Sun Java[TM] System Identity Manager 7.1 Resources Reference |
RACF LDAPThe RACF LDAP resource adapter supports management of user accounts and memberships on an OS/390 mainframe. Whenever possible, the adapter connects to the LDAP server included within the z/OS Security Server to manage user accounts. All other functions are handled by standard calls to the RACF system.
The RACF LDAP resource adapter is defined in the com.waveset.adapter.RACF_LDAPResourceAdapter class.
This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter for information about implementing LDAP features.
Resource Configuration Notes
The Z/OS Security Server must be installed on the same machine that serves as the source of RACF accounts.
Identity Manager Installation Notes
The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
- To add the RACF LDAP resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.RACF_LDAPResourceAdapter
- Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation.
Connection Manager
JAR Files
Host On Demand
The IBM Host Access Class Library (HACL) manages connections to the mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, and V9.0.
However, if the toolkit installation is not available, the HOD installation contains the following JAR files that can be used in place of the habeans.jar:
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
Attachmate WRQ
- Add the following definitions to the Waveset.properties file to define which service manages the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=ValueValue can be set as follows:
- Restart your application server so that the modifications to the Waveset.properties file can take effect.
- See Mainframe Connectivity for information about configuring SSL connections to the resource.
Usage Notes
Administrators
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Identity Manager RACF operations can occur at the same time.You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).
Resource Actions
The RACF LDAP adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.
See Mainframe Examples for more information about creating login and logoff resource actions.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 connections to communicate with the resource.
See Mainframe Connectivity for information about setting up an SSL connection to a RACF LDAP resource.
Required Administrative Privileges
The administrators that connect to the RACF LDAP resource must be assigned sufficient privileges to create and manage RACF users.
The user specified in the User DN resource parameter field must have the ability to read, write, delete, and add users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature
Supported?
Enable/disable account
Yes
Rename account
Yes
Pass-through authentication
No
Before/after actions
Yes
Data loading methods
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as it is boolean, string, or integer in nature. Octet strings are NOT supported.
Default Account Attributes
The following attributes are displayed on the Account Attributes page for the RACF LDAP resource adapters.
Default Supported Object Classes
By default, the RACF LDAP resource adapter uses the following object classes when creating new user objects in the LDAP tree. Other object classes may be added.
Resource Object Management
None
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following classes: