cluster needs to store just one copy of most VAM files. Only a few system-specific configuration files are required on each machine that runs the software.
An application programming interface (API) is provided to allow VAM to be incorporated into existing user applications. The heart of the API is the VMSAuthenticate function call, to which the calling program supplies (as required) the username and password to be authenticated, the type of authentication (LDAP, RADIUS, or LOCALUAF), and pointers to callbacks written in the calling program. VAM uses these callbacks to communicate with the user (e.g., to prompt for passwords or to display informational messages).
VAM provides a callout module that implements LDAP and RADIUS authentication through the standard VMS LOGINOUT mechanism. It may be configured so that if a VAM login cannot be completed for any reason other than an invalid username or password (for example, a network outage that prevents communication with an LDAP or RADIUS server), the normal VMS SYSUAF is used to validate the user.
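The following Python example is added here to model the API shape and the fail-over rule just described; it is not code from VAM or Process Software, and the function name authenticate_with_fallback, its arguments and its result codes are assumptions (VAM's real VMSAuthenticate signature is not shown on this page). The caller passes a username, an optional password, and prompt/message callbacks; the module tries a constructed in-memory LDAP stand-in first and falls back to a constructed SYSUAF stand-in only when the directory is unreachable, never on a definite "invalid username or password" answer. It also shows why keeping the local UAF password in sync matters: a password that is valid in the directory but stale in SYSUAF fails during fallback.

```python
import hmac
from enum import Enum, auto
from typing import Callable, Optional, Tuple


class AuthResult(Enum):
    OK = auto()
    INVALID_CREDENTIALS = auto()   # definite rejection: never triggers fallback
    UNAVAILABLE = auto()           # could not complete, and fallback is disabled


class RemoteUnavailable(Exception):
    """Stand-in for a network outage or an unreachable LDAP/RADIUS server."""


# Constructed sample data. "alice" deliberately has different passwords in the
# directory and in the local SYSUAF so the effect of fallback is visible.
LDAP_DIRECTORY = {"alice": "ldap-pw"}
LOCAL_UAF = {"alice": "uaf-pw", "bob": "bob-uaf-pw"}


def _check(store: dict, username: str, password: str) -> bool:
    stored = store.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def ldap_authenticate(username: str, password: str, *, network_up: bool = True) -> bool:
    """Stand-in for an LDAP bind; raises (rather than returning False) on outage."""
    if not network_up:
        raise RemoteUnavailable("LDAP server unreachable")
    return _check(LDAP_DIRECTORY, username, password)


def local_uaf_authenticate(username: str, password: str) -> bool:
    """Stand-in for validating against the normal VMS SYSUAF."""
    return _check(LOCAL_UAF, username, password)


def authenticate_with_fallback(
    username: str,
    password: Optional[str] = None,
    *,
    prompt_cb: Optional[Callable[[str], str]] = None,
    message_cb: Optional[Callable[[str], None]] = None,
    fallback_to_uaf: bool = True,
    network_up: bool = True,
) -> Tuple[AuthResult, str]:
    """Return (result, source), where source is "ldap" or "sysuaf".

    Hypothetical API: the caller supplies the password, or a prompt callback the
    module uses to ask for it, plus a message callback for informational text.
    """
    if password is None:
        if prompt_cb is None:
            raise ValueError("no password supplied and no prompt callback given")
        password = prompt_cb("Password: ")
    notify = message_cb or (lambda _msg: None)

    try:
        ok = ldap_authenticate(username, password, network_up=network_up)
    except RemoteUnavailable as exc:
        if not fallback_to_uaf:
            notify(f"LDAP authentication unavailable: {exc}")
            return AuthResult.UNAVAILABLE, "ldap"
        notify(f"LDAP authentication unavailable ({exc}); validating against SYSUAF")
        ok = local_uaf_authenticate(username, password)
        return (AuthResult.OK if ok else AuthResult.INVALID_CREDENTIALS), "sysuaf"

    # The directory answered: a rejection is final, so no second chance via SYSUAF.
    return (AuthResult.OK if ok else AuthResult.INVALID_CREDENTIALS), "ldap"


if __name__ == "__main__":
    cases = [("alice", "ldap-pw", True), ("alice", "uaf-pw", True),
             ("alice", "uaf-pw", False), ("alice", "ldap-pw", False)]
    for user, pw, up in cases:
        result, source = authenticate_with_fallback(user, pw, network_up=up, message_cb=print)
        print(f"{user} network_up={up}: {result.name} via {source}")
```

The distinction between "rejected" and "could not complete" is the whole point: collapsing both into a single failure code would let every directory-side rejection be retried against SYSUAF, which is not what the page describes and would turn the fallback into a second password check.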
VAM provides LDAP and RADIUS agents for the VMS ACME (Authentication and Credential Management Extension) subsystem for OpenVMS V8 and higher on Alpha and Integrity platforms.
VAM provides a client for LDAPv3 servers on various platforms. Examples of supported servers are Microsoft Active Directory and OpenLDAP from the OpenLDAP Foundation.
This client may be used in the form of an API that is incorporated into an application, as a VMS ACME agent, or as a callout module for the VMS LOGINOUT mechanism.
Transactions with LDAP servers are performed in unencrypted clear text by default, or they may be encrypted using certificates. The VAM configuration file specifies whether transactions are encrypted (LDAPS) or not (LDAP).
To provide maximum flexibility, multiple searches may be specified for any supported server, and multiple servers may be searched. The servers, and the searches to run on each of them, are specified in the VAM configuration file by the system manager. Each search is conducted either by binding with a specified Distinguished Name and password or anonymously (where the server permits it). In addition, all LDAP usernames may be mapped to a single VMS username on the client system.
When a user is successfully authenticated via an LDAP directory, attributes (as specified in the configuration file) may be returned. If using the API, these attributes are returned as a list of attribute/value tuples. If using the VMS ACME system, the attributes are set as logical names in the process’s process logical name table. If using the LOGINOUT callouts, the attributes are set as logical names in the process’s job logical name table.
If using the LOGINOUT callouts, then upon successful authentication the last login date and time and the user's password are updated in the VMS UAF file, so that the information is kept synchronized where possible. This behavior may be overridden by the LDAP_NO_PASSWORD_SYNC keyword in the configuration file.
VAM provides a client for RADIUS server systems on various platforms. An example of this would be a server running the FreeRADIUS server.
This client may be used in the form of an API that is incorporated into an application, or as a callout module for the VMS LOGINOUT mechanism.
Transactions with RADIUS servers are performed using unencrypted clear-text data, except for the password, which is hidden using the RADIUS protocol's MD5-based scheme.
In addition, all RADIUS usernames may be mapped to a single VMS username on the client system.
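To make concrete what the MD5-based password protection in a RADIUS exchange actually is, here is an added Python example (not VAM's or Process Software's code) of the standard User-Password hiding from RFC 2865 section 5.2, which any RADIUS client applies before sending an Access-Request: the NUL-padded password is XORed, 16 octets at a time, with MD5(shared secret || Request-Authenticator), chained through the previous ciphertext block. The shared secret, authenticator and password below are constructed sample values. It illustrates the caveat behind the page's statement: the rest of the packet is clear text, and the password's protection rests entirely on the secrecy and strength of the shared secret between the VMS client and the RADIUS server.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; the User-Password attribute is hidden in 16-octet blocks


def new_request_authenticator() -> bytes:
    """A fresh 16-octet Request-Authenticator, as a client would generate per request."""
    return os.urandom(BLOCK)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as described in RFC 2865 section 5.2.

    Each 16-octet block of the NUL-padded password is XORed with
    MD5(secret || previous block); for the first block, "previous block" is the
    Request-Authenticator from the packet header.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password(); this is what the RADIUS server does on receipt."""
    if len(hidden) == 0 or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    password = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        password += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the NUL padding (RFC 2865 does not allow NUL inside the password itself)
    return bytes(password).rstrip(b"\x00")


# Constructed sample values; a real client would use new_request_authenticator().
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery staple"  # 28 octets -> two 16-octet blocks

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("hidden      :", hidden.hex())
    print("restored    :", unhide_password(hidden, SECRET, AUTHENTICATOR))
    # A receiver holding the wrong secret recovers garbage, not the password
    print("wrong secret:", unhide_password(hidden, b"wrong", AUTHENTICATOR))
```

Because the keystream is derived from the secret and a per-request authenticator rather than from the password, the scheme is only as strong as the secret: a short or guessable shared secret can be recovered offline from one captured request and response, so the secret deserves the same care as any other credential stored in the VAM configuration file.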
If using the LOGINOUT callouts, then upon successful authentication the last login date and time and the user's password are updated in the VMS UAF file, so that the information is kept synchronized where possible. This behavior may be overridden by the RADIUSNOPASSWORDSYNC keyword in the configuration file.
The local User Authorization file (UAF) may be used within the API to provide authentication for an application.
VAM requires at least one network controller supported by MultiNet, TCPware or TCP/IP Services.
VAM supports the following operating system versions:
VAM supports the following TCP/IP stacks and versions: