4 Installing and Configuring the Agents of the CA Top Secret Connector on the Mainframe

Install the Provisioning Agent - Pioneer and Reconciliation Agent - Voyager of the CA Top Secret connector on the mainframe. These agents communicate with the LDAP Gateway during connector operations.

• Installation Requirements for Agents

• Installing the Mainframe Agents

• Configuring the Mainframe Agents

• Configuring Logging

• Customizing the Reconciliation Exit (TSSINSTX)

• Activating and Deactivating Reconciliation Exits

• Operator Interface for Mainframe Agents

Installation Requirements for Agents

These are the software and environmental setting requirements for installing the Provisioning Agent - Pioneer and Reconciliation Agent - Voyager.

Verifying Installation Requirement

Ensure that the mainframe system on which you intend to install Pioneer and Voyager meet the following requirements:

Table 4-1 Installation Requirements for Agents

Item	Requirement
Operating System	IBM z/OS 2.2, 2.3
Message Transport Layer	TCP/IP
CA Top Secret Identity Repository	Verify that the current patch for z/OS is installed.
Target system user account for the Provisioning Agent - Pioneer and Reconciliation Agent - Voyager	CA Top Secret-authorized user account with System Administrators privileges.

Note:

Both the Voyager and Pioneer Agents must have CA Top Secret ACIDs defined on the CA Top Secret database. These ACIDs must have at least the permissions of the System Administrators group on the mainframe. These user accounts have permissions above those of ordinary administrators on the mainframe, which include Read, Write, Execute, and Modify privileges. Voyager and Pioneer use Language Environment. The following are the recommended Language Environment runtime options that avoid issues when installing Voyager and Pioneer:

• ALL31(ON)
• HEAP(32768,32768,ANYWHERE,KEEP,8192,4096)
• STACK(131072,131072,ANYWHERE,KEEP,524288,524288)

Environmental Settings and Other Requirements

Ensure that the following requirements are met on the mainframe:

• Voyager and Pioneer each require approximately a 2-megabyte region to work. In addition, a subpool is created to contain the reconciliation changes for Voyager to access and send to the LDAP gateway. The subpool is in ECSA and is generally a small, temporary staging area for reconciliation requests. If there is an outage, Voyager saves the encryped messages from the subpool to the //CACHESAV ddname in the Voyager STC. When Voyager is restarted and the subpool is rebuilt, the CACHESAV file is read and the messages are reloaded into the subpool. Once the LDAP gateway connects, the subpool data is sent to the LDAP.
• A CA Top Secret ACID profile is required to start both Voyager and Pioneer. An IBM type userid such as START2 or START2 can be used to perform this function. The Voyager Agent operates by using the Installation Exit, TSSINSTX, CA Top Secret. The IDF – TSSINSTX is passive. It does not change any z/OS storage. The storage area for collected CA Top Secret events is created by using STARTUP and only referenced by the TSSINSTX exit and is fully re-entrant.
• Once the TSSINSTX module is enabled either by using the TSS control file or Operator command, the TSS events are queued into the subpool. If STARTUP has not been executed, then these TSS events or messages will be lost. You can recover these TSS events ot messages by performing a full import reconciliation process.
• The TSSINSTX caching mechanism uses Storage Tokens and is safe. No operating system integrity can or will be lost with its usage. The storage is obtained by using the STORAGE OBTAIN macros and is in the ECSA. After storage is obtained, the storage token anchors are inserted. These are checked for by Voyager. If they are not present, then Voyager issues a message and shuts down.

Maintaining a specific password format is an example of the objective for which you use custom exits.

The IDF modified TSSINSTX has multiple exit points to capture CA Top Secret events. The exit points are:

• Pre-Init
• TSS command
• Post-Init
• New Password Verification
• Action (exit)
• Site Via RACHECK

When the exit is enabled, it will collect TSS events and cache them in a storage subpool. In addition, TSSINSTX calls IDFCACHE, which is the CA Top Secret caching module.

Note:

As the systems programmer, you must do an IPL after a system component is changed or modified.

Installing the Mainframe Agents

The CA Top Secret connector is shipped with a pair of agents, one for provisioning (Pioneer) and one for real-time reconciliation (Vogayer). If real-time reconciliation is not required, then install and start only the provisioning agent.

1. On the computer hosting the mainframe, extract the contents of the TOPSECRET-<TIMESTAMP>-<VERSION>.zip file located in the connector installation media.
   The following XMIT files are extracted:

   • CLISTLIB.XMIT
   • JCLLIB.XMIT
   • LINKLIB.XMIT
   • PARMLIB.XMIT
   • PROCLIB.XMIT
2. Transmit the extracted XMIT files to z/OS by using the following specifications:
   • RECFM=FB
   • LRECL=80
   • BLKSIZE=3120
   • DSORG=PS
   For example, you can use 3270 or FTP to transfer the files.
   The following datasets will exist on z/OS:

   • <HLQ>.CLISTLIB.XMIT
   • <HLQ>.JCLLIB.XMIT
   • <HLQ>.LINKLIB.XMIT
   • <HLQ>.PARMLIB.XMIT
   • <HLQ>.PROCLIB.XMIT

   Note:

   In the preceding list, <HLQ> is the high-level-qualifier used when transmitting the files to z/OS.
3. For each of the XMIT files that have been transmitted, execute the following command at the TSO prompt: TSO RECEIVE INDA('<HLQ>.<FILE>.XMIT') .
   When prompted to specify restore parameters, enter DA('<HLQ>.<FILE>') .

   For example, if the high-level qualifier is IDF and the file is CLISTLIB.XMIT, then execute the following command:

   TSO RECEIVE INDA('IDF.CLISTLIB.XMIT')

   When prompted, respond with: DA('IDF.CLISTLIB')

   The following datasets will exist on z/OS:

   • <HLQ>.CLISTLIB
   • <HLQ>.JCLLIB
   • <HLQ>.LINKLIB
   • <HLQ>.PARMLIB
   • <HLQ>.PROCLIB

   Note:

   In the preceding list, <HLQ> is the high-level-qualifier used when receiving the previously transmitted files.
4. Edit each of the following installed job streams to replace any placeholders in them with actual values.
   • <HLQ>.CLISTLIB.ENVINFO
   • <HLQ>.JCLLIB.CREATDSN
   • <HLQ>.JCLLIB.IEBCOPYL
   • <HLQ>.JCLLIB.IEBCOPYP
   • <HLQ>.JCLLIB.IEBCPYPR
   • <HLQ>.JCLLIB.KEYMODR
   • <HLQ>.PARMLIB.PROGID

     Note:

     In the preceding job stream, update the ++vol++ placeholder with the VOLUME from where you have received LINKLIB.
   • <HLQ>.PROCLIB.PIONEER
   • <HLQ>.PROCLIB.STARTUP
   • <HLQ>.PROCLIB.STARTUP
   • <HLQ>.PROCLIB.VOYAGER
   • <HLQ>.PROCLIB.WRAPUP
   • <HLQ>.JCLLIB.IEBCPYCL
   • <HLQ>.JCLLIB.LOADDSN
   • <HLQ>.JCLLIB.CREATEXP
   • <HLQ>.JCLLIB.IDCAMSC
   • <HLQ>.JCLLIB.IEBCPYRX
   • <HLQ>.JCLLIB.PSAMCTL1
   • <HLQ>.JCLLIB.REXXCL
   • <HLQ>.JCLLIB.TOPSDEF
   • <HLQ>.JCLLIB.TSSCFLE

   Note:

   In the preceding list, <HLQ> is the high-level-qualifier used when receiving the previously transmitted files.

   The following table lists the installation placeholders found in job streams, their description, and example.

   Table 4-2 Installation Placeholders

   Placeholder	Description	Example
   ++hlq++	The high-level qualifier where the mainframe agent is to be installed. You must include all the multiple segments, if any.	IDF.PROD
   ++hlq1++	The top-most segment of the high-level qualifier where the mainframe agent is to be installed	IDF
   ++vol++	The volume where the mainframe agent is to be installed.	SDWRK1
   ++lpalib++	The DSN of the data set that contains customized lpalibs. Customize based on the z/OS environment.	USER.LPALIB
   ++parmdtr++	The name of the PARMLIB XMIT that was trasmitted to z/OS (without the .XMIT).	<HLQ>.PARMLIB
   ++parmlib++	The DSN of the data set that contains customized parmlibs. Customize based on z/OS environment.	USER.PARMLIB
   ++procdtr++	The name of the PROCLIB XMIT that was trasmitted to z/OS (without the .XMIT).	<HLQ>.PROCLIB
   ++proclib++	The DSN of the data set that contains customized proclibs. Customize based on z/OS environment.	USER.PROCLIB
   ++linkdtr++	The name of the LINKLIB XMIT that was trasmitted to z/OS (without the .XMIT).	<HLQ>.LINKLIB
   ++linklib++	The DSN where the LINKLIB XMIT that was received.	<HLQ>.LINKLIB
   ++rexxdtr++	The name of the CLISTLIB XMIT that was trasmitted to z/OS (without the .XMIT).	<HLQ>.CLISTLIB
   ++rexxlib++	The DSN where the CLISTLIB XMIT that was received.	<HLQ>.CLISTLIB
   ++pionprms++	The DSN of the control (configuration) file for the provisioning agent.	PIONEER.CONTROL.FILE
   ++voyprms++	The DSN of the control (configuration) file for the reconciliation agent.	VOYAGER.CONTROL.FILE
   ++pionlog++	The DSN of the control log (configuration) file for the LOGGERX feature of provisioning agent.	PIONEER.CONTROL.LOG
   ++voyglog++	The DSN of the control log (configuration) file for the LOGGERX feature of reconciliation agent.	VOYAGER.CONTROL.LOG
   ++pstcuserid++	The ACID of the user to be created for running the provisioning agent STC.	PIONEER
   ++vstcuserid++	The ACID of the user to be created for running the reconciliation agent STC.	VOYAGER
   ++pstcnm++	The name / description for the provisioning agent STC.	'PIONEER STARTED TASK'
   ++vstcnm++	The name / description for the reconciliation agent STC.	'VOYAGER STARTED TASK'
   ++pstcuid++	The OMVS UID assigned to the provisioning agent STC. Customize based on z/OS environment.	80
   ++vstcuid++	The OMVS UID assigned to the reconciliation agent STC. Customize based on z/OS environment.	90
   ++stcgrp++	The group assigned to the provisioning and reconciliation agent STCs. Ensure the group has UID(0) or BPX.SUPERUSER assigned. Customize based on z/OS environment.	OMVSGRP
   ++secgrp++	The Secure ID user default group.	IDFSGRP
   ++secuid++	The Secure ID user ACID.	IDFAGNT
   ++secidnm++	The Secure ID name.	SECURE_ID
   ++cailink++	The CA Linklist Library DSN. Customize based on Top Secret environment.	CAI.CAKOLINK

   For example, in the following snippet from CREATEDSN, replace the placeholders ++hlq++ and ++vol++ with values such as IDF.PROD and SDWRK1:

   //*
   //S1       SET  PHLQ=++hlq++.PIONEER
   //S2       SET  VHLQ=++hlq++.VOYAGER
   //S3       SET  PVOL=++vol++
   //S4       SET  VVOL=++vol++
   //*

   The following snippet displays the placeholders replaced with values:

   //*
   //S1       SET  PHLQ=IDF.PROD.PIONEER
   //S2       SET  VHLQ=IDF.PROD.VOYAGER
   //S3       SET  PVOL=SDWRK1
   //S4       SET  VVOL=SDWRK1
   //S5       SET THLQ=IDF.PROD
   //*

5. Execute each of the following job streams in the order as shown in the following table to complete installation.

   Table 4-3 Job Streams to Execute

   Job Stream	Description
   <HLQ>.JCLLIB.IEBCOPYP	Copies PARMLIB members to user PARMLIB.
   <HLQ>.JCLLIB.IEBCPYPR	Copies PROCLIB members to user PROCLIB.
   <HLQ>.JCLLIB.IEBCPYCL	Copies Rexx execs to user Rexx library.
   <HLQ>.JCLLIB.IEBCOPYL	Copies exit routines to use LPA library.
   <HLQ>.JCLLIB.CREATDSN	Allocates run time data sets, deleting the data sets first if they already exist.
   <HLQ>.JCLLIB.CREATEXP	Allocates run time EXPORTIN data set.
   <HLQ>.JCLLIB.LOADDSN	Copies PIONEER & VOYAGER configuration (control) files.
   <HLQ>.JCLLIB.TOPSDEL	Deletes pre-existing users accounts and privileges on these user accounts required to execute agent STCs.
   <HLQ>.JCLLIB.TOPSDEF	Defines users and permissions required to run the mainframe agent STCs.

The installation of the provisioning and reconciliation agents, Pioneer and Voyager, is complete. At this point, you can optionally remove the XMIT datasets that were originally transmitted to z/OS.

Configuring the Mainframe Agents

After installing Pioneer and Voyager, you must configure the mainframe agents to receive requests from and send responses to the LDAP gateway.

This section discusses the following topics:

• Configuring the Provisioning Agent

• Configuring the Reconciliation Agent

Configuring the Provisioning Agent

You must configure the provisioning agent to receive requests from the LDAP gateway, which originates from Oracle Identity Manager.

Edit the <HLQ>.PIONEER.CONTROL.FILE file to configure the behavior of the provisioning agent. Here, <HLQ> is the high-level-qualifier that you specified while installing the agents.

Table 4-4 Parameters of the Pioneer Control File

Parameter	Value	Description
TCPN	TCPIP	The name of the TCP/IP STC where the agent is executing.
IPAD	0.0.0.0	Do not change.
PORT	9999	The TCP/IP port that the agent will listen on.
CRLF	Y or N	If this flag is set to Y, then mainframe sends a response with carriage line feed. You must set the value of this parameter to Y for version 6+ of the LDAP Gateway. Set to N for version 5.
ESIZE	16	This is the only valid value. This parameter is for the AES128 encryption and decryption.
POST_PROC_ALIAS	T or F	If you set the value of this parameter to T, then all LDAP Alias requests are processed. If you set it to F, then all LDAP Alias requests are rejected.
RWAIT	0 or 999 (in seconds)	Enter the number of seconds the agent must wait before executing the jobs submitted by the batch recon.
JWAIT	0 or 999 (in seconds)	Enter the number of seconds the agent must wait before executing the IDCAMS jobs.
QUEUE_DSN	IDF.SEARCH	Max 44 character DSN used with RWAIT for recons. This DSN does not need allocated or deleted.
EXPORT_MON	NO or YES, REC=X	Monitor XML imports displaying a message every X ACIDS.
IP	V4 or V6	IP version to be used for communication between LDAP gateway and PIONEER agent. Value V4 would be used as an IPv4 based IP address or hostname for communication. (e.g. In tops.properties value for host=192.168.100.0) Value V6 would be used as an IPv6 based IP address or hostname for communication. (e.g. In tops.properties value for host=FE80::A0:A001:A0:A0A0%tap0) Default value is V4, when not specified in <HLQ>.PIONEER.CONTROL.FILE.
DEBUG	Y or N	This parameter is deprecated.
IDLEMSG	Y or N	This parameter is deprecated.
DEBUGOUT	SYSOUT, CLASS(X)	This parameter is deprecated.
SPIN_CLASS	X	This parameter is deprecated.
AUDIT_LOG	YES or NO	This parameter is deprecated.

Postprocessing Procedure for the Provisioning Agent

If the provisioning agent requires post processing for it to run, then you must add additional statements to the Pioneer control file as follows:

C=CREATE,M=TESTA,L=TEST.TESTA
C=ADDTO,M=TESTB,L=TEST.TESTB
C=REMOVE,M=TESTC,L=TEST.TESTC
Control file ( //PARMFLE ) explanations:

By default, the post-processing submits member (M=) from PDS library (L=) for every CREATE, ADDTO, REMOVE done on TSS. The post-processing takes place on every command added to the Pioneer control file. This library is dynamically allocated to Pioneer and later freed. If no post-processing is required, then do not code the C= for the TSS command. For example, C=CREATE …… C=ADDTO ….

Pioneer post-processes the TSS commands received from the LDAP for CREATE and ADDTO. By default, the following parameters are passed to only a clist:

• CREATE - ACID
• ADDTO - ACID and KEYWORD
• REMOVE - ACID and KEYWORD

The REXX clist should have the following line to accept the parameters:

/* rexx sample clist */
Arg p1 p2

The Library specified with L= parameter and the member with M= parameter should contain batch JCL to execute REXX Clist.

The following is a sample job using the high-level qualifier of Pioneer:

//REXXCLST JOB SYSTEMS,MSGLEVEL=(1,1),MSGCLASS=X,CLASS=A,PRTY=8,
// NOTIFY=&SYSUID,REGION=0K
//STEP0 EXEC PGM=IKJEFT01,DYNAMNBR=50
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSPROC DD DISP=SHR,DSN=PIONEER.CLIST.LIBRARY
//SYSTERM DD DUMMY
//SYSTSIN DD *
/*

For postprocessing the commands (CREATE/ADDTO/REMOVE etc ) mentioned in the control file, Pioneer adds: %clistname P1 P2

Where clistname is the value specified with M= parameter in the control file for the corresponding command.

Note:

The JCL member name specified with the M= parameter in the control file and the corresponding REXX/Clist member name needs to be the same.

Configuring the Reconciliation Agent

You must configure the reconciliation agent to send incremental responses to the LDAP gateway.

Edit the <HLQ>.VOYAGER.CONTROL.FILE file to configure the behavior of the reconciliation agent. <HLQ> is the high-level qualifier that you specified while installing the agents.

Note:

Voyager keeps reading supbool 231 for any reconciliation events and processes them. Therefore, for efficient use of allocated subpool 231, it is recommended to have Voyager up and running, failing which condition of event loss may occur.

Table 4-5 Parameters of the Voyager Control File

Parameter	Value	Description
TCPN	TCPIP	The name of the TCP/IP STC where the agent is executing.
IPAD	999.999.999.999 or ldap.example.com	LDAP destination IP address or hostname (up to 40 characters).
PORT	9999	LDAP destination port that is listening to the incoming agent messages.
CRLF	Y or N	If this flag is set to Y, then mainframe sends a response with carriage line feed. You must set the value of this parameter to Y for version 6+ of the LDAP Gateway. Set to N for version 5.
ESIZE	16	This is the only valid value. This parameter is for the AES128 encryption and decryption.
CACHE_DELAY	0 to 999	This is the number of seconds that Voyager waits before issuing a write socket to the LDAP Gateway.
VOYAGER_ID	VOYAGER	This value will be included in the LDAP logs for diagnostic
CONNECT_RETRY	999	The number of times to retry when the LDAP connection is down.
CONNECT_INTV	10	The number of seconds between retries when the LDAP connection is down.
FAST_SHUTDOWN_NUM	Any 3-digit numeric value	A 3-digit numeric value representing a batch. Note: If you enter 0 or 1 as the value of this parameter, then this value is automatically defaulted to 100. Voyager uses this 3-digit numeric value to process the records prior to checking operator’s shutdown command. An explicit check for the shutdown command (/F VOYAGER,SHUTDOWN) is made only after processing each batch (of FAST_SHUTDOWN_NUM number of events). Whenever you enter the shutdown command, Voyager saves any remaining events (including events from subpool 231) to the disk (“cache save file”) file for processing them later and shuts the process down. If there is no shutdown command, then Voyager processes the next ‘batch’ of events. Re-polling (reading from subpool 231) will continue to happen after all events are processed (when events are less than 100 or after processing 100 events each).
IP	V4 or V6	IP version to be used for communication between LDAP gateway and VOYAGER agent. Value V4 would be used as an IPv4 based IP address or hostname for communication. (e.g. IPAD entry in VOYAGER.CONTROL.FILE = 192.168.100.10) Value V6 would be used as an IPv6 based IP address or hostname for communication. (e.g. IPAD entry in VOYAGER.CONTROL.FILE = fe80::74c3:eeff:fe1e:60fd) Default value is V4, when not specified in <HLQ>.VOYAGER.CONTROL.FILE.
PIONEER_DELETE_MSGS	Not applicable	The parameter is deprecated.
RECOVERY_INTERVAL	Not applicable	The parameter is deprecated.
DNS_RECOVERY_INTERVAL	Not applicable	The parameter is deprecated.
DEBUG	Y or N	This parameter is deprecated.
DEBUGOUT	SYSOUT, CLASS (X)	This parameter is deprecated.
CONNECT_MSGS	Y or N	This parameter is deprecated.
MSGID01	NO or YES,IDMV602E,X	This parameter is deprecated.

Configuring Logging

You can configure logging for both Pioneer and Voyager by editing the <HLQ>.PIONEER.CONTROL.LOG and <HLQ>.VOYAGER.CONTROL.LOG files, respectively, and setting values for various log parameters based on your requirement. For example, you can have complete control over the messages that you want to print or suppress and also the device over which the message must be printed. A separate control file is designed and used to control the functionality of logging through LOGGERX.

Logging Parameters

LOGGERX requires initial parameters setup for operating. This is achieved by using a control file (different from the control file for Pioneer). The parameters of this control file described in the following table.

Table 4-6 Logging Parameters

Parameter	Accepted Value	Description
LOGGERX_MSGID01	NO or YES,IDMV602E,X	If you want to suppress the IDMV602E recovery message, then set the value of this parameter to NO. If you want to display the IDMV602E recovery message, then set the value of the parameter to YES in the following format: YES,IDMV602E,X In this format, replace X with any number between 0 through 99, which specifies the number of times the recovery message IDMV602E must be displayed. For example, YES,IDMV602E,6. Note: This parameter is applicable only to the <HLQ>.VOYAGER.CONTROL.LOG file.
LOGGERX_SYSOUT_CLASS	A through Z	The value in this parameter determines the class where the SYSOUT messages must be rolled to. For example, if you set the value of this parameter to A, then all SYSOUT messages will be directed to class A. If you do not specify a value for this parameter, then by default, all SYSOUT messages are rolled to class A.
LOGGERX_LEVEL_ROUTING	MSG_TYPE:DEVICE In this format, replace: MSG_TYPE with types of messages such as INFO, WARN, ERR, or DBG. DEVICE with any combination of SYSOUT, CONSOLE, FILE, or NONE by using a vertical bar (|) as the delimiter.	This parameter controls the message logging based on message type. The value of this parameter must contain the message type and the devices on which it is to be printed. For example, if you set the value of this parameter to INFO:SYSOUT|CONSOLE, then it means that all Informational messages will be written on to SPOOL/SYSOUT and the mainframe operator console. The same is applicable for message types – WARN(Warning), EROR(Error) and DEBG(DEBUGOUT).
LOGGERX_XXXX where XXXX can be either INFO, WARN, EROR, DEBG, AUDT, or PARM	SYSOUT	Use this parameter to specify SYSOUT when the value of DEVICE in the LOGGERX_LEVEL_ROUTING parameter is FILE. When the value is passed as SYSOUT, the file is created in the SPOOL as part of job output. For example, consider that the value of the LOGGERX_LEVEL_ROUTING parameter is set to WARN:FILE. In such a case, the entry LOGFILE_WARN=SYSOUT means that the job output will contain a file by the name WARNOUT that will contain warning messages.
LOGGERX_MSG_ROUTING	MSGID:DEVICE In this format, replace: MSGID with the message ID corresponding to a message text. DEVICE with any combination of SYSOUT, CONSOLE, FILE, or NONE by using the vertical bar (|) as the delimiter.	Use this parameter to redirect messages to a different device or suppress individual message based on message IDs. This parameter overrides the message levels set in the LOGGERX_LEVEL_ROUTING parameter. For example, the entries LOGGERX_MSG_ROUTING=IDFRPI001:NONE and LOGGERX_MSG_ROUTING=IDFRPI002:FILE combined with LOGGERX_LEVEL_ROUTING=INFO:CONSOLE mean that all Informational messages will go out on CONSOLE except, IDFRPI001(suppressed) and IDFRPI002(written on a file). You can provide 999 message IDs for each agent. In other words, you can choose to override, suppress, or redirect any number of messages. For a comprehensive list of message IDs and the corresponding message text, see Pioneer and Voyager Messages.
LOGGERX_FILE_MSG	SYSOUT	This parameter is used when FILE is specified as the Device type in the LOGGERX_MSG_ROUTING parameter to route all message ID- specific messages to MSGOUT in the spool. This parameter accepts a value of SYSOUT. When the value is passed as SYSOUT, the file is (MSGOUT) created in the SPOOL as part of job output. For example, the entry LOGFILE_MSG=SYSOUT means that the job output will contain a file by the name MSGOUT that contains messages corresponding to the message ID provided in the value of the LOGGERX_MSG_ROUTING parameter with the destination device as FILE.
LOGGERX_DEBUG	Y or N	This parameter is deprecated in v6.0.0 and later versions of the Mainframe agents.
LOGGERX_SPIN_CLASS	X	This parameter is deprecated in v6.0.0 and later versions of the Mainframe agents.
LOGGERX_AUDIT_LOG	YES or NO	This parameter is deprecated in v6.0.0 and later versions of the Mainframe agents.
LOGGERX_CONNECT_MSGS	Y or N	This parameter is deprecated in v6.0.0 and later versions of the Mainframe agents.

Important Use Case of the Log File

1. LOGGERX_LEVEL_ROUTING=INFO:FILE

   • LOGGERX_LEVEL_ROUTING=AUDT:FILE
   • LOGGERX_LEVEL_ROUTING=WARN:FILE
   • LOGGERX_LEVEL_ROUTING=ERR:FILE
   • LOGGERX_LEVEL_ROUTING=DBG:FILE
   • LOGGGERX_FILE_WARN=SYSOUT
   • LOGGGERX_FILE_INFO=SYSOUT
   • LOGGGERX_FILE_AUDT=SYSOUT
   • LOGGGERX_FILE_DEBG=SYSOUT
   • LOGGGERX_FILE_EROR=SYSOUT

   The above combination results in all INFO, AUDT, WARN, ERR, and DBG messages written onto INFOOUT, AUDOUT, WARNOUT, ERROROUT and DEBUGOUT, respectively, in spool/Sysout.

2. LOGGERX_LEVEL_ROUTING=INFO:FILE|SYSOUT
   • LOGGERX_LEVEL_ROUTING=AUDT:FILE|SYSOUT
   • LOGGERX_LEVEL_ROUTING=WARN:FILE|SYSOUT
   • LOGGERX_LEVEL_ROUTING=ERR:FILE|SYSOUT
   • LOGGERX_LEVEL_ROUTING=DBG:FILE|SYSOUT
   • LOGGGERX_FILE_WARN=SYSOUT
   • LOGGGERX_FILE_INFO= SYSOUT
   • LOGGGERX_FILE_AUDT=SYSOUT
   • LOGGGERX_FILE_DEBG= SYSOUT
   • LOGGGERX_FILE_EROR= SYSOUT

   The above combination results in all INFO, AUDT, WARN, ERR, DBG messages written onto INFOOUT, AUDOUT, WARNOUT, ERROROUT, and DEBUGOUT, respectively, in spool and all the messages will also be written onto SYSOUT file in job output.

3. LOGGERX_LEVEL_ROUTING=INFO:FILE|SYSOUT|CONSOLE

   • LOGGERX_LEVEL_ROUTING=AUDT:FILE|SYSOUT|CONSOLE
   • LOGGERX_LEVEL_ROUTING=WARN:FILE|SYSOUT|CONSOLE
   • LOGGERX_LEVEL_ROUTING=ERR:FILE|SYSOUT|CONSOLE
   • LOGGERX_LEVEL_ROUTING=DBG:FILE|SYSOUT|CONSOLE
   • LOGGGERX_FILE_WARN=SYSOUT
   • LOGGGERX_FILE_INFO= SYSOUT
   • LOGGGERX_FILE_AUDT= SYSOUT
   • LOGGGERX_FILE_DEBG= SYSOUT
   • LOGGGERX_FILE_EROR= SYSOUT

   The above combination results in all INFO, AUDT, WARN, ERR, and DBG messages written onto INFOOUT, AUDOUT, WARNOUT, ERROROUT and DEBUGOUT, respectively, in spool and all the messages will also be written onto SYSOUT file in job output and on the mainframe operator console.

4. LOGGERX_LEVEL_ROUTING=INFO:NONE|SYSOUT|CONSOLE

   • LOGGERX_LEVEL_ROUTING=AUDT:NONE
   • LOGGERX_LEVEL_ROUTING=WARN:NONE|SYSOUT|CONSOLE
   • LOGGERX_LEVEL_ROUTING=ERR:NONE|SYSOUT|CONSOLE
   • LOGGERX_LEVEL_ROUTING=DBG:NONE|SYSOUT|CONSOLE
   • LOGGGERX_FILE_WARN=SYSOUT
   • LOGGGERX_FILE_INFO= SYSOUT
   • LOGGGERX_FILE_AUDT=SYSOUT
   • LOGGGERX_FILE_DEBG= SYSOUT
   • LOGGGERX_FILE_EROR= SYSOUT
   • LOGGERX_MSG_ROUTING=IDMP000I :CONSOLE
   • LOGGERX_MSG_ROUTING=IDMP010I :CONSOLE
   • LOGGERX_MSG_ROUTING=IDMP300I :CONSOLE
   • LOGGERX_MSG_ROUTING=IDMP001E:CONSOLE

   The above combinations results in all INFO, AUDT, WARN, ERR, and DBG messages being suppressed. Since NONE is specified it does not matter if other devices are specified too, the messages will be suppressed. However, as LOGGERX_MSG_ROUTING is also specified, the messages IDs IDMP000I, IDMP010I, IDMP300I, and IDMP001E are not suppressed and are displayed on the CONSOLE. This establishes that at any point of time, the LOGGERX_MSG_ROUTING parameter has a higher priority in deciding the message’s output device, than its corresponding LEVEL ROUTING

   Note:

   In the sample control log files, for Parm message output, logging is routed based on message IDs IDMP400I, IDMP401E, and IDMV400I. These are set to route to 'SYSOUT' device and needs to maintain to get the PARMOUT dataset created in SPOOL.

Customizing the Reconciliation Exit (TSSINSTX)

Learn about working with custom reconciliation exit routines.

Note:

If you have made changes to the standard TSSINSTX exit routine provided by CA Top Secret, then you must perform the procedure described in this topic. Skip this topic if you are using the default TSSINSTX exit.

• Understanding the Sample Exit

• Calling Custom Exits

Understanding the Sample Exit

You can customize the default TSSINSTX exit to meet any special requirements in your environment.

The <HLQ>.JCLLIB dataset includes several sample files such as a sample reconciliation exit (TSSINSTX) and a custom exit (CUSTINSX). Use the CUSTINSX file to include your custom logic for the reconciliation exit. Use the sample reconciliation exit (TSSINSTX) to call the CUSTINSX file that includes your custom logic.

The source in the sample reconciliation exit (TSSINSTX) includes a call to IDMWORKS' modified version of TSSINSTX (IDFINSTX) in EXIT0 (before exiting from the TSSINSTX exit).

The following is the sample source as seen under the label 'EXIT0':

* IDMWORKS Modification to call Real-time exit
* Starts at Label EXIT0 for 9 lines
*
EXIT0 DS 0H COMMON EXIT POINT
*** CODE BELOW ADDED TO CALL IDFINSTX (IDMWORKS' TSSINSTX) ***
SLR R15,R15
LR R1,R9 COPY PARMLIST ADDR TO R1
LR R11,R13 COPY WORKAREA ADDR TO R11
LA R13,WORKAREA
L R15,=V(IDFINSTX) LOAD ADDR OF CUSTOMER EXIT
BALR R14,R15 CALL IT
LR R13,R11
*** CODE ABOVE ADDED TO CALL IDFINSTX (IDMWORKS' TSSINSTX) ***

In addition, the sample reconciliation exit (TSSINSTX) source contains the label CUSTEXIT, which calls the module CUSTINSX (your custom version of TSSINSTX). The call part of the sample code is commented by specifying * in column 1 on each row as shown below:

*** CODE BELOW ADDED TO CALL CUSTOMER'S MODIFIED EXIT ***
**** UNCOMMENT BELOW CODE TO CALL CUSTOMIZED EXIT(CUSTINSX) ****
*CUSTEXIT DS 0H
* LR R1,R9
* LR R11,R13
* LA R13,WORKAREA
* L R15,=V(CUSTINSX)
* BALR R14,R15
* LR R13,R11
* B EXIT0
**** UNCOMMENT ABOVE CODE TO CALL CUSTOMIZED EXIT(CUSTINSX) ****
*** CODE ABOVE ADDED TO CALL CUSTOMER'S MODIFIED EXIT ***

Uncomment the code to update it as per your requirements.

Calling Custom Exits

You can call a custom TSSINSTX exit, for example CUSTINSX, from an IDF supplied TSSINSTX exit.

To do so:

1. In a text editor, open the sample reconciliation exit (TSSINSTX) file for editing. This file is located in the <HLQ>.JCLLIB dataset.
2. Locate the CUSTEXIT section and remove * from column 1 to uncomment the code block as specified in the comments. Ensure that the CUSTEXIT label is starting at column 1.
3. Add or uncomment (by removing * from column 1) the branch instruction to label CUSTEXIT (B CUSTEXIT) from the EXIT entry points where you have your changes.
   For example, in the sample TSSINSTX exit, the "B CUSTEXIT" exit is commented under the PREINIT, POSTINIT, PASSWORD, and COMMAND exit entry-points as shown in below snippet for the PREINIT entry point:

   PREINIT DS 0H
   *---------------------------------------------------------------------*
   * Customer user code here
   *---------------------------------------------------------------------*
   * USER CODE GOES HERE TO INTERPRET INITIATION
   * THIS IS INVOKED PRIOR TO OBTAINING ACID SECURITY RECORD FROM TSS
   * ONLY JOBNAME, ACID, TERMINAL, PASSWORD(S), INSTDATA, MODE,
   * MAY BE CHANGED
   *** CODE BELOW TO CALL CUSTOM CODE (UN-COMMENT TO DEMO IT) ***
   *** REFER TO PDF ADMIN GUIDE (Documentation) BEFORE MAKING CHANGES ***
   * WTO 'TSSINSTX PREINIT',ROUTCDE=11
   * B CUSTEXIT
   *** CODE ABOVE TO CALL CUSTOM CODE (UN-COMMENT TO DEMO IT) ***
   B EXIT0
   EJECT

4. Refer to the sample CUSTINSX source supplied in the <HLQ>.JCLLIB dataset.
5. Add the custom code in the CUSTINSX exit specific to the desired entry points. You can set return code to greater than zero for any undesired command or function so that in TSSINSTX, when checked for return code from CUSTINSX, further processing can be skipped. Use the general purpose register R15 for storing the return code and populate it with a value to set the return code value in CUSTINSX.

   For example, the following sample sets the return code to 8:

   EXIT8 LA R15,8 Set Return code to 8

6. Assemble and link-edit the CUSTINSX and TSSINSTX files (supplied in the <HLQ>.JCLLIB dataset and with a call to CUSTINSX uncommented). Thus, TSSINSTX calls CUSTINSX (your custom version of TSSINSTX) followed by IDMWORKS' TSSINSTX (IDFINSTX). A sample JCL (ASMJCL) file to assemble and link-edit CUSTINSX and TSSINSTX is also supplied in <HLQ>.JCLLIB. Change placeholders such as ++linklib++ and ++hlq++ with the site-specific Load library and Source dataset high-level qualifier, respectively and SUBMIT the job. Ensure the job completes with MAX-CC of 0 or 4.
7. Activate the reconciliation exit as described in Activating Reconciliation Exits. While doing so, ensure to copy the fresh version of TSSINSTX located in the CA Top Secret loadlib, usually CAI.CAKOLINK, from the site-specific Load library specified in ASMJCL.

Activating and Deactivating Reconciliation Exits

To make use of real-time reconciliation and the reconciliation agent, you must activate system exits for capturing and reacting to changes in the target system.

• Activating Reconciliation Exits

• Deactivating Reconciliation Exits

Activating Reconciliation Exits

Real-time reconciliation requires the activation of the TSSINSTX exit. The TSSINSTX exit captures commands passively and then passes them to a caching module.

The TSSINSTX exit that is available in the installation Loadlib library works by calling the IDFINSTX module. Before you activate the exit, you must copy the TSSINSTX and IDFCACHE modules into the Loadlib that is available in the installation Linklist. Then, refresh the Linklist ensuring caution during times of high system activity.

To activate the reconciliation exit:

1. Copy the TSSINSTX and IDFCACHE modules from the <HLQ>.LINKLIB dataset into the CA Top Secret loadlib, usually CAI.CAKOLINK, that is available in the installation Linklist.
2. Refresh the Linklist as follows:
   1. Verify that the TSSINSTX exit is inactive by running the F TSS,EXIT(OFF) command from the z/OS operator interface.
      The OKAY response is displayed on the master console.
   2. From the z/OS Master console, run the F LLA,REFRESH command.
      The LIBRARY LOOKASIDE REFRESHED message is displayed on the master console.
3. Run the F TSS,EXIT(ON) command and wait for the OKAY response to be displayed.

Deactivating Reconciliation Exits

Deactivate the system exits to disable the reconciliation of real-time changes to the target system.

To do so, run the following command from the z/OS operator interface:

F TSS,EXIT(OFF)

Operator Interface for Mainframe Agents

Both provisioning and reconciliation agents have an operator interface, and you can control the agents by passing commands through the interface.

The following topics are discussed in this section:

• Provisioning Agent Commands

• Reconciliation Agent Commands

Provisioning Agent Commands

Pass the Pioneer provisioning agent commands through the operator interface to control Pioneer.

Table 4-7 Provisioning Agent Commands

Command	Description
T PROG=ID	APF authorizes <HLQ>.LINKLIB - required to start the agent.
S PIONEER	Starts the agent.
F PIONEER,SHUTDOWN	Shuts down the agent.
F PIONEER,STATUS	Sends a status request to the agent.
F PIONEER,DEBUG=Y	Enables debug-level (detailed) log output.
F PIONEER,DEBUG=N	Disables debug-level (detailed) log output.

Note:

This interface through the z/OS modify command is a single-threaded system. Commands are queued and may take a few seconds before the agent acknowledges them.

Reconciliation Agent Commands

Pass the Voyager reconciliation agent through the operator interface to control Voyager.

Table 4-8 Reconciliation Agent Commands

Command	Description
T PROG=ID	APF authorizes <HLQ>.LINKLIB - required to start the agent.
S STARTUP	Allocates the subpool used to store reconciliation events - required for real-time reconciliation.
F TSS,EXIT(ON)	Activates system exits - required for real-time reconciliation as described in Activating Reconciliation Exits.
S VOYAGER	Starts the agent.
F VOYAGER,SHUTDOWN	Shuts down the agent.
F VOYAGER,STATUS	Sends a status request to the agent.
F VOYAGER,DEBUG=Y	Enables debug-level (detailed) log output.
F VOYAGER,DEBUG=N	Disables debug-level (detailed) log output.
F VOYAGER,IPAD=999.999.999.999,PORT=9999	Changes the IP address and port of the target LDAP Gateway.

Note:

The interface through the z/OS modify command is a single-threaded system. Commands are queued and take a few seconds before the agent acknowledges them.