IBM Support

Support Policy for PAM and ClearCase

Preventive Service Planning


Abstract

This technote outlines the support policy for IBM Rational ClearCase authentication through PAM (Pluggable Authentication Modules) as it relates to the ClearCase Web (CCWeb) interface on UNIX and Linux.

Content

SETUP INSTRUCTIONS:

All that is needed to configure PAM for use with ClearCase is the service name. The service name to use when adding a ClearCase block to the PAM configuration file(s) is 'clearcase'.

For reference, here is a clearcase service 'block' from a sample pam.conf file on a Solaris® system. The data content is fabricated, but the pattern is valid:

clearcase   auth requisite          pam_authtok_get.so.1
clearcase   auth required           pam_dhkeys.so.1
clearcase   auth required           pam_unix_auth.so.1
clearcase   auth required           pam_dial_auth.so.1

For Linux:

If you have not modified the default login file, you can copy it:
# cd /etc/pam.d
# cp login clearcase

Or obtain a default copy of the login file from the applicable Linux distribution.

Sample contents of login (this is from Red Hat 6.0):
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so


For AIX add the following lines to /etc/pam.conf:

#
# Authentication
#
clearcase       auth    required        /usr/lib/security/pam_aix

#
# Account Management
#
clearcase       account required        /usr/lib/security/pam_aix

#
# Password Management
#
clearcase       password  required      /usr/lib/security/pam_aix


#
# Session Management
#
clearcase       session required        /usr/lib/security/pam_aix

You can define entries in your PAM configuration file(s) for the clearcase service that tell it which libraries to authenticate against. This must be done on the machine where the authentication takes place, for example your web server if you are configuring PAM to work with CCRC or CCWeb in the context of using Rational Web Platform (RWP).

With this setup in place, and provided you have properly configured PAM and your authentication methods, ClearCase checks whether the clearcase service is defined in your PAM configuration file(s), and authentication through PAM should then work.
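The following check is an added example, not part of the IBM technote or of ClearCase. It lists which PAM management groups (auth, account, password, session) have entries for the clearcase service, because a group with no entry is resolved through the rules of the 'other' service instead. The function names pam_groups and pam_missing and the conf/dir format argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. pam_groups and pam_missing are hypothetical helpers.
# FORMAT is "conf" for /etc/pam.conf (service name in column 1) or
# "dir" for an /etc/pam.d/<service> file (no service column).

# pam_groups FILE SERVICE FORMAT: print the management groups that have entries.
pam_groups() {
    awk -v svc="$2" -v fmt="$3" '
        /^[ \t]*#/ || NF == 0 { next }      # comments (incl. #%PAM-1.0), blank lines
        {
            if (fmt == "conf") {
                # Linux-PAM treats the service token as case-insensitive
                if (tolower($1) != tolower(svc)) next
                type = $2
            } else {
                type = $1
            }
            sub(/^-/, "", type)              # Linux-PAM "-session" style prefix
            type = tolower(type)
            if (type ~ /^(auth|account|password|session)$/) print type
        }' "$1" | sort -u
}

# pam_missing FILE SERVICE FORMAT: print groups with no entry for SERVICE.
pam_missing() {
    defined=$(pam_groups "$1" "$2" "$3")
    for g in auth account password session; do
        echo "$defined" | grep -qx "$g" || echo "$g"
    done
}

# Demo input modelled on the Solaris sample block above, which defines auth only.
demo=$(mktemp)
cat > "$demo" <<'EOF'
clearcase   auth requisite          pam_authtok_get.so.1
clearcase   auth required           pam_dhkeys.so.1
clearcase   auth required           pam_unix_auth.so.1
clearcase   auth required           pam_dial_auth.so.1
EOF
echo "Groups with no clearcase entry:"
pam_missing "$demo" clearcase conf
rm -f "$demo"
```

On a live system, point it at /etc/pam.conf with the conf format or at /etc/pam.d/clearcase with the dir format, then review the 'other' entries for any group it reports.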

Note: IBM Rational does not provide documentation, guidelines or recommendations concerning the configuration of PAM due to the secure (and liable) nature of the subject.

Review the related information section for resources you can refer to when configuring PAM in your environment.

Note: ClearCase versions 4.x did not support PAM for ClearCase Web (CCWeb) authentication, as they were not compiled to be PAM aware. ClearCase versions 4.x still rely on local user authentication via either NIS, NIS+ or the local /etc/passwd file.


Document Information

Modified date:
16 June 2018

UID

swg21146281