Chapter 29 RACF
The RACF resource adapter supports management of user accounts and memberships on an OS/390 mainframe. The adapter manages RACF over a TN3270 emulator session.
The RACF resource adapter is defined in the com.waveset.adapter.RACFResourceAdapter class.
Adapter Details
Resource Configuration Notes
None
Identity Manager Installation Notes
The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
Installing the RACF Resource Adapter
-
To add the RACF resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.RACFResourceAdapter
-
Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation.
-
Add the following definitions to the Waveset.properties file to define which service manages the terminal session:
serverSettings.serverId.mainframeSessionType= ValueserverSettings.default.mainframeSessionType=Value
Value can be set as follows:
-
When the Attachmate libraries are installed into a WebSphere or WebLogic application server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
-
Restart your application server so that the modifications to the Waveset.properties file can take effect.
-
See Chapter 53, Mainframe Connectivity for information about configuring SSL connections to the resource.
Usage Notes
This section provides information related to using the RACF resource adapter, which is organized into the following sections:
Administrators
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Identity Manager RACF operations can occur at the same time. You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).
Note –
Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
Support for Additional Segments
The RACF adapter can be configured to support attributes that are not in the segments supported by default.
Configuring the RACF Adapter to Support Attributes
-
Create an AttrParse object that parses the segment. See Chapter 49, Implementing the AttrParse Object for information about defining custom AttrParse objects. Example AttrParse objects are defined in $WSHOME/web/sample/attrparse.xml.
-
Add a ResourceAttribute element to the RACF resource object. For example:
<ResourceAttribute name=’WORKATTR Segment AttrParse’ displayName=’WORKATTR Segment AttrParse’ description=’AttrParse for WORKATTR Segment’ value=’Default RACF WORKATTR Segment AttrParse’> </ResourceAttribute>
This example adds a field labeled WORKATTR Segment AttrParse to the Resource Parameters page. The value assigned to the name attribute must be of the form SegmentName Segment AttrParse.
-
Add an element to the RACF resource object that defines a custom account attribute.
<AccountAttributeType id=’32’ name=’WORKATTR Account’ syntax=’string’ mapName=’WORKATTR.WAACCNT’ mapType=’string’> </AccountAttributeType>
The value of the mapName attribute must be of the form SegmentName.AttributeName. When the adapter detects a mapName in this format, it asks RACF for the specified segment and uses the object specified in the SegmentName Segment AttrParse field to parse it.
Resource Actions
The RACF adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.
See Mainframe Examples for more information about creating login and logoff resource actions.
SSL Configuration
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, Mainframe Connectivity for information about setting up an SSL connection to a RACF resource.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 to communicate with the RACF adapter.
Required Administrative Privileges
To define or change information in a non-base segment of a user profile, including your own, you must have the SPECIAL attribute or at least UPDATE authority to the segment through field-level access checking.
To list the contents of a user profile or the contents of individual segments of the user profile, use the LISTUSER command.
To display the information in a non-base segment of a user profile, including your own, you must have the SPECIAL or AUDITOR attribute or at least READ authority to the segment through field-level access checking.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
|
Feature |
Supported? |
|---|---|
|
Enable/disable account |
Yes |
|
Rename account |
Yes |
|
Pass-through authentication |
No |
|
Before/after actions |
Yes |
|
Data loading methods |
|
Account Attributes
The following table provides information about RACF account attributes.
|
Resource User Attribute |
Data Type |
Description |
|---|---|---|
|
GROUPS |
String |
The groups assigned to the user |
|
GROUP-CONN-OWNERS |
String |
Group connection owners |
|
USERID |
String |
Required. The user’s name |
|
MASTER CATALOG |
String |
Master catalog |
|
USER CATALOG |
String |
User catalog |
|
CATALOG ALIAS |
String |
Catalog alias |
|
OWNER |
String |
The owner of the profile |
|
NAME |
String |
The user’s name |
|
DATA |
String |
Installation-defined data |
|
DFLTGRP |
String |
The user’s default group |
|
EXPIRED |
Boolean |
Indicates whether to expire the password |
|
PASSWORD INTERVAL |
String |
Password interval |
|
TSO.Delete Segment |
Boolean |
If this field is set to true, the TSO Segment will be deleted from the RACF user. |
|
TSO.ACCTNUM |
String |
The user’s default TSO account number at logon |
|
TSO.COMMAND |
String |
The default command at logon |
|
TSO.HOLDCLASS |
String |
The user’s default TSO hold class |
|
TSO.JOBCLASS |
String |
The user’s default TSO job class |
|
TSO.MAXSIZE |
Int |
The maximum TSO region size the user can request during logon |
|
TSO.MSGCLASS |
String |
The user’s default TSO message class |
|
TSO.PROC |
String |
The name of the user’s default TSO logon procedure |
|
TSO.SIZE |
Int |
The minimum TSO region size if the user does not request a region size during logon |
|
TSO.SYSOUTCLASS |
String |
The user’s default TSO SYSOUT class |
|
TSO.UNIT |
String |
The default name of a TSO device or group of devices that a procedure uses for allocations |
|
TSO.USERDATA |
String |
Installation-defined data |
|
OMVS.ASSIZEMAX |
Int |
User’s OMVS RLIMIT_AS (maximum address space size) |
|
OMVS.CPUTIMEMAX |
Int |
User’s OMVS RLIMIT_CPU (maximum CPU time) |
|
OMVS.FILEPROCMAX |
Int |
User’s OMVS maximum number of files per process |
|
OMVS.HOME |
String |
The user’s0 OMVS home directory path name |
|
OMVS.MMAPAREAMAX |
Int |
User’s OMVS maximum memory map size |
|
OMVS.PROCUSERMAX |
Int |
User’s OMVS maximum number of processes per UID |
|
OMVS.PROGRAM |
String |
The user’s initial OMVS shell program |
|
OMVS.THREADSMAX |
Int |
User’s OMVS maximum number of threads per process |
|
OMVS.UID |
String |
The user’s OMVS user identifier |
|
CICS.OPCLASS |
String |
The CICS operator classes for which the user will receive BMS (basic mapping support) messages |
|
CICS.OPIDENT |
String |
The user’s CICS operator identifier |
|
CICS.OPPRTY |
String |
The user’s CICS operator priority |
|
CICS.TIMEOUT |
String |
The amount of time that the user can be idle before being signed off by CICS |
|
CICS.XRFSOFF |
String |
A setting that indicates whether the user will be signed off by CICS when an XRF takeover occurs |
|
NETVIEW.CONSNAME |
String |
MCS console identifier |
|
NETVIEW.CTL |
String |
Specifies GLOBAL, GENERAL, or SPECIFIC control |
|
NETVIEW.DOMAINS |
String |
Domain identifier |
|
NETVIEW.IC |
String |
Initial command or list of commands to be executed by NetView when this NetView operator logs on |
|
NETVIEW.MSGRECVR |
String |
Indicates whether the operator will receive unsolicited messages (NO or YES) |
|
NETVIEW.NGMFADMN |
String |
Indicates whether this operator can use the NetView graphic monitor facility (NO or YES) |
|
NETVIEW.NGMFVSPN |
String | |
|
NETVIEW.OPCLASS |
String |
Class of the operator |
Identity Template
$accountId$
Sample Forms
Built-In
None
Also Available
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
-
com.waveset.adapter.RACFResourceAdapter
-
com.waveset.adapter.HostAccess
- © 2010, Oracle Corporation and/or its affiliates