Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


RACF

The RACF resource adapter supports management of user accounts and memberships on an OS/390 mainframe via the IBM Host Access Class Library APIs. The adapter manages RACF over a TN3270 emulator session.

The RACF resource adapter is defined in the com.waveset.adapter.RACFResourceAdapter class.

Resource Configuration Notes

None

Identity Manager Installation Notes

The RACF resource adapter is a custom adapter. You must perform the following steps to complete the installation process:

  1. To add the RACF resource to the Identity Manager resources list, add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.RACFResourceAdapter

  2. The Identity Manager mainframe adapters use the IBM Host Access Class Library (HACL) to connect to the mainframe. The HACL is available in IBM WebSphere Host On-Demand (HOD). The recommended jar containing HACL is habeans.jar, which is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are those in HOD V7.0, V8.0, and V9.0.

     If the toolkit installation is not available, the HOD installation contains the following jars, which can be used in place of habeans.jar:

     • habase.jar
     • hacp.jar
     • ha3270.jar
     • hassl.jar
     • hodbase.jar

  3. Copy the habeans.jar file, or all of its substitutes, into the WEB-INF/lib directory of your Identity Manager installation. See http://www.ibm.com/software/webservers/hostondemand/ for more information.

Usage Notes

This section provides information related to using the RACF resource adapter, which is organized into the following sections:

Administrators

TSO sessions do not allow multiple concurrent connections. To achieve concurrency for Identity Manager RACF operations, you must create multiple administrators: if two administrators are created, two Identity Manager RACF operations can occur at the same time. We recommend that you create at least two (and preferably three) administrators.

If you are running in a clustered environment, you must define an admin for each server in the cluster. This applies even if it is the same admin. For TSO, there must be a different admin for each server in the cluster.

If clustering is not being used, the server name should be the same for each row (the name of the Identity Manager host machine).


Note  Host resource adapters do not enforce maximum connections for an affinity administrator across multiple host resources connecting to the same host. Instead, the adapter enforces maximum connections for affinity administrators within each host resource.

If you have multiple host resources managing the same system, and they are currently configured to use the same administrator accounts, you might have to update those resources to ensure that the same administrator is not trying to perform multiple actions on the resource simultaneously.
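The per-resource enforcement described in the note above is easy to misjudge once several host resources point at the same mainframe. The following Python is an added example, not part of Identity Manager or the RACF adapter: it takes a constructed list of host resources, reports administrator accounts that more than one resource uses against the same host, and contrasts per-resource session counting (what the adapter enforces) with host-wide counting (what a single TSO account actually tolerates). The HostResource fields and the one-session-per-administrator limit are assumptions made for the illustration.

```python
"""Audit RACF host-resource administrator assignments for shared TSO accounts.

Added example, not part of Identity Manager or the RACF adapter. The
configuration below is constructed; HostResource and the session limits are
assumptions made for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HostResource:
    name: str     # Identity Manager resource name
    host: str     # mainframe the resource connects to
    admins: list  # administrator accounts configured on the resource


def find_shared_admins(resources):
    """Return {(host, admin): [resource names]} for every administrator account
    that more than one resource uses against the same host."""
    users = defaultdict(list)
    for res in resources:
        for admin in res.admins:
            users[(res.host, admin.upper())].append(res.name)
    return {key: names for key, names in users.items() if len(names) > 1}


class SessionLimiter:
    """Counts active TSO sessions per administrator.

    scope="resource" mirrors the per-resource enforcement the adapter applies;
    scope="host" counts every resource on the same host together, which is
    the view the TSO account itself has.
    """

    def __init__(self, scope="resource", max_per_admin=1):
        if scope not in ("resource", "host"):
            raise ValueError("scope must be 'resource' or 'host'")
        self.scope = scope
        self.max_per_admin = max_per_admin
        self.sessions = []  # (resource name, host, admin)

    def _active(self, res, admin):
        if self.scope == "resource":
            return sum(1 for n, _, a in self.sessions if n == res.name and a == admin)
        return sum(1 for _, h, a in self.sessions if h == res.host and a == admin)

    def acquire(self, res, admin):
        """Reserve a session for admin on res; returns False when the limit is reached."""
        admin = admin.upper()
        if self._active(res, admin) >= self.max_per_admin:
            return False
        self.sessions.append((res.name, res.host, admin))
        return True

    def release(self, res, admin):
        self.sessions.remove((res.name, res.host, admin.upper()))

    def sessions_on_host(self, host, admin):
        """Sessions held by admin on host across all resources, whatever the scope."""
        return sum(1 for _, h, a in self.sessions if h == host and a == admin.upper())


def demo():
    # Constructed configuration: two resources manage the same LPAR and both list ADMIN1.
    prod = HostResource("RACF-PROD", "mvs1.example.com", ["ADMIN1", "ADMIN2"])
    audit = HostResource("RACF-AUDIT", "mvs1.example.com", ["ADMIN1", "ADMIN3"])
    shared = find_shared_admins([prod, audit])

    per_resource = SessionLimiter("resource")
    per_resource.acquire(prod, "ADMIN1")
    second_allowed = per_resource.acquire(audit, "ADMIN1")  # not blocked: counted per resource
    overlap = per_resource.sessions_on_host("mvs1.example.com", "ADMIN1")

    per_host = SessionLimiter("host")
    per_host.acquire(prod, "ADMIN1")
    second_blocked = not per_host.acquire(audit, "ADMIN1")  # blocked: one TSO session per admin
    return shared, second_allowed, overlap, second_blocked


if __name__ == "__main__":
    shared, allowed, overlap, blocked = demo()
    for (host, admin), names in shared.items():
        print(f"{admin} on {host} is shared by {', '.join(names)}")
    print(f"per-resource counting let ADMIN1 hold {overlap} concurrent sessions")
    print(f"host-wide counting blocked the second session: {blocked}")
```

Running find_shared_admins over the resource definitions is the quick check to perform after adding a second host resource for an existing mainframe; any (host, admin) pair it returns is a candidate for a dedicated administrator account.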

Resource Actions

The RACF adapter requires login and logoff resource actions. The login action negotiates an authenticated session with the mainframe. The logoff action disconnects when that session is no longer required.

See the Usage Notes for the Top Secret adapter on page 1-376 for more information about creating login and logoff resource actions.

SSL Configuration

This section describes how to configure SSL for this adapter, including:

Connecting the Adapter to a Telnet/TN3270 Server using SSL or TLS

Use the following steps to connect RACF resource adapters to a Telnet/TN3270 server using SSL/TLS.

  1. Obtain the Telnet/TN3270 server's certificate in the PKCS #12 file format. Use hod as the password for this file. Consult your server's documentation on how to export the server's certificate. See the procedure “Generating a PKCS #12 File” below for some general guidelines.

  2. Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of HOD, use the following command to do this:

     ..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip;../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class

  3. Place the CustomizedCAs.class file somewhere in the Identity Manager server's classpath, such as $WSHOME/WEB-INF/classes.

  4. If a resource attribute named Session Properties does not already exist for the resource, use the BPE or debug pages to add the attribute to the resource object. Add the following definition in the <ResourceAttributes> section:

     <ResourceAttribute name='Session Properties' displayName='Session Properties' description='Session Properties' multi='true'>
     </ResourceAttribute>

  5. Go to the Resource Parameters page for the resource and add the following name and value to the Session Properties resource attribute:

     SESSION_SSL
     true

Generating a PKCS #12 File

The following procedure provides a general description of generating a PKCS #12 file when using the Host OnDemand (HOD) Redirector using SSL/TLS. Refer to the HOD documentation for detailed information about performing this task.

  1. Create a new HODServerKeyDb.kdb file using the IBM Certificate Management tool. As part of that file, create a new self-signed certificate as the default private certificate.

     If you get a message similar to “error adding key to the certificate database” when you are creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may have expired. Check the IBM website to obtain up-to-date certificates.

  2. Export that private certificate as Base64 ASCII into a cert.arm file.

  3. Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod as the password for this file.

Troubleshooting

You can enable tracing of the HACL by adding the following to the Session Properties resource attribute:

SESSION_TRACE

ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3


Note  The trace parameters should be listed without any new line characters. It is acceptable if the parameters wrap in the text box.

The Telnet/TN3270 server should have logs that may help as well.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses TN3270 to communicate with the RACF adapter.

Required Administrative Privileges

To define or change information in a non-base segment of a user profile, including your own, you must have the SPECIAL attribute or at least UPDATE authority to the segment through field-level access checking.

To list the contents of a user profile or the contents of individual segments of the user profile, use the LISTUSER command.

To display the information in a non-base segment of a user profile, including your own, you must have the SPECIAL or AUDITOR attribute or at least READ authority to the segment through field-level access checking.
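The SPECIAL and AUDITOR authorities described above are exactly what an access reviewer wants surfaced from the LISTUSER output the adapter works with. The following Python is an added example, not part of the RACF adapter: it parses a constructed LISTUSER display (the sample approximates the general layout of real output, which varies by RACF release and installation, so the regular expressions are assumptions to adjust), maps the base-segment fields onto the adapter's attribute names (USERID, NAME, OWNER, DFLTGRP, PASSWORD INTERVAL, GROUPS, GROUP-CONN-OWNERS), and flags system-wide and group-level SPECIAL, OPERATIONS and AUDITOR.

```python
"""Parse a RACF LISTUSER display and flag privileged attributes.

Added example, not part of the Identity Manager RACF adapter. The sample below
is constructed to follow the general layout of LISTUSER output; the patterns are
assumptions and may need adjusting for a given RACF release.
"""
import re

# Constructed sample in the general shape of a LISTUSER display (not captured from a real system).
SAMPLE_LISTUSER = """\
USER=JSMITH  NAME=JOHN SMITH  OWNER=SYS1      CREATED=05.123
 DEFAULT-GROUP=SYS1     PASSDATE=05.200 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.300/10:15:22
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 ---------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=05.123
    CONNECTS=   12  UACC=NONE     LAST-CONNECT=05.300/10:15:22
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=PAYROLL   AUTH=CONNECT  CONNECT-OWNER=PAYADM    CONNECT-DATE=05.150
    CONNECTS=    3  UACC=NONE     LAST-CONNECT=05.290/08:02:11
    CONNECT ATTRIBUTES=OPERATIONS
    REVOKE DATE=NONE   RESUME DATE=NONE
"""

HEADER_RE = re.compile(r"^USER=(\S+)\s+NAME=(.*?)\s+OWNER=(\S+)\s+CREATED=(\S+)", re.M)
DFLTGRP_RE = re.compile(r"^[ \t]*DEFAULT-GROUP=(\S+).*?PASS-INTERVAL=\s*(\S+)", re.M)
ATTR_RE = re.compile(r"^[ \t]*ATTRIBUTES=(.+)$", re.M)
GROUP_RE = re.compile(r"^[ \t]*GROUP=(\S+)\s+AUTH=(\S+)\s+CONNECT-OWNER=(\S+)", re.M)
CONNATTR_RE = re.compile(r"^[ \t]*CONNECT ATTRIBUTES=(.+)$", re.M)

# Standard RACF user attributes that confer system-wide (or, on a connect, group-wide) authority.
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}


def parse_listuser(text):
    """Return a dict keyed like the adapter's account attributes, plus the raw
    ATTRIBUTES list and one entry per group connection."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no USER= header found")
    profile = {"USERID": header.group(1), "NAME": header.group(2).strip(), "OWNER": header.group(3)}

    dflt = DFLTGRP_RE.search(text)
    profile["DFLTGRP"] = dflt.group(1) if dflt else None
    profile["PASSWORD INTERVAL"] = dflt.group(2) if dflt else None

    attrs = ATTR_RE.search(text)
    profile["ATTRIBUTES"] = [a for a in attrs.group(1).split() if a != "NONE"] if attrs else []

    groups = [(g.group(1), g.group(2), g.group(3)) for g in GROUP_RE.finditer(text)]
    # Assumption: every GROUP= block carries one CONNECT ATTRIBUTES line, in the same order.
    conn_attrs = [[a for a in c.group(1).split() if a != "NONE"] for c in CONNATTR_RE.finditer(text)]
    profile["GROUPS"] = [g[0] for g in groups]
    profile["GROUP-CONN-OWNERS"] = [g[2] for g in groups]
    profile["CONNECTIONS"] = [
        {"group": g[0], "auth": g[1], "owner": g[2],
         "attributes": conn_attrs[i] if i < len(conn_attrs) else []}
        for i, g in enumerate(groups)
    ]
    return profile


def privileged_findings(profile):
    """List the privileged authorities a reviewer should confirm are intended."""
    findings = []
    for attr in profile["ATTRIBUTES"]:
        if attr in PRIVILEGED:
            findings.append(f"{profile['USERID']}: system-wide {attr}")
    for conn in profile["CONNECTIONS"]:
        for attr in conn["attributes"]:
            if attr in PRIVILEGED:
                findings.append(f"{profile['USERID']}: group-{attr} via {conn['group']}")
    return findings


if __name__ == "__main__":
    parsed = parse_listuser(SAMPLE_LISTUSER)
    print(parsed["USERID"], parsed["DFLTGRP"], parsed["GROUPS"])
    for finding in privileged_findings(parsed):
        print(finding)
```

Only the base segment is parsed here; as the text above notes, the TSO, OMVS and other segments are displayed only when the caller has READ authority to them, so a reviewer running under a less privileged ID should expect those segments to be absent from the output.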

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                      Supported?
Enable/disable account       Yes
Rename account               Yes
Pass-through authentication  No
Before/after actions         Yes
Data loading methods         Import directly from resource
                             Reconciliation

Account Attributes

The following table provides information about RACF account attributes.

Resource User Attribute  Data Type  Description
GROUPS                   String     The groups assigned to the user
GROUP-CONN-OWNERS        String     Group connection owners
USERID                   String     Required. The user’s name
MASTER CATALOG           String     Master catalog
USER CATALOG             String     User catalog
CATALOG ALIAS            String     Catalog alias
OWNER                    String     The owner of the profile
NAME                     String     The user’s name
DATA                     String     Installation-defined data
DFLTGRP                  String     The user’s default group
EXPIRED                  Boolean    Indicates whether to expire the password
PASSWORD INTERVAL        String     Password interval
TSO.ACCTNUM              String     The user’s default TSO account number at logon
TSO.COMMAND              String     The default command at logon
TSO.HOLDCLASS            String     The user’s default TSO hold class
TSO.JOBCLASS             String     The user’s default TSO job class
TSO.MAXSIZE              Int        The maximum TSO region size the user can request during logon
TSO.MSGCLASS             String     The user’s default TSO message class
TSO.PROC                 String     The name of the user’s default TSO logon procedure
TSO.SIZE                 Int        The minimum TSO region size if the user does not request a region size during logon
TSO.SYSOUTCLASS          String     The user’s default TSO SYSOUT class
TSO.UNIT                 String     The default name of a TSO device or group of devices that a procedure uses for allocations
TSO.USERDATA             String     Installation-defined data
OMVS.ASSIZEMAX           Int        User’s OMVS RLIMIT_AS (maximum address space size)
OMVS.CPUTIMEMAX          Int        User’s OMVS RLIMIT_CPU (maximum CPU time)
OMVS.FILEPROCMAX         Int        User’s OMVS maximum number of files per process
OMVS.HOME                String     The user’s OMVS home directory path name
OMVS.MMAPAREAMAX         Int        User’s OMVS maximum memory map size
OMVS.PROCUSERMAX         Int        User’s OMVS maximum number of processes per UID
OMVS.PROGRAM             String     The user’s initial OMVS shell program
OMVS.THREADSMAX          Int        User’s OMVS maximum number of threads per process
OMVS.UID                 String     The user’s OMVS user identifier
CICS.OPCLASS             String     The CICS operator classes for which the user will receive BMS (basic mapping support) messages
CICS.OPIDENT             String     The user’s CICS operator identifier
CICS.OPPRTY              String     The user’s CICS operator priority
CICS.TIMEOUT             String     The amount of time that the user can be idle before being signed off by CICS
CICS.XRFSOFF             String     A setting that indicates whether the user will be signed off by CICS when an XRF takeover occurs
NETVIEW.CONSNAME         String     MCS console identifier
NETVIEW.CTL              String     Specifies GLOBAL, GENERAL, or SPECIFIC control
NETVIEW.DOMAINS          String     Domain identifier
NETVIEW.IC               String     Initial command or list of commands to be executed by NetView when this NetView operator logs on
NETVIEW.MSGRECVR         String     Indicates whether the operator will receive unsolicited messages (NO or YES)
NETVIEW.NGMFADMN         String     Indicates whether this operator can use the NetView graphic monitor facility (NO or YES)
NETVIEW.NGMFVSPN         String
NETVIEW.OPCLASS          String     Class of the operator

Identity Template

$accountId$

Sample Forms

Built-In

None

Also Available

RACFUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

See the Troubleshooting section for the Top Secret adapter on page 1-388 for more information about troubleshooting the HostAccess class.


Copyright 2006 Sun Microsystems, Inc. All rights reserved.