IBM Support

Support Policy for PAM and ClearCase

Preventive Service Planning


This technote outlines the support policy for IBM Rational ClearCase authentication use through PAM (Pluggable Authentication Modules) as it relates to the ClearCase Web (CCWeb) interface on UNIX and Linux.



All that is needed to configure PAM for use with ClearCase is the service name. The name of the service for ClearCase to add a block in the PAM configuration file(s) is 'clearcase'.

For your benefit, here is a clearcase service 'block' from a sample pam.conf file from a SolarisĀ® system, just so you can see what it looks like. The data content is fabricated, but the pattern is valid:

clearcase   auth requisite
clearcase   auth required 
clearcase   auth required 
Clearcase   auth required 

For Linux:

If you have not modified the default login, you can copy it:
#cd /etc/pam.d
#cp login clearcase

Or get a default copy of the login from the applicable linux kernel.

Sample contents of login (this is from Red Hat 6.0)
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required close
session    required
session    optional
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      system-auth
-session   optional

For AIX add the following lines to /etc/pam.conf:


# Authentication
clearcase       auth    required        /usr/lib/security/pam_aix

# Account Management
clearcase       account required        /usr/lib/security/pam_aix

# Password Management
clearcase       password  required      /usr/lib/security/pam_aix

# Session Management
clearcase       session required        /usr/lib/security/pam_aix

You can define entries in your PAM configuration file(s) for the clearcase service, informing it what libraries to authenticate against. This needs to be done on the machine where the authentication will take place, for example your web server if configuring PAM to work with CCRC or CCWeb in the context of using Rational Web Platform (RWP).

With this set up enabled, provided you have properly configured your PAM and authentication methods, ClearCase will look to see if the clearcase service is enabled in your PAM configuration file(s) and thus authentication through PAM should work.

Note: IBM Rational does not provide documentation, guidelines or recommendations concerning the configuration of PAM due to the secure (and liable) nature of the subject.

Review the related information section for resources you can refer to when configuring PAM in your environment.

Note: ClearCase versions 4.x did not support PAM for ClearCase Web (CCWeb) authentication as it was not compiled to be PAM aware. ClearCase versions 4.x still relies on local user authentication via either NIS, NIS+ or local /etc/passwd file.

[{"Product":{"code":"SSSH27","label":"Rational ClearCase"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Operating System Configurations","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF015","label":"IRIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"}],"Version":"7.0;7.0.1;7.1;7.1.2;8.0;8.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018