| Oracle® Identity Manager Connector Guide for CA Top Secret Advanced Release 9.0.4 Part Number E10424-14 |
|
|
PDF · Mobi · ePub |
| Oracle® Identity Manager Connector Guide for CA Top Secret Advanced Release 9.0.4 Part Number E10424-14 |
|
|
PDF · Mobi · ePub |
You deploy the Reconciliation Agent and Provisioning Agent on the mainframe. These agents communicate with the LDAP Gateway during connector operations.
The following section summarizes the procedure to deploy the Reconciliation Agent and Provisioning Agent:
The following sections describe each deployment step in detail:
Section 3.3, "Deploying the Reconciliation Agent and Provisioning Agent"
Section 3.4, "Modifying the prclib.xmi and parmlib.xmi Files"
Section 3.7, "Installing or Integrating the Reconciliation Agent Exit"
Section 3.8, "Creating a CA Top Secret Account for Connector Operations"
Section 3.9, "Starting Up and Shutting Down the Reconciliation Agent and Provisioning Agent"
See the following section if you want to remove the Reconciliation Agent exit:
The following steps summarize the procedure to deploy the connector components on the target system:
Review and address the deployment requirements.
Deploy the Reconciliation Agent and Provisioning Agent.
Modify the prclib.xmi and parmlib.xmi files according to the settings of your target system installation.
Configure the started tasks.
Install or integrate the Reconciliation Agent exit.
Create a CA Top Secret account for reconciliation and provisioning operations.
Test the setup by starting up and shutting down the Reconciliation Agent and Provisioning Agent.
The following is a summary of the deployment requirements:
The Reconciliation Agent and Provisioning Agent need a surrogate CA Top Secret ACID. This ACID must have administrative privileges to runs functions such as Create, Change, List, and Replace.
Note:
The executable code (IBM z/OS loadlibs) of the Reconciliation Agent and Provisioning Agent must be APF authorized. This can be achieved by a dynamic set command (T PROG=) or by placing the installation loadlib containing the Reconciliation Agent and Provisioning Agent in the IBM z/OS link list.The Provisioning Agent and Reconciliation agent use memory subpools to manage peak load conditions. The subpool (231), which is allocated below the 16M line, requires 200 KB of memory for storage of CA Top Secret events.
The Reconciliation Agent operates by using exit technology, within the IBM z/OS operating system environment. Command execution is captured by an exit, just before full completion of the native mainframe command. If the exit fails, then the command fails and returns an error message. Maintaining a specific password format is an example of the objective for which you use custom exits, such as the one used by the Reconciliation Agent. The Reconciliation Agent exit is engineered to be the last exit called in sequence. This allows existing exits to function normally.
Note:
The systems programmer must perform an IPL after a system component is changed or modified.To deploy the Reconciliation Agent and Provisioning Agent:
Extract the contents of the following file from the installation media to a temporary directory on any computer:
etc/Provisioning and Reconciliation Connector/Mainframe_TS.zip
The following JES2 XMIT files are included in the Mainframe_TS.zip file:
linklib.xmi: Executable library for all modules
parmlib.xmi: PROG member for dynamically authorizing IDF.LINKLIB
prclib.xmi: Contains all the STC (Started Task Procedures)
clistlib.xmi containing LDAP search Rexx clists
jcllib.xmi contains Product installation JCL
If TSSINSTX exit source code is required please contact Oracle Support
Log in to the TSO environment of the mainframe.
Perform the following steps either from the TSO Ready prompt or by using ISPF Option #6 using a TN3270 or TN3270E emulator:
Upload each XMI file to the mainframe.
Note:
Each file must be uploaded without any file conversion and in binary.
You can also use FTP to upload the files.
Run the RECEIVE INDA(UPLOADED_FILE_NAME) command for each file.
When prompted for dataset names, use the following information:
linklib.xmi: IDF.LINKLIB
parmlib.xmi: IDF.PARMLIB
prclib.xmi: IDF.PROCLIB
clistlib.xmi: IDF.CLISTLIB
jcllib.xmi: IDF.JCLLIB
Add IDF.LINKLIB to the link list member of SYS1.PARMLIB or the installation parmlib used for the z/OS IPL.
Review the IDF.JCLLIB members: CREATDSN,LOADDSN,IEBCOPYL,IEBCOPYP,IEBCPYPR , REXXCL and IDCAMSC.
Changing the MVS jobcard to meet installation standards. Review the dataset names and change to meet installation standards.
After reviewing the above JCLLIB members, submit the following members to MVS for execution, each one MUST end with a MVS condition code of 0000.
CREATDSN - Creates Pioneer and Voyager datasets.
LOADDSN - Loads INJCLR - jobstream for ALIAS support and loads RECONJCL.
IEBCOPYL - Copies TSSINSTX and IDFCACHE modules to the CA Top-Secret load library.
IEBCOPYP - Copies PROG01 to installation Parmlib.
IEBCPYPR - Copies Products procs to installation Procedure library.
After you upload the prclib.xmi and parmlib.xmi files, set the values of parameters in the files to match the settings of your target system installation. These parameters are related to the following z/OS libraries used by the connector:
Library = IDF.LINKLIB
This library contains executable modules for the Reconciliation Agent and Provisioning Agent and various utility programs required for their operation.
Library = IDF.PROCLIB
This library contains STC procedures for the Reconciliation Agent and Provisioning Agent. It contains the following members:
Pioneer: Provisioning Agent
Voyager: Reconciliation Agent
Startup: Procedure to create Subpool 231 to capture events for the Reconciliation Agent
Wrapup: Procedure to delete the Startup-created subpool
Library = IDF.PARMLIB
This library contains the PROG01 member, which is the dynamic APF authorization member for IDF.LINKLIB.
The following are parameters of Pioneer:
TCPN: Enter the name of the TCP STC on the mainframe.
IPAD: Ensure that the value is always 0.0.0.0.
PORT: Ensure that the incoming connection port for the Provisioning Agent matches the value of the _port_ property in the TOPS.properties file and the port property in the beans.xml file. Both files are components of the LDAP Gateway. The gateway uses this port to connect to the mainframe and send provisioning data to the Provisioning Agent. See Section 2.9, "Installing and Configuring the LDAP Gateway" for information about these files. The default port is 5790.
DEBUG: Enter Y as the value if you want diagnostic information to be displayed when Pioneer is started. Otherwise, enter N.
The other parameters required for Pioneer Operation are contained in a Control or parameter file pointed to in the STC by the "DD" (data definition) stmt PARMFLE. This file is a QSAM file and can be either a RECFM=F , LRECL=80 format or RECFM=FB,LRECL=80,BLKSIZE=xxxxx, where xxxxx is the optimal blksize for this file determined by the System Programmer.
The following lines are from the STC (Started Task Procedure):
Note:
The BATJINFO, VSAMGETO, and VSAMGETU data definition (DD) statements are not required on CA Top Secret installations and can be commented out, as shown in this block of code, or removed.
//PIONEERX EXEC PGM=PIONEERX,REGION=0M,TIME=1440,
// PARM=('TCPN=TCPIP',
// 'IPAD=&SERVER',
// 'PORT=&PORT'
// 'DEBUG=Y',
//STEPLIB DD DISP=SHR,DSN=IDF.LINKLIB
// DD DISP=SHR,DSN=TCPIP.SEZATCP
//* BATJINFO DD DISP=SHR,DSN=hlq.BATJCARD
//* VSAMGETU DD DISP=SHR ,DSN=hlq.SWUSERS
//* VSAMGETO DD DISP=SHR,DSN=hlq.TOPSCOUT
//JCLOUTP DD SYSOUT=*
//PARMFLE DD DISP=SHR,hlq.CONTROL.FILE
//INJCLR DD DISP=SHR,PIONEER.INJCL.LIBRARY
//LISTINR DD DISP=SHR,DSN=hlq.ALIAS.LSTOUT,
// DCB=(RECFM=VB,LRECL=137)
//RECONJCL DD DISP=SHR,DSN.hlq.RECON.LIBRARY
//RECONOUT DD DISP=SHR,DSN=hlq.RECON.FILE
//SYSPUNCH DD SYSOUT=(*,INTRDR)
//SYSPRINT DD SYSOUT=X
//DEBUGOUT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=X
//
Note:
In the code,hlq stands for installation high-level qualifier. The value of the IPAD parameter must always be 0.0.0.0.Sample control file without post-processing:
* comment ESIZE=16 LPAR=xxxxxxxxxxxxxxx JWAIT=010 RWAIT=050 POST_PROCESS_ALIAS=F DEBUGOUT=SYSOUT,CLASS(X) IDLEMSG=N SPIN_CLASS=K QUEUE_DSN=PIONEER.QUEUE
Sample control file with post-processing:
* comment ESIZE=16 LPAR=xxxxxxxxxxxxxxx JWAIT=010 RWAIT=050 POST_PROCESS_ALIAS=F DEBUGOUT=SYSOUT,CLASS(X) IDLEMSG=N SPIN_CLASS=K QUEUE_DSN=PIONEER.QUEUE C=CREATE,M=membername,L=Libraryname C=ADDTO,M=membername,L=Libraryname C=REMOVE,M=membername,L=Libraryname
Pioneer Control File Parameter (DD:PARMFLE) Explanations
Table 3-1 describes parameters of Pioneer control file:
Table 3-1 Pioneer Control File Parameters
| Parameter | Description |
|---|---|
|
* |
Comment |
|
ESIZE= |
16 - must be 16, this value is AES128 encryption. |
|
LPAR= |
20 byte identifier |
|
JWAIT= |
Value of 001-099 in seconds. This is the time Pioneer will wait for a batch job to complete, in particular the ALIAS job submission. Sample value: 030 |
|
RWAIT= |
Value of 001-099 in seconds. This is the time Pioneer will wait for the batch job to wait, Searchall type submissions from the LDAP. Sample value: 060 |
|
POST_PROCESS_ALIAS= |
T or F (True or False). Enter "T" to process LDAP submitted ALIAS. Sample value: T |
|
DEBUGOUT= |
FILE or SYSOUT=CLASS(X), If you specify "FILE" then the File Lrecl,Blksize and size are fixed in this release. If you specify "SYSOUT,CLASS(x)", then class can be any valid JES2 or JES3 class. Either FILE or SYSOUT are valid when DEBUG=Y only. Sample value: DEBUG=Y |
|
IDLEMSG= |
The idle message for Pioneer. Enter "Y" for Pioneer to display an IDLE message every 60 minutes. Sample value: Y |
|
SPIN_CLASS= |
Spin class of JES2 output when the Operator turns off DEBUGGING. |
|
QUEUE_DSN= |
Pioneer and Batch Enqueue/Dequeue mechanism for all Searches submitted via LDAP. The name can be up to 44 characters long and is passed to the clists. |
*** Post-Processing Parameters ***
C=CREATE,M=TESTA,L=TEST.TESTA
C=ADDTO,M=TESTB,L=TEST.TESTB
C=REMOVE,M=TESTC,L=TEST.TESTC
By default the Post-Processing will submit member(M=) from PDS library(L=) for every CREATE,ADDTO,REMOVE done on TSS. The Post-Processing will take place for every command issued from the LDAP to the Pioneer. The L= and M= will be dynamically allocated opened and read and punched to the INTRDR. If no post-processing is required do not code the C= for the TSS cmd.
For example:
C=CREATE ……
C=ADDTO ….
Pioneer will Post-Process the TSS commands received from the LDAP for CREATE and ADDTO. IF no C=commands are found in the control file then no post-processing will occur. By default the following parameter is passed to a ONLY a clist:
CREATE - ACID
ADDTO - ACID
REMOVE - ACID
The Rexx clist should have the following line to accept the parameters:
/* rexx sample clist */
Arg p1 p2 p3
This is only support Rexx clist batch JCL stream format, the clist shown is a Recon clist that is shipped with the Product:
//REXXCLST JOB SYSTEMS,MSGLEVEL=(1,1),MSGCLASS=X,CLASS=A,PRTY=8, // NOTIFY=&SYSUID,REGION=0K //STEP0 EXEC PGM=IKJEFT01,DYNAMNBR=50 //SYSTSPRT DD SYSOUT=* //SYSPRINT DD SYSOUT=* //SYSUDUMP DD SYSOUT=* //FILEOUT DD DISP=SHR,DSN=PIONEER.ORACLE.RECON.FILE //SYSPROC DD DISP=SHR,DSN=PIONEER.CLIST.LIBRARY //SYSTERM DD DUMMY //SYSTSIN DD *
Pioneer will add:
%clistname P1 P2
/*
Note:
When Pioneer submits a batch process (primarily searches) from the LDAP, the submitted batch JCL/Rexx builds a "lock file" which is a enqueue/dequeue mechanism. While the batch JCL/rexx is executing this small 1 track file is empty and at the same time Pioneer is examining the file, if the file is empty Pioneer waits. Once the Batch/JCL is finished, it creates a record in the file, indicating it has finished. When Pioneer finds this "finished record", it continues execution and sends the output back to the LDAP. The dataset name "CLIST.DONE.FILE" cannot be changed in this release (9.0.4.14). Where clistname is the "M=" of the control file. The output of the clist will not route back to the LDAP.The following is the Voyager STC (Started Task procedure):
//VOYAGER PROC //STEP1 EXEC PGM=VOYAGERX,REGION=0M,TIME=1440 //PARMFLE DD DSN=VOYAGER.CONTROL.FILE,DISP=SHR //CACHESAV DD DSN=VOYAGER.CACHESAV,DISP=SHR //DEBUGOUT DD SYSOUT=* //PARMOUT DD SYSOUT=* //SYSPRINT DD SYSOUT=* //SYSUDUMP DD SYSOUT=* //SYSMDUMP DD SYSOUT=*
Sample Voyager Control file:
* comment this is comment IPAD=100.100.100.100 LDAP address PORT=5190 LDAP listening port DEBUG=Y DEBUGGING is on ESIZE=16 AES128 encryption DELAY=10 Write delay to LDAP STARTDELAY=10 Open delay of socket for Voyager PRTNCODE=SHUTRC VOYAGER_ID=TESTVOY1 Voyager identifier
Voyager Control File Parameter (Configuring DD: PARMFLE) Explanations
Table 3-2 describes parameters of Voyager control file:
Table 3-2 Voyager Control FIle Parameters
| Parameter | Description |
|---|---|
|
* |
Comment |
|
TCPN= |
The Name of the TCPIP STC where Voyager is executing. |
|
IPAD= |
The IP address or hostname of the ldap gateway. Sample values: IPAD=192.168.1.102 or IPAD=myhost.work.com |
|
DEBUG= |
Turn on debugging, outputs to "DEBUGOUT" DD in Voyager. Sample value: Y |
|
ESIZE= |
16 - must be 16, this value is AES128 encryption. |
|
DELAY= |
Value of 01-99 seconds, delay of the write socket to the LDAP, the higher the value the longer Reconciliation messages will take to arrive at the LDAP. Sample value: 50 |
|
STARTDELAY= |
Value from 01-99, how long Voyager is to delay prior to opening its connection to the LDAP. Sample value: 90 |
|
PRTNCODE= |
PRTNCODE=TERMRC that shows an MVC condition code of 00 (signifying successful completion) after Voyager shuts down. PRTNCODE=SHUTRC that shows all MVS condition codes on Voyager shutdown. |
|
VOYAGER= |
VOYAGER_ID=xxxxxxxx, is an 8 character unique identifier that will be passed to the LDAP each time a Reconciliation event occurs. If 8 LPARS, for example, are sharing 1 Top-Secret Database, all 8 LPARS must have the same VOYAGER_ID. |
The operator interface for Voyager and Pioneer, Polloper has been enhanced. Table 3-3 lists the commands that are supported via the standard modify (F) interface:
Table 3-3 Pioneer and Voyager Operator Commands
| Command | Description |
|---|---|
|
F VOYAGER,SHUTDOWN |
Shuts down Voyager |
|
F VOYAGER,DEBUG=N |
Turns off DEBUG |
|
F VOYAGER,DEBUG=Y |
Turns on DEBUG |
|
F VOYAGER,STATUS |
Voyager Status |
|
F PIONEER,STATUS |
Pioneer Status |
|
F PIONEER,DEBUG=Y |
Turns DEBUG on |
|
F PIONEER,DEBUG=N |
Turns DEBUG off |
|
F PIONEER,RWAIT=999 |
Modify the RWAIT Value used for batch recon. |
|
F PIONEER,JWAIT=999 |
Modify the JWAIT Value used for batch Alias functions. |
Note:
For JWAIT=999 and RWAIT=999, the 999 is a value in seconds.Because the exit modules are in the z/OS Load Library, an IPL may or may not be required to complete installation or integration of the Reconciliation Agent exit. This depends on whether the z/OS Load Library is added to the link list, which is a z/OS storage area defined when an IPL is performed. To allow the LDAP Gateway to fully capture events, the Reconciliation Agent and its exit must be installed on each LPAR that shares the authentication repository.
The following are guidelines on using the Reconciliation Agent exit:
The Reconciliation Agent is installed in a z/OS Load Library for execution.
The exit (TSSINSTX) must be accessible by the operating system after the IPL is started.
The exit can be in the link list or steplib'ed to the STC (Reconciliation Agent).
The exit must be active and the subpool that contains TSS events must be active. If the exit is not active or if the subpool is not activated (by executing Startup), then CA Top Secret events are not captured and sent to the LDAP Gateway.
In a single-LPAR environment, the Reconciliation Agent is required for real-time reconciliation event capture and the Provisioning Agent is required for provisioning.
In a multiple-LPAR environment where the CA Top Secret database is shared, a master LPAR runs the Reconciliation Agent and Provisioning Agent. In addition, TSSINSTX must be installed and the subpool must be active.
All CA Top Secret events from other LPARs are sent through the CPF to the master.
If the CPF is not installed, then events are not captured and the Reconciliation Agent and Provisioning Agent are required on each LPAR.
Note:
After modifying exits within an LPAR, an initial program load (IPL) of the LPAR may be required.The procedure that you must perform depends on whether or not other exits have already been installed:
See Section 3.7.1, "Installing the Reconciliation Agent Exit" if there are no other exits installed on the mainframe.
See Section 3.7.2, "Integrating the Reconciliation Agent Exit" if there are other exits installed on the mainframe.
Note:
Perform the procedure described in this section only if there are no other exits installed on the mainframe. See Section 3.7.2, "Integrating the Reconciliation Agent Exit" if there are other exits installed on the mainframe.To install the Reconciliation Agent exit:
Copy the exit from IDF.LINKLIB to a user-defined CA loadlib, which is in the link list for the LPAR.
Add the user-defined CA loadlib to the SYS1.PARMLIB member PROG=.
Perform an IPL on IBM z/OS.
To activate the exit code, perform any one of the following steps:
Run the following command from the IBM z/OS operator's console:
F TSS,EXIT(ON)
Modify the parmlib member (for example, TSSPARM0) of CA Top Secret by changing EXIT(OFF) to EXIT(ON). After you change the parameter, run the P TSS z/OS command and then run the S TSS command.
Note:
There is only one exit within a CA Top Secret environment. Typically, a production deployment has its own custom changes already written into the exit. The exit supplied with the connector differs from the CA Top Secret supplied exit with the addition of three calls to external programs.To deactivate the exit, run the following command:
F TSS,EXIT(OFF)
Note:
Perform the procedure described in this section only if there are other exits installed on the mainframe. See Section 3.7.1, "Installing the Reconciliation Agent Exit" if there are no other exits installed on the mainframe.If one or more third-party modules have been installed with the CA Top Secret (TSSINSTX) exit, then integration is required. This integration can be accomplished through code modification of either the Reconciliation Agent exit or the third-party exit.
This section discusses the following topics:
Section 3.7.2.1, "Working with the Reconciliation Agent Exit Source"
Section 3.7.2.2, "Integrating the Reconciliation Agent Exit with Other Exits"
The Reconciliation Agent exit can be modified in a number of different ways to integrate it with existing Top-Secret exits. To facilitate this alteration, the source for the exit is provided in the maclib.xmi file.
Note:
This procedure should be undertaken only by experienced mainframe programmers. The exit runs in IBM z/OS supervisor mode, and appropriate precautions should be taken before modifying the exit.To work with the exit source:
Upload the maclib.xmi file in binary format to the mainframe using Option #6 on TSO.
After the upload is completed, run the following TSO command:
RECEIVE da('filename upload')
When prompted, specify the dataset name IDF.MACLIB.CNTL.
The maclib.xmi file contains TSSINSTX, which is the source and macros for the standard exit. These are used for assembly and linkedit of the installable binary. You must customize the TSSINSTX DD SYSLIB as follows:
// SYSLIB DD DISP=SHR,DSN=SYS1.MACLIB // DD DISP=SHR,DSN=SYS1.MODGEN // DD DISP=SHR,DSN=SYS1.AMODGEN // DD DISP=SHR,DSN=CAI.TSSOPMAT // DD DISP=SHR,DSN=IDF.MACLIB.CNTL
The SYS1 libraries are IBM z/OS libraries, and the CAI is the CA Top Secret maclib containing the exit macros. The IDF.MACLIB.CNTL is created by the RECEIVE command and contains the copybooks required for assembly.
Change the following Assemble and Linkedit parameter:
//AL PROC LMOD='IDF.LINKLIB',
This parameter in the predefined IBM z/OS procedure uses an LMOD parameter, which is the name of the loadlib for the destination of the exit module. During installation, you assemble and linkedit to this library, and then (optionally) APF authorize the library. Typically, the library resides in the link list. If this is true for your operating environment, then APF authorization is not required.
Note:
Modifications similar to the ones performed on the Reconciliation Agent exit can be performed on the third-party exit. However, the exact procedure depends on the content of the third-party exit.Only one module is called as the CA Top Secret exit (TSSINSTX). All other exits must either be integrated into a single unified TSSINSTX or renamed so that the modules do not conflict.
Integration of the Reconciliation Agent exit can be accomplished in one of the following ways:
Section 3.7.2.2.1, "Using the Reconciliation Agent Exit As First Executed with Another Exit"
Section 3.7.2.2.2, "Using the Reconciliation Agent Exit As Last Executed with Another Exit"
Note:
It is recommended that the Reconciliation Agent exit be called last, or be the only exit. This is because other exits might modify data. If this occurs after the Reconciliation Agent exit has been called, then the Oracle Identity Manager data repository is not completely synchronized with the CA Top Secret repository.Section 3.7.2.2.3, "Using the Reconciliation Agent Exit as the One Executed Between Other Exits"
Note:
Because the modification to the Reconciliation Agent exit code is in the exit section, the other exit code will be called after execution of the Reconciliation Agent exit code.To integrate the Reconciliation Agent exit as the first executed with another exit:
Deactivate the currently installed TSSINSTX by running the following command:
F TSS,EXIT(OFF)
Rename the installed TSSINSTX as TSSEXIT in the appropriate load library.
Modify the Reconciliation Agent exit as follows:
Insert the following instructions immediately after the exit label:
EXIT DS 0H LA R1,R9 Copy parmlist ptr to Reg1(R1) LR R11,R13 Save TSS's savearea PTR LA R13,WORKAREA L R15,=V(TSSEXIT) Load Reg15 with address of TSSEXIT BALR R14,R15 LTR R15,R15 LM R0,R14,0(R13) BR R14 End
Save the modified exit in the installation TSS Product library.
Customize and run the JCL provided in IDF.JCLLIB member ASMINSTX.
This will assemble and linkedit the customized TSSINSTX exit.
Verify that TSSINSTX is assembled with an MVS condition code of 0000.
If the TSS product library is in the link list, refresh it by running the following command:
F LLA,REFRESH
After the refresh is completed, activate the new exit by running the following command:
F TSS,EXIT(ON)
Note:
Because the modification to the Reconciliation Agent exit code is performed in the PREINIT section, the other exit code will be called before execution of the Reconciliation Agent exit code.To integrate the Reconciliation Agent exit as the last executed with another exit:
Deactivate the currently installed TSSINSTX by running the following command:
F TSS,EXIT(OFF)
Rename the installed TSSINSTX as TSSEXIT in the appropriate load library.
Modify the Reconciliation Agent exit as follows:
Change the ##MATRIX byte for PREINIT to a value of #####YES.
Insert the following instructions immediately after the PREINIT label:
LA R1,R9 Copy parmlist ptr to Reg1(R1) LR R11,R13 Save TSS's savearea PTR LA R13,WORKAREA L R15,=V(TSSEXIT) Load Reg15 with address of TSSEXIT BALR R14,R15 B PASSPASS Branch to continue
Save the modified exit into the installation TSS Product library.
Customize and run the JCL provided in the IDF.JCLLIB member ASMINSTX.
This will assemble and linkedit the customized TSSINSTX exit.
Verify that the TSSINSTX exit is assembled with an MVS condition code of 0000.
If the TSS product library is in the link list, refresh it by running the following command:
F LLA,REFRESH
After the refresh is completed, activate the new exit by running the following command:
F TSS,EXIT(ON)
By combining the changes described for the first executed and last executed exits, you can configure the Reconciliation Agent exit to be called in the middle of the execution stack.
The Reconciliation Agent and Provisioning Agent require a CA Top Secret ACID to which the permissions required for connector operations are applied. The following is an example of the commands to be run:
Note:
In these sample steps,VOYAGER and PIONEER are ACIDs. This ID must be an administrator ID and with the permissions required to perform operations such as Create, Add, Addto, Replaces, and Changes. The following definitions are only an example in a test type environment. The installation may have more or less restrictions depending on the overall security policy of the installation.For the Reconciliation Agent:
CREATE(VOYAGER) TYPE(USER) NAME('VOYAGER ACID') PASSWORD(NOPW,0) FAC(STC)
ADD(VOYAGER) GROUP(OMVSGRP)
ADD(VOYAGER) DFLTGRP(OMVSGRP)
ADD(VOYAGER) GID(1)
For the Provisioning Agent:
Note:
Pioneer, the Provisioning Agent, is a TYPE(SCA) CA Top Secret full function Admin ID.CREATE(PIONEER) TYPE(SCA) NAME('PIONVGR') PASSWORD(NOPW) FACILITY(BATCH,STC)
ADD(PIONEER) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) HOME(/) OMVSPGM(/BIN/SH)
ADDTO(STC) PROCNAME(PIONEER) ACID(PIONEER)
PERMIT(PIONEER) IBMFAC(BPX.*) ACCESS(READ)
PERMIT(PIONEER) IBMFAC(IRR.RADMIN.*) ACCESS(READ)
ADMIN(PIONEER) DATA(ALL)
ADMIN(PIONEER) ACID(ALL)
ADMIN(PIONEER) MISC2(ALL)
ADMIN(PIONEER) MISC8(ALL)
ADMIN(PIONEER) MISC9(ALL)
ADMIN(PIONEER) FAC(ALL)
Startup Process for Voyager Agent
Apply the following guidelines while working with the Voyager Agent:
The subpool (proc=startup)) must be started before starting the Voyager Agent. The subpool is used as an in-memory storage for message creation.
Because you are using TCP/IP, the LDAP Gateway must be started first. If the Voyager Agent is started first, then it will throw an error with RETCODE=-01 and ERRORNO=61 because the LDAP Gateway will not be available.
To start the Voyager Agent:
Start the startup task by executing a S STARTUP from the console to create the subpool 231 area for message arriving via the exits or by adding the STC procedure for STARTUP inside a Job Scheduler.
The following steps needs to be performed only once, unless WRAPUP is run.
After STARTUP ends, start the Voyager Agent by running S VOYAGER from the console or inside a Job Scheduler.
To quiesce VOYAGER while leaving the subpool intact, stop VOYAGER by running F VOYAGER,SHUTDOWN from the console. To quiesce Voyager Agent and destroy the subpool, start WRAPUP by running S WRAPUP from the console. Use of WRAPUP will cause any messages stored in the subpool to be lost.
Note:
Events detected by the Voyager Agent through exit technology are transformed into messages and passed to the LDAP Gateway.
If the TCP/IP message transport layer is used, then the messages are securely sent to the LDAP Gateway. If the LDAP Gateway is not running, then messages are held until the Gateway is returned to service and also secured in an AES-encrypted file on the mainframe. The messages are sent when the Gateway resumes running.
If the subpool is stopped by an administrator, it shuts down the Pioneer Agent, thereby destroying any messages that are not transmitted. However, the messages in the secured AES-encrypted file are not affected and can be recovered.
The STARTUP procedure or proc creates the subpool using z/OS's subpool 231. The size of the subpool is dependent on two conditions:
Amount of real-time reconciliation messages or events.
What is coded on the PARM= on the STARTUP procedure.
The values are 200k to 1000k. The cache or subpool created is transient and used for a very short duration. The subpool is create using standard z/OS STORAGE OBTAIN macros. The amount of storage is allocated in the ECSA. If the exit is active and the subpool has not been created, then messages destined for the subpool will fail. To ensure the subpool is processed, Voyager must be connected to the LDAP. If it is not then messages will stack up in the subpool, if the LDAP is down for a long period of time then, it is recommended to shutdown normally. This will offload the messages to the dataset CACHESAV.
To remove the TSSINSTX exit, run the following command from the IBM z/OS operator's console:
F TSS,EXIT(OFF)
|
 Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|