Sun Identity Manager 8.1 Resources Reference

Chapter 5 ACF2

The ACF2 resource adapter supports management of user accounts and memberships on an OS/390 mainframe. The adapter manages ACF2 over a TN3270 emulator session.

Adapter Details

The ACF2 resource adapter is defined in the com.waveset.adapter.ACF2ResourceAdapter class.

Resource Configuration Notes

None

Identity Manager Installation Notes

The ACF2 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

Procedure: Installing the ACF2 Resource Adapter

  1. To add the ACF2 resource to the Identity Manager resources list, add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.ACF2ResourceAdapter
  2. Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation.

     The JAR files required depend on the connection manager:

     Host On Demand: The IBM Host Access Class Library (HACL) manages connections to the mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, V9.0, and V10.

     If the toolkit installation is not available, the HOD installation contains the following JAR files, which can be used in place of habeans.jar:

     • habase.jar

     • hacp.jar

     • ha3270.jar

     • hassl.jar

     • hodbase.jar

     See http://www.ibm.com/software/webservers/hostondemand/ for more information.

     Attachmate WRQ: The Attachmate 3270 Mainframe Adapter for Sun product contains the files needed to manage connections to the mainframe:

     • RWebSDK.jar

     • wrqtls12.jar

     • profile.jaw

     Contact Sun Professional Services about getting this product.

  3. Add the following definitions to the Waveset.properties file to define which service manages the terminal session:

     serverSettings.serverId.mainframeSessionType=Value
     serverSettings.default.mainframeSessionType=Value

     Value can be set as follows:

     • 1 indicates IBM Host On-Demand (HOD)

     • 3 indicates Attachmate WRQ

     If these properties are not explicitly set, Identity Manager attempts to use WRQ first, then HOD.

  4. When the Attachmate libraries are installed into a WebSphere or WebLogic application server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.

    This allows the Attachmate code to find the licensing file.

  5. Restart your application server so that the modifications to the Waveset.properties file can take effect.

  6. See Chapter 53, Mainframe Connectivity for information about configuring SSL connections to the resource.

Usage Notes

This section lists dependencies and limitations related to using the ACF2 resource adapter.

Administrators

TSO sessions do not allow multiple concurrent connections. To achieve concurrency for Identity Manager ACF2 operations, you must create multiple administrators: with two administrators, two ACF2 operations can run at the same time. Create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).


Note –

Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.

If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
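As an added example (not part of the Identity Manager documentation), the following script checks a set of host resource definitions against the administrator rules above: enough administrators for concurrency, one distinct TSO administrator per cluster server, and no administrator shared by two resources that manage the same host (the gap described in the note). The resource and admin-row structures and the sample data are constructed for illustration and are not the adapter's own configuration format.

```python
# Added example: configuration check for ACF2 affinity administrators.
# Structures and sample data are constructed; they are not Identity Manager's own format.
from collections import defaultdict
from typing import List, NamedTuple


class AdminRow(NamedTuple):
    admin: str    # ACF2 administrator logonid used for the TN3270/TSO session
    server: str   # Identity Manager server this row is bound to


class HostResource(NamedTuple):
    name: str
    host: str              # mainframe the resource connects to
    admins: List[AdminRow]


def check_resource(res: HostResource, cluster: List[str]) -> List[str]:
    """Per-resource checks: enough admins for concurrency, an admin row for every
    cluster server, and no TSO admin reused across servers."""
    issues = []
    if len(res.admins) < 2:
        issues.append(f"{res.name}: only {len(res.admins)} admin row(s); at least 2 "
                      f"(preferably 3) are needed for concurrent operations")
    if len(cluster) > 1:
        servers_with_rows = {row.server for row in res.admins}
        for srv in cluster:
            if srv not in servers_with_rows:
                issues.append(f"{res.name}: no admin row for cluster server {srv}")
        seen = {}  # admin -> first server it was bound to
        for row in res.admins:
            if row.admin in seen and seen[row.admin] != row.server:
                issues.append(f"{res.name}: TSO admin {row.admin} reused on servers "
                              f"{seen[row.admin]} and {row.server}")
            seen.setdefault(row.admin, row.server)
    return issues


def check_shared_admins(resources: List[HostResource]) -> List[str]:
    """Cross-resource check from the note: the per-admin connection limit is enforced
    within each host resource only, so one admin used by two resources for the same
    host can be driven into two simultaneous TSO sessions."""
    users = defaultdict(set)   # (host, admin) -> resources that use it
    for res in resources:
        for row in res.admins:
            users[(res.host, row.admin)].add(res.name)
    return [f"admin {admin} on host {host} is shared by resources {', '.join(sorted(names))}"
            for (host, admin), names in sorted(users.items()) if len(names) > 1]


def check_all(resources: List[HostResource], cluster: List[str]) -> List[str]:
    out = []
    for res in resources:
        out += check_resource(res, cluster)
    return out + check_shared_admins(resources)


# Constructed sample: a two-node cluster with two ACF2 resources pointing at the same host.
CLUSTER = ["idm-a", "idm-b"]
RESOURCES = [
    HostResource("ACF2-HR", "mvs1", [AdminRow("IDMADM1", "idm-a"), AdminRow("IDMADM2", "idm-b"),
                                     AdminRow("IDMADM3", "idm-a")]),
    HostResource("ACF2-FIN", "mvs1", [AdminRow("IDMADM1", "idm-a")]),
]

if __name__ == "__main__":
    print("\n".join(check_all(RESOURCES, CLUSTER)))
```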


Resource Actions

The ACF2 adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.

See Mainframe Examples for more information about creating login and logoff resource actions.

SSL Configuration

Identity Manager uses TN3270 connections to communicate with the resource.

See Chapter 53, Mainframe Connectivity for information about setting up an SSL connection to an ACF2 resource.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses TN3270 connections to communicate with ACF2.

Required Administrative Privileges

The administrators that connect to ACF2 must be assigned sufficient privileges to create and manage ACF2 users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature | Supported?
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | No
Before/after actions | Yes
Data loading methods | Import directly from resource; Reconciliation

Account Attributes

The following table provides information about ACF2 account attributes.

Resource User Attribute | Data Type | Description
NAME | String | The user name displayed on logging and security violation reports
PHONE | String | The user's telephone number
ACCESS.ACC-CNT | String | The number of system accesses made by this logonid since it was created
ACCESS.ACC-DATE | String | The date of this user's last system access
ACCESS.ACC-SRCE | String | The logical or physical input source name or source group name where this logonid last accessed the system
ACCESS.ACC-TIME | String | The time of this user's last system access
CANCEL/SUSPEND.CANCEL | Boolean | The logonid is canceled and denied access to the system
CANCEL/SUSPEND.CSDATE | String | The date when the CANCEL or SUSPEND field was set
CANCEL/SUSPEND.CSWHO | String | The logonid that set the CANCEL, SUSPEND, or MONITOR field
CANCEL/SUSPEND.MON-LOG | Boolean | ACF2 writes an SMF record each time this user enters the system
CANCEL/SUSPEND.MONITOR | Boolean | CA-ACF2 sends a message to the security console and to a designated person (CSWHO) each time this user enters the system
CANCEL/SUSPEND.SUSPEND | Boolean | The logonid is suspended and denied access to the system
CANCEL/SUSPEND.TRACE | Boolean | All data references by this user are traced and logged
CICS.ACF2CICS | Boolean | Indicates that CA-ACF2 CICS security is to be initialized in any CICS/ESA 4.1 or later region running with this address space logonid
CICS.CICSCL | String | CICS operator class
CICS.CICSID | String | CICS operator ID
CICS.CICSKEY | String | The first three bytes of transaction security key values to support CICS Release 1.6 and later
CICS.CICSKEYX | String | The last five bytes of transaction security key values to support CICS Release 1.6 and later
CICS.CICSPRI | String | CICS operator priority
CICS.CICSRSL | String | CICS resource access key
CICS.IDLE | String | The maximum number of minutes permitted between terminal transactions for this user
IMS.MUSDLID | String | The default logonid for a MUSASS address space
IDMS.IDMSPROF | String | The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS
IDMS.IDMSPRVS | String | The version of the sign-on profile CLIST executed when the user signs on to CA-IDMS
MUSASS.MUSID | String | Groups IMS records in the Infostorage database to ensure that IMS records are associated with the proper control region
MUSASS.MUSIDINF | Boolean | The MUSID field should be used to restrict access to a MUSASS region for CA-ACF2 Info type system entry calls
MUSASS.MUSOPT | String | The name of the CA-ACF2 CA-IDMS options module that controls the CA-IDMS address space
MUSASS.MUSPGM | String | The name of the CA-IDMS start-up program
MUSASS.MUSUPDT | Boolean | Allows the user to update the CA-ACF2 databases
PRIVILEGES.ACCOUNT | Boolean | The user can insert, delete, and change logonids, as limited by a scope
PRIVILEGES.ACTIVE | String | The logonid is automatically activated one minute after midnight on the date contained in this field
PRIVILEGES.AUDIT | Boolean | With this privilege, a user can inspect, but not modify, the parameters of the CA-ACF2 system
PRIVILEGES.AUTODUMP | Boolean | Dump created when a data set or resource violation occurs
PRIVILEGES.AUTONOPW | Boolean | This virtual machine can be autologged without specifying a password
PRIVILEGES.BDT | Boolean | This logonid's address space belongs to the Bulk Data Transfer (BDT) product
PRIVILEGES.CICS | Boolean | The logonid has the authority to sign on to CICS
PRIVILEGES.CMD-PROP | Boolean | This indicates that the user can override the global CPF target list by using the SET TARGET command or the TARGET parameter
PRIVILEGES.CONSULT | Boolean | The user can display other logonids
PRIVILEGES.DUMPAUTH | Boolean | This user can generate a dump even when the address space is in an execute-only or path control environment
PRIVILEGES.EXPIRE | String | The date when temporary logonids expire
PRIVILEGES.IDMS | Boolean | The logonid has the authority to sign on to CA-IDMS
PRIVILEGES.JOB | Boolean | The user can enter batch and background Terminal Monitor Program (TMP) jobs
PRIVILEGES.JOBFROM | Boolean | The user can use the //*JOBFROM control statement
PRIVILEGES.LEADER | Boolean | The user can display and alter certain fields of other logonids for other users
PRIVILEGES.LOGSHIFT | Boolean | A user can access the system outside the time period specified in the SHIFT field of the logonid record
PRIVILEGES.MAINT | Boolean | A user can use a specified program executed from a specified library to access resources without logging or validation
PRIVILEGES.MUSASS | Boolean | This logonid is a multiple user single address space system (MUSASS)
PRIVILEGES.NO-INH | Boolean | A network job cannot inherit this logonid from its submitter
PRIVILEGES.NO-SMC | Boolean | Step-must-complete (SMC) controls are bypassed; a job is considered noncancelable for the duration of the sensitive VSAM update operation
PRIVILEGES.NO-STORE | Boolean | This user is unauthorized to store or delete rule sets
PRIVILEGES.NON-CNCL | Boolean | A user can access all data, even if a rule prohibits this access
PRIVILEGES.PGM | String | The specified APF-authorized program to submit jobs for this logonid
PRIVILEGES.PPGM | Boolean | The user can execute those protected programs specified in the GSO PPGM record
PRIVILEGES.PRIV-CTL | Boolean | Checks privilege control resource rules when the user accesses the system to see what additional privileges and authorities the user has
PRIVILEGES.PROGRAM | String | The specified APF-authorized program to submit jobs for this logonid
PRIVILEGES.READALL | Boolean | The logonid has only read access to all data at the site
PRIVILEGES.REFRESH | Boolean | This user is authorized to issue the F ACF2,REFRESH operator command from the operator's console
PRIVILEGES.RESTRICT | Boolean | This restricted logonid is for production use and does not require a password for user verification
PRIVILEGES.RSRCVLD | Boolean | Specifies that a resource rule must authorize any accesses that a user makes
PRIVILEGES.RULEVLD | Boolean | An access rule must exist for all data this user accesses
PRIVILEGES.SCPLIST | String | The infostorage scope record that restricts accesses for this privileged user
PRIVILEGES.SECURITY | Boolean | This user is a security administrator who, within the limits of his scope, can create, maintain, and delete access rules, resource rules, and infostorage records
PRIVILEGES.STC | Boolean | Only started tasks use this logonid
PRIVILEGES.SUBAUTH | Boolean | Only an APF-authorized program can submit jobs specifying this logonid
PRIVILEGES.SYNCNODE | String | The node where the synchronized logonid for this logonid is found in the Logonid database
PRIVILEGES.TAPE-BLP | Boolean | This user can use full bypass label processing (BLP) when accessing tape data sets
PRIVILEGES.TAPE-LBL | Boolean | This user has limited BLP when accessing tape data sets
PRIVILEGES.TSO | Boolean | This user is authorized to sign on to TSO
PRIVILEGES.VAX | Boolean | This logonid has associated VAX (UAF) infostorage records
PRIVILEGES.VLDRSTCT | Boolean | Turning on this field for a RESTRICT logonid indicates that PROGRAM and SUBAUTH are to be validated even when the logonid is inherited
PASSWORD.MAXDAYS | String | The maximum number of days permitted between password changes before the password expires. If the value is zero, no limit is enforced.
PASSWORD.MINDAYS | String | The minimum number of days that must elapse before the user can change the password
PASSWORD.PSWD-DAT | String | The date of the last invalid password attempt
PASSWORD.PSWD-EXP | Boolean | The user's password was manually expired (forced to expire)
PASSWORD.PSWD-INV | String | The number of password violations that occurred since the last successful logon
PASSWORD.PSWD-SRCE | String | The logical or physical input source name or source group name where the last invalid password for this logonid was received
PASSWORD.PSWD-TIM | String | The time when the last invalid password for this logonid was received
PASSWORD.PSWD-TOD | String | The date and time the password was last changed
PASSWORD.PSWD-VIO | String | The number of password violations occurring on PSWD-DAT
PASSWORD.PSWD-XTR | Boolean | The password for this logonid is halfway-encrypted and can be extracted by an APF-authorized program
RESTRICTIONS.AUTHSUP1 through AUTHSUP8 | Boolean | These fields can activate extended user authentication (EUA) for each designated system user
RESTRICTIONS.GROUP | String | The group or project name associated with this user
RESTRICTIONS.PREFIX | String | The high-level index of the data sets that this user owns and can access
RESTRICTIONS.SHIFT | String | The shift record that defines when a user is permitted to log on to the system
RESTRICTIONS.SOURCE | String | The logical or physical input source name or source group name where this logonid must access the system
RESTRICTIONS.VMACCT | String | A logonid field that holds the default account number for a virtual machine
RESTRICTIONS.VMIDLEMN | String | The number of minutes that this user can be idle on the system before idle terminal processing begins
RESTRICTIONS.VMIDLEOP | String | The type of idle terminal processing to perform when the user exceeds the idle time limit
RESTRICTIONS.ZONE | String | The name of the Infostorage Database zone record defining the time zone where this logonid normally accesses the system (that is, the user's local time zone)
STATISTICS.SEC-VIO | String | The total number of security violations for this user
STATISTICS.UPD-TOD | String | The date and time that this logonid record was last updated
TSO.ACCTPRIV | Boolean | Indicates whether the user has TSO accounting privileges
TSO.ALLCMDS | Boolean | The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists
TSO.ATTR2 | String | The IBM program control facility (PCF) uses the PSCBATR2 field for command limiting and data set protection
TSO.CHAR | String | The TSO character-delete character for this user
TSO.CMD-LONG | Boolean | Indicates that only the listed command and aliases are accepted when using TSO command lists
TSO.DFT-DEST | String | The default remote destination for TSO spun SYSOUT data sets
TSO.DFT-PFX | String | The default TSO prefix that is set in the user's profile at logon time
TSO.DFT-SOUT | String | The default TSO SYSOUT class
TSO.DFT-SUBC | String | The default TSO submit class
TSO.DFT-SUBH | String | The default TSO submit hold class
TSO.DFT-SUBM | String | The default TSO submit message class
TSO.INTERCOM | Boolean | This user is willing to accept messages from other users through the TSO SEND command
TSO.JCL | Boolean | This user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands
TSO.LGN-ACCT | Boolean | This user can specify an account number at logon time
TSO.LGN-DEST | Boolean | The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field
TSO.LGN-MSG | Boolean | This user can specify a message class at logon time
TSO.LGN-PERF | Boolean | This user can specify a performance group at logon time
TSO.LGN-PROC | Boolean | This user can specify the TSO procedure name at logon time
TSO.LGN-RCVR | Boolean | This user can use the recover option of the TSO or TSO/E command package
TSO.LGN-SIZE | Boolean | This user is authorized to specify any region size at logon time
TSO.LGN-TIME | Boolean | This user can specify the TSO session time limit at logon time
TSO.LGN-UNIT | Boolean | This user can specify the TSO unit name at logon time
TSO.LINE | String | The TSO line-delete character
TSO.MAIL | Boolean | Receive mail messages from TSO at logon time
TSO.MODE | Boolean | Receive modal messages from TSO
TSO.MOUNT | Boolean | This user can issue mounts for devices
TSO.MSGID | Boolean | Prefix TSO message IDs
TSO.NOTICES | Boolean | Receive TSO notices at logon time
TSO.OPERATOR | Boolean | This user has TSO operator privileges
TSO.PAUSE | Boolean | Causes a program to pause when a command executed in a CLIST issues a multilevel message
TSO.PMT-ACCT | Boolean | Forces this user to specify an account number at logon time
TSO.PMT-PROC | Boolean | Forces this user to specify a TSO procedure name at logon time
TSO.PROMPT | Boolean | Prompt for missing or incorrect parameters
TSO.RECOVER | Boolean | Use the recover option of the TSO or TSO/E command package
TSO.TSOACCT | String | The user's default TSO logon account
TSO.TSOCMDS | String | The name of the TSO command list module that contains the list of the commands that this user is authorized to use
TSO.TSOFSCRN | Boolean | This user has the full-screen logon display
TSO.TSOPERF | String | The user's default TSO performance group
TSO.TSOPROC | String | The user's default TSO procedure name
TSO.TSORBA | String | The mail index record pointer (MIRP) for this user
TSO.TSORGN | String | The user's default TSO region size (in K bytes) if the user does not specify a size at logon time
TSO.TSOSIZE | String | The user's maximum TSO region size (in K bytes) unless the user has the LGN-SIZE field specified
TSO.TSOTIME | String | The user's default TSO time parameter
TSO.TSOUNIT | String | The user's default TSO unit name
TSO.VLD-ACCT | Boolean | Indicates CA-ACF2 is to validate the TSO account number
TSO.VLD-PROC | Boolean | Indicates CA-ACF2 is to validate the TSO procedure name
TSO.WTP | Boolean | Displays write-to-programmer (WTP) messages
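As an added example (not part of the Identity Manager documentation or the adapter), the following script runs a least-privilege review over logonid records expressed with the attribute names in the table above, flagging only the behaviours the table itself documents for each field (rule bypass, unscoped administrators, password-less RESTRICT logonids, extractable or non-expiring passwords). Records are plain dicts keyed by the table's attribute names; the sample records are constructed.

```python
# Added example: least-privilege review of ACF2 logonid records using the adapter's
# attribute names. Records and sample data are constructed, not pulled from a real system.
from typing import Any, Dict, List

Record = Dict[str, Any]


def _true(rec: Record, attr: str) -> bool:
    """Boolean attributes are True/False; anything else counts as not set."""
    return rec.get(attr) is True


def _blank(rec: Record, attr: str) -> bool:
    """String attributes are blank when missing or empty."""
    return not str(rec.get(attr) or "").strip()


def audit_logonid(rec: Record) -> List[str]:
    """Return findings for one logonid; each rule cites the documented field behaviour."""
    findings: List[str] = []
    if _true(rec, "PRIVILEGES.NON-CNCL"):
        findings.append("NON-CNCL: can access all data even where a rule prohibits it")
    if _true(rec, "PRIVILEGES.MAINT"):
        findings.append("MAINT: resource access without logging or validation")
    for priv in ("PRIVILEGES.SECURITY", "PRIVILEGES.ACCOUNT"):
        if _true(rec, priv) and _blank(rec, "PRIVILEGES.SCPLIST"):
            findings.append(f"{priv.split('.')[1]} without SCPLIST: administrative privilege is unscoped")
    if _true(rec, "PRIVILEGES.RESTRICT"):
        # RESTRICT logonids need no password; PROGRAM/SUBAUTH limit who can submit work
        # under them, and VLDRSTCT keeps that check in force when the logonid is inherited.
        if _blank(rec, "PRIVILEGES.PROGRAM") and not _true(rec, "PRIVILEGES.SUBAUTH"):
            findings.append("RESTRICT without PROGRAM or SUBAUTH: password-less logonid with no submitter restriction")
        if not _true(rec, "PRIVILEGES.VLDRSTCT"):
            findings.append("RESTRICT without VLDRSTCT: PROGRAM/SUBAUTH not validated when inherited")
    if _true(rec, "PASSWORD.PSWD-XTR"):
        findings.append("PSWD-XTR: password stored in extractable form")
    if str(rec.get("PASSWORD.MAXDAYS", "")).strip() == "0":
        findings.append("MAXDAYS=0: no password change interval is enforced")
    if _true(rec, "PRIVILEGES.TAPE-BLP"):
        findings.append("TAPE-BLP: full bypass label processing on tape data sets")
    if _true(rec, "TSO.ALLCMDS"):
        findings.append("ALLCMDS: can bypass the CA-ACF2 restricted command lists")
    if findings and (_true(rec, "CANCEL/SUSPEND.CANCEL") or _true(rec, "CANCEL/SUSPEND.SUSPEND")):
        findings.append("logonid is canceled/suspended but still carries the privileges above")
    return findings


def audit_all(records: Dict[str, Record]) -> Dict[str, List[str]]:
    """Map logonid -> findings, omitting logonids with nothing to report."""
    return {lid: f for lid, rec in records.items() if (f := audit_logonid(rec))}


# Constructed sample records (not real logonids).
SAMPLE = {
    "ACFADM1": {"NAME": "SEC ADMIN 1", "PRIVILEGES.SECURITY": True,
                "PRIVILEGES.SCPLIST": "", "PASSWORD.MAXDAYS": "0"},
    "PRODBAT": {"NAME": "PROD BATCH", "PRIVILEGES.RESTRICT": True, "PRIVILEGES.PROGRAM": "",
                "PRIVILEGES.SUBAUTH": False, "PRIVILEGES.VLDRSTCT": False},
    "JSMITH": {"NAME": "J SMITH", "PRIVILEGES.TSO": True, "PASSWORD.MAXDAYS": "60"},
}

if __name__ == "__main__":
    for lid, fs in audit_all(SAMPLE).items():
        print(lid + "\n  " + "\n  ".join(fs))
```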

Resource Object Management

None

Sample Forms

ACF2UserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes: