Sun Identity Manager 8.1 Resources Reference

Chapter 30 RACF LDAP

The RACF LDAP resource adapter supports management of user accounts and memberships on an OS/390 mainframe. Whenever possible, the adapter connects to the LDAP server included within the z/OS Security Server to manage user accounts. All other functions are handled by standard calls to the RACF system.

The RACF LDAP resource adapter is defined in the com.waveset.adapter.RACF_LDAPResourceAdapter class.

This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter for information about implementing LDAP features.

Adapter Details

Identity Manager Installation Notes

The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

Procedure: Installing the RACF Resource Adapter

  1. To add the RACF LDAP resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.


    com.waveset.adapter.RACF_LDAPResourceAdapter
  2. Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation. The JAR files required depend on the connection manager that is used:

    Host On Demand 

    The IBM Host Access Class Library (HACL) manages connections to the mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, V9.0, and V10.

    However, if the toolkit installation is not available, the HOD installation contains the following JAR files that can be used in place of the habeans.jar:

    • habase.jar

    • hacp.jar

    • ha3270.jar

    • hassl.jar

    • hodbase.jar

      See http://www.ibm.com/software/webservers/hostondemand/ for more information.

    Attachmate WRQ 

    The Attachmate 3270 Mainframe Adapter for Sun product contains the files needed to manage connections to the mainframe. 

    • RWebSDK.jar

    • wrqtls12.jar

    • profile.jaw

      Contact Sun Professional Services about getting this product.

  3. Add the following definitions to the Waveset.properties file to define which service manages the terminal session:


    serverSettings.serverId.mainframeSessionType=Value
    serverSettings.default.mainframeSessionType=Value

    Value can be set as follows:

    • 1 indicates IBM Host On-Demand (HOD)

    • 3 indicates Attachmate WRQ

    If these properties are not explicitly set, then Identity Manager attempts to use WRQ, then HOD.

  4. When the Attachmate libraries are installed into a WebSphere or WebLogic application server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.

    This allows the Attachmate code to find the licensing file.

  5. Restart your application server so that the modifications to the Waveset.properties file can take effect.

  6. See Chapter 53, Mainframe Connectivity for information about configuring SSL connections to the resource.

Usage Notes

Administrators

TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Identity Manager RACF operations can occur at the same time. You should create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).


Note –

Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.

If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.


Support for Additional Segments

The RACF LDAP adapter can be configured to support attributes that are not in the segments supported by default.

Procedure: Configuring the RACF LDAP Resource Adapter to Support Attributes

  1. Create an AttrParse object that parses the segment. See Chapter 49, Implementing the AttrParse Object for information about defining custom AttrParse objects. Example AttrParse objects are defined in $WSHOME/web/sample/attrparse.xml.

  2. Add a ResourceAttribute element to the RACF LDAP resource object. For example:


    <ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse'
       description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'>
    </ResourceAttribute>

    This example adds a field labeled OMVS Segment AttrParse to the Resource Parameters page. The value assigned to the name attribute must be of the form SegmentName Segment AttrParse.

  3. Add an element to the RACF LDAP resource object that defines a custom account attribute.


    <AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int'
      mapName='OMVS.MMAPAREAMAX' mapType='int'>
    </AccountAttributeType>

    The value of the mapName attribute must be of the form SegmentName.AttributeName. When the adapter detects a mapName in this format, it asks the resource for the specified segment and uses the object specified in the SegmentName Segment AttrParse field to parse it.
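A mapName of the form SegmentName.AttributeName is only useful if a matching SegmentName Segment AttrParse parameter exists, so it is worth checking a resource object before loading it. The following is an added example, not code from this reference or from Identity Manager: it parses a resource XML fragment, collects the segment names declared by ResourceAttribute elements, and reports every AccountAttributeType whose mapName points at a segment with no AttrParse parameter. The OMVS lines are the ones shown above; the CICS attribute and its OPPRTY field are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment of a RACF LDAP resource object. The OMVS lines are
# the ones shown in this chapter; the CICS attribute (and its OPPRTY field) is a
# hypothetical addition whose segment has no AttrParse field, to show the failure.
SAMPLE_RESOURCE_XML = """
<Resource name='racf-ldap-example'>
  <ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse'
     description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'>
  </ResourceAttribute>
  <AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int'
     mapName='OMVS.MMAPAREAMAX' mapType='int'>
  </AccountAttributeType>
  <AccountAttributeType id='33' name='CICS Op Priority' syntax='string'
     mapName='CICS.OPPRTY' mapType='string'>
  </AccountAttributeType>
</Resource>
"""

# Naming rules from the chapter: the parameter must be called
# "<SegmentName> Segment AttrParse" and a segment mapName is "<SegmentName>.<Field>".
ATTRPARSE_FIELD = re.compile(r'^(\S+) Segment AttrParse$')
SEGMENT_MAPNAME = re.compile(r'^([^.]+)\.([^.]+)$')

def attrparse_segments(root):
    """Set of segment names that have an AttrParse resource parameter."""
    names = (ra.get('name', '') for ra in root.iter('ResourceAttribute'))
    return {m.group(1) for m in map(ATTRPARSE_FIELD.match, names) if m}

def segment_attributes(root):
    """(attribute name, segment, field) for each mapName of the form Segment.Field."""
    found = []
    for aat in root.iter('AccountAttributeType'):
        m = SEGMENT_MAPNAME.match(aat.get('mapName', ''))
        if m:
            found.append((aat.get('name'), m.group(1), m.group(2)))
    return found

def unparsed_segments(xml_text):
    """Custom attributes whose segment the adapter cannot parse: no AttrParse field."""
    root = ET.fromstring(xml_text.strip())
    have = attrparse_segments(root)
    return [(name, seg) for name, seg, _ in segment_attributes(root) if seg not in have]

if __name__ == '__main__':
    for name, seg in unparsed_segments(SAMPLE_RESOURCE_XML):
        print(f"{name}: add a '{seg} Segment AttrParse' ResourceAttribute")
```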

Resource Actions

The RACF LDAP adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.

See Mainframe Examples for more information about creating login and logoff resource actions.

Resource Configuration Notes

The z/OS Security Server must be installed on the same machine that serves as the source of RACF accounts.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses TN3270 connections to communicate with the resource.

See Chapter 53, Mainframe Connectivity for information about setting up an SSL connection to a RACF LDAP resource.

Required Administrative Privileges

The administrators that connect to the RACF LDAP resource must be assigned sufficient privileges to create and manage RACF users.

The user specified in the User DN resource parameter field must have the ability to read, write, delete, and add users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature | Supported?
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | No
Before/after actions | Yes
Data loading methods | Import directly from resource; Reconcile with resource

Account Attributes

The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.

The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.

LDAP Syntax | Attribute Type | Object ID
Audio | Binary | 1.3.6.1.4.1.1466.115.121.1.4
Binary | Binary | 1.3.6.1.4.1.1466.115.121.1.5
Boolean | Boolean | 1.3.6.1.4.1.1466.115.121.1.7
Country String | String | 1.3.6.1.4.1.1466.115.121.1.11
DN | String | 1.3.6.1.4.1.1466.115.121.1.12
Directory String | String | 1.3.6.1.4.1.1466.115.121.1.15
Generalized Time | String | 1.3.6.1.4.1.1466.115.121.1.24
IA5 String | String | 1.3.6.1.4.1.1466.115.121.1.26
Integer | Int | 1.3.6.1.4.1.1466.115.121.1.27
Postal Address | String | 1.3.6.1.4.1.1466.115.121.1.41
Printable String | String | 1.3.6.1.4.1.1466.115.121.1.44
Telephone Number | String | 1.3.6.1.4.1.1466.115.121.1.50

Default Account Attributes

The following attributes are displayed on the Account Attributes page for the RACF LDAP resource adapter.

Resource User Attribute | Data Type | Description
racfPassword | Encrypted | The user’s password on the resource
RACF.GROUPS | String | The groups assigned to the user
RACF.GROUP-CONN-OWNERS | String | Group connection owners
RACF.USERID | String | Required. The user’s name
RACF.MASTER CATALOG | String | Master catalog
RACF.USER CATALOG | String | User catalog
RACF.CATALOG ALIAS | String | Catalog alias
racfOwner | String | The owner of the profile
racfProgrammerName | String | The user’s name
racfInstallationData | String | Installation-defined data
racfDefaultGroup | String | The user’s default group
RACF.EXPIRED | Boolean | Indicates whether to expire the password
RACF.PASSWORD INTERVAL | String | Password interval
TSO.Delete Segment | Boolean | If this field is set to true, the TSO segment is deleted from the RACF user
SAFAccountNumber | String | The user’s default TSO account number at logon
SAFDefaultCommand | String | The default command at logon
SAFHoldClass | String | The user’s default TSO hold class
SAFJobClass | String | The user’s default TSO job class
SAFMessageClass | String | The user’s default TSO message class
SAFDefaultLoginProc | String | The name of the user’s default TSO logon procedure
SAFLogonSize | Int | The minimum TSO region size if the user does not request a region size during logon
SAFMaximumRegionSize | Int | The maximum TSO region size the user can request during logon
SAFDefaultSysoutClass | String | The user’s default TSO SYSOUT class
SAFDefaultUnit | String | The default name of a TSO device or group of devices that a procedure uses for allocations
SAFUserdata | String | Installation-defined data
SAFDefaultCommand | String | The TSO default command
racfOmvsUid | String | The user’s OMVS user identifier
racfOmvsHome | String | The user’s OMVS home directory path name
racfOmvsInitialProgram | String | The user’s initial OMVS shell program
racfOmvsMaximumCPUTime | Int | User’s OMVS RLIMIT_CPU (maximum CPU time)
racfOmvsMaximumAddressSpaceSize | Int | User’s OMVS RLIMIT_AS (maximum address space size)
racfOmvsMaximumFilesPerProcess | Int | User’s OMVS maximum number of files per process
racfOmvsMaximumProcessesPerUID | Int | User’s OMVS maximum number of processes per UID
racfOmvsMaximumThreadsPerProcess | Int | User’s OMVS maximum number of threads per process
racfOmvsMaximumMemoryMapArea | Int | User’s OMVS maximum memory map size
racfTerminalTimeout | String | The amount of time that the user can be idle before being signed off by CICS
racfOperatorPriority | String | The user’s CICS operator priority
racfOperatorIdentification | String | The user’s CICS operator identifier
racfOperatorClass | String | The CICS operator classes for which the user will receive BMS (basic mapping support) messages
racfOperatorReSignon | String | A setting that indicates whether the user will be signed off by CICS when an XRF takeover occurs
racfNetviewOperatorClass | String | Class of the operator
NETVIEW.NGMFVSPN | String | Defines the operator’s authority to display NetView Graphic Monitor Facility views and resources within views
racfNGMFADMKeyword | String | Indicates whether this operator can use the NetView graphic monitor facility (NO or YES)
racfMessageReceiverKeyword | String | Indicates whether the operator will receive unsolicited messages (NO or YES)
racfNetviewInitialCommand | String | Initial command or list of commands to be executed by NetView when this NetView operator logs on
racfDomains | String | Domain identifier
racfCTLKeyword | String | Specifies GLOBAL, GENERAL, or SPECIFIC control
racfDefaultConsoleName | String | MCS console identifier

Default Supported Object Classes

By default, the RACF LDAP resource adapter uses the following object classes when creating new user objects in the LDAP tree. Other object classes may be added.

Resource Object Management

None

Identity Template

$accountId$

Sample Forms

None

Troubleshooting

Use the Identity Manager debug pages to set trace options on one or more of the following classes: