Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


ACF2

The ACF2 resource adapter supports management of user accounts and memberships on an OS/390 mainframe via the IBM Host Access Class Library APIs. The adapter manages ACF2 over a TN3270 emulator session.

The ACF2 adapter supports the following versions:

The ACF2 resource adapter is defined in the com.waveset.adapter.ACF2ResourceAdapter class.

Resource Configuration Notes

None

Identity Manager Installation Notes

The ACF2 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

  1. To add the ACF2 resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.ACF2ResourceAdapter

  2. The Identity Manager mainframe adapters use the IBM Host Access Class Library (HACL) to connect to the mainframe. The HACL is available in IBM WebSphere Host On-Demand (HOD). The recommended jar containing HACL is habeans.jar; it is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are those in HOD V7.0, V8.0, and V9.0.

     If the toolkit installation is not available, the HOD installation contains the following jars, which can be used in place of habeans.jar:

     • habase.jar
     • hacp.jar
     • ha3270.jar
     • hassl.jar
     • hodbase.jar

  3. Copy the habeans.jar file, or all of its substitutes, into the WEB-INF/lib directory of your Identity Manager installation. See http://www.ibm.com/software/webservers/hostondemand/ for more information.

Usage Notes

This section lists dependencies and limitations related to using the ACF2 resource adapter.

Administrators

TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for Identity Manager ACF2 operations, you must create multiple administrators. Thus, if you create two administrators, two Identity Manager ACF2 operations can occur at the same time. We recommend that you create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).


Note  Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.

If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
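As an added example (not code from the Sun documentation or the Identity Manager product), the following Python script audits administrator rows on host-resource definitions against the rules above: concurrency per server, one row per cluster server, no administrator reused across servers, and no administrator shared by several resources on the same host. The dict layout, host names and administrator names are constructed assumptions.

```python
"""Audit administrator rows on Identity Manager host resources.

Added example; not code from the Sun Identity Manager product or this
reference. It checks the rules stated in the Usage Notes for TSO-based
host resources such as ACF2:
  * concurrency per server equals the number of administrator rows;
  * in a cluster, every server needs its own administrator row, and an
    administrator should not be reused on several servers;
  * the adapter only enforces max connections per administrator within
    one host resource, so the same administrator shared by several
    resources on the same host can collide.
The dict layout below is a constructed stand-in for the resource object.
"""
from collections import defaultdict

# Constructed sample: two host resources managing the same mainframe.
RESOURCES = [
    {"name": "ACF2-prod", "host": "mvs1.example.com", "admins": [
        ("iwadm1", "idm-node1"), ("iwadm2", "idm-node1"), ("iwadm1", "idm-node2")]},
    {"name": "ACF2-audit", "host": "mvs1.example.com", "admins": [
        ("iwadm2", "idm-node1")]},
]
CLUSTER = ["idm-node1", "idm-node2"]


def concurrency(resource, server):
    """Concurrent ACF2 operations a server can run: one per admin row."""
    return sum(1 for _admin, srv in resource["admins"] if srv == server)


def missing_cluster_admins(resource, cluster):
    """Cluster servers that have no administrator row on this resource."""
    covered = {srv for _admin, srv in resource["admins"]}
    return [srv for srv in cluster if srv not in covered]


def reused_across_servers(resource):
    """Admins listed for more than one server (TSO needs a distinct admin per server)."""
    servers = defaultdict(set)
    for admin, srv in resource["admins"]:
        servers[admin].add(srv)
    return sorted(a for a, s in servers.items() if len(s) > 1)


def shared_admins(resources):
    """Map (host, admin) -> resource names, for admins used by several resources on one host."""
    users = defaultdict(set)
    for res in resources:
        for admin, _srv in res["admins"]:
            users[(res["host"], admin)].add(res["name"])
    return {key: sorted(names) for key, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    for res in RESOURCES:
        print(res["name"], "missing rows for:", missing_cluster_admins(res, CLUSTER))
        print(res["name"], "admin on several servers:", reused_across_servers(res))
        for srv in CLUSTER:
            print(res["name"], srv, "concurrency:", concurrency(res, srv))
    for (host, admin), names in shared_admins(RESOURCES).items():
        print(f"{admin} on {host} is shared by {', '.join(names)}")
```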

Resource Actions

The ACF2 adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.

See the Usage Notes for the Top Secret adapter on page 1-376 for more information about creating login and logoff resource actions.

SSL Configuration

This section provides information about configuring SSL, including:

Connecting the Adapter to a Telnet/TN3270 Server using SSL or TLS

Use the following steps to connect ACF2 resource adapters to a Telnet/TN3270 server using SSL/TLS.

  1. Obtain the Telnet/TN3270 server's certificate in the PKCS #12 file format. Use hod as the password for this file. Consult your server's documentation on how to export the server's certificate. See the procedure "Generating a PKCS #12 File" below for some general guidelines.
  2. Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of HOD, use the following command to do this:

     ..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip;../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class

  3. Place the CustomizedCAs.class file somewhere in the Identity Manager server's classpath, such as $WSHOME/WEB-INF/classes.
  4. If a resource attribute named Session Properties does not already exist for the resource, use the BPE or debug pages to add the attribute to the resource object. Add the following definition in the <ResourceAttributes> section:

     <ResourceAttribute name='Session Properties' displayName='Session Properties' description='Session Properties' multi='true'>
     </ResourceAttribute>

  5. Go to the Resource Parameters page for the resource and add the following name and value to the Session Properties resource attribute:

     SESSION_SSL
     true

Generating a PKCS #12 File

The following procedure provides a general description of generating a PKCS #12 file when using the Host OnDemand (HOD) Redirector using SSL/TLS. Refer to the HOD documentation for detailed information about performing this task.

  1. Create a new HODServerKeyDb.kdb file using the IBM Certificate Management tool. As part of that file, create a new self-signed certificate as the default private certificate.

     If you get a message similar to "error adding key to the certificate database" when you are creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may be expired. Check the IBM website to obtain up-to-date certificates.

  2. Export that private certificate as Base64 ASCII into a cert.arm file.
  3. Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod as the password for this file.

Troubleshooting the SSL Connection

You can enable tracing of the HACL by adding the following to the Session Properties resource attribute:

SESSION_TRACE

ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3


Note  The trace parameters should be listed without any new line characters. It is acceptable if the parameters wrap in the text box.

The Telnet/TN3270 server should have logs that may help as well.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses TN3270 connections to communicate with ACF2.

Required Administrative Privileges

The administrators that connect to ACF2 must be assigned sufficient privileges to create and manage ACF2 users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                       Supported?
Enable/disable account        Yes
Rename account                Yes
Pass-through authentication   No
Before/after actions          Yes
Data loading methods          Import directly from resource
                              Reconciliation

Account Attributes

The following table provides information about ACF2 account attributes.

Resource User Attribute                 Data Type Description
NAME                                    string    The user name displayed on logging and security violation reports
PHONE                                   string    The user's telephone number
ACCESS.ACC-CNT                          string    The number of system accesses made by this logonid since it was created
ACCESS.ACC-DATE                         string    The date of this user's last system access
ACCESS.ACC-SRCE                         string    The logical or physical input source name or source group name where this logonid last accessed the system
ACCESS.ACC-TIME                         string    The time of this user's last system access
CANCEL/SUSPEND.CANCEL                   boolean   The logonid is canceled and denied access to the system
CANCEL/SUSPEND.CSDATE                   string    The date when the CANCEL or SUSPEND field was set
CANCEL/SUSPEND.CSWHO                    string    The logonid that set the CANCEL, SUSPEND, or MONITOR field
CANCEL/SUSPEND.MON-LOG                  boolean   ACF2 writes an SMF record each time this user enters the system
CANCEL/SUSPEND.MONITOR                  boolean   CA-ACF2 sends a message to the security console and to a designated person (CSWHO) each time this user enters the system
CANCEL/SUSPEND.SUSPEND                  boolean   The logonid is suspended and denied access to the system
CANCEL/SUSPEND.TRACE                    boolean   All data references by this user are traced and logged
CICS.ACF2CICS                           boolean   Indicates that CA-ACF2 CICS security is to be initialized in any CICS/ESA 4.1 or later region running with this address space logonid
CICS.CICSCL                             string    CICS operator class
CICS.CICSID                             string    CICS operator ID
CICS.CICSKEY                            string    The first three bytes of transaction security key values to support CICS Release 1.6 and later
CICS.CICSKEYX                           string    The last five bytes of transaction security key values to support CICS Release 1.6 and later
CICS.CICSPRI                            string    CICS operator priority
CICS.CICSRSL                            string    CICS resource access key
CICS.IDLE                               string    The maximum number of minutes permitted between terminal transactions for this user
IMS.MUSDLID                             string    The default logonid for a MUSASS address space
IDMS.IDMSPROF                           string    The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS
IDMS.IDMSPRVS                           string    The version of the sign-on profile CLIST executed when the user signs on to CA-IDMS
MUSASS.MUSID                            string    Groups IMS records in the Infostorage database to ensure that IMS records are associated with the proper control region
MUSASS.MUSIDINF                         boolean   The MUSID field should be used to restrict access to a MUSASS region for CA-ACF2 Info type system entry calls
MUSASS.MUSOPT                           string    The name of the CA-ACF2 CA-IDMS options module that controls the CA-IDMS address space
MUSASS.MUSPGM                           string    The name of the CA-IDMS start-up program
MUSASS.MUSUPDT                          boolean   Allows the user to update the CA-ACF2 databases
PRIVILEGES.ACCOUNT                      boolean   The user can insert, delete, and change logonids, as limited by a scope
PRIVILEGES.ACTIVE                       string    The logonid is automatically activated one minute after midnight on the date contained in this field
PRIVILEGES.AUDIT                        boolean   With this privilege, a user can inspect, but not modify, the parameters of the CA-ACF2 system
PRIVILEGES.AUTODUMP                     boolean   Dump created when a data set or resource violation occurs
PRIVILEGES.AUTONOPW                     boolean   This virtual machine can be autologged without specifying a password
PRIVILEGES.BDT                          boolean   This logonid's address space belongs to the Bulk Data Transfer (BDT) product
PRIVILEGES.CICS                         boolean   The logonid has the authority to sign on to CICS
PRIVILEGES.CMD-PROP                     boolean   The user can override the global CPF target list by using the SET TARGET command or the TARGET parameter
PRIVILEGES.CONSULT                      boolean   The user can display other logonids
PRIVILEGES.DUMPAUTH                     boolean   This user can generate a dump even when the address space is in an execute-only or path control environment
PRIVILEGES.EXPIRE                       string    The date when "temporary" logonids expire
PRIVILEGES.IDMS                         boolean   The logonid has the authority to sign on to CA-IDMS
PRIVILEGES.JOB                          boolean   The user can enter batch and background Terminal Monitor Program (TMP) jobs
PRIVILEGES.JOBFROM                      boolean   The user can use the //*JOBFROM control statement
PRIVILEGES.LEADER                       boolean   The user can display and alter certain fields of other logonids for other users
PRIVILEGES.LOGSHIFT                     boolean   A user can access the system outside the time period specified in the SHIFT field of the logonid record
PRIVILEGES.MAINT                        boolean   A user can use a specified program executed from a specified library to access resources without logging or validation
PRIVILEGES.MUSASS                       boolean   This logonid is a multiple user single address space system (MUSASS)
PRIVILEGES.NO-INH                       boolean   A network job cannot inherit this logonid from its submitter
PRIVILEGES.NO-SMC                       boolean   Step-must-complete (SMC) controls are bypassed; a job is considered noncancelable for the duration of the sensitive VSAM update operation
PRIVILEGES.NO-STORE                     boolean   This user is unauthorized to store or delete rule sets
PRIVILEGES.NON-CNCL                     boolean   A user can access all data, even if a rule prohibits this access
PRIVILEGES.PGM                          string    The specified APF-authorized program to submit jobs for this logonid
PRIVILEGES.PPGM                         boolean   The user can execute those protected programs specified in the GSO PPGM record
PRIVILEGES.PRIV-CTL                     boolean   Checks privilege control resource rules when the user accesses the system to see what additional privileges and authorities the user has
PRIVILEGES.PROGRAM                      string    The specified APF-authorized program to submit jobs for this logonid
PRIVILEGES.READALL                      boolean   The logonid has only read access to all data at the site
PRIVILEGES.REFRESH                      boolean   This user is authorized to issue the F ACF2,REFRESH operator command from the operator's console
PRIVILEGES.RESTRICT                     boolean   This restricted logonid is for production use and does not require a password for user verification
PRIVILEGES.RSRCVLD                      boolean   Specifies that a resource rule must authorize any accesses that a user makes
PRIVILEGES.RULEVLD                      boolean   An access rule must exist for all data this user accesses
PRIVILEGES.SCPLIST                      string    The infostorage scope record that restricts accesses for this privileged user
PRIVILEGES.SECURITY                     boolean   This user is a security administrator who, within the limits of his scope, can create, maintain, and delete access rules, resource rules, and infostorage records
PRIVILEGES.STC                          boolean   Only started tasks use this logonid
PRIVILEGES.SUBAUTH                      boolean   Only an APF-authorized program can submit jobs specifying this logonid
PRIVILEGES.SYNCNODE                     string    The node where the synchronized logonid for this logonid is found in the Logonid database
PRIVILEGES.TAPE-BLP                     boolean   This user can use full bypass label processing (BLP) when accessing tape data sets
PRIVILEGES.TAPE-LBL                     boolean   This user has limited BLP when accessing tape data sets
PRIVILEGES.TSO                          boolean   This user is authorized to sign on to TSO
PRIVILEGES.VAX                          boolean   This logonid has associated VAX (UAF) infostorage records
PRIVILEGES.VLDRSTCT                     boolean   Turning on this field for a RESTRICT logonid indicates that PROGRAM and SUBAUTH are to be validated even when the logonid is inherited
PASSWORD.MAXDAYS                        string    The maximum number of days permitted between password changes before the password expires; if the value is zero, no limit is enforced
PASSWORD.MINDAYS                        string    The minimum number of days that must elapse before the user can change the password
PASSWORD.PSWD-DAT                       string    The date of the last invalid password attempt
PASSWORD.PSWD-EXP                       boolean   The user's password was manually expired (forced to expire)
PASSWORD.PSWD-INV                       string    The number of password violations that occurred since the last successful logon
PASSWORD.PSWD-SRCE                      string    The logical or physical input source name or source group name where the last invalid password for this logonid was received
PASSWORD.PSWD-TIM                       string    The time when the last invalid password for this logonid was received
PASSWORD.PSWD-TOD                       string    The date and time the password was last changed
PASSWORD.PSWD-VIO                       string    The number of password violations occurring on PSWD-DAT
PASSWORD.PSWD-XTR                       boolean   The password for this logonid is halfway-encrypted and can be extracted by an APF-authorized program
RESTRICTIONS.AUTHSUP1 through AUTHSUP8  boolean   These fields can activate extended user authentication (EUA) for each designated system user
RESTRICTIONS.GROUP                      string    The group or project name associated with this user
RESTRICTIONS.PREFIX                     string    The high-level index of the data sets that this user owns and can access
RESTRICTIONS.SHIFT                      string    The shift record that defines when a user is permitted to log on to the system
RESTRICTIONS.SOURCE                     string    The logical or physical input source name or source group name where this logonid must access the system
RESTRICTIONS.VMACCT                     string    A logonid field that holds the default account number for a virtual machine
RESTRICTIONS.VMIDLEMN                   string    The number of minutes that this user can be idle on the system before idle terminal processing begins
RESTRICTIONS.VMIDLEOP                   string    The type of idle terminal processing to perform when the user exceeds the idle time limit
RESTRICTIONS.ZONE                       string    The name of the Infostorage Database zone record defining the time zone where this logonid normally accesses the system (that is, the user's local time zone)
STATISTICS.SEC-VIO                      string    The total number of security violations for this user
STATISTICS.UPD-TOD                      string    The date and time that this logonid record was last updated
TSO.ACCTPRIV                            boolean   Indicates the user has TSO accounting privileges
TSO.ALLCMDS                             boolean   The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists
TSO.ATTR2                               string    The IBM program control facility (PCF) uses the PSCBATR2 field for command limiting and data set protection
TSO.CHAR                                string    The TSO character-delete character for this user
TSO.CMD-LONG                            boolean   Indicates that only the listed command and aliases are accepted when using TSO command lists
TSO.DFT-DEST                            string    The default remote destination for TSO spun SYSOUT data sets
TSO.DFT-PFX                             string    The default TSO prefix that is set in the user's profile at logon time
TSO.DFT-SOUT                            string    The default TSO SYSOUT class
TSO.DFT-SUBC                            string    The default TSO submit class
TSO.DFT-SUBH                            string    The default TSO submit hold class
TSO.DFT-SUBM                            string    The default TSO submit message class
TSO.INTERCOM                            boolean   This user is willing to accept messages from other users through the TSO SEND command
TSO.JCL                                 boolean   This user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands
TSO.LGN-ACCT                            boolean   This user can specify an account number at logon time
TSO.LGN-DEST                            boolean   The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field
TSO.LGN-MSG                             boolean   This user can specify a message class at logon time
TSO.LGN-PERF                            boolean   This user can specify a performance group at logon time
TSO.LGN-PROC                            boolean   This user can specify the TSO procedure name at logon time
TSO.LGN-RCVR                            boolean   This user can use the recover option of the TSO or TSO/E command package
TSO.LGN-SIZE                            boolean   This user is authorized to specify any region size at logon time
TSO.LGN-TIME                            boolean   This user can specify the TSO session time limit at logon time
TSO.LGN-UNIT                            boolean   This user can specify the TSO unit name at logon time
TSO.LINE                                string    The TSO line-delete character
TSO.MAIL                                boolean   Receive mail messages from TSO at logon time
TSO.MODE                                boolean   Receive modal messages from TSO
TSO.MOUNT                               boolean   This user can issue mounts for devices
TSO.MSGID                               boolean   Prefix TSO message IDs
TSO.NOTICES                             boolean   Receive TSO notices at logon time
TSO.OPERATOR                            boolean   This user has TSO operator privileges
TSO.PAUSE                               boolean   Causes a program to pause when a command executed in a CLIST issues a multilevel message
TSO.PMT-ACCT                            boolean   Forces this user to specify an account number at logon time
TSO.PMT-PROC                            boolean   Forces this user to specify a TSO procedure name at logon time
TSO.PROMPT                              boolean   Prompt for missing or incorrect parameters
TSO.RECOVER                             boolean   Use the recover option of the TSO or TSO/E command package
TSO.TSOACCT                             string    The user's default TSO logon account
TSO.TSOCMDS                             string    The name of the TSO command list module that contains the list of the commands that this user is authorized to use
TSO.TSOFSCRN                            boolean   This user has the full-screen logon display
TSO.TSOPERF                             string    The user's default TSO performance group
TSO.TSOPROC                             string    The user's default TSO procedure name
TSO.TSORBA                              string    The mail index record pointer (MIRP) for this user
TSO.TSORGN                              string    The user's default TSO region size (in K bytes) if the user does not specify a size at logon time
TSO.TSOSIZE                             string    The user's maximum TSO region size (in K bytes) unless the user has the LGN-SIZE field specified
TSO.TSOTIME                             string    The user's default TSO time parameter
TSO.TSOUNIT                             string    The user's default TSO unit name
TSO.VLD-ACCT                            boolean   Indicates CA-ACF2 is to validate the TSO account number
TSO.VLD-PROC                            boolean   Indicates CA-ACF2 is to validate the TSO procedure name
TSO.WTP                                 boolean   Displays write-to-programmer (WTP) messages

Resource Object Management

None

Sample Forms

ACF2UserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

See the Troubleshooting section for the Top Secret adapter on page 1-388 for more information about troubleshooting the HostAccess class.





Copyright 2006 Sun Microsystems, Inc. All rights reserved.