Sun Identity Manager 8.1 Resources Reference

Usage Notes

This section provides information related to using the RACF resource adapter.


TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Identity Manager RACF operations can occur at the same time. You should create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).

Note –

Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.

If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.

Support for Additional Segments

The RACF adapter can be configured to support attributes that are not in the segments supported by default.

Procedure: Configuring the RACF Adapter to Support Attributes

  1. Create an AttrParse object that parses the segment. See Chapter 49, Implementing the AttrParse Object for information about defining custom AttrParse objects. Example AttrParse objects are defined in $WSHOME/web/sample/attrparse.xml.

  2. Add a ResourceAttribute element to the RACF resource object. For example:

    <ResourceAttribute name='WORKATTR Segment AttrParse'
       displayName='WORKATTR Segment AttrParse'
       description='AttrParse for WORKATTR Segment'
       value='Default RACF WORKATTR Segment AttrParse'/>

    This example adds a field labeled WORKATTR Segment AttrParse to the Resource Parameters page. The value assigned to the name attribute must be of the form SegmentName Segment AttrParse.

  3. Add an element to the RACF resource object that defines a custom account attribute.

    <AccountAttributeType id='32' name='WORKATTR Account' syntax='string'
      mapName='WORKATTR.WAACCNT' mapType='string'/>

    The value of the mapName attribute must be of the form SegmentName.AttributeName. When the adapter detects a mapName in this format, it asks RACF for the specified segment and uses the object specified in the SegmentName Segment AttrParse field to parse it.
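The naming rules in steps 2 and 3 can be checked mechanically before a resource is loaded. The following added example is not part of the original documentation: it lists every mapName of the form SegmentName.AttributeName that has no matching SegmentName Segment AttrParse parameter. The `<Resource>` wrapper, the `MYSEG.FIELD1` and `OWNER` entries, and the function name `check_segments` are constructed for illustration. Segments the adapter supports by default may not need a parameter, so treat each hit as an item to review.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two elements from the steps above, plus a hypothetical
# MYSEG.FIELD1 attribute whose segment has no AttrParse parameter, and a plain
# (non-segment) mapName. The <Resource> wrapper is an assumption.
SAMPLE = """
<Resource name='RACF-sample'>
  <ResourceAttribute name='WORKATTR Segment AttrParse'
     displayName='WORKATTR Segment AttrParse'
     description='AttrParse for WORKATTR Segment'
     value='Default RACF WORKATTR Segment AttrParse'/>
  <AccountAttributeType id='32' name='WORKATTR Account' syntax='string'
     mapName='WORKATTR.WAACCNT' mapType='string'/>
  <AccountAttributeType id='33' name='Custom Field' syntax='string'
     mapName='MYSEG.FIELD1' mapType='string'/>
  <AccountAttributeType id='34' name='Owner' syntax='string'
     mapName='OWNER' mapType='string'/>
</Resource>
"""

# mapName must be "SegmentName.AttributeName" to trigger segment parsing.
SEGMENT_MAP = re.compile(r'^([A-Za-z0-9]+)\.([A-Za-z0-9]+)$')
# Parameter name must be "SegmentName Segment AttrParse".
PARAM_NAME = re.compile(r'^(\S+) Segment AttrParse$')

def check_segments(xml_text):
    """Return (segment, mapName) pairs with no matching AttrParse parameter."""
    root = ET.fromstring(xml_text)
    configured = set()
    for ra in root.iter('ResourceAttribute'):
        m = PARAM_NAME.match(ra.get('name', ''))
        if m and ra.get('value'):  # an empty value names no AttrParse object
            configured.add(m.group(1))
    missing = []
    for attr in root.iter('AccountAttributeType'):
        m = SEGMENT_MAP.match(attr.get('mapName', ''))
        if m and m.group(1) not in configured:
            missing.append((m.group(1), attr.get('mapName')))
    return missing

if __name__ == '__main__':
    for segment, map_name in check_segments(SAMPLE):
        print(f"{map_name}: no '{segment} Segment AttrParse' resource parameter")
```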

Resource Actions

The RACF adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.

See Mainframe Examples for more information about creating login and logoff resource actions.

SSL Configuration

Identity Manager uses TN3270 connections to communicate with the resource.

See Chapter 53, Mainframe Connectivity for information about setting up an SSL connection to a RACF resource.