The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
1. To add the RACF LDAP resource to the Waveset resources list, add the following value in the Custom Resources section of the Configure Managed Resources page:

   ```
   com.waveset.adapter.RACF_LDAPResourceAdapter
   ```

2. Copy the appropriate JAR files to the WEB-INF/lib directory of your Waveset installation.

3. Add the following definitions to the Waveset.properties file to define which service manages the terminal session:

   ```
   serverSettings.serverId.mainframeSessionType=Value
   serverSettings.default.mainframeSessionType=Value
   ```

   Value can be set as follows:

   - 1 indicates IBM Host On-Demand (HOD)
   - 3 indicates Attachmate WRQ

   If these properties are not explicitly set, Waveset attempts to use WRQ first, then HOD.

   When the Attachmate libraries are installed into a WebSphere or WebLogic application server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file. This allows the Attachmate code to find the licensing file.

4. Restart your application server so that the modifications to the Waveset.properties file take effect.

See Chapter 54, Mainframe Connectivity for information about configuring SSL connections to the resource.
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Waveset RACF operations, you must create multiple administrators. Thus, if two administrators are created, two Waveset RACF operations can occur at the same time. You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the Waveset host machine).
Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
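The rules above (at least two administrators per server, one admin per cluster member, distinct admins per server for TSO, and the host name on every row when not clustered) are easy to get wrong when the affinity-administrator table is edited by hand. The following checker is an added example, not code from the original page or from Sun/Waveset; it treats each affinity-administrator row as a (server name, administrator id) pair, which is an assumption about how you export that table, and the server and administrator names in the sample data are constructed.

```python
from collections import defaultdict


def check_affinity_admins(rows, host_name, cluster_servers=None, tso=True):
    """Validate affinity-administrator rows against the rules on this page.

    rows            : list of (server_name, administrator_id) pairs, one per
                      row of the resource's affinity-administrator table
                      (assumed export format)
    host_name       : name of the Waveset host machine (used when not clustered)
    cluster_servers : names of the cluster members, or None if not clustered
    tso             : True for TSO sessions, which cannot be shared, so each
                      cluster server needs a different administrator
    Returns (concurrency, problems): the number of concurrent RACF operations
    each server can run (distinct administrators) and a list of findings.
    """
    problems = []
    admins_by_server = defaultdict(set)
    servers_by_admin = defaultdict(set)
    for server, admin in rows:
        admins_by_server[server].add(admin)
        servers_by_admin[admin].add(server)

    if cluster_servers:
        # Every cluster member must have an administrator, even if it is the same one
        for server in cluster_servers:
            if not admins_by_server.get(server):
                problems.append(f"no administrator defined for cluster server {server!r}")
        # ...but for TSO the administrator must differ per server
        if tso:
            for admin, servers in servers_by_admin.items():
                if len(servers) > 1:
                    problems.append(
                        f"TSO administrator {admin!r} is shared by servers {sorted(servers)}")
    else:
        # Without clustering every row names the Waveset host itself
        for server in admins_by_server:
            if server != host_name:
                problems.append(
                    f"row for server {server!r} should use the host name {host_name!r}")

    # One administrator means one TSO session: at least two, preferably three
    for server, admins in admins_by_server.items():
        if len(admins) < 2:
            problems.append(f"server {server!r} has only {len(admins)} administrator; "
                            "define at least two (preferably three) for concurrency")

    concurrency = {server: len(admins) for server, admins in admins_by_server.items()}
    return concurrency, problems


# Constructed sample rows (server names and RACF administrator ids are made up)
ROWS_CLUSTER_OK = [("idm1", "RACFADM1"), ("idm1", "RACFADM2"), ("idm1", "RACFADM3"),
                   ("idm2", "RACFADM4"), ("idm2", "RACFADM5")]
ROWS_CLUSTER_BAD = [("idm1", "RACFADM1"), ("idm2", "RACFADM1")]
ROWS_SINGLE_BAD = [("idm1", "RACFADM1"), ("idm1", "RACFADM2"), ("other", "RACFADM3")]

if __name__ == "__main__":
    for label, rows, cluster in (("cluster ok", ROWS_CLUSTER_OK, ["idm1", "idm2"]),
                                 ("cluster bad", ROWS_CLUSTER_BAD, ["idm1", "idm2", "idm3"]),
                                 ("single host", ROWS_SINGLE_BAD, None)):
        concurrency, problems = check_affinity_admins(rows, "idm1", cluster_servers=cluster)
        print(label, concurrency)
        for p in problems:
            print("  -", p)
```

Run it against an export of your own affinity-administrator table before rolling the resource out to a cluster; the concurrency map also tells you how many RACF operations each node can actually run in parallel.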
The RACF LDAP adapter can be configured to support attributes that are not in the segments supported by default.

1. Create an AttrParse object that parses the segment. See Chapter 50, Implementing the AttrParse Object for information about defining custom AttrParse objects. Example AttrParse objects are defined in $WSHOME/web/sample/attrparse.xml.

2. Add a ResourceAttribute element to the RACF LDAP resource object. For example:

   ```xml
   <ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse' description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'> </ResourceAttribute>
   ```

   This example adds a field labeled OMVS Segment AttrParse to the Resource Parameters page. The value assigned to the name attribute must be of the form SegmentName Segment AttrParse.

3. Add an element to the RACF LDAP resource object that defines a custom account attribute:

   ```xml
   <AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int' mapName='OMVS.MMAPAREAMAX' mapType='int'> </AccountAttributeType>
   ```

   The value of the mapName attribute must be of the form SegmentName.AttributeName. When the adapter detects a mapName in this format, it asks the resource for the specified segment and uses the object specified in the SegmentName Segment AttrParse field to parse it.
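Because the link between a custom account attribute and its parser is purely by naming convention (mapName SegmentName.AttributeName on one side, a ResourceAttribute called SegmentName Segment AttrParse on the other), a typo in either place only shows up at runtime. The script below is an added example, not code from the original page or from Sun/Waveset: it walks a resource object and reports every segment-backed attribute whose AttrParse field is missing or empty. The ResourceAttribute and AccountAttributeType elements and their attributes are as shown on this page; the surrounding Resource, ResourceAttributes and AccountAttributeTypes wrapper elements in the sample are an assumption (the checker walks the whole tree, so their names do not matter), and the CICS and KERB entries are constructed to trigger findings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a RACF LDAP resource object (wrapper element names assumed).
SAMPLE_RESOURCE_XML = """
<Resource name='RACF LDAP (constructed sample)'>
  <ResourceAttributes>
    <ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse'
        description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'/>
    <ResourceAttribute name='CICS Segment AttrParse' displayName='CICS Segment AttrParse'
        description='AttrParse for CICS Segment' value=''/>
  </ResourceAttributes>
  <AccountAttributeTypes>
    <AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int'
        mapName='OMVS.MMAPAREAMAX' mapType='int'/>
    <AccountAttributeType id='33' name='CICS Timeout' syntax='string'
        mapName='CICS.TIMEOUT' mapType='string'/>
    <AccountAttributeType id='34' name='Kerberos Name' syntax='string'
        mapName='KERB.KERBNAME' mapType='string'/>
    <AccountAttributeType id='35' name='OMVS UID' syntax='string'
        mapName='racfOmvsUid' mapType='string'/>
  </AccountAttributeTypes>
</Resource>
"""

# SegmentName.AttributeName: segment before the first dot, the rest is the attribute
SEGMENT_MAP_RE = re.compile(r"^([A-Za-z0-9_-]+)\.(.+)$")


def parse_map_name(map_name):
    """Return (segment, attribute) when map_name has the SegmentName.AttributeName
    form that makes the adapter fetch a segment, otherwise None (plain LDAP attribute)."""
    m = SEGMENT_MAP_RE.match(map_name or "")
    return (m.group(1), m.group(2)) if m else None


def attrparse_field_name(segment):
    """Name of the ResourceAttribute the adapter looks up for a segment."""
    return f"{segment} Segment AttrParse"


def check_segment_mappings(xml_text, builtin_segments=frozenset()):
    """Cross-check every segment-backed AccountAttributeType against the
    ResourceAttribute that should hold its AttrParse object.

    builtin_segments: segment names the deployment already supports without a
    custom AttrParse (caller-supplied; the page does not enumerate them).
    Returns (resolved, problems): resolved maps attribute name to
    (segment, attribute, AttrParse value); problems is a list of findings.
    """
    root = ET.fromstring(xml_text)
    resource_attrs = {ra.get("name"): ra.get("value") for ra in root.iter("ResourceAttribute")}
    resolved, problems = {}, []
    for aat in root.iter("AccountAttributeType"):
        parsed = parse_map_name(aat.get("mapName"))
        if parsed is None:
            continue  # not segment-backed; nothing to cross-check
        segment, attribute = parsed
        if segment in builtin_segments:
            continue
        field = attrparse_field_name(segment)
        if field not in resource_attrs:
            problems.append(f"{aat.get('name')!r}: mapName {aat.get('mapName')!r} "
                            f"needs a ResourceAttribute named {field!r}")
        elif not resource_attrs[field]:
            problems.append(f"{field!r} is present but has no AttrParse object value")
        else:
            resolved[aat.get("name")] = (segment, attribute, resource_attrs[field])
    return resolved, problems


if __name__ == "__main__":
    resolved, problems = check_segment_mappings(SAMPLE_RESOURCE_XML)
    for name, (seg, attr, parser) in resolved.items():
        print(f"{name}: segment {seg}, attribute {attr}, parsed by {parser!r}")
    for p in problems:
        print("PROBLEM:", p)
```

Point it at the exported resource object (for example the XML you would load with the Waveset import tools) after adding a segment; pass the segment names that already work without a custom parser in builtin_segments so they are not reported.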
The RACF LDAP adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.
See Mainframe Examples for more information about creating login and logoff resource actions.
The z/OS Security Server must be installed on the same machine that serves as the source of RACF accounts.
This section provides information about supported connections and privilege requirements.
Waveset uses TN3270 connections to communicate with the resource.
See Chapter 54, Mainframe Connectivity for information about setting up an SSL connection to a RACF LDAP resource.
The administrators that connect to the RACF LDAP resource must be assigned sufficient privileges to create and manage RACF users.
The user specified in the User DN resource parameter field must have the ability to read, write, delete, and add users.
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | No |
| Before/after actions | Yes |
| Data loading methods | |
The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Waveset supports Boolean, string, integer, and binary syntaxes. A binary attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.
| LDAP Syntax | Attribute Type | Object ID |
|---|---|---|
| Audio | Binary | 1.3.6.1.4.1.1466.115.121.1.4 |
| Binary | Binary | 1.3.6.1.4.1.1466.115.121.1.5 |
| Boolean | Boolean | 1.3.6.1.4.1.1466.115.121.1.7 |
| Country String | String | 1.3.6.1.4.1.1466.115.121.1.11 |
| DN | String | 1.3.6.1.4.1.1466.115.121.1.12 |
| Directory String | String | 1.3.6.1.4.1.1466.115.121.1.15 |
| Generalized Time | String | 1.3.6.1.4.1.1466.115.121.1.24 |
| IA5 String | String | 1.3.6.1.4.1.1466.115.121.1.26 |
| Integer | Int | 1.3.6.1.4.1.1466.115.121.1.27 |
| Postal Address | String | 1.3.6.1.4.1.1466.115.121.1.41 |
| Printable String | String | 1.3.6.1.4.1.1466.115.121.1.44 |
| Telephone Number | String | 1.3.6.1.4.1.1466.115.121.1.50 |
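When you plan to map additional RACF LDAP attributes, the quickest way to find out whether a syntax is usable is to read the attribute type definitions from the server's subschema and compare their SYNTAX OIDs with the table above. The following script is an added example, not code from the original page or from Sun/Waveset: it parses the fields needed from an RFC 4512 AttributeTypeDescription and classifies each definition as supported (with the Waveset attribute type from the table), unsupported (Octet String, OID 1.3.6.1.4.1.1466.115.121.1.40), needing review (a syntax not in the table), or unknown (syntax inherited through SUP). The schema definitions in SAMPLE_SCHEMA are constructed: the attribute OIDs are placeholders and the definitions are not the real RACF schema.

```python
import re

# OID -> Waveset attribute type, copied from the supported-syntax table on this page
SUPPORTED_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.4": "Binary",    # Audio
    "1.3.6.1.4.1.1466.115.121.1.5": "Binary",    # Binary
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",   # Boolean
    "1.3.6.1.4.1.1466.115.121.1.11": "String",   # Country String
    "1.3.6.1.4.1.1466.115.121.1.12": "String",   # DN
    "1.3.6.1.4.1.1466.115.121.1.15": "String",   # Directory String
    "1.3.6.1.4.1.1466.115.121.1.24": "String",   # Generalized Time
    "1.3.6.1.4.1.1466.115.121.1.26": "String",   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": "Int",      # Integer
    "1.3.6.1.4.1.1466.115.121.1.41": "String",   # Postal Address
    "1.3.6.1.4.1.1466.115.121.1.44": "String",   # Printable String
    "1.3.6.1.4.1.1466.115.121.1.50": "String",   # Telephone Number
}
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # explicitly not supported

# Constructed schema entries (placeholder attribute OIDs, not the real RACF schema)
SAMPLE_SCHEMA = [
    "( 1.2.3.4.1 NAME 'racfid' DESC 'constructed' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )",
    "( 1.2.3.4.2 NAME ( 'racfOmvsMaximumCPUTime' 'omvsCpu' ) "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.2.3.4.3 NAME 'exampleBlob' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.2.3.4.4 NAME 'exampleNumeric' SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )",
    "( 1.2.3.4.5 NAME 'exampleChild' SUP name )",
]


def parse_attribute_type(definition):
    """Extract OID, first NAME, SYNTAX OID (length suffix dropped) and SUP from an
    RFC 4512 AttributeTypeDescription such as '( oid NAME 'x' SYNTAX oid )'."""
    body = definition.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("attribute type description must be parenthesised")
    body = body[1:-1].strip()
    oid, _, rest = body.partition(" ")
    names = re.search(r"\bNAME\s+(?:'([^']*)'|\(\s*'([^']*)')", rest)
    syntax = re.search(r"\bSYNTAX\s+([0-9.]+)", rest)
    sup = re.search(r"\bSUP\s+(\S+)", rest)
    return {
        "oid": oid,
        "name": (names.group(1) or names.group(2)) if names else None,
        "syntax": syntax.group(1) if syntax else None,
        "sup": sup.group(1) if sup else None,
    }


def classify(definition):
    """Return (name, verdict, note); verdict is a Waveset type from the table,
    'unsupported', 'review' or 'unknown'."""
    info = parse_attribute_type(definition)
    syn = info["syntax"]
    if syn is None:
        return (info["name"], "unknown",
                f"syntax inherited from SUP {info['sup']}; resolve the supertype first")
    if syn == OCTET_STRING_OID:
        return (info["name"], "unsupported", "Octet String is not supported by the adapter")
    if syn in SUPPORTED_SYNTAXES:
        return (info["name"], SUPPORTED_SYNTAXES[syn], "syntax listed as supported")
    return (info["name"], "review",
            "syntax not in the table; usable only if Boolean, string or integer in nature")


def classify_schema(definitions):
    """Map attribute name -> verdict for a list of definitions."""
    return {name: verdict for name, verdict, _ in map(classify, definitions)}


if __name__ == "__main__":
    for name, verdict, note in map(classify, SAMPLE_SCHEMA):
        print(f"{name:28} {verdict:12} {note}")
```

Feed it the attributeTypes values read from the server's subschema entry; anything reported as unsupported or review should be excluded from the account attribute map or mapped through a custom AttrParse instead.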
The following attributes are displayed on the Account Attributes page for the RACF LDAP resource adapters.
| Resource User Attribute | Data Type | Description |
|---|---|---|
| racfPassword | Encrypted | The user’s password on the resource |
| RACF.GROUPS | String | The groups assigned to the user |
| RACF.GROUP-CONN-OWNERS | String | Group connection owners |
| RACF.USERID | String | Required. The user’s name |
| RACF.MASTER CATALOG | String | Master catalog |
| RACF.USER CATALOG | String | User catalog |
| RACF.CATALOG ALIAS | String | Catalog alias |
| racfOwner | String | The owner of the profile |
| racfProgrammerName | String | The user’s name |
| racfInstallationData | String | Installation-defined data |
| racfDefaultGroup | String | The user’s default group |
| RACF.EXPIRED | Boolean | Indicates whether to expire the password |
| RACF.PASSWORD INTERVAL | String | Password interval |
| TSO.Delete Segment | Boolean | If this field is set to true, the TSO segment is deleted from the RACF user |
| SAFAccountNumber | String | The user’s default TSO account number at logon |
| SAFDefaultCommand | String | The default command at logon |
| SAFHoldClass | String | The user’s default TSO hold class |
| SAFJobClass | String | The user’s default TSO job class |
| SAFMessageClass | String | The user’s default TSO message class |
| SAFDefaultLoginProc | String | The name of the user’s default TSO logon procedure |
| SAFLogonSize | Int | The minimum TSO region size if the user does not request a region size during logon |
| SAFMaximumRegionSize | Int | The maximum TSO region size the user can request during logon |
| SAFDefaultSysoutClass | String | The user’s default TSO SYSOUT class |
| SAFDefaultUnit | String | The default name of a TSO device or group of devices that a procedure uses for allocations |
| SAFUserdata | String | Installation-defined data |
| SAFDefaultCommand | String | The TSO default command |
| racfOmvsUid | String | The user’s OMVS user identifier |
| racfOmvsHome | String | The user’s OMVS home directory path name |
| racfOmvsInitialProgram | String | The user’s initial OMVS shell program |
| racfOmvsMaximumCPUTime | Int | User’s OMVS RLIMIT_CPU (maximum CPU time) |
| racfOmvsMaximumAddressSpaceSize | Int | User’s OMVS RLIMIT_AS (maximum address space size) |
| racfOmvsMaximumFilesPerProcess | Int | User’s OMVS maximum number of files per process |
| racfOmvsMaximumProcessesPerUID | Int | User’s OMVS maximum number of processes per UID |
| racfOmvsMaximumThreadsPerProcess | Int | User’s OMVS maximum number of threads per process |
| racfOmvsMaximumMemoryMapArea | Int | User’s OMVS maximum memory map size |
| racfTerminalTimeout | String | The amount of time that the user can be idle before being signed off by CICS |
| racfOperatorPriority | String | The user’s CICS operator priority |
| racfOperatorIdentification | String | The user’s CICS operator identifier |
| racfOperatorClass | String | The CICS operator classes for which the user will receive BMS (basic mapping support) messages |
| racfOperatorReSignon | String | A setting that indicates whether the user will be signed off by CICS when an XRF takeover occurs |
| racfNetviewOperatorClass | String | Class of the operator |
| NETVIEW.NGMFVSPN | String | Defines the operator’s authority to display NetView Graphic Monitor Facility views and resources within views |
| racfNGMFADMKeyword | String | Indicates whether this operator can use the NetView Graphic Monitor Facility (NO or YES) |
| racfMessageReceiverKeyword | String | Indicates whether the operator will receive unsolicited messages (NO or YES) |
| racfNetviewInitialCommand | String | Initial command or list of commands to be executed by NetView when this NetView operator logs on |
| racfDomains | String | Domain identifier |
| racfCTLKeyword | String | Specifies GLOBAL, GENERAL, or SPECIFIC control |
| racfDefaultConsoleName | String | MCS console identifier |
By default, the RACF LDAP resource adapter uses the following object classes when creating new user objects in the LDAP tree. Other object classes may be added.

- racfuser
- racfUserOmvsSegment
- racfCicsSegment
- SAFTsoSegment
- racfNetviewSegment
None
$accountId$
None
Use the Waveset debug pages to set trace options on one or more of the following classes:

- com.waveset.adapter.RACF_LDAPResourceAdapter
- com.waveset.adapter.LDAPResourceAdapter
- com.waveset.adapter.LDAPResourceAdapterBase