Integrating CyberArk with Legacy Mainframe Systems

Most organizations have unique login sequences and elevation processes for their mainframe environment that don't integrate well with standard PAM integrations, forcing reliance on manual processes. This creates security vulnerabilities and operational inefficiencies for security engineers.

Executive Summary

Our government client had a CyberArk self-managed PAM solution with some generic Mainframe integrations (ACF2, RACF, OS390) in its publicly available marketplace.

Our client's goal was to improve security and operational efficiency for their mainframe admins by automating password management and session launch, eliminating manual processes, and improving audit trails.

To help our client achieve their goals, we developed custom scripts to seamlessly integrate the client's customized mainframe environment with CyberArk PAM. We applied CyberArk's development tools to create automated workflows for password and session management and maximized CyberArk's security features for improved access control.

Business Results

We successfully integrated the client's custom mainframe environment with their existing CyberArk PAM solution by developing automated password session login routines specifically designed for their unique setup and optimizing CyberArk's self-managed PAM capabilities.

This successful integration yielded significant benefits, including:

• Enhanced Security: The mainframe environment now enforces crucial security measures like frequent password rotation, multi-factor authentication, and isolated admin access. This significantly reduces the risk of unauthorized access to critical systems.

• Improved Efficiency for Admins: By automating password management and session launch, admins can now leverage account segmentation for better security without the burden of remembering multiple passwords. This frees up valuable time for IT staff to focus on other tasks.

• Stronger Compliance: Recording admin activities and keystrokes provides a detailed audit trail, simplifying compliance efforts for both the organization and itssecurity operations center (SOC) staff.

• Guaranteed Accuracy: Our innovative approach guaranteed 100% accuracy in all characters sent and received.

Implementation Summary

To automate password management and session management with recording, we leveraged CyberArk's existing development tools:Central Policy Manager (CPM) for automated password management and Privileged Session Manager (PSM) to launch and record privileged user sessions on the mainframe.

CyberArk's guidelines recommended a standard approach leveraging SSH access through a UNIX emulator on the mainframe. Unfortunately, this wasn't feasible due to the client's lack of SSH implementation.

As an alternative, we implemented automated logins using a publicly available 3270 emulator. This emulator could be launched through CyberArk's integration framework and programmed to handle various password management activities, including login, verification of the current password, and rotation of the current password.

In accordance with CyberArk's guidance, we:

• Documented the unique steps for logging into the mainframe, elevating user access, and rotating a user password

• Documented all variations of this process for different types of users and different levels of elevation.

• Documented common error states (wrong password, user disabled, network outage, etc.)

• Automated each of these using the CyberArk “prompts and process file” approach, which is based on the Inspect real-time automation scripting language.

These functions were fully automated, tested, and used to build various use cases for the client's PAM implementation.

PSM Integrations

MicroFocus Reflection is the preferred 3270 emulator for our client. To initiate session management and recording over a standard TN3270 interface managed by CyberArk, we automated the login process and handed over control to the CyberArk PSM processes using the “AutoIT” scripting language and the libraries and predefined templates dictated by CyberArk.

We authored an AutoIT module that could launch Reflections, log in to the mainframe under various conditions, and transfer control to the CyberArk session management process.

Lessons Learned

For CPM Implementation

• Understand how to troubleshoot your inspect script (CyberArk “prompts” and “process” files).Learn how to enable debugging and what the various debug log files are - you will need to refer to them frequently when developing.

• If debug logs show your script is timing out, experiment with longer timeouts.Timers are not always accurate on the default process file. If your debug logs show your script is timing out, you should experiment with longer timeouts. This includes the overall script timeouts and the rate of sending character timers.

• Use the publicly available 3270 emulator WC3270.exe. CyberArk no longer certifies this, so you will need to download it from public sources. Check with your organization on their policy for using public domain software. You may need to find a commercial character-based 3270 emulator.

For PSM Integration

• To simply launch the Reflections interface, create a default profile (RD3x file) with the organizational settings and use command-line switches to (-f).Normal input/output commands were not stable when sending and receiving characters through reflections. We developed an AutoIT technique for our client so the script would capture all screen data on the clipboard and input those characters instead.

About the Author

Brian Read, Chief Technology Officer
[email protected] | Connect on LinkedIn

Brian has over 25 years of extensive experience in the IT industry, focused on managing and growing digital security practices. He has led large identity projects in the federal sector, energy sector, and financial services sectors.