Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
ACF2
The ACF2 resource adapter supports management of user accounts and memberships on an OS/390 mainframe via the IBM Host Access Class Library APIs. The adapter manages ACF2 over a TN3270 emulator session.
The ACF2 adapter supports the following versions:
The ACF2 resource adapter is defined in the com.waveset.adapter.ACF2ResourceAdapter class.
Resource Configuration Notes
None
Identity Manager Installation Notes
The ACF2 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
- To add the ACF2 resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.ACF2ResourceAdapter
- The Identity Manager mainframe adapters use the IBM Host Access Class Library (HACL) to connect to the mainframe. The HACL is available in IBM Websphere Host On-Demand (HOD). The recommended jar containing HACL is habeans.jar and is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, and V9.0.
However, if the toolkit installation is not available, the HOD installation contains the following jars that can be used in place of the habeans.jar:
Usage Notes
This section lists dependencies and limitations related to using the ACF2 resource adapter.
Administrators
TSO sessions do not allow multiple, concurrent connections for the same user ID. To achieve concurrency for Identity Manager ACF2 operations, you must create multiple administrators: with two administrators defined, two Identity Manager ACF2 operations can run at the same time. We recommend that you create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an administrator row for each server in the cluster, even when the same administrator account is listed for more than one server. Because a TSO user cannot hold two sessions at once, each server in the cluster must use a different TSO administrator.
If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).
Note Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system and they are configured to use the same administrator accounts, you might have to update those resources so that the same administrator is not used by more than one resource at a time. Otherwise the sessions opened by the resources together can exceed what the host allows for that administrator even though each resource stays within its own maximum.
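The following model, added here as an illustration and not Identity Manager code, shows the consequence of the note above. It assumes a simplified administrator table in which each host resource lists administrators with a maximum connection count that the adapter enforces only within that resource, while TSO itself refuses a second concurrent session for the same user ID. Resource names (ACF2-prov, ACF2-recon), administrator IDs (IDMADM1, IDMADM2) and the host name are placeholders.

```python
"""
Model of per-resource administrator limits on host resource adapters.

Added illustration, not Identity Manager code. The adapter side counts
administrator use within one resource only; the TSO side counts live
sessions per user ID across everything that logs on. Names are placeholders.
"""
from collections import defaultdict


class ResourceAdminPool:
    """Administrator slots for ONE host resource, as the adapter enforces them."""

    def __init__(self, resource_name, max_connections):
        # max_connections: {admin_id: max concurrent uses within this resource}
        self.resource_name = resource_name
        self.limits = dict(max_connections)
        self.in_use = defaultdict(int)

    def acquire(self, admin):
        # Only this resource's own use of the administrator is counted here.
        if self.in_use[admin] >= self.limits.get(admin, 0):
            return False
        self.in_use[admin] += 1
        return True


class TsoHost:
    """The mainframe's view: at most one live session per TSO user ID."""

    def __init__(self, max_sessions_per_user=1):
        self.max_sessions = max_sessions_per_user
        self.live = defaultdict(int)

    def logon(self, user):
        if self.live[user] >= self.max_sessions:
            return False  # a second concurrent logon for the same user is refused
        self.live[user] += 1
        return True


def run_concurrent_ops(ops, host):
    """
    Start every (resource, admin) operation at once, i.e. all sessions are
    acquired before any is released. Returns (accepted, refused); each refusal
    records whether the adapter or the host blocked it.
    """
    accepted, refused = [], []
    for resource, admin in ops:
        if not resource.acquire(admin):
            refused.append((resource.resource_name, "adapter"))
        elif host.logon(admin):
            accepted.append(resource.resource_name)
        else:
            refused.append((resource.resource_name, "host"))
    return accepted, refused


def shared_admin_scenario():
    """Two resources on the same host, both configured with IDMADM1 (max 1)."""
    prov = ResourceAdminPool("ACF2-prov", {"IDMADM1": 1})
    recon = ResourceAdminPool("ACF2-recon", {"IDMADM1": 1})
    return run_concurrent_ops([(prov, "IDMADM1"), (recon, "IDMADM1")], TsoHost())


def distinct_admin_scenario():
    """The same two resources after giving each its own TSO administrator."""
    prov = ResourceAdminPool("ACF2-prov", {"IDMADM1": 1})
    recon = ResourceAdminPool("ACF2-recon", {"IDMADM2": 1})
    return run_concurrent_ops([(prov, "IDMADM1"), (recon, "IDMADM2")], TsoHost())


def single_resource_scenario():
    """One resource, two simultaneous operations, one administrator slot."""
    prov = ResourceAdminPool("ACF2-prov", {"IDMADM1": 1})
    return run_concurrent_ops([(prov, "IDMADM1"), (prov, "IDMADM1")], TsoHost())


if __name__ == "__main__":
    for name, scenario in [("shared admin", shared_admin_scenario),
                           ("distinct admins", distinct_admin_scenario),
                           ("single resource", single_resource_scenario)]:
        accepted, refused = scenario()
        print(f"{name}: accepted={accepted} refused={refused}")
```

In the single-resource case the adapter itself refuses the second operation before it reaches the host; in the shared-administrator case each resource stays within its own maximum, so the second logon reaches TSO and is refused there, which is the failure the note warns about.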
Resource Actions
The ACF2 adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.
See the Usage Notes for the Top Secret adapter on page 1-376 for more information about creating login and logoff resource actions.
SSL Configuration
This section provides information about configuring SSL, including:
Connecting the Adapter to a Telnet/TN3270 Server using SSL or TLS
Use the following steps to connect ACF2 resource adapters to a Telnet/TN3270 server using SSL/TLS.
- Obtain the Telnet/TN3270 server's certificate in the PKCS #12 file format. Use hod as the password for this file. Consult your server's documentation on how to export the server's certificate; see the procedure "Generating a PKCS #12 File" below for general guidelines.
- Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of HOD, use the following command. The paths are relative to the HOD installation and the classpath separator shown (;) is the Windows one; adjust both for your platform and layout.
..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip;../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class
- Place the CustomizedCAs.class file somewhere in the Identity Manager server's classpath, such as $WSHOME/WEB-INF/classes.
- If a resource attribute named Session Properties does not already exist for the resource, then use the BPE or debug pages to add the attribute to the resource object. Add the following definition in the <ResourceAttributes> section:
<ResourceAttribute name='Session Properties' displayName='Session Properties' description='Session Properties' multi='true'>
</ResourceAttribute>
- Go to the Resource Parameters page for the resource and add the following name and value to the Session Properties resource attribute:
Name: SESSION_SSL
Value: true
Generating a PKCS #12 File
The following procedure provides a general description of generating a PKCS #12 file when using the Host On-Demand (HOD) Redirector with SSL/TLS. Refer to the HOD documentation for detailed information about performing this task.
- Create a new HODServerKeyDb.kdb file using the IBM Certificate Management tool. As part of that file, create a new self-signed certificate as the default private certificate.
If you get a message that is similar to “error adding key to the certificate database” when you are creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may be expired. Check the IBM website to obtain up-to-date certificates.
- Export that private certificate as Base64 ASCII into a cert.arm file.
- Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod as the password for this file.
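Whatever tool exports the certificate, the file you place in CustomizedCAs.p12 becomes the adapter's trust anchor for the TN3270 server, so it is worth confirming that the exported cert.arm is byte-for-byte the certificate the server actually presents before converting it. The script below is an added example for both the connection procedure and the PKCS #12 procedure above; it is not part of the HOD or Identity Manager tooling. It assumes the "Base64 ASCII" export is PEM text with BEGIN/END CERTIFICATE lines and that the server completes a TLS handshake on the host and port given. The sample certificate body, host name and port are placeholders.

```python
"""
Fingerprint check for the certificate that goes into CustomizedCAs.p12.

Added example, not part of the HOD or Identity Manager tooling. Compares the
SHA-256 fingerprint of the exported cert.arm with the certificate the
Telnet/TN3270 server presents on the wire.
"""
import base64
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Decode exactly one PEM certificate to DER; reject anything else."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected exactly one PEM-encoded certificate")
    if PEM_BEGIN in lines[1:-1]:
        raise ValueError("file contains more than one certificate")
    # validate=True refuses stray characters instead of silently dropping them
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der):
    """SHA-256 over the DER bytes, formatted the way certificate tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_der(host, port):
    """
    Pull the leaf certificate the TN3270 server presents. Verification is
    intentionally off (ca_certs=None): the point is to inspect the
    certificate before deciding to trust it, not to trust it already.
    """
    pem = ssl.get_server_certificate((host, port))
    return pem_to_der(pem)


def exported_matches_presented(cert_arm_text, presented_der):
    """True only when the exported file and the live server agree exactly."""
    return fingerprint(pem_to_der(cert_arm_text)) == fingerprint(presented_der)


# Constructed stand-in for cert.arm so the module runs offline: the body is
# base64 of the bytes b"abc", not a real certificate.
SAMPLE_CERT_ARM = "\n".join([PEM_BEGIN, "YWJj", PEM_END]) + "\n"


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check_cert.py cert.arm tn3270.example.net 992
        with open(sys.argv[1], encoding="ascii") as fh:
            exported = fh.read()
        live = fetch_presented_der(sys.argv[2], int(sys.argv[3]))
        print("exported :", fingerprint(pem_to_der(exported)))
        print("presented:", fingerprint(live))
        sys.exit(0 if exported_matches_presented(exported, live) else 1)
    print("sample fingerprint:", fingerprint(pem_to_der(SAMPLE_CERT_ARM)))
```

Run it with the exported file and the server's TLS host and port; a non-zero exit means the file you are about to trust is not what the server serves. Since the "error adding key" message above is often an expired certificate, also check the validity dates of the exported file, for example with openssl x509 -noout -dates -in cert.arm, before building the PKCS #12 file.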
Troubleshooting the SSL Connection
You can enable tracing of the HACL by adding the following name and value to the Session Properties resource attribute:
Name: SESSION_TRACE
Value: ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3
Note The trace parameters should be listed without any new line characters. It is acceptable if the parameters wrap in the text box.
Because DataStream tracing records the 3270 traffic itself, including the administrator logon, treat the trace output as sensitive and remove the SESSION_TRACE entry once troubleshooting is complete.
The Telnet/TN3270 server should have logs that may help as well.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 connections to communicate with ACF2.
Required Administrative Privileges
The administrators that connect to ACF2 must be assigned sufficient privileges to create and manage ACF2 users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                       Supported?
Enable/disable account        Yes
Rename account                Yes
Pass-through authentication   No
Before/after actions          Yes
Data loading methods          Import directly from resource
                              Reconciliation
Account Attributes
The following table provides information about ACF2 account attributes.
Resource Object Management
None
Sample Forms
ACF2UserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
See the Troubleshooting section for the Top Secret adapter on page 1-388 for more information about troubleshooting the HostAccess class.