Chapter 26 OS/400
The OS/400 resource adapter is defined in the com.waveset.adapter.OS400ResourceAdapter class.
Adapter Details
None.
Resource Configuration Details
None.
Identity Manager Installation Notes
The OS/400 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
Installing the OS400 Resource Adapter
-
Download version 2.03 of the JTOpen product from the following URL: http://jt400.sourceforge.net
-
Unzip the JTOpen file and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
You must contact IBM to obtain the jt400.jar file.
-
Copy the jt400.jar file to the InstallDir\WEB-INF\lib directory.
-
To add an OS/400 resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OS400ResourceAdapter
Usage Notes
Identity Manager supports three options for handling OS/400 objects that are associated with an account on an OS/400 resource. To enable this specialized support, you must use the OS400Deprovision form that is located in the Identity Manager sample directory. You must also edit the system configuration object. Instructions for editing this object are included in comments in the OS400Deprovision form. Once enabled, these options appear on the Delete Resource Accounts page when you choose to delete a user’s OS/400 resource account.
Available delete options are:
-
DLT. The user’s resource account and associated OS/400 objects are deleted.
-
NODLT. If the user has associated objects, his account is not deleted and associated OS/400 objects are not affected.
-
CHGOWN. The user’s resource account is deleted and associated OS/400 objects are assigned to a designated owner. CHGOWN is the default option. By default, OS/400 objects are assigned to the QDFTOWN profile.
Security Notes
This section provides information about supported connections and privilege requirements
Supported Connections
Identity Manager may use Secure Sockets Layer (SSL) to communicate with the OS/400 adapter. If so, the following product must be implemented:
-
SSL objects delivered in a V5R1 or later version of IBM iSeries Client Encryption licensed program 5722-CE2 or 5722-CE3.
This program contains the SSLight package, which is necessary for SSL connections from Identity Manager through the Java Toolbox installation on the OS/400 resource.
Required Administrative Privileges
The following administrative privileges are required for this adapter:
-
CRT: To add an OS/400 user, the administrator must have (1) *SECADM special authority, (2) *USE authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program if specified, and (3) *CHANGE and object management authorities to the group profile and supplemental group profiles, if specified.
-
CHG: You must have *SECADM special authority, and *OBJMGT and *USE authorities to the user profile being changed, can specify this command. *USE authority to the current library, program, menu, job description, message queue, print device, output queue, or ATTN key handling program is required to specify these parameters.
-
DLT: The user must have use (*USE) and object existence (*OBJEXIST) authority to the user profile. The user must have existence, use, and delete authorities to delete a message queue associated with and owned by the user profile. The user profile cannot be deleted if a user is currently running under the profile, or if it owns any objects and OWNOBJOPT(*NODLT) is specified. All objects in the user profile must first either be transferred to new owners by using the Change Object Owner (CHGOBJOWN) command or be deleted from the system. This can also be accomplished by specifying OWNOBJOPT(*DLT) to delete the objects or OWNOBJOPT(*CHGOWN user-profile-name) to change the ownership. Authority granted to the user does not have to be specifically revoked by the Revoke Object Authority (RVKOBJAUT) command; it is automatically revoked when the user profile is deleted.
-
DSP: The user name can be specified as USRPRF(*ALL) or USRPRF(generic*-user-name) only when TYPE(*BASIC) and OUTPUT(*OUTFILE) are specified.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
|
Feature |
Supported? |
|---|---|
|
Enable/disable account |
Yes |
|
Rename account |
No |
|
Pass-through authentication |
No |
|
Before/after actions |
Yes |
|
Data loading methods |
|
Account Attributes
The following table provides information about OS/400account attributes. All attributes are strings, unless indicated otherwise.
|
Resource User Attribute |
Description |
|---|---|
|
accountId |
Required. The user’s logon ID. |
|
password |
Required. The user’s password. This value is encrypted. |
|
ASTLVL |
Assistance level |
|
ATNPGM |
Attention-key-handling program |
|
CCSID |
Coded character set identifier |
|
CNTRYID |
Country identifier |
|
CURLIB |
Current library |
|
DAYS_UNTIL_PASSWORD_EXPIRES |
The number of days until the password expires. |
|
DLVRY |
Delivery mode |
|
GID |
Group identification number |
|
GRPPRF |
Group profile |
|
HIGHEST_SCHEDULING_PRIORITY | |
|
HOMEDIR |
Home directory |
|
INLMNU |
Initial menu |
|
INLPGM |
Initial program |
|
JOBD |
Job description |
|
KBDBUF |
Keyboard buffering |
|
LANGID |
Language identifier |
|
LMTCPB |
Limit capabilities |
|
LMTDEVSSN |
Limit device sessions |
|
MAXSTG |
Maximum storage |
|
MSGQ |
Message queue |
|
OUTQ |
Output queue |
|
OWNER |
Owner of new objects |
|
OWNOBJOPT |
Owned object option |
|
PRTDEV |
Print device |
|
PWDEXP |
Indicates whether to set an expiration on the password. |
|
SPCAUT |
Special authority |
|
SPCENV |
Special environment |
|
SRTSEQ |
Sort sequence |
|
STATUS |
Login status of a user profile |
|
TEXT |
User description |
|
UID |
User identification number |
|
USRCLS |
User class |
|
USROPT |
User options |
Resource Object Management
None.
Identity Template
$accountId$
Sample Forms
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.OS400ResourceAdapter
- © 2010, Oracle Corporation and/or its affiliates