The VMS Authentication Module (VAM) provides controlled access to both user-written applications and the OpenVMS system overall using LDAP, RADIUS or the local VMS User Authentication File (UAF). It can be incorporated into an OpenVMS-based platform in three ways:
Process Software’s VAM product integrates cleanly into the OpenVMS environment. It supports the MultiNet and TCPware TCP/IP stacks and HP TCP/IP Services.
VAM is easy to install using the
VMSINSTAL installation procedure. It takes less than five minutes to configure. The system administrator can control VAM by editing the configuration file.
VAM’s configuration file is robust and can be customized to meet an organization’s specific security requirements.
VAM supports VAX, Alpha, and Integrity systems running various versions of OpenVMS. When each node in an OpenVMS cluster shares a common system disk, the cluster needs to store just one copy of most VAM files. Only a few system-specific configuration files are required on each machine that runs the software.
An application programming interface (API) is provided to allow VAM to be incorporated into existing user applications. The heart of the API is the
VMSAuthenticate function call, where the calling program supplies (as required) the username and password to be authenticated, the type of authentication (LDAP, RADIUS, or LOCALUAF), and pointers to user-written callbacks in the user program. These callbacks are used by VAM to communicate with the user (e.g., to prompt for passwords or to provide informational messages.)
VAM provides a callout module used to implement LDAP and RADIUS authentication using the standard VMS LOGINOUT mechanism. It may be configured so that if a VAM login can’t be completed for any reason other than an invalid username or password (for, example, in the case of a network outage that prevents communication with an LDAP or RADIUS server), the normal VMS SYSUAF will be used to validate the user.
VAM provides LDAP and RADIUS agents for the VMS ACME (Authentication and Credential Management Extension) subsystem for OpenVMS V8 and higher on Alpha and Integrity platforms.
VAM provides a client for LDAPv3 servers on various platforms. Examples of supported servers are Microsoft Active Directory and OpenLDAP from the OpenLDAP Foundation.
This client may be used in the form of an API that is incorporated into an application, as a VMS ACME agent, or as a callout module for the VMS LOGINOUT mechanism.
Transactions with LDAP servers may be performed using unencrypted clear-text (the default), or the transactions may be encrypted using certificates. The VAM configuration file is used to specify if transactions are encrypted (LDAPS) or not (LDAP).
To provide maximum flexibility, multiple searches may be specified for any supported server, and multiple servers may be searched. The servers and searches on those servers are specified in the VAM configuration file by the system manager. Searches are first conducted using either a specified Distinguished Name and password or anonymously (where supported by the server). In addition, all LDAP usernames may be mapped to a single VMS username on the client system.
When a user is successfully authenticated via an LDAP directory, attributes (as specified in the configuration file) may be returned. If using the API, these attributes are returned as a list of attribute/value tuples. If using the VMS ACME system, the attributes are set as logical names in the process’s process logical name table. If using the LOGINOUT callouts, the attributes are set as logical names in the process’s job logical name table.
If using the LOGINOUT callouts and upon successful authentication, the last login date and time and the user’s password are updated in the VMS UAF file, to ensure the information is as synchronized when possible. This behavior may be overridden by the
LDAP_NO_PASSWORD_SYNC keyword in the configuration file.
VAM provides a client for RADIUS server systems on various platforms. An example of this would be a server running the FreeRADIUS server.
This client may be used in the form of an API that is incorporated into an application, or as a callout module for the VMS LOGINOUT mechanism.
Transactions with RADIUS servers are performed using unencrypted clear-text data, but with the password encrypted using MD5 encryption.
In addition, all RADIUS usernames may be mapped to a single VMS username on the client system.
If using the LOGINOUT callouts and upon successful authentication, the last login date and time and the user’s password are updated in the VMS UAF file, to ensure the information is synchronized when possible. This behavior may be overridden by the
RADIUSNOPASSWORDSYNC keyword in the configuration file.
The local User Authorization file (UAF) may be used within the API to provide authentication for an application.
VAM requires at least one network controller supported by MultiNet, TCPware or TCP/IP Services.
VAM supports the following operating system versions:
VAM supports the following TCP/IP stacks and versions: