The ACF2 resource adapter is defined in the com.waveset.adapter.ACF2ResourceAdapter class.
The ACF2 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
To add the ACF2 resource to the Identity Manager resources list, add the following value in the Custom Resources section of the Configure Managed Resources page:

com.waveset.adapter.ACF2ResourceAdapter
Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager installation.
Add the following definitions to the Waveset.properties file to define which service manages the terminal session:
```
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
```
Value can be set as follows:
When the Attachmate libraries are installed into a WebSphere or WebLogic application server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
Restart your application server so that the modifications to the Waveset.properties file can take effect.
See Chapter 53, Mainframe Connectivity for information about configuring SSL connections to the resource.
This section lists dependencies and limitations related to using the ACF2 resource adapter.
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager ACF2 operations, you must create multiple administrators: if you create two administrators, two Identity Manager ACF2 operations can occur at the same time. You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).
Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
The ACF2 adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.
See Mainframe Examples for more information about creating login and logoff resource actions.
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, Mainframe Connectivity for information about setting up an SSL connection to an ACF2 resource.
This section provides information about supported connections and privilege requirements.
Identity Manager uses TN3270 connections to communicate with ACF2.
The administrators that connect to ACF2 must be assigned sufficient privileges to create and manage ACF2 users.
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | Yes |
| Pass-through authentication | No |
| Before/after actions | Yes |
| Data loading methods | |
The following table provides information about ACF2 account attributes.
| Attribute | Data Type | Description |
|---|---|---|
| NAME | String | The user name displayed on logging and security violation reports |
| PHONE | String | The user’s telephone number |
| ACCESS.ACC-CNT | String | The number of system accesses made by this logonid since it was created |
| ACCESS.ACC-DATE | String | The date of this user’s last system access |
| ACCESS.ACC-SRCE | String | The logical or physical input source name or source group name where this logonid last accessed the system |
| ACCESS.ACC-TIME | String | The time of this user’s last system access |
| CANCEL/SUSPEND.CANCEL | Boolean | The logonid is canceled and denied access to the system |
| CANCEL/SUSPEND.CSDATE | String | The date when the CANCEL or SUSPEND field was set |
| CANCEL/SUSPEND.CSWHO | String | The logonid that set the CANCEL, SUSPEND, or MONITOR field |
| CANCEL/SUSPEND.MON-LOG | Boolean | ACF2 writes an SMF record each time this user enters the system |
| CANCEL/SUSPEND.MONITOR | Boolean | CA-ACF2 sends a message to the security console and to a designated person (CSWHO) each time this user enters the system |
| CANCEL/SUSPEND.SUSPEND | Boolean | The logonid is suspended and denied access to the system |
| CANCEL/SUSPEND.TRACE | Boolean | All data references by this user are traced and logged |
| CICS.ACF2CICS | Boolean | Indicates that CA-ACF2 CICS security is to be initialized in any CICS/ESA 4.1 or later region running with this address space logonid |
| CICS.CICSCL | String | CICS operator class |
| CICS.CICSID | String | CICS operator ID |
| CICS.CICSKEY | String | The first three bytes of transaction security key values to support CICS Release 1.6 and later |
| CICS.CICSKEYX | String | The last five bytes of transaction security key values to support CICS Release 1.6 and later |
| CICS.CICSPRI | String | CICS operator priority |
| CICS.CICSRSL | String | CICS resource access key |
| CICS.IDLE | String | The maximum number of minutes permitted between terminal transactions for this user |
| IMS.MUSDLID | String | The default logonid for a MUSASS address space. |
| IDMS.IDMSPROF | String | The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS |
| IDMS.IDMSPRVS | String | The version of the sign-on profile CLIST executed when the user signs on to CA-IDMS |
| MUSASS.MUSID | String | Groups IMS records in the Infostorage database to ensure that IMS records are associated with the proper control region |
| MUSASS.MUSIDINF | Boolean | The MUSID field should be used to restrict access to a MUSASS region for CA-ACF2 Info type system entry calls. |
| MUSASS.MUSOPT | String | The name of the CA-ACF2 CA-IDMS options module that controls the CA-IDMS address space |
| MUSASS.MUSPGM | String | The name of the CA-IDMS start-up program |
| MUSASS.MUSUPDT | Boolean | Allows the user to update the CA-ACF2 databases |
| PRIVILEGES.ACCOUNT | Boolean | The user can insert, delete, and change logonids, as limited by a scope |
| PRIVILEGES.ACTIVE | String | The logonid is automatically activated one minute after midnight on the date contained in this field |
| PRIVILEGES.AUDIT | Boolean | With this privilege, a user can inspect, but not modify, the parameters of the CA-ACF2 system. |
| PRIVILEGES.AUTODUMP | Boolean | Dump created when a data set or resource violation occurs |
| PRIVILEGES.AUTONOPW | Boolean | This virtual machine can be autologged without specifying a password. |
| PRIVILEGES.BDT | Boolean | This logonid’s address space belongs to the Bulk Data Transfer (BDT) product. |
| PRIVILEGES.CICS | Boolean | The logonid has the authority to sign on to CICS. |
| PRIVILEGES.CMD-PROP | Boolean | This indicates that the user can override the global CPF target list by using the SET TARGET command or the TARGET parameter. |
| PRIVILEGES.CONSULT | Boolean | The user can display other logonids. |
| PRIVILEGES.DUMPAUTH | Boolean | This user can generate a dump even when the address space is in an execute-only or path control environment. |
| PRIVILEGES.EXPIRE | String | The date when temporary logonids expire. |
| PRIVILEGES.IDMS | Boolean | The logonid has the authority to sign on to CA-IDMS. |
| PRIVILEGES.JOB | Boolean | The user can enter batch and background Terminal Monitor Program (TMP) jobs. |
| PRIVILEGES.JOBFROM | Boolean | The user can use the //*JOBFROM control statement. |
| PRIVILEGES.LEADER | Boolean | The user can display and alter certain fields of other logonids for other users. |
| PRIVILEGES.LOGSHIFT | Boolean | A user can access the system outside the time period specified in the SHIFT field of the logonid record. |
| PRIVILEGES.MAINT | Boolean | A user can use a specified program executed from a specified library to access resources without logging or validation. |
| PRIVILEGES.MUSASS | Boolean | This logonid is a multiple user single address space system (MUSASS). |
| PRIVILEGES.NO-INH | Boolean | A network job cannot inherit this logonid from its submitter. |
| PRIVILEGES.NO-SMC | Boolean | Step-must-complete (SMC) controls are bypassed; a job is considered noncancelable for the duration of the sensitive VSAM update operation. |
| PRIVILEGES.NO-STORE | Boolean | This user is unauthorized to store or delete rule sets. |
| PRIVILEGES.NON-CNCL | Boolean | A user can access all data, even if a rule prohibits this access. |
| PRIVILEGES.PGM | String | The specified APF-authorized program to submit jobs for this logonid. |
| PRIVILEGES.PPGM | Boolean | The user can execute those protected programs specified in the GSO PPGM record. |
| PRIVILEGES.PRIV-CTL | Boolean | Checks privilege control resource rules when the user accesses the system to see what additional privileges and authorities the user has. |
| PRIVILEGES.PROGRAM | String | The specified APF-authorized program to submit jobs for this logonid. |
| PRIVILEGES.READALL | Boolean | The logonid has only read access to all data at the site. |
| PRIVILEGES.REFRESH | Boolean | This user is authorized to issue the F ACF2,REFRESH operator command from the operator’s console. |
| PRIVILEGES.RESTRICT | Boolean | This restricted logonid is for production use and does not require a password for user verification. |
| PRIVILEGES.RSRCVLD | Boolean | Specifies that a resource rule must authorize any accesses that a user makes. |
| PRIVILEGES.RULEVLD | Boolean | An access rule must exist for all data this user accesses. |
| PRIVILEGES.SCPLIST | String | The infostorage scope record that restricts accesses for this privileged user. |
| PRIVILEGES.SECURITY | Boolean | This user is a security administrator who, within the limits of his scope, can create, maintain, and delete access rules, resource rules, and infostorage records. |
| PRIVILEGES.STC | Boolean | Only started tasks use this logonid. |
| PRIVILEGES.SUBAUTH | Boolean | Only an APF-authorized program can submit jobs specifying this logonid. |
| PRIVILEGES.SYNCNODE | String | The node where the synchronized logonid for this logonid is found in the Logonid database |
| PRIVILEGES.TAPE-BLP | Boolean | This user can use full bypass label processing (BLP) when accessing tape data sets |
| PRIVILEGES.TAPE-LBL | Boolean | This user has limited BLP when accessing tape data sets. |
| PRIVILEGES.TSO | Boolean | This user is authorized to sign on to TSO. |
| PRIVILEGES.VAX | Boolean | This logonid has associated VAX (UAF) infostorage records. |
| PRIVILEGES.VLDRSTCT | Boolean | Turning on this field for a RESTRICT logonid indicates that PROGRAM and SUBAUTH are to be validated even when the logonid is inherited. |
| PASSWORD.MAXDAYS | String | The maximum number of days permitted between password changes before the password expires. If the value is zero, no limit is enforced. |
| PASSWORD.MINDAYS | String | The minimum number of days that must elapse before the user can change the password |
| PASSWORD.PSWD-DAT | String | The date of the last invalid password attempt |
| PASSWORD.PSWD-EXP | Boolean | The user’s password was manually expired (forced to expire). |
| PASSWORD.PSWD-INV | String | The number of password violations that occurred since the last successful logon |
| PASSWORD.PSWD-SRCE | String | The logical or physical input source name or source group name where the last invalid password for this logonid was received |
| PASSWORD.PSWD-TIM | String | The time when the last invalid password for this logonid was received |
| PASSWORD.PSWD-TOD | String | The date and time the password was last changed |
| PASSWORD.PSWD-VIO | String | The number of password violations occurring on PSWD-DAT |
| PASSWORD.PSWD-XTR | Boolean | The password for this logonid is halfway-encrypted and can be extracted by an APF-authorized program. |
| RESTRICTIONS.AUTHSUP1 through AUTHSUP8 | Boolean | These fields can activate extended user authentication (EUA) for each designated system user. |
| RESTRICTIONS.GROUP | String | The group or project name associated with this user |
| RESTRICTIONS.PREFIX | String | The high-level index of the data sets that this user owns and can access |
| RESTRICTIONS.SHIFT | String | The shift record that defines when a user is permitted to log on to the system |
| RESTRICTIONS.SOURCE | String | The logical or physical input source name or source group name where this logonid must access the system |
| RESTRICTIONS.VMACCT | String | A logonid field that holds the default account number for a virtual machine |
| RESTRICTIONS.VMIDLEMN | String | The number of minutes that this user can be idle on the system before idle terminal processing begins |
| RESTRICTIONS.VMIDLEOP | String | The type of idle terminal processing to perform when the user exceeds the idle time limit |
| RESTRICTIONS.ZONE | String | The name of the Infostorage Database zone record defining the time zone where this logonid normally accesses the system (that is, the user’s local time zone) |
| STATISTICS.SEC-VIO | String | The total number of security violations for this user |
| STATISTICS.UPD-TOD | String | The date and time that this logonid record was last updated |
| TSO.ACCTPRIV | Boolean | Indicates whether the user has TSO accounting privileges |
| TSO.ALLCMDS | Boolean | The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists |
| TSO.ATTR2 | String | The IBM program control facility (PCF) uses the PSCBATR2 field for command limiting and data set protection. |
| TSO.CHAR | String | The TSO character-delete character for this user |
| TSO.CMD-LONG | Boolean | Indicates that only the listed command and aliases are accepted when using TSO command lists. |
| TSO.DFT-DEST | String | The default remote destination for TSO spun SYSOUT data sets |
| TSO.DFT-PFX | String | The default TSO prefix that is set in the user’s profile at logon time. |
| TSO.DFT-SOUT | String | The default TSO SYSOUT class |
| TSO.DFT-SUBC | String | The default TSO submit class |
| TSO.DFT-SUBH | String | The default TSO submit hold class |
| TSO.DFT-SUBM | String | The default TSO submit message class |
| TSO.INTERCOM | Boolean | This user is willing to accept messages from other users through the TSO SEND command. |
| TSO.JCL | Boolean | This user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands |
| TSO.LGN-ACCT | Boolean | This user can specify an account number at logon time. |
| TSO.LGN-DEST | Boolean | The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field. |
| TSO.LGN-MSG | Boolean | This user can specify a message class at logon time. |
| TSO.LGN-PERF | Boolean | This user can specify a performance group at logon time. |
| TSO.LGN-PROC | Boolean | This user can specify the TSO procedure name at logon time. |
| TSO.LGN-RCVR | Boolean | This user can use the recover option of the TSO or TSO/E command package. |
| TSO.LGN-SIZE | Boolean | This user is authorized to specify any region size at logon time. |
| TSO.LGN-TIME | Boolean | This user can specify the TSO session time limit at logon time. |
| TSO.LGN-UNIT | Boolean | This user can specify the TSO unit name at logon time. |
| TSO.LINE | String | The TSO line-delete character |
| TSO.MAIL | Boolean | Receive mail messages from TSO at logon time |
| TSO.MODE | Boolean | Receive modal messages from TSO |
| TSO.MOUNT | Boolean | This user can issue mounts for devices. |
| TSO.MSGID | Boolean | Prefix TSO message IDs |
| TSO.NOTICES | Boolean | Receive TSO notices at logon time |
| TSO.OPERATOR | Boolean | This user has TSO operator privileges |
| TSO.PAUSE | Boolean | Causes a program to pause when a command executed in a CLIST issues a multilevel message |
| TSO.PMT-ACCT | Boolean | Forces this user to specify an account number at logon time |
| TSO.PMT-PROC | Boolean | Forces this user to specify a TSO procedure name at logon time |
| TSO.PROMPT | Boolean | Prompt for missing or incorrect parameters |
| TSO.RECOVER | Boolean | Use the recover option of the TSO or TSO/E command package |
| TSO.TSOACCT | String | The user’s default TSO logon account |
| TSO.TSOCMDS | String | The name of the TSO command list module that contains the list of the commands that this user is authorized to use. |
| TSO.TSOFSCRN | Boolean | This user has the full-screen logon display. |
| TSO.TSOPERF | String | The user’s default TSO performance group |
| TSO.TSOPROC | String | The user’s default TSO procedure name |
| TSO.TSORBA | String | The mail index record pointer (MIRP) for this user |
| TSO.TSORGN | String | The user’s default TSO region size (in K bytes) if the user does not specify a size at logon time |
| TSO.TSOSIZE | String | The user’s maximum TSO region size (in K bytes) unless the user has the LGN-SIZE field specified |
| TSO.TSOTIME | String | The user’s default TSO time parameter |
| TSO.TSOUNIT | String | The user’s default TSO unit name |
| TSO.VLD-ACCT | Boolean | Indicates CA-ACF2 is to validate the TSO account number |
| TSO.VLD-PROC | Boolean | Indicates CA-ACF2 is to validate the TSO procedure name |
| TSO.WTP | Boolean | Displays write-to-programmer (WTP) messages |
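Several of the Boolean attributes above (NON-CNCL, SECURITY, MAINT, TAPE-BLP, RESTRICT, PSWD-XTR, ALLCMDS and the like) amount to bypassing rule, logging or password checks, so a provisioning change that turns one of them on deserves a review step. The following Python is an added example, not code from Identity Manager or the ACF2 adapter: it compares a logonid's attribute map before and after a change and lists the grants a security administrator should approve; the attribute maps, the Y/N value handling and the risk classification are assumptions constructed from the table.

```python
"""Flag newly granted high-risk ACF2 privileges in a logonid update.

Added example (not Identity Manager or adapter code). A change is a
before/after dict keyed by the adapter's attribute names; the risk
classification is constructed from the attribute descriptions (assumption).
"""

# Boolean attributes whose description bypasses rules, logging or passwords.
HIGH_RISK = {
    "PRIVILEGES.NON-CNCL": "access all data even if a rule prohibits it",
    "PRIVILEGES.SECURITY": "create, maintain and delete access and resource rules",
    "PRIVILEGES.ACCOUNT": "insert, delete and change logonids",
    "PRIVILEGES.MAINT": "access resources without logging or validation",
    "PRIVILEGES.READALL": "read access to all data at the site",
    "PRIVILEGES.TAPE-BLP": "full bypass label processing on tape data sets",
    "PRIVILEGES.RESTRICT": "logonid usable without a password",
    "PASSWORD.PSWD-XTR": "password extractable by an APF-authorized program",
    "TSO.ALLCMDS": "prefix character bypasses restricted command lists",
}

# Boolean attributes that protect the logonid while set: clearing one
# weakens the account even though nothing is "granted".
PROTECTIVE = (
    "PRIVILEGES.RULEVLD", "PRIVILEGES.RSRCVLD", "PRIVILEGES.NO-STORE",
    "PRIVILEGES.VLDRSTCT", "TSO.VLD-ACCT", "TSO.VLD-PROC",
)


def as_bool(value):
    """Normalise True/False and the Y/N or YES/NO text a 3270 screen scrape
    may hand back (assumed representation); anything else, incl. None, is False."""
    if isinstance(value, bool):
        return value
    return str(value).strip().upper() in {"TRUE", "YES", "Y", "1"}


def review_update(before, after):
    """Return [(attribute, finding), ...] for every risky difference."""
    findings = []
    for attr, reason in HIGH_RISK.items():
        if as_bool(after.get(attr)) and not as_bool(before.get(attr)):
            findings.append((attr, "granted: " + reason))
    for attr in PROTECTIVE:
        if as_bool(before.get(attr)) and not as_bool(after.get(attr)):
            findings.append((attr, "protection cleared"))
    return findings


# Constructed sample: a TSO user whose update also turns on two high-risk
# privileges and drops access-rule validation.
BEFORE = {"NAME": "SAMPLE USER", "PRIVILEGES.TSO": True,
          "PRIVILEGES.RULEVLD": "Y", "PRIVILEGES.SECURITY": "N"}
AFTER = {"NAME": "SAMPLE USER", "PRIVILEGES.TSO": True,
         "PRIVILEGES.RULEVLD": "N", "PRIVILEGES.SECURITY": "Y",
         "PRIVILEGES.NON-CNCL": True}

if __name__ == "__main__":
    for attr, finding in review_update(BEFORE, AFTER):
        print(f"{attr}: {finding}")
```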
Use the Identity Manager debug pages to set trace options on the following classes:
com.waveset.adapter.HostAccess
com.waveset.adapter.ACF2ResourceAdapter