The RACF resource adapter supports management of user accounts and memberships on an OS/390 mainframe via the IBM Host Access Class Library APIs. The adapter manages RACF over a TN3270 emulator session.

The RACF resource adapter is defined in the com.waveset.adapter.RACFResourceAdapter class.

Resource Configuration Notes

Identity Manager Installation Notes

The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

To add the RACF resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

com.waveset.adapter.RACFResourceAdapter

Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation.


Connection Manager	JAR Files
Host On Demand	The IBM Host Access Class Library (HACL) manages connections to the mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, and V9.0. However, if the toolkit installation is not available, the HOD installation contains the following JAR files that can be used in place of the habeans.jar: habase.jar hacp.jar ha3270.jar hassl.jar hodbase.jar See http://www.ibm.com/software/webservers/hostondemand/ for more information.
Attachmate WRQ	RWebSDK.jar wrqtls12.jar profile.jaw

Add the following definitions to the Waveset.properties file to define which service manages the terminal session:

serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value

Value can be set as follows:

1 — IBM Host On--Demand (HOD)

3 — Attachmate WRQ

If these properties are not explicitly set, then Identity Manager attempts to use WRQ first then HOD.

Restart your application server so that the modifications to the Waveset.properties file can take effect.

See Mainframe Connectivity for information about configuring SSL connections to the resource.

Usage Notes

This section provides information related to using the RACF resource adapter, which is organized into the following sections:

Administrators

TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Identity Manager RACF operations can occur at the same time.You should create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).

Resource Actions

The RACF adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.


Note	Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource. If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.

See Mainframe Examples for more information about creating login and logoff resource actions.

SSL Configuration

See Mainframe Connectivity for information about setting up an SSL connection to a RACF resource.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Required Administrative Privileges

To define or change information in a non-base segment of a user profile, including your own, you must have the SPECIAL attribute or at least UPDATE authority to the segment through field-level access checking.

To list the contents of a user profile or the contents of individual segments of the user profile, use the LISTUSER command.

To display the information in a non-base segment of a user profile, including your own, you must have the SPECIAL or AUDITOR attribute or at least READ authority to the segment through field-level access checking.

Provisioning Notes

Account Attributes

Feature	Supported?
Enable/disable account	Yes
Rename account	Yes
Pass-through authentication	No
Before/after actions	Yes
Data loading methods	Import directly from resource Reconciliation


Resource User Attribute	Data Type	Description
GROUPS	String	The groups assigned to the user
GROUP-CONN-OWNERS	String	Group connection owners
USERID. Required	String	Required. The user’s name
MASTER CATALOG	String	Master catalog
USER CATALOG	String	User catalog
CATALOG ALIAS	String	Catalog alias
OWNER	String	The owner of the profile
NAME	String	The user’s name
DATA	String	Installation-defined data
DFLTGRP	String	The user’s default group
EXPIRED	Boolean	Indicates whether to expire the password
PASSWORD INTERVAL	String	Password interval
TSO.ACCTNUM	String	The user’s default TSO account number at logon
TSO.COMMAND	String	The default command at logon
TSO.HOLDCLASS	String	The user’s default TSO hold class
TSO.JOBCLASS	String	The user’s default TSO job class
TSO.MAXSIZE	Int	The maximum TSO region size the user can request during logon
TSO.MSGCLASS	String	The user’s default TSO message class
TSO.PROC	String	The name of the user’s default TSO logon procedure
TSO.SIZE	Int	The minimum TSO region size if the user does not request a region size during logon
TSO.SYSOUTCLASS	String	The user’s default TSO SYSOUT class
TSO.UNIT	String	The default name of a TSO device or group of devices that a procedure uses for allocations
TSO.USERDATA	String	Installation-defined data
OMVS.ASSIZEMAX	Int	User’s OMVS RLIMIT_AS (maximum address space size)
OMVS.CPUTIMEMAX	Int	User’s OMVS RLIMIT_CPU (maximum CPU time)
OMVS.FILEPROCMAX	Int	User’s OMVS maximum number of files per process
OMVS.HOME	String	The user’s0 OMVS home directory path name
OMVS.MMAPAREAMAX	Int	User’s OMVS maximum memory map size
OMVS.PROCUSERMAX	Int	User’s OMVS maximum number of processes per UID
OMVS.PROGRAM	String	The user’s initial OMVS shell program
OMVS.THREADSMAX	Int	User’s OMVS maximum number of threads per process
OMVS.UID	String	The user’s OMVS user identifier
CICS.OPCLASS	String	The CICS operator classes for which the user will receive BMS (basic mapping support) messages
CICS.OPIDENT	String	The user’s CICS operator identifier
CICS.OPPRTY	String	The user’s CICS operator priority
CICS.TIMEOUT	String	The amount of time that the user can be idle before being signed off by CICS
CICS.XRFSOFF	String	A setting that indicates whether the user will be signed off by CICS when an XRF takeover occurs
NETVIEW.CONSNAME	String	MCS console identifier
NETVIEW.CTL	String	Specifies GLOBAL, GENERAL, or SPECIFIC control
NETVIEW.DOMAINS	String	Domain identifier
NETVIEW.IC	String	Initial command or list of commands to be executed by NetView when this NetView operator logs on
NETVIEW.MSGRECVR	String	Indicates whether the operator will receive unsolicited messages (NO or YES)
NETVIEW.NGMFADMN	String	Indicates whether this operator can use the NetView graphic monitor facility (NO or YES)
NETVIEW.NGMFVSPN	String
NETVIEW.OPCLASS	String	Class of the operator

Identity Template

Sample Forms

Built-In

Also Available

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

Previous Contents Index Next
Sun Java[TM] System Identity Manager 7.1 Resources Reference