3 Installation and Configuration: Part 2

The Provisioning and Reconciliation Connector Components of the Oracle Identity Manager CA ACF2 Advanced connector are installed on the mainframe.

This chapter describes the installation and configuration of the Oracle Identity Manager Provisioning Connector and Reconciliation Connector in the following sections:

• Step1: Verifying Installation Requirements

• Step 2: Initiating Connector Installation

• Step 3: Installing the Exits for the Reconciliation Connector

• Step 4: Configuring the Message Transport Layer

Step1: Verifying Installation Requirements

The following table includes hardware, software, and authorization prerequisites for installing both Oracle Identity Manager Provisioning Connector and Oracle Identity Manager Reconciliation Connector.

Item	Requirement
Operating System	z/OS any version
Message Transport Layer	TCP/IP Network MQ Series v.5 or later
z/OS Patch Level	Verify that all current patches are in place.
CA ACF2 Identity Repository	CA ACF2 Release 6.1, genlevel 9611 or later Current patch level for z/OS

Both connectors require the installation of a started task and both require placement into an administrative APF authorized library.

Installation of the environment is from load libraries. However, if any environmental issues are encountered, assistance may be needed to quickly diagnose the problem. The following are the toolsets available in a typical mainframe shop to handle these issues:

• Cobol Compiler: The current version was compiled using IBM Enterprise COBOL for z/OS and OS/390 3.1.1

• Assembler: Oracle Identity Manager currently uses HLASM R4.0.

Environmental Settings and Requirements

The CA ACF2 Connectors have the following environment requirements:

• Each Connector uses memory subpools to manage peak load conditions. These subpools require 1.5 to 2.0 MB of mainframe memory for operations.

• The Provisioning Connector program user ID should be given authorization to access subpools on the host platform.

• If MQ Series is used in your environment and you plan for Oracle Identity Manager to use MQ series as a message transport layer, then a sample program that is an MQ-enabled program should be available. An MQ administrator needs to authorize the creation of MQ queues from an automated script.

  Oracle Identity Manager requires three queues: a send queue, a receive queue, and a Reconciliation Connector communication queue. The names of these queues will be inserted into the Provisioning Connector and Reconciliation Connector start up JCL.

• If TCP/IP is used in the message transport layer, an administrator must have authorization to create ports on the mainframe, as well as provide security authorizations for the data structures.

• The Reconciliation Connector operates at the Exit level, just outside the mainframe operating system. Typical mainframe shops install custom exits, for example to maintain a certain password format. If there are cusom exits already installed, an engineering effort is required to allow Reconciliation Connector exits to coexist with existing exits already deployed. The Oracle Identity Manager exits are engineered to be the last exits called in sequence, allowing existing exits to function normally.

• Installation of new exits within an LPAR may require an IPL of the LPAR.

Step 2: Initiating Connector Installation

These are the initial procedures for installing the components of the connectors on z/OS.

• Transmit or FTP JCL.XMIT and LINKLIB.XMIT to the z/OS server, each with the following specifications RECFM=FB, LRECL=80, BLKSIZE=3120, and DSORG=PS.

• Log in to the z/OS server's TSO environment.

• Expand the CNTL dataset dataset, issue the following command from the ISPF command line:

  TSO RECEIVE INDA('IDF.CNTL.XMIT')
  
  

• When prompted to specify restore parameters, enter:

  DA('IDF.CNTL')
  
  

• To expand the LINKLIB dataset, issue the following command from the ISPF command line:

  TSO RECEIVE INDA('IDF.LINKLIB.XMIT')
  
  

• When prompted to enter restore parameters, enter:

  DA('IDF.LINKLIB')
  
  

• To complete the installation, follow the procedures in IDF.CNTL member #INSTVOY for the Reconciliation Connector components, and member #INSTPIO for the Provisioning Connector component.

Step 3: Installing the Exits for the Reconciliation Connector

Because the exits reside in LPA, an IPL is required to complete the installation. To allow the LDAP Gateway to fully capture events, the Reconciliation Connector and its exits should be installed on each LPAR that shares the CA ACF2 authentication repository.

Note:

The following instructions assume you will install both Provisioning Connector and Reconciliation Connector Connectors.

It is recommended that you:

• Install and test the exits on a test system or partition first.

• Make a copy of your system volumes before applying any changes.

• Consider packaging the exits as SMP/E user mods.

• Assemble the exits into an authorized load library.

To install the Reconciliation Connector exits:

• Install LOGRIX02, LOGPWX01, and LOGEVX01, the Common Command exits, using the Dynamic Exit Facility.

• For testing, it is recommended that you set up one or more PROGxx members in SYS1.PARMLIB (or equivalent), to allow for easy removal of the exit if desired.

• Below are three commands that will compromise the PARMLIB list you create. The three commands can also be added via operator console commands. Below is a sample commad to append the Reconciliation Connector exits to the appropriate CA ACF2 exits.

  EXIT ADD EXITNAME(ICHRIX02) MODULE(LOGRIX02)
  EXIT ADD EXITNAME(ICHPWX01) MODULE(LOGPWX01)
  EXIT ADD EXITNAME( IRREVX01) MODULE(LOGEVX01)
  
  

• Copy these three members to your system PARMLIB data set. If you already have a PROGAD or PROGDL member, rename the LOG members to a PROGxx name that is not in use.

• When ready, use the console command SET PROG=XX to activate the following:

  • LOGPWX01 as an ICHPWX01 exit point

  • LOGRIX02 as an ICHRIX02 exit point

  • LOGEVX01 as an IRREVX01 exit point

For permanent installation, do one of the following:

• Add the EXIT ADD statement in PROGAD to your production PROGxx PARMLIB member.

• Add a SET PROG=XX command to CONSOL00 or an automation script, so that it is issued during your IPL procedure.

• Install ICHRIX02, the RACROUTE REQUEST=VERIFY(X) (RACINIT) post processing exit.

Note:

If you do not have an existing ICHRIX02 exit, run the job in the samples library member RIX0A. This job uses SMP/E to linkedit LDXRIX02 into SYS1.LPALIB as exit ICHRIX02.

To uninstall the LDX exit, enter SET PROG=XY as a console command or enter the following commands.

EXIT DELETE EXITNAME(ICHRIX02) MODULE(LOGRIX02)
EXIT DELETE EXITNAME(ICHPWX01) MODULE(LOGPWX01)
EXIT DELETE EXITNAME(IRREVX01) MODULE(LOGEVX01)

To load the exits:

• Command done from the Operator Log (ISPF menu option SDSF then option LOG)

  /F LLA,REFRESH
  /T PROG=XX Where XX is the Parmlib list name created EX. PROG75
  /T PROG=75
  
  

To look at the exits:

/D PROG,LPA,MODNAME=ICHPWX01
/D PROG,LPA,MODNAME=ICHRIX02
/D PROG,LPA,MODNAME=IRREVX01

Sample output of display command.

15:47:38 D PROG,LPA,MODNAME=ICHPWX01
15:47:38 CSV550I 15.47.38 LPA DISPLAY 321
15:47:38 FLAGS MODULE  ENTRY PT LOAD PT  LENGTH  DIAG
15:47:38  P  ICHPWX01 85024C68 05024C68 00000398 0DA015F8

15:47:38 D PROG,LPA,MODNAME=ICHPWX01
15:47:38 CSV550I 15.47.38 LPA DISPLAY 321
15:47:38 FLAGS MODULE  ENTRY PT LOAD PT  LENGTH  DIAG
15:47:38  P  ICHPWX01 85024C68 05024C68 00000398 0DA015F8

Step 4: Configuring the Message Transport Layer

This section describes the following Message Transport Layer configuration tasks for both TCP/IP and MQ Series:

• Configuring TCP/IP

• Using MQ Series

• Building and Operation of the Starter Tasks

• Batch Loading of ACIDS

Configuring TCP/IP

You will need the following IP addresses:

• IP address to be used by z/OS

• IP address for the router

• IP addresses for domain name servers

Using TCP/IP, an administrator will need to allow the creation of ports on the mainframe, as well as provide security authorizations for the data structures.

Edit the Provisioning Connector and VOYAGER JCL making the following changes:

1. Insert an installation-approved job card.

2. Change the value for PARM from TCPN=TCPIP to the name of the running TCP/IP started task.

3. Change the IP address to the address of the LPAR (z/OS System that Provisioning Connector will be started from).

4. Change the port number to the port assigned in the LPAR (z/OS System that Provisioning Connector will be started from).

5. If your installation requires batch feeds then insert the proper VSAMGETU statement. The following code illustrates batch loading of CA ACF2 ACIDs:

   //USR98S01 JOB (,xxxxxxxx,,'PIONEER UPLOAD PROCESS FOR ACIDS'),
   //       'UPLOAD CATS TO XELLTE',
   //       REGION=2M,CLASS=6,MSGCLASS=Q,
   //       USER=XXXXXXXX,TIME=1440,
   //       NOTIFY=&SYSUID,TYPRUN=HOLD
   //*
   /*ROUTE PRINT CLE
   //*
   //PIONEERX EXEC PGM=PIONEERX,REGION=0M,TIME=1440,
   //       PARM=('TCPN=TCPIP',
   //       'IPAD=148.141.7.113',
   //       'PORT=6500',
   //       'DEBUG=Y')
   //STEPLIB DD DISP=SHR,DSN=PPRD.IDF.LINKLIB
   //     DD DISP=SHR,DSN=SYS2.TCPACCES.V60.LINK
   //     DD DISP=SHR,DSN=TCPIP.SEZATCP
   //SYSOUT  DD SYSOUT=*
   //SYSPRINT DD SYSOUT=*
   //SYSDBOUT DD SYSOUT=*
   //SYSABOUT DD SYSOUT=*
   //ABENDAID DD SYSOUT=*
   //SYSUDUMP DD SYSOUT=*
   //VSAMGETU DD DISP=SHR,DSN=LXT99S.FEEDFILE.SORTED
   //*
   
   

If Provisioning Connector is a started task, start Provisioning Connector by issuing the S PIONEER from the console. If Provisioning Connector is a batch task, submit the PIONEER JCL.For the Reconciliation Connector, the Job Control is the same with the exception of the execute card, which is described below:

//RECONCILIATION CONNECTORX EXEC PGM=RECONCILIATION CONNECTORX,
//  PARM=('TCPN=TCPIP',
//     'IPAD=192.168.1.231',
//     'PORT=5791',
//     'DEBUG=Y')

For both the Reconciliation and Provisioning Connector, the following DEBUG parameter field equivalents can be used:

• N is for no debugging output.

• Y is for debugging output.

• Z is for debugging output, but the output is not written to MQ.

Note:

If you get the "dataset in use" message when attempting to edit a member, use the F1 key to see who is using the member you are trying to edit. You will have to press the F1 key twice. The second time will actually give the name of the job using the file that you are trying to edit. You can then go to the z/OS console and remove it by using the p or c command.

Using MQ Series

This section describes Provisioning and Reconciliation connector installation for MQ series.

Provisioning Connector Installation for MQ Series

The Provisioning Connector uses the following for MQ installation:

• PIONEER: Provisioning Connector start task job control

• PIOCOPY: Copies the Provisioning Connector-started task to your installation procedure library.

• PIOMQ: Provisioning Connector MQ definition input

• PIODEF: Defines the Provisioning Connector MQ definitions

To install the connector, do the following:

1. Edit Member PIONEER.

   1. Change QMGR in the QMGR Parm field to the name of your queue manager.

   2. Your Queue manager is the actual task name given to the MQ Queue manager in the installing system.

   3. If desired, enable the debug option by changing Debug=N (the default) to Y.

      Caution:

      This will generate a large amount of output. This should only be done for testing.

   4. Change IDF.LINKLIB to the name you have given the Oracle Identity Manager Authorized Load Module Library.

2. Edit Member Piocopy and submit.

   1. Insert your installation approved job card.

   2. Change IDF.CNTL to the name you have given the Oracle Identity Manager Control Library (the library downloaded in the previous install steps).

   3. Change SYS1.PROCLIB to the name of the JES PROCLIB you would like to use.

   4. Change the Reconciliation Connector started task to initiate as a started task.

   5. Submit PIOCOPY. Ensure that the member VOYAGER is present in your selected JES PROCLIB.

3. Edit Member PIOMQ.

   • Change all occurrences of QMGR to the name of your queue manager. Your Queue manager is the actual task name given to the MQ Queue manager in the installing system.

   • Change all occurrences of STGCLASS to the name of the storage class you have chosen for the two Provisioning Connector queues.

     Note:

     For performance reasons, your installation may want to define the two Provisioning Connector queues to different storage classes. If you are also using the Reconciliation Connector, you may want to use separate storage classes for the Reconciliation Connector queue.

4. Edit Member PIOMQ and submit.

   • Insert your jobcard.

   • Change QMGR in the parm to the name of your queue manager.

   • Change MQMHLQ to the high level qualifier of your MQ System datasets.

   • Change IDF.CNTL to the name you have given the Oracle Identity Manager control library.

   • Submit PIODEF. Ensure that the three objects are defined without errors.

     Note:

     Depending on your security environment, you may need to define Provisioning Connector as a started task and grant access to the dataset and MQ resources.

5. Provisioning Connector Is Ready To Start.

Note:

Provisioning Connector is dependent on MQ series, so ensure that the queue manager is active before starting PIONEER.

If Provisioning Connector is a started task, start Provisioning Connector by issuing S PIONEER from the console. If Provisioning Connector is a batch task, submit the PIONEER JCL.

Reconciliation Connector Installation for MQ Series

The Provisioning Connector installation members distributed in the control library are:

• Voyager: VOYAGER Reconciliation Connector-started task job control

• VOYINIT: Reconciliation Connector initialization started task

• VOYKILL: Reconciliation Connector subpool removal started task

• VOYSTOP: Reconciliation Connector stop started task

• VOYCOPY: Copies the VOYAGER Reconciliation Connector started tasks to the procedure library

• VOYMQ: Reconciliation Connector MQ definition input

• VOYDEF: Defines the Reconciliation Connector MQ definitions

To install the Reconciliation connector, follow these instructions:

1. Edit Member Voyager.

   • Change QMGR in the QMGR parm field to the name of your queue manager. Your queue manager is the actual task name given to the MQ Queue manager in the installing system.

   • If required, enable the debug option by changing Debug=N to Y.

     Caution:

     This will generate a large amount of output. This should only be performed for testing purposes.

   • Change IDF.LINKLIB to the name you have given the Oracle Identity Manager Authorized Load Module Library.

2. Edit Members VOYINIT, VOYKILL, and VOYSTOP.

   • Change IDF.LINKLIB to the name you have given the Oracle Identity Manager Authorized Load Module Library.

3. Edit Member VOYCOPY and submit.

   • Insert your installation approved job card.

   • Change IDF.CNTL to the name you have given the Oracle Identity Manager control library.

   • Change SYS1PROCLIB to the name of the JESPROCLIB proclib you would like Voyager to be started from as a started task.

   • Submit VOYCOPY.

   • Ensure that members VOYAGER, VOYINIT, VOYKILL, and VOYSTOP are present in selected JES PROCLIB.

4. Edit Member VOYMQ.

   • Change all occurrences of QMGR to the name of your queue manager. Your queue manager is the actual task name given to the MQ Queue manager in the installing system.

   • Change all occurrences of +STGCLASS+ to the name of the storage class you would like the queue for Reconciliation Connector defined.

     Note:

     You may want to assign the Reconciliation Connector to a different storage class than the one used by the Provisioning Connector queues.

5. Edit Member VOYDEF & Submit.

   • Insert your job card.

   • Change QMGR in the parameter to the name of your queue manager. Your queue manager is the actual task name given to the MQ Queue manager in the installing system.

   • Change +MQMHLQ+ to the high level qualifier of your MQ system datasets.

   • Change IDF.CNTL to the name you have given the Oracle Identity Manager Control Library.

   • Submit VOYDEF. Ensure that the three objects are defined without errors.

     Reconciliation Connector Is Ready To Start.

     Note:

     Depending on your security environment, you may need to define VOYAGER, VOYINIT, VOYKILL, and VOYSTOP as started tasks and grant access to the dataset and MQ resources.

   • Reconciliation Connector is dependent on MQ. Therefore, ensure that the queue manager is active before starting Voyager.

   • Start the VOYINIT task by issuing "S VOYINIT" from the console to create the subpool (This only needs to be done once, unless VOYKILL is run).

   • Once VOYINIT ends, then start Reconciliation Connector by issuing "S Voyager" from the console.

     Note:

     To quiesce VOYAGER while leaving the subpool intact, start VOYSTOP by issuing S VOYSTOP from the console. To quiesce Reconciliation Connector and destroy the subpool, start VOYKILL by issuing S VOYKILL from the console.

   Caution:

   Use of VOYKILL will cause any CA ACF2 messages stored in the subpool to be lost.

Configuration of APF Authorization

Create the Necessary Definitions

Note:

This step requires that you be appropriately authorized to issue CA ACF2 commands and to make alterations to the CA ACF2 database. If you do not have the required authority to perform such tasks, you should arrange to enlist the assistance of someone who is qualified to perform these tasks.

• Log on to TSO by using a user ID that has the requisite authority to execute CA ACF2 commands and modify the CA ACF2 database. For example, IBMUSER normally has such authority.

• From a TSO command line (or Option 6 of ISPF), issue the following CA ACF2 command:

  RDEFINE FACILITY IRR.RADMIN.* UACC(NONE)
  
  

  This command defines a CA ACF2 resource named IRR.RADMIN.* in the FACILITY class.

  Note:

  This resource may already be defined to your installation.

• From a TSO command line (or Option 6 of ISPF), issue the following CA ACF2 command:

  PERMIT IRR.RADMIN.* CLASS(FACILITY) ID(STARTER) ACCESS(READ)
  
  

  This command grants READ access to the IRR.RADMIN.* resource for the User ID STARTER (the User ID that the starter task runs under). This allows the starter task to issue CA ACF2 commands.

• From a TSO command line (or Option 6 of ISPF), issue the following CA ACF2 command:

  ALTUSER STARTER SPECIAL
  
  

  This command grants the SPECIAL attribute to User ID STARTER, which allows the started task to access and modify CA ACF2 User Profiles.

• Issue the following command from a TSO command line (or Option 6 of ISPF):

  SETROPTS RACLIST(FACILITY) REFRESH
  
  

  This command updates the in-storage tables of CA ACF2 to immediately activate the definitions that you create.

• Once the required CA ACF2 definitions are in place, exit from ISPF.

Building and Operation of the Starter Tasks

There are two different JCLs to setup and run Provisioning Connector and Reconciliation Connector. You can use these two JCL files for the basis of a starter task definition.

Note:

The JCLs have a time set of 1440 on the jobs.

The parameters for RUNPIONX.txt are:

• TCPN, the name of the TCP process

• IPAD, the IP address of machine that Provisioning Connector is running on

• PORT, the port that we are listening on

• DEBUG, the debug switch for showing the extra output

The parameters for RUNVOYAX.txt

• TCPN, the name of the TCP process

• IPAD, the IP address of machine that Reconciliation Connector is connection to

• PORT, the port that we are talking to

• DEBUG, the debug switch for showing the extra output

Source code for each program is:

RUNPIONX:
 
//ADCDMPPT JOB SYSTEMS,MSGLEVEL=(1,1),MSGCLASS=X,CLASS=A,PRTY=8, 
//  NOTIFY=&SYSUID,REGION=4096K          
//PIONEERX EXEC PGM=PIONEERX,REGION=0M,TIME=1440, 
//  PARM=('TCPN=TCPIP',           
//     'IPAD=192.168.1.231',  
//     'PORT=5790',
//     'DEBUG=Y')              
//STEPLIB DD DISP=SHR,DSN=IDF.LINKLIB       
//     DD DISP=SHR,DSN=TCPIP.SEZATCP
//SYSPRINT DD SYSOUT=X                 
//SYSUDUMP DD SYSOUT=X             
//                     
 
 
RUNVOYAx:
 
//ADCDMRVX JOB SYSTEMS,MSGLEVEL=(1,1),MSGCLASS=X,CLASS=A,PRTY=8,  
//  NOTIFY=&SYSUID,REGION=4096K          
//RECONCILIATION CONNECTORX EXEC PGM=RECONCILIATION CONNECTORX,REGION=0M,TIME=1440,     
//  PARM=('TCPN=TCPIP',                  
//     'IPAD=192.168.1.183',  
//     'PORT=5190',
//     'DEBUG=Y')                 
//STEPLIB DD DISP=SHR,DSN=IDF.LINKLIB        
//     DD DISP=SHR,DSN=TCPIP.SEZATCP
//SYSPRINT DD SYSOUT=X               
//SYSUDUMP DD SYSOUT=X             
// 

Batch Loading of ACIDS

The provisioning connector and the LDAP console have the ability to load ACIDs from a file into the conversion process and provision identity management product database records in a set of automated tasks. This facility is useful in loading the new identity management system from the existing CA ACF2 security database. This requires the JCL added to the start up task Job Control for the Provisioning Connector.

//VSAMGETU DD DISP=SHR,DSN=USR99S.FEEDFILE.SORTED

The data set name (USR99S) reflects the output of the sort in step 3 below. The LDAP console will then provide a list of ACIDS for which automated information can be obtained and the new database loaded.

In the IDF.CNTL library, you will find a task called UPLOAD. The current task is a three-step process. The first step utilizes an CA ACF2 utility to create sequential records from the CA ACF2 security database. These records do not contain passwords so as to protect the confidential nature of the information.

The second step utilizes an IBM utility to extract only the ACID from each record.

The third step sorts the ACIDs. This sort is done so that as the ACIDs are fed in and propagated across systems, they are processed sequentially and in proper order to aid the performance of the load process.