IBM Security Identity Manager Version 6.0

CA ACF2 for z/OS Adapter Installation and Configuration Guide

SC27-4383-01


Note: Before using this information and the product it supports, read the information in “Notices” on page 93.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . v
Tables . . . vii
Preface . . . ix
  About this publication . . . ix
  Access to publications and terminology . . . ix
  Accessibility . . . x
  Technical training . . . x
  Support information . . . x
  Statement of Good Security Practices . . . x

Chapter 1. Overview of the CA ACF2 Adapter . . . 1
  Adapter interactions with the IBM Security Identity Manager server . . . 2

Chapter 2. Installation planning . . . 3
  Preinstallation roadmap . . . 3
  Installation roadmap . . . 3
  Prerequisites . . . 3
  Software download . . . 4

Chapter 3. Adapter installation and configuration . . . 5
  Uploading the adapter package on z/OS . . . 5
  Installing the ISPF dialog . . . 5
  Running the ISPF dialog . . . 6
  Starting and stopping the adapter . . . 11
  CA ACF2 access configuration . . . 12
    CA ACF2 logonid . . . 12
    Surrogate user loginids . . . 12
  Communication configuration . . . 13
    Adapter profile creation . . . 13
    Adapter profile installation verification . . . 15
    Creating a CA ACF2 Adapter service . . . 15
  Verifying that the ACF2 adapter is working correctly . . . 17

Chapter 4. Post-installation first steps . . . 19
  Adapter configuration for IBM Security Identity Manager . . . 19
    z/OS UNIX System Services considerations for z/OS Adapter . . . 19
    Starting the adapter configuration tool . . . 19
    Viewing configuration settings . . . 21
    Changing protocol configuration settings . . . 21
    Event notification configuration . . . 25
    Changing the configuration key . . . 35
    Changing activity logging settings . . . 36
    Modifying registry settings . . . 38
    Modifying non-encrypted registry settings . . . 39
    Changing advanced settings . . . 40
    Viewing statistics . . . 41
    Modifying code page settings . . . 41
    Accessing help and additional options . . . 43
  CA ACF2 Adapter customization . . . 45
    ISIMEXIT command usage . . . 45
    ISIMEXEC command usage . . . 47
  z/OS adapter language pack installation . . . 48
  SSL authentication configuration for the z/OS adapter . . . 48
    Overview of SSL and digital certificates for the z/OS adapter . . . 49
    DAML protocol for SSL authentication . . . 51
    Configuring certificates for SSL authentication for the z/OS adapter . . . 51

Chapter 5. Configuration notes . . . 65

Chapter 6. Adapter error troubleshooting . . . 67
  Troubleshooting techniques . . . 67
  Warning and error messages . . . 69
  Adapter log files . . . 70
  Adapter SSL information collection for support requests . . . 70
  Known issues and limitations . . . 71

Chapter 7. Upgrading the adapter . . . 75

Chapter 8. Uninstalling the adapter . . . 77

Chapter 9. Adapter reinstallation . . . 79

Appendix A. Adapter attributes . . . 81

Appendix B. Registry settings . . . 83

Appendix C. Environment variables . . . 85

Appendix D. Support information . . . 87
  Searching knowledge bases . . . 87
  Obtaining a product fix . . . 88
  Contacting IBM Support . . . 88

Appendix E. Accessibility features for IBM Security Identity Manager . . . 91

Notices . . . 93

Index . . . 97


Figures

1. The CA ACF2 Adapter components . . . 1
2. One-way SSL authentication (server authentication) . . . 52
3. Two-way SSL authentication (client authentication) . . . 53
4. Adapter operating as an SSL server and an SSL client . . . 54


Tables

1. Preinstallation roadmap . . . 3
2. Installation roadmap . . . 3
3. Prerequisites to install the adapter . . . 4
4. ISPF dialog data sets . . . 6
5. Options for the main configuration menu . . . 20
6. Options for the DAML protocol menu . . . 23
7. Options for the event notification menus . . . 27
8. Options for the modify context menu . . . 30
9. DN elements and definitions . . . 31
10. Attributes for search . . . 32
11. Name values and their description . . . 33
12. Organization chart example . . . 33
13. Organization chart example . . . 34
14. Options for the activity logging menu . . . 37
15. Non-encrypted registry keys . . . 39
16. Attribute configuration option description . . . 39
17. Options for the advanced settings menu . . . 40
18. Arguments and description for the agentCfg help menu . . . 44
19. ISIMEXIT processing information . . . 46
20. ISIMEXEC processing information . . . 47
21. Error messages, warnings, and corrective actions . . . 69
22. Schema file format . . . 81
23. Example of an ACF2SCHM file . . . 81
24. Registry settings and additional information . . . 83
25. CA ACF2 Adapter environment variables . . . 85


Preface

About this publication

The CA ACF2 for z/OS Adapter Installation and Configuration Guide provides the basic information that you need to install and configure the IBM® Security Identity Manager CA ACF2 Security for z/OS® Adapter (CA ACF2 Adapter).

IBM Security Identity Manager was previously known as Tivoli® Identity Manager. The CA ACF2 Adapter enables connectivity between the IBM Security Identity Manager server and a network of systems that run the Multiple Virtual Storage (MVS™) operating system. After the adapter is installed and configured, IBM Security Identity Manager manages access to z/OS operating system resources.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
The product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix D, “Support information,” on page 87 provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Overview of the CA ACF2 Adapter

An adapter is a program that provides an interface between a managed resource and the IBM Security Identity Manager server.

Adapters might reside on the managed resource. The IBM Security Identity Manager server manages access to the resource by using the security system. Adapters function as trusted virtual administrators on the target platform. The adapter performs tasks, such as creating login IDs, suspending IDs, and other functions that administrators run manually. The adapter runs as a service, independently of whether you are logged on to IBM Security Identity Manager.

IBM Security Identity Manager works with CA ACF2 Security in an MVS environment. The adapter:
• Receives provisioning requests from IBM Security Identity Manager.
• Processes the requests to add, modify, suspend, restore, delete, and reconcile user information from the CA ACF2 Security database.
• Converts the Directory Access Markup Language (DAML) requests that are received from IBM Security Identity Manager to corresponding CA ACF2 Security for z/OS commands. The Enrole Resource Management API (ERMA) libraries are used for the conversion.
• Issues the commands to the CA ACF2 command executor and receives the results.
• Returns the results of the command of a request to IBM Security Identity Manager. The returns include the success or failure message for the request.

The following figure describes the various components of the adapter.

Adapter
Receives and processes requests from IBM Security Identity Manager. The adapter can handle multiple requests simultaneously. The binary files of the adapter and related external files reside in the Unix System Services environment of z/OS (OS/390®).

Command Executor
The command executor is part of CA ACF2. It processes the commands and returns relevant messages.

Reconciliation Processor
The Reconciliation Processor is a series of programs in the C programming language. By default, the Reconciliation Processor runs two programs to obtain data from the CA ACF2 database. The data is sorted and merged before it is sent back to the adapter.

Figure 1. The CA ACF2 Adapter components (the DAML Service Provider on the IBM Security Identity Manager side talks over the DAML protocol to the adapter core running in USS on the z/OS host; the adapter core drives the Command Executor and the Reconciliation Processor, which operate on the CA-ACF2 database)

Adapter interactions with the IBM Security Identity Manager server

The CA ACF2 Adapter uses IBM Security Identity Manager to perform user tasks on CA ACF2 Security for z/OS. The adapter can add, modify, suspend, restore, reconcile, or delete users from CA ACF2. The adapter uses the TCP/IP protocol to communicate with IBM Security Identity Manager.

The CA ACF2 Adapter does not use Secure Socket Layer (SSL) by default to communicate with IBM Security Identity Manager. To enable SSL, you must perform post-configuration steps.

SSL requires digital certificates and private keys to establish communication between the endpoints. Regarding SSL, the CA ACF2 Adapter is considered a server. When the adapter uses the SSL protocol, the server endpoint must contain a digital certificate and a private key. The client endpoint (IBM Security Identity Manager) must contain the Certificate Authority (CA) certificate.

To enable SSL communication, install a digital certificate and a private key on the adapter and install the CA certificate on IBM Security Identity Manager.

The default TCP/IP port on the z/OS host for the adapter and server communication is 45580. You can change this port to a different port. When you specify the port number on the adapter service form on IBM Security Identity Manager, make sure that it references the same port number that is configured for the adapter on the z/OS host.

Use the agentCfg utility to configure the adapter. The utility communicates with the adapter through TCP/IP. The TCP/IP port number used is dynamically assigned and is in the range 44970 - 44994. The port number and the range of port numbers cannot be configured.

You can restrict the use of these ports to the CA ACF2 Adapter. To protect these ports with CA ACF2, define the profiles in the CA ACF2 SERVAUTH resource class. For more information, see the z/OS Communications Server, IP Configuration Guide.


Chapter 2. Installation planning

Installing and configuring the adapter involves several steps that you must complete in an appropriate sequence. Review the roadmaps before you begin the installation process.

Preinstallation roadmap

You must prepare the environment before you can install the adapter.

Perform the tasks that are listed in the following table.

Table 1. Preinstallation roadmap

Task: Obtain the installation software.
For more information: Download the software from the IBM Passport Advantage® website. See “Software download” on page 4.

Task: Verify that your environment meets the software and hardware requirements for the adapter.
For more information: See “Prerequisites.”

Installation roadmap

You must complete the necessary steps to install the adapter, including completing post-installation configuration tasks and verifying the installation.

To install the adapter, complete the tasks that are listed in the following table.

Table 2. Installation roadmap

Task: Install and configure the adapter.
For more information: See Chapter 3, “Adapter installation and configuration,” on page 5.

Task: Import the adapter profile.
For more information: See “Importing the adapter profile into the IBM Security Identity Manager server” on page 14.

Task: Verify the profile installation.
For more information: See “Adapter profile installation verification” on page 15.

Task: Create a service.
For more information: See “Creating a CA ACF2 Adapter service” on page 15.

Task: Configure the adapter.
For more information: See “Adapter configuration for IBM Security Identity Manager” on page 19.

Task: Customize the adapter.
For more information: See “CA ACF2 Adapter customization” on page 45.

Prerequisites

You must verify the hardware, software, and authorization prerequisites before installing the adapter.


Verify that your environment meets all the prerequisites before installing the adapter.

Table 3. Prerequisites to install the adapter

Operating System: z/OS version 1.12, z/OS version 1.13, or z/OS version 2.1
Managed Resource: CA ACF2 R14 or CA ACF2 R15
Network Connectivity: Internet Protocol network
Server Communication: Communication must be tested with a low-level communications ping from the IBM Security Identity Manager server to the MVS server. When you do so, troubleshooting becomes easier if you encounter installation problems.
IBM Security Identity Manager server: Version 6.0
Required authority: To complete the adapter installation procedure, you must have system administrator authority.

Organizations with multiple CA ACF2 databases must have the adapter installed on a z/OS host that manages the database. You can manage a single CA ACF2 database with a single instance of the CA ACF2 Adapter.

Note: Support for Sysplex failover is not implemented. When the participating image of the Sysplex running the adapter becomes inoperative:
1. Restart the failed z/OS image.
2. Restart the adapter.

You can also pre-configure an alternate instance of the adapter for use on another image. You must already have this type of environment set up and the necessary resources available. The related service instance on the IBM Security Identity Manager server might require updates if the alternate image is known through a different IP address.

Software download

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.


Chapter 3. Adapter installation and configuration

Install and configure the CA ACF2 Adapter to enable the adapter to work in a non-secure environment.

Installing and configuring the CA ACF2 Adapter involves the following tasks:
1. “Uploading the adapter package on z/OS”
2. “Installing the ISPF dialog”
3. “Running the ISPF dialog” on page 6

Note: The screens displayed in these tasks are examples; the actual screens displayed might differ.

Uploading the adapter package on z/OS

You must upload the adapter package to the operating system.

Before you begin

Obtain the software. See “Software download” on page 4.

Procedure
1. Extract the installation package on your local workstation and ensure that a file named ISIMACF2.UPLOAD.XMI exists. The file is in the z/OS Time Sharing Option (TSO) TRANSMIT/RECEIVE format.
2. Transfer the file. You can use any method for transferring the file provided that the resulting file is in FB 80 format. This example shows how to use FTP to transfer the file from your workstation to MVS.

   ftp host
   user/password
   cd HLQ
   site recfm=fb lrecl=80 blksize=0 tracks pri=500 sec=100
   bin
   put ISIMACF2.UPLOAD.XMI
   quit

   Note: If you cannot specify these characteristics with your method, you must pre-allocate the data set.
3. Receive the uploaded file with the TSO RECEIVE command:

   RECEIVE INDA(ISIMACF2.UPLOAD.XMI)

4. Press Enter to create a Partitioned Data Set (PDS) file with the name userid.ISIMACF2.UPLOAD, where userid is your TSO User ID.
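The transfer in step 2 can be scripted. The following POSIX shell script is an added example and is not part of the IBM guide. Before it sends anything it checks that the local ISIMACF2.UPLOAD.XMI is a whole number of 80-byte records: a TRANSMIT/RECEIVE (XMI) file is exactly that, and a file that was extracted or converted in text mode no longer is, so the later RECEIVE fails on a data set that FTP happily allocated as FB 80. It then writes the same FTP command sequence the guide shows, reading the password from the FTP_PASS environment variable rather than the command line. The host name, user ID and HLQ arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): non-interactive version of the
# FTP upload of ISIMACF2.UPLOAD.XMI to MVS, with a pre-flight check that the
# local file is still a sequence of fixed 80-byte records.

# xmi_check FILE -> 0 if FILE exists, is non-empty and its size is a multiple
# of 80 (the record length the `site recfm=fb lrecl=80` allocation expects).
xmi_check() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || { echo "empty: $f" >&2; return 1; }
    [ $((size % 80)) -eq 0 ] || { echo "$f is $size bytes, not FB 80" >&2; return 1; }
    return 0
}

# ftp_script HOST USER HLQ FILE -> prints the FTP command script on stdout.
# The password comes from $FTP_PASS so it is not visible in `ps` output or
# shell history; `bin` must precede `put` so the XMI is not ASCII-translated.
ftp_script() {
    host=$1; user=$2; hlq=$3; file=$4
    cat <<EOF
open $host
user $user ${FTP_PASS:?set FTP_PASS}
cd $hlq
site recfm=fb lrecl=80 blksize=0 tracks pri=500 sec=100
bin
put $file ISIMACF2.UPLOAD.XMI
quit
EOF
}

# upload HOST USER HLQ FILE -> runs the check, then feeds the script to ftp.
upload() {
    xmi_check "$4" || return 1
    ftp_script "$1" "$2" "$3" "$4" | ftp -n -v
}
```

Run it as `FTP_PASS=... sh upload.sh` with a final line `upload mvs.example.com ibmuser IBMUSER ISIMACF2.UPLOAD.XMI` (host, user and HLQ are placeholders). After the transfer, continue with the TSO RECEIVE in step 3.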

Installing the ISPF dialog

Install the ISPF dialog so you can install and configure the CA ACF2 Adapter.

Procedure
1. Log on to a z/OS operating system.
2. From ISPF 6 option, run the INSTALL1 exec:

   EXEC 'userid.ISIMACF2.UPLOAD(INSTALL1)'

   where userid is your TSO User ID.
3. Specify a high-level qualifier (hlq) for the data sets that the INSTALL1 exec creates. When you do not specify a high-level qualifier, the exec uses userid.ISIMACF2 as the high-level qualifier. Note the hlq that you specify, because you use it to start the ISPF dialog later.

Results

When you run the exec, the exec creates the listed hlq data sets.

Table 4. ISPF dialog data sets

High-level qualifier Library

hlq.SAGACENU CLIST/EXEC library

hlq.SAGAMENU ISPF message library

hlq.SAGATPENU ISPF panel library

hlq.SAGATSENU ISPF skeleton library

Note: The AGACCFG exec allocates the libraries.

Running the ISPF dialog

Run the ISPF dialog to customize the adapter for run time execution.

Before you begin

Before you perform this task, you must install the ISPF dialog.

About this task

The dialog presents the default values for the parameters; however, you can set your own values. The ISPF dialog creates the Job Control Language (JCL) job streams with the installation parameters that you selected. The JCL job streams are required for adapter installation.

Procedure
1. Log on to TSO on the z/OS operating system.
2. From ISPF 6 option, run the following command to start the ISPF dialog:

   EXEC 'hlq.SAGACENU(AGACCFG)'

When the ISPF dialog starts, ISPF 6 displays this screen.

------------------- ISIM CA ACF2 Adapter Customization -------------------
Option ===>                                                    Location: 1

Security Identity Manager CA ACF2 Adapter

Initial Customization

1 Initial Customization
  If this is a new installation, select this option.

X Exit

Note: As you run the dialog,
• You can return to the previous menu at any time by pressing F3 or selecting END on the Menu selection screen.
• If you press F3 on a data entry screen, the values that you entered are not saved.
• When you fill the data entry screen and it is validated without errors, the software returns to the previous screen.

3. Type 1 to select Initial Customization. The Initial Customization page lists the high-level tasks that you must perform.

------------------- ISIM CA-ACF2 Adapter Customization -------------------
Option ===>                                                 Location: 1-> 1

Initial Installation

1 Load Default or Saved Variables.
  You must load either the default variables, or your previously saved variables prior to defining or altering.

2 Display / Define / Alter Variables.
  Select or change specifications for this server or node.

3 Generate Job Streams.
  You must have performed choices 1 and 2 before performing this choice.

4 Save All Variables.
  Save variable changes to an MVS data set.

5 View instructions for job execution and further tailoring.
  This displays customized instructions, based on your inputs.

4. Select Load Default or Saved Variables.

------------------- ISIM CA-ACF2 Adapter Customization -------------------
Option ===>                                              Location: 1->1-> 1

Load Variables

The IBM supplied defaults are in IBMUSER.ISIMACF2.SAGACENU(AGACDFLT)
If you remove the name specified below, the defaults will be loaded.

To load previously saved variables, specify the fully qualified
data set name without quotes.

===>

5. Take one of the following actions:
• Specify the fully qualified name of the data set that includes previously saved variables.
• If none exists, leave the field blank to load the default variables.
6. Press PF3 (Cancel) or Enter after final input (Accept) to return to the Initial Installation panel.

7. Select Display / Define / Alter Variables.


------------------- ISIM ACF2 Adapter Customization -------------------
Option ===>                                              Location: 1->1-> 2

Specify or Alter variables for this configuration.

1 Disk location parameters.
  Define / alter data set and Unix System Services locations.

2 Adapter specific parameters.
  Define / alter ISIM server to adapter runtime parameters.

** Indicates option has been visited during this session.

Select an option, or press F3 to return to main menu selection.

a. Select Disk location parameters. The Disk location parameters page defines or alters data set and UNIX System Services (USS) locations.

------------------- ISIM ACF2 Adapter Customization -------------------
Option ===>

Input Data Sets

Fully qualified data set name of the UPLOAD data set.
===> IBMUSER.ISIMACF2.UPLOAD

Enter data set names, volume ID, Storage Class and z/OS Unix directories.

USS Adapter read-only home
===> /usr/lpp/isimcaacf2

USS Adapter read/write home
===> /var/ibm/isimcaacf2

Storage Class ===> STORCLAS
and/or
Disk Volume ID ===> DSKVOL

Fully qualified data set name of Adapter Load Library
===> IBMUSER.ISIMACF2.LOAD

Fully qualified data set name of Adapter EXEC Library
===> IBMUSER.ISIMACF2.EXEC

b. Supply the following information:

Fully qualified data set name of the UPLOAD data set
Specifies the name of the data set that you received earlier. For example, IBMUSER.ISIMACF2.UPLOAD.

Unix System Services (USS) Adapter read-only home
Specifies the location where the adapter USS binary files are stored. The adapter installer creates the directories and the subordinate directories later.

USS Adapter read/write home
Specifies the location where the adapter registry file, certificates, and log files are written. The adapter installer creates the directories and the subordinate directories later.

Note: The read-only home and the read/write home must be in different locations. If they are the same location, the installation might fail.

Storage class
Specifies the storage class for the Load and EXEC libraries.

DASD (Disk) volume ID
Specifies the Disk ID for the Load and EXEC libraries.

Fully qualified data set name of Adapter Load Library and Fully qualified data set name of Adapter EXEC Library
Specify the fully qualified data set name for the Load and EXEC libraries.

c. Press PF3 (Cancel) or Enter after final input (Accept) to return to the Specify or Alter variables for this configuration panel.

d. Select Adapter specific parameters. The Adapter specific parameters define or alter the IBM Security Identity Manager or adapter run time parameters.

------------------- ISIM CA-ACF2 Adapter Customization -------------------
Option ===>

Adapter specific parameters

Name of adapter instance ===> CAACF2AGENT

Name of Started Task JCL procedure name ===> ISIAGNT

IP Communications Port Number ===> 45580
Note: The adapter will always require access to ports 44970 through 44994.
These ports are implicitly reserved.

Adapter authentication ID (internal) ===> agent

Adapter authentication password (internal) ===> agent

ACF2 Date Format (MDY, DMY, YMD) ===> MDY

PDU backlog limit ===> 2000

Do you want passwords set as expired? ===> TRUE (True, False)

Do you use SYS1.BRODCAST in the environment? ===> TRUE (True, False)

CA ACF2 OMVS Group for the ISIM Logon ID ===> STCUSS

OMVS UID to be assigned to LID (non-zero) ===> 123456789

e. Supply the following information:

Name of adapter instance
Specifies the unique name assigned to the adapter instance. When more than one adapter is active in the same Logical Partition (LPAR), use a different adapter name for each instance.

Name of the Started Task JCL procedure name
Specifies the name of the JCL member that is created. You can use the name of the JCL member as the ACF2 Login ID for the adapter.

IP Communications Port Number
Specifies the IP Communications Port Number; the default is 45580. When more than one adapter is active in the same LPAR, use a different port number for each adapter instance. Do not choose a port in the range 44970 through 44994, which the adapter reserves for the agentCfg utility.

Adapter authentication ID and Adapter authentication password
Specifies the adapter authentication ID and password that are stored in the adapter registry. The ID and password are used to authenticate the IBM Security Identity Manager server to the CA ACF2 adapter. These two parameters must also be specified on the adapter service form that is created on IBM Security Identity Manager. The values shown on the panel (agent/agent) are placeholders; replace them with values of your own before you generate the job streams, because any client that knows them can issue requests to the adapter.

ACF2 date format
Specifies the date format, which must match the date format configured in ACF2.

PDU backlog limit
Specifies the number of entries that can be in the queue for sending to the IBM Security Identity Manager server. The higher the number, the greater the throughput on reconciliations; however, this also results in higher storage utilization.

Do you want passwords set as expired
Specifies whether the passwords must be set as expired or non-expired. The default value is TRUE; change it to FALSE if you want all passwords set as non-expired.

Do you use SYS1.BRODCAST in the environment
Specifies whether your TSO environment uses the SYS1.BRODCAST data set for TSO logon messages and notifications. The default value is TRUE.

CA ACF2 OMVS Group for the ISIM Logon ID
Specifies a z/OS UNIX GROUP with a GID. A GID is a UNIX Group ID, which is a unique number assigned to a UNIX group name. The adapter operates as a z/OS UNIX process and requires this information.

OMVS UID to be assigned to LID (non-zero)
Specifies a unique UID number for the IBM Security Identity Manager logonid. Ensure that you specify a non-zero number as the UID number; UID 0 is the z/OS UNIX superuser.

f. Press PF3 (Cancel) or Enter after final input (Accept) to return to the Specify or Alter variables for this configuration panel.

g. Press PF3 to return to the Installation panel.

8. Select Generate Job Streams. This screen displays the default data set names that are generated to store the job streams and data. You might change the default names on this screen as per the requirements of your organization. These data sets are not used at adapter run time.

------------------- ISIM CA ACF2 Adapter Customization -------------------
Option ===>

Generate the job streams

Specify two fully qualified data set names. These data sets will be
populated with the job streams and their input data elements.
Specify the data set names, without quotes. If these data sets do not
exist, they will be created.

Data set name for job streams to be stored.
===> IBMUSER.ISIMACF2.CNTL

Data set name for data elements required by generated job streams.
===> IBMUSER.ISIMACF2.DATA

Enter your installation job statement parameters here:

=> //JOBNAME JOB (ACCTNO,ROOM),'&SYSUID',CLASS=A,MSGCLASS=X,
=> //         NOTIFY=&SYSUID
=> //*


Specify valid parameters for the installation JCL JOB statement and press Enter to create job streams (members) and data members. Control returns to the Initial Installation panel.

9. Select Save All Variables to save all the changes that you made to the data set. You can use the same data set when you select Load Default or Saved Variables. Specify a data set name to save all your settings for the adapter configuration as described in this screen.

------------------- ISIM CA ACF2 Adapter Customization -------------------
Option ===>

Save variables to a data set.

Specify the data set where the variables specified in this session are
to be saved. Specify a fully qualified data set name, without quotes.
If the data set does not exist, a sequential data set will be created.

===> IBMUSER.ISIMACF2.CONFIG

10. Select View instructions for job execution and further tailoring. To view the adapter settings and instructions to run the generated job streams, see the hlq.ISIMACF2.CNTL(INSTRUCT) data set. Follow the instructions specified in the hlq.ISIMACF2.CNTL(INSTRUCT) data set to complete the configuration.

Results

After completing the steps for running the ISPF dialog, the adapter is configured in a non-secure mode. To configure the adapter in a secure mode, you must perform additional steps. For more information about Secure Socket Layer (SSL), see “SSL authentication configuration for the z/OS adapter” on page 48.

Starting and stopping the adapter

Various installation and configuration tasks might require the adapter to be restarted to apply the changes.

Before you begin

Start the adapter as a started task, where the started task JCL is customized and installed in a system procedure library.

About this task

ISIAGNT is the name of the JCL procedure that represents the adapter.

The ISIAGNT task listens on two IP ports. These two ports are used for:
• Communication between the IBM Security Identity Manager server and the adapter
• The agentCfg utility

Note: You can define _BPX_SHAREAS=YES in the /etc/profile. This setting enables the adapter to run in a single address space, instead of multiple address spaces. Newer releases of z/OS create two address spaces with this environment variable set. For more information, see “z/OS UNIX System Services considerations for z/OS Adapter” on page 19.


Procedure

1. To start the adapter, run the MVS console start command:

START ISIAGNT

2. To stop the adapter, perform one of the following steps:

• If the USS environment is running with _BPX_SHAREAS=YES, then run one of the following stop commands:

STOP ISIAGNT
P ISIAGNT

• If the USS environment is running with the _BPX_SHAREAS=YES setting in a newer release of z/OS, run the following command:

P ISIAGNT1

• If an MVS STOP command does not stop the adapter, run the following command:

CANCEL ISIAGNT

CA ACF2 access configuration

Determine your needs and configure how the adapter accesses CA ACF2 information. The installation process configures most of the definitions that are necessary for the adapter to function. For more information, see the job streams that are generated during the installation process.

CA ACF2 logonid

The adapter must run under a valid CA ACF2 loginid, with access to z/OS UNIX System Services, and a valid UID.

The group of this user must have a valid GID. Unless surrogate logonids are being used, the adapter must have the authority to change, create, delete, and list the required logonids. For example, for access to all logonids set ACCOUNT and SECURITY authority with no scope list set. The adapter logonid must also have STC authority. It must have either SECURITY or AUDIT to perform a reconciliation, because it reads infostorage.

Example

The following commands are an example of how to define the CA ACF2 Adapter to manage all accounts on this CA ACF2 database:

ACF
SET ACF
* The ISIM CAACF2 adapter requires administrator privileges
* OMVS attributes
INSERT ISIAGNT NAME('ISIM ACF2 ADAPTER') PASSWORD(GHTY)
CHANGE * ACCOUNT DUMPAUTH JOB NOMAXVIO NON-CNCL REFRESH SECURITY STC
CHANGE * GROUP(OMVSGRP) OPERATOR
SET PROFILE(USER) DIV(OMVS)
INSERT ISIAGNT UID(12345) OMVSPGM(/bin/sh) -
  HOME(/u/isim/readwrite)
* Refresh the OMVS tables
F ACF2,OMVS

Surrogate user loginids

A surrogate user has the level of authority that is assigned to the other user. The adapter task loginid runs as a surrogate user on behalf of the loginid that is defined in the ACF2 service form.


You must use surrogate user loginids only if:
• The installation uses 'business unit support'.
• A single instance of the adapter supports a single CA ACF2 database.
• The IBM Security Identity Manager has multiple service instances, and each represents a different business unit in the organization.

Note: If a single IBM Security Identity Manager service instance supports all the CA ACF2 IDs in the CA ACF2 database, surrogate user authority is not needed.

For the adapter to perform requests on behalf of another user, you must define one or more SURROGAT class rules.

Note: The infodir might need to be updated to define the type SUR.

Communication configuration

Import, then verify, the adapter profile to create an adapter service. See the detailed steps to configure the IBM Security Identity Manager server to communicate with the adapter in the following section.

The following tasks establish communication between IBM Security Identity Manager and the adapter:

1. “Importing the adapter profile into the IBM Security Identity Manager server” on page 14
2. “Adapter profile installation verification” on page 15
3. “Creating a CA ACF2 Adapter service” on page 15

Adapter profile creation

To use the CA ACF2 database with IBM Security Identity Manager you must create an adapter profile.

You must perform the following tasks to enable communication between IBM Security Identity Manager and the managed resource.
• Build the adapter profile. See “Building the adapter profile.”
• Import the adapter profile. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 14.

Building the adapter profile

The adapter installation generates a schema file. This schema file must be merged into the distributed profile, the CAACF2Profile.jar file.

Procedure

1. Copy the CAACF2Profile.jar file that is packaged with the adapter to a temporary directory.

2. From the command prompt, run the following command to create the subdirectory, CAACF2Profile, in the temporary directory:

jar xvf CAACF2Profile.jar

3. Change the directory to the CAACF2Profile subdirectory. For example, run the following command:

cd CAACF2Profile

4. From the z/OS operating system, download the member userid.ISIMACF2.DATA(ISIMSCHM) to the CAACF2Profile subdirectory.

5. Rename the ISIMSCHM file to schema.dsml.

Note: The CAACF2Profile subdirectory already contains the following files:
• resource.def
• eracf2Account.xml
• eracf2Service.xml
• Customlabels.properties

6. Change the directory to the parent directory.

7. Run the following command from the command prompt to create the CAACF2Profile.jar file:

jar cvf CAACF2Profile.jar CAACF2Profile
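The seven steps above can be scripted and checked. The following Python script is an added example, not IBM's tooling: it performs the extract, merge and repackage steps with the standard zipfile module in place of the jar command and refuses to build the jar if any of the listed profile files is missing or empty. The sample jar contents and ISIMSCHM text it creates are constructed stand-ins for the real distributed profile and the member downloaded from z/OS.

```python
"""Merge the ISIMSCHM schema into CAACF2Profile.jar and verify the result.

Added example (not IBM's tooling): reproduces steps 1-7 of "Building the
adapter profile" with Python's zipfile instead of the jar command. The
sample jar and ISIMSCHM content created by build_sample_inputs() are
constructed for the demonstration only.
"""
import tempfile
import zipfile
from pathlib import Path

PROFILE_DIR = "CAACF2Profile"
# Files the extracted CAACF2Profile directory already contains, plus the
# schema member that the adapter installation generates (renamed in step 5).
REQUIRED_FILES = ("resource.def", "eracf2Account.xml", "eracf2Service.xml",
                  "Customlabels.properties", "schema.dsml")
# The jar tool writes a manifest; zipfile does not, so add a minimal one.
MANIFEST = "Manifest-Version: 1.0\r\n\r\n"


def extract_profile(jar_path: Path, temp_dir: Path) -> Path:
    """Steps 1-2: unpack the distributed jar into the temporary directory."""
    with zipfile.ZipFile(jar_path) as jar:
        jar.extractall(temp_dir)
    return temp_dir / PROFILE_DIR


def merge_schema(profile_dir: Path, isimschm: Path) -> Path:
    """Steps 4-5: place the downloaded ISIMSCHM member as schema.dsml."""
    target = profile_dir / "schema.dsml"
    target.write_bytes(isimschm.read_bytes())
    return target


def missing_files(profile_dir) -> list:
    """Names from REQUIRED_FILES that are absent or empty in profile_dir."""
    profile_dir = Path(profile_dir)
    return [name for name in REQUIRED_FILES
            if not (profile_dir / name).is_file()
            or (profile_dir / name).stat().st_size == 0]


def repackage(profile_dir: Path, jar_path: Path) -> list:
    """Steps 6-7: rebuild CAACF2Profile.jar from the parent directory, keeping
    the CAACF2Profile/ prefix that `jar cvf CAACF2Profile.jar CAACF2Profile`
    produces. Returns the sorted archive member names."""
    missing = missing_files(profile_dir)
    if missing:
        raise FileNotFoundError(f"profile directory incomplete: {missing}")
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", MANIFEST)
        for path in sorted(profile_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(profile_dir)
                jar.write(path, (Path(PROFILE_DIR) / rel).as_posix())
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(jar.namelist())


def build_sample_inputs(temp_dir: Path) -> tuple:
    """Construct a stand-in distributed jar and ISIMSCHM member (sample data,
    not the real profile). The sample jar carries the four files the guide
    lists; schema.dsml comes from the adapter installation."""
    jar_path = temp_dir / "CAACF2Profile.jar"
    with zipfile.ZipFile(jar_path, "w") as jar:
        for name in REQUIRED_FILES[:-1]:
            jar.writestr(f"{PROFILE_DIR}/{name}", f"# sample {name}\n")
    isimschm = temp_dir / "ISIMSCHM"
    isimschm.write_text('<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">\n'
                        "<!-- sample schema, stands in for ISIMSCHM -->\n"
                        "</dsml:dsml>\n")
    return jar_path, isimschm


def run_merge() -> list:
    """Run the whole procedure on the sample inputs; return the jar members."""
    with tempfile.TemporaryDirectory() as tmp:
        temp_dir = Path(tmp)
        jar_path, isimschm = build_sample_inputs(temp_dir)
        profile_dir = extract_profile(jar_path, temp_dir)
        merge_schema(profile_dir, isimschm)
        return repackage(profile_dir, jar_path)


if __name__ == "__main__":
    for member in run_merge():
        print(member)
```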

Results

The CAACF2Profile.jar file includes all the files that are required to define the adapter schema, account form, service form, and profile properties. You can extract the files from the JAR file to modify the necessary files and then repackage the JAR file with the updated files. You can add site-defined fields to the account form. See the IBM Security Identity Manager Information Center for additional information.

Importing the adapter profile into the IBM Security Identity Manager server

An adapter profile defines the types of resources that the IBM Security Identity Manager server can manage. Use the profile to create an adapter service on IBM Security Identity Manager and establish communication with the adapter.

Before you begin

Verify that your environment meets the following conditions:
• The IBM Security Identity Manager server is installed and running.
• You have root or Administrator authority on the IBM Security Identity Manager server.

About this task

The IBM Security Identity Manager server requires an adapter profile that recognizes the adapter as a service. The files that are packaged with the adapter include the adapter JAR file, CAACF2Profile.jar. You can import the adapter profile as a service profile on the server with the Import feature of IBM Security Identity Manager.

The CAACF2Profile.jar file includes all the files that are required to define the adapter schema, account form, service form, and profile properties. You can extract the files from the JAR file to modify the necessary files and package the JAR file with the updated files.

To import the adapter profile, perform the following steps:

Procedure

1. Log on to the IBM Security Identity Manager server. Use an account that has the authority to perform administrative tasks.

2. In the My Work pane, expand Configure System.

3. Click Manage Service Types.

4. On the Manage Service Types page, click Import to display the Import Service Types page.

5. Specify the location of the CAACF2Profile.jar file in the Service Definition File field. Perform one of the following actions:
a. Type the complete location of where the file is stored.
b. Use Browse to navigate to the file.

6. Click OK.

7. Restart the IBM Security Identity Manager for the change to take effect.

What to do next

If you receive a schema-related error, see the trace.log file for information about it. The trace.log file location is specified by the handler.file.fileDir property that is defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is in the ISIM_HOME\data directory.

Adapter profile installation verification

After you install the adapter profile, verify that the installation was successful.

An unsuccessful installation:
• Might cause the adapter to function incorrectly.
• Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with the adapter profile. For more information about creating a service, see “Creating a CA ACF2 Adapter service.”

If you cannot create a service with the adapter profile or open an account on the service, the adapter profile is not installed correctly. You must import the adapter profile again. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 14.

Creating a CA ACF2 Adapter service

After the adapter profile is imported on IBM Security Identity Manager, you must create a service so that IBM Security Identity Manager can communicate with the adapter.

Before you begin

Import the CA ACF2 Adapter profile into the IBM Security Identity Manager server.

About this task

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

Procedure

1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.

2. In the My Work pane, click Manage Services and click Create.

3. On the Select the Type of Service page, select CA ACF2 Profile.

4. Click Next to display the adapter service form.

5. Complete the following fields on the service form:

On the General Information tab:

Service Name
    Specify a name that identifies the CA ACF2 Adapter service on the IBM Security Identity Manager server.

Service Description
    Optional: Specify a description that identifies the service for your environment. You can specify additional information about the service instance.

URL
    Specify the location and port number of the adapter. The port number is defined during installation, and can be viewed and modified in the protocol configuration by using the agentCfg utility. For more information about protocol configuration settings, see “Changing protocol configuration settings” on page 21.

    Note: If https is part of the URL, you must configure the adapter for SSL authentication. Do not configure the adapter for SSL authentication if http is part of the URL. For more information, see “SSL authentication configuration for the z/OS adapter” on page 48.

User ID
    Specify the name that you defined at installation as the Adapter authentication ID. This name is in the registry. The default value is agent.

Password
    Specify the password that you defined at installation for the Adapter authentication ID. The default value is agent.

CA ACF2 ID under which requests will be processed
    Optional: Specify a loginid other than the one that is used by the adapter. This loginid might have administrative authority over a subset of logonids within the CA ACF2 database.

Owner
    Optional: Specify the service owner, if any.

Service Prerequisite
    Optional: Specify an existing IBM Security Identity Manager service.

On the Status and information tab:
    This page contains read-only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

Last status update: Date
    Specifies the most recent date when the Status and information tab was updated.

Last status update: Time
    Specifies the most recent time of the date when the Status and information tab was updated.

Managed resource status
    Specifies the status of the managed resource that the adapter is connected to.

Adapter version
    Specifies the version of the adapter that the IBM Security Identity Manager service uses to provision requests to the managed resource.

Profile version
    Specifies the version of the profile that is installed in the IBM Security Identity Manager server.

ADK version
    Specifies the version of the ADK that the adapter uses.

Installation platform
    Specifies summary information about the operating system where the adapter is installed.

Adapter account
    Specifies the account that is running the adapter binary file.

Adapter up time: Date
    Specifies the date when the adapter started.

Adapter up time: Time
    Specifies the time of the date when the adapter started.

Adapter memory usage
    Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Also:
• Verify the adapter log to ensure that the IBM Security Identity Manager test request was successfully sent to the adapter.
• Verify the adapter configuration information.
• Verify the IBM Security Identity Manager service parameters for the adapter profile. For example, verify the workstation name or the IP address of the managed resource and the port.

6. Click Finish.

Verifying that the ACF2 adapter is working correctly

After you install and configure the adapter, take steps to verify that the installation and configuration are correct.

Procedure

1. Test the connection for the service that you created on IBM Security Identity Manager.

2. Run a full reconciliation from IBM Security Identity Manager.

3. Run all supported operations such as add, modify, and delete on one user account.

4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.

5. Verify the IBM Security Identity Manager log file trace.log to ensure that no errors are reported when you run an adapter operation.

Chapter 4. Post-installation first steps

After you install the adapter, you must perform several other tasks. The tasks include configuring the adapter, setting up SSL, installing the language pack, and verifying that the adapter works correctly.

Adapter configuration for IBM Security Identity Manager

Use the adapter configuration tool, agentCfg, to view or modify the adapter parameters.

All the changes that you make to the parameters with agentCfg take effect immediately. You can also use agentCfg to view or modify configuration settings from a remote workstation. For more information about specific procedures to use additional arguments, see Table 18 on page 44 in “Accessing help and additional options” on page 43.

Note: The screens displayed in this section are examples; the actual screens might differ.

z/OS UNIX System Services considerations for z/OS Adapter

UNIX System Services creates a task for each child process. If you define _BPX_SHAREAS=YES in the /etc/profile, the adapter runs in a single address space, instead of multiple address spaces.

By defining this setting, you can use the same name to start and stop a task. Newer releases of z/OS create two address spaces with this environment variable set, for example ISIAGNT and ISIAGNT1. In this case, the task must be stopped by issuing the stop command to the task ISIAGNT1. This setting affects other areas of UNIX System Services. See the z/OS UNIX System Services Planning, document GA22-7800.

You must correctly define the time zone environment variable (TZ) in /etc/profile for your time zone. The messages in the adapter log then reflect the correct local time. See z/OS UNIX System Services Planning, document GA22-7800, for more details about this setting.

Starting the adapter configuration tool

You can use the adapter configuration program, agentCfg, to view or modify the adapter parameters. All the changes that you make to the parameters with the agentCfg utility take effect immediately.

About this task

You can also use agentCfg to view or modify configuration settings from a remote workstation. For more information about using additional arguments, see “Accessing help and additional options” on page 43.

To start the adapter configuration tool, agentCfg, for CA ACF2 Adapter parameters, perform the following steps:

Procedure

1. Log on to the TSO on the z/OS operating system that hosts the adapter.

2. Run the following command and press Enter to enter the USS shell environment:

omvs

Optional: You can also enter the USS shell environment through a telnet session.

3. From the command prompt, change to the /bin subdirectory of the adapter in the read/write directory.

Note: There is a /bin subdirectory in the adapter read-only directory too. The read/write /bin subdirectory contains scripts that set up environment variables, then call the actual executables that reside in the read-only /bin directory. You must start the adapter tools by running the scripts in the read/write directory, otherwise errors might occur.

4. If the adapter is installed in the default location for the read/write directory, run the following command:

# cd /var/ibm/isimcaacf2/bin

5. Run the following command:

agentCfg -agent CAACF2Agent

You specified the adapter name when you installed the adapter. You can find the names of the active adapters by running agentCfg as:

agentCfg -list

6. At Enter configuration key for Agent 'CAACF2Agent', type the configuration key for the adapter. The default configuration key is agent.

Note: To prevent unauthorized access to the configuration of the adapter, you must modify the configuration key after the adapter installation completes. For more information, see “Changing protocol configuration settings” on page 21.

CAACF2Agent 6.0 Agent Main Configuration Menu
-------------------------------------------
A. Configuration Settings.
B. Protocol Configuration.
C. Event Notification.
D. Change Configuration Key.
E. Activity Logging.
F. Registry Settings.
G. Advanced Settings.
H. Statistics.
I. Codepage Support.

X. Done

Select menu option:

From the Agent Main Configuration Menu screen, you can configure the protocol, view statistics, and modify settings, including configuration, registry, and advanced settings.

Table 5. Options for the main configuration menu

Option   Configuration task                          For more information
A        Viewing configuration settings              See “Viewing configuration settings” on page 21.
B        Changing protocol configuration settings    See “Changing protocol configuration settings.”
C        Configuring event notification              See “Event notification configuration” on page 25.
D        Changing the configuration key              See “Changing the configuration key” on page 35.
E        Changing activity logging settings          See “Changing activity logging settings” on page 36.
F        Changing registry settings                  See “Modifying registry settings” on page 38.
G        Changing advanced settings                  See “Changing advanced settings” on page 40.
H        Viewing statistics                          See “Viewing statistics” on page 41.
I        Changing code page settings                 See “Modifying code page settings” on page 41.

Viewing configuration settings

You might want to view the adapter configuration settings for information about the adapter such as the version, the ADK version, and the adapter log file name.

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.

2. Type A to display the configuration settings for the adapter.

Configuration Settings
-------------------------------------------
Name                        : CAACF2Agent
Version                     : 6.0
ADK Version                 : 6.0
ERM Version                 : 6.0
Adapter Events              : FALSE
License                     : NONE
Asynchronous ADD Requests   : FALSE (Max.Threads:3)
Asynchronous MOD Requests   : FALSE (Max.Threads:3)
Asynchronous DEL Requests   : FALSE (Max.Threads:3)
Asynchronous SEA Requests   : FALSE (Max.Threads:3)
Available Protocols         : DAML
Configured Protocols        : DAML
Logging Enabled             : TRUE
Logging Directory           : /var/ibm/isimcaacf2/log
Log File Name               : adapter_name.log
Max. log files              : 3
Max.log file size (Mbytes)  : 1
Debug Logging Enabled       : TRUE
Detail Logging Enabled      : FALSE
Thread Logging Enabled      : FALSE

3. Press any key to return to the Main Menu.

Changing protocol configuration settings

The adapter uses the DAML protocol to communicate with the IBM Security Identity Manager server. By default, when the adapter is installed, the DAML protocol is configured for a nonsecure environment. To configure a secure environment, use Secure Socket Layer (SSL) and install a certificate.

About this task

For more information, see “Installing the certificate on a z/OS adapter” on page 59.

The DAML protocol is the only supported protocol that you can use. Do not addor remove a protocol.

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.

2. Type B. The DAML protocol is configured and available by default for the adapter.

Agent Protocol Configuration Menu
-----------------------------------
Available Protocols: DAML
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.

X. Done

Select menu option

3. At the Agent Protocol Configuration Menu, type C to display the Protocol Properties Menu.

Configure Protocol Menu
-----------------------------------
A. DAML
X. Done
Select menu option

4. Type A to display the Protocol Properties Menu for the configured protocol with protocol properties. The following screen is an example of the DAML protocol properties.

DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME            ******        ;Authorized user name.
B. PASSWORD            ******        ;Authorized user password.
C. MAX_CONNECTIONS     100           ;Max Connections.
D. PORTNUMBER          45580         ;Protocol Server port number.
E. USE_SSL             FALSE         ;Use SSL secure connection.
F. SRV_NODENAME        9.38.215.20   ;Event Notif. Server name.
G. SRV_PORTNUMBER      9443          ;Event Notif. Server port number.
H. HOSTADDR            ANY           ;Listen on address (or "ANY")
I. VALIDATE_CLIENT_CE  FALSE         ;Require client certificate.
J. REQUIRE_CERT_REG    FALSE         ;Require registered certificate.
K. READ_TIMEOUT        0             ;Socket read timeout (seconds)

X. Done

Select menu option:

5. Follow these steps to change a protocol value:

a. Type the letter of the menu option for the protocol property to configure. Table 6 on page 23 describes each property.

b. Take one of the following actions:
• Change the property value and press Enter to display the Protocol Properties Menu with the new value.
• If you do not want to change the value, press Enter.

Table 6. Options for the DAML protocol menu

Option Configuration task

A Displays the following prompt:

Modify Property ’USERNAME’:

Type a User ID, for example, admin.

The IBM Security Identity Manager server uses this value to connect to the adapter.

B Displays the following prompt

Modify Property ’PASSWORD’:

Type a password, for example, admin.

The IBM Security Identity Manager server uses this value to connect to the adapter.

C Displays the following prompt:

Modify Property ’MAX_CONNECTIONS’:

Enter the maximum number of concurrent open connections that the adapter supports.

The default value is 100.

Note: This setting is sufficient and does not require adjustment.

D Displays the following prompt:

Modify Property ’PORTNUMBER’:

Type a different port number.

The IBM Security Identity Manager server uses the port number to connect to the adapter. The default port number is 45580.

E Displays the following prompt:

Modify Property ’USE_SSL’:

TRUE specifies to use a secure SSL connection to connect to the adapter. If you set USE_SSL to TRUE, you must install a certificate. For more information, see “Installing the certificate on a z/OS adapter” on page 59.

FALSE, the default value, specifies not to use a secure SSL connection.

F Displays the following prompt:

Modify Property ’SRV_NODENAME’:

Type a server name or an IP address of the workstation where you installed the IBM Security Identity Manager server.

This value is the DNS name or the IP address of the IBM Security Identity Manager server that is used for event notification and asynchronous request processing.

Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server.

G Displays the following prompt:

Modify Property ’SRV_PORTNUMBER’:

Type a different port number to access the IBM Security Identity Manager server.

The adapter uses this port number to connect to the IBM Security Identity Manager server. The default port number is 9443.

H The HOSTADDR option is useful when the system where the adapter is running has more than one network adapter. You can select the IP address on which the adapter must listen. The default value is ANY.

I Displays the following prompt:

Modify Property ’VALIDATE_CLIENT_CE’:

Specify TRUE for the IBM Security Identity Manager server to send a certificate when it communicates with the adapter. When you set this option to TRUE, you must configure options D through I.

Specify FALSE, the default value, so the IBM Security Identity Manager server can communicate with the adapter without a certificate.

Note:
• The property name is VALIDATE_CLIENT_CERT; however, it is truncated by agentCfg to fit in the screen.
• You must use certTool to install the appropriate CA certificates and optionally register the IBM Security Identity Manager server certificate. See “Using the certTool utility to manage SSL certificates for the z/OS adapter” on page 55.

J Displays the following prompt:

Modify Property ’REQUIRE_CERT_REG’:

This value applies when option I is set to TRUE.

Type TRUE to register the adapter with the client certificate from the IBM Security Identity Manager server before it accepts an SSL connection.

Type FALSE to verify the client certificate against the list of CA certificates. The default value is FALSE.

For more information about certificates, see “SSL authentication configuration for the z/OS adapter” on page 48.

K Displays the following prompt:

Modify Property ’READ_TIMEOUT’:

Specify the timeout value in seconds. The default is 0 and means that no read timeout is set.

Note: READ_TIMEOUT prevents threads from being left open in the adapter and causing 'hang' problems. The open threads might be caused by firewalls or network connection problems. They might be seen as TCP/IP CLOSE_WAIT connections that remain on the adapter. If you encounter such problems, set the value of READ_TIMEOUT to longer than the IBM Security Identity Manager timeout but less than any firewall timeout. The IBM Security Identity Manager timeout is specified by the maximum connection age DAML property.

6. Repeat step 5 to configure the other protocol properties.


7. At the Protocol Properties Menu, type X to exit.
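As an added check (example code, not part of agentCfg or this guide), the following Python parses a DAML Protocol Properties screen as agentCfg prints it and reports the Table 6 settings that leave the adapter in its nonsecure installed state or exposed to the hang described under READ_TIMEOUT. The screen text is the constructed sample from step 4; the ISIM and firewall timeout values passed to audit() are assumptions the caller supplies from the maximum connection age DAML property and the firewall configuration.

```python
"""Audit DAML protocol properties captured from an agentCfg screen.

Added example, not IBM code. parse_properties() reads the lettered rows
of the "DAML Protocol Properties" screen; audit() applies the guidance
from Table 6 (USE_SSL, VALIDATE_CLIENT_CERT, REQUIRE_CERT_REG,
READ_TIMEOUT). The timeout bounds are caller-supplied assumptions.
"""
import re

# Constructed sample: the screen as shown right after installation.
SAMPLE_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection.
F. SRV_NODENAME 9.38.215.20 ;Event Notif. Server name.
G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.
H. HOSTADDR ANY;Listen on address (or "ANY")
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG FALSE ;Require registered certificate.
K. READ_TIMEOUT 0 ;Socket read timeout (seconds)

X. Done
"""

# agentCfg truncates long property names to fit the screen (see Table 6).
TRUNCATED_NAMES = {"VALIDATE_CLIENT_CE": "VALIDATE_CLIENT_CERT"}

# "<letter>. <NAME> <value> ;<description>"; the space before ';' is optional.
LINE_RE = re.compile(r"^([A-Z])\.\s+(\S+)\s+(\S+?)\s*;(.*)$")


def parse_properties(screen: str) -> dict:
    """Return {property_name: value} for every lettered row of the screen."""
    props = {}
    for line in screen.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, name, value, _ = m.groups()
            props[TRUNCATED_NAMES.get(name, name)] = value
    return props


def audit(props: dict, isim_timeout: int, firewall_timeout: int) -> list:
    """Return findings for settings that leave the adapter nonsecure or
    prone to hung threads. Timeouts are seconds; isim_timeout is the DAML
    maximum connection age on the ISIM side, firewall_timeout the idle
    timeout of any firewall between ISIM and the adapter (both assumed)."""
    findings = []
    use_ssl = props.get("USE_SSL") == "TRUE"
    validate = props.get("VALIDATE_CLIENT_CERT") == "TRUE"
    if not use_ssl:
        findings.append("USE_SSL is FALSE: the DAML connection is not "
                        "encrypted; set it to TRUE and install a certificate")
    elif not validate:
        findings.append("VALIDATE_CLIENT_CERT is FALSE: ISIM is not required "
                        "to present a certificate to the adapter")
    if props.get("REQUIRE_CERT_REG") == "TRUE" and not validate:
        findings.append("REQUIRE_CERT_REG is TRUE but only applies when "
                        "VALIDATE_CLIENT_CERT is TRUE")
    timeout = int(props.get("READ_TIMEOUT", "0"))
    if timeout == 0:
        findings.append("READ_TIMEOUT is 0: no socket read timeout, stale "
                        "connections can leave adapter threads hanging")
    elif not (isim_timeout < timeout < firewall_timeout):
        findings.append(f"READ_TIMEOUT {timeout}s must exceed the ISIM "
                        f"timeout ({isim_timeout}s) and stay below the "
                        f"firewall timeout ({firewall_timeout}s)")
    return findings


def hardened(props: dict, read_timeout: int) -> dict:
    """Copy of props with the secure-deployment values from Table 6: SSL on,
    client certificate validation on (the mutual-authentication variant),
    and a read timeout. Certificates must still be installed with certTool."""
    return dict(props, USE_SSL="TRUE", VALIDATE_CLIENT_CERT="TRUE",
                READ_TIMEOUT=str(read_timeout))


if __name__ == "__main__":
    current = parse_properties(SAMPLE_SCREEN)
    for finding in audit(current, isim_timeout=600, firewall_timeout=3600):
        print("FINDING:", finding)
    print("after hardening:", audit(hardened(current, 900), 600, 3600))
```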

Event notification configuration

Event notification detects changes that are made directly on the managed resource and updates the IBM Security Identity Manager server with the changes.

You can enable event notification to obtain the updated information from the managed resource.

When you enable event notification, the workstation on which the adapter is installed maintains a database of the reconciliation data. The adapter updates the database with the changes that are requested from IBM Security Identity Manager and synchronizes with the server. You can specify an interval for the event notification process to compare the database to the data that currently exists on the managed resource. When the interval elapses, the adapter forwards the differences between the managed resource and the database to IBM Security Identity Manager and updates the local snapshot database.

To enable event notification, ensure that the adapter is deployed on the managed host and is communicating successfully with IBM Security Identity Manager. You must also configure the host name, port number, and login information for the IBM Security Identity Manager server and SSL authentication.

Note: Event notification does not replace reconciliations on the IBM Security Identity Manager server.

Identifying the server that uses the DAML protocol and configuring the adapter for SSL

You must identify the server that uses the DAML protocol and configure the adapter to use SSL authentication.

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.

2. At the Agent Protocol Configuration Menu, select Configure Protocol. See “Changing protocol configuration settings” on page 21.

3. Change the USE_SSL property to TRUE.

4. Type the letter of the menu option for the SRV_NODENAME property.

5. Specify the IP address or server name that identifies the IBM Security Identity Manager server. Press Enter to display the Protocol Properties Menu with the new settings.

6. Type the letter of the menu option for the SRV_PORTNUMBER property.

7. Specify the port number that the adapter uses to connect to the IBM Security Identity Manager server for event notification.

8. Press Enter to display the Protocol Properties Menu with the new settings.

9. Install the certificate by using certTool. See “Using the certTool utility to manage SSL certificates for the z/OS adapter” on page 55.

Setting event notification on the IBM Security Identity Manager

You must set event notification for the IBM Security Identity Manager server.

About this task

The example menu describes all the options that are displayed when you enable Event Notification. If you disable Event Notification, none of the options are displayed.

Note: The CA ACF2 for z/OS Adapter does not support adapter-based event notification.

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.

2. At the Agent Main Configuration Menu, type C to display the Event Notification Menu.

Event Notification Menu
--------------------------------------------------------------
*Password attributes       :
* Reconciliation interval  : 1 day(s)
* Configured contexts      : context1
A. Disabled
B. Time interval between reconciliations.
C. Set processing cache size. (currently: 50 Mbytes)
D. Add Event Notification Context.
E. Modify Event Notification Context.
F. Remove Event Notification Context.
G. List Event Notification Contexts.
H. Set password attribute names.
X. Done
Select menu option:

3. At the Agent Main Configuration Menu, type the letter of the menu option thatyou want to change.

Note:

v Enable option A for the values of the other options to take effect. Each time you select this option, the state of the option changes.

v Press Enter to return to the Event Notification Menu without changing the value.


Table 7. Options for the event notification menus

Note: The option letters in this table are those of the generic ADK Event Notification Menu. The menu shown above for this adapter does not list the Set attributes to be reconciled and Reconciliation process priority entries, so the letters of the remaining entries on your system differ from the table. Match entries by their description, not by their letter.

Option Configuration task

A If you select this option, the adapter updates the IBM Security Identity Manager server with changes to the adapter at regular intervals. If Enabled - Adapter is selected, the adapter code processes event notification by monitoring a change log on the managed resource.

When the option is set to:

Disabled
All options except Start event notification now and Set attributes that are to be reconciled are available. Pressing A changes the setting to Enabled - ADK.

Enabled - ADK
All options are available. Pressing A changes the setting to Disabled or, if your adapter supports event notification, to Enabled - Adapter.

Enabled - Adapter
All options are available except Time interval between reconciliations, Set processing cache size, Start event notification now, Reconciliation process priority, and Set attributes to be reconciled. Pressing A changes the setting to Disabled.

Type A to toggle between the options.
Note: The adapter does not support adapter-based event notification (Enabled - Adapter), so that setting is not listed in the event notification menu.

B Displays the following prompt:

Enter new interval([ww:dd:hh:mm:ss])

Type a different reconciliation interval, for example 00:01:00:00:00 for one day.

This value is the time to wait after an event notification run completes before the next run starts. Event notification is resource intensive (each run sends a complete search request for every context and compares the result with the baseline database), so do not set a short interval. This option is not available if you select Enabled - Adapter.

C Displays the following prompt:

Enter new cache size[50]:

Type a different value to change the processing cache size. This option is not available if you select Enabled - Adapter.

D Displays the Event Notification Entry Types Menu, where you select the attributes that are compared during event notification. This option is not available if you select Disabled or Enabled - Adapter. For more information, see “Setting event notification triggers” on page 28.

E Displays the following prompt:

Enter new thread priority [1-10]:

Type a different value to change the priority of the event notification thread. A lower value reduces the impact that event notification has on the adapter's handling of other requests, but might make each event notification run take longer.

F Displays the following prompt:

Enter new context name:

Type the new context name and press Enter. The new context is added.

G Displays a menu that lists the available contexts. For more information, see “Modifying an event notification context” on page 29.

H Displays the Remove Context Menu, which shows the following prompt:

Delete context context1? [no]:

Press Enter to exit without deleting the context, or type Yes and press Enter to delete the context.

I Displays the event notification contexts in the following format:

Context Name : Context1
Target DN : erservicename=context1,o=IBM,ou=IBM,dc=com
--- Attributes for search request ---
{search attributes listed}
-----------------------------------------------

J Set password attribute names. Use this option to name the attributes that carry passwords. Their values are not stored in the state database and changes to them are never sent as events. Without this setting, a password change made through IBM Security Identity Manager is recorded in the local database; the next event notification run cannot read the password back from CA ACF2, so it treats the attribute as removed and sends a delete request that carries the old password in clear text, and that value is then written to the IBM Security Identity Manager log files. Set this option before you enable event notification.

4. If you changed the value for an option that displays a prompt (B, C, E, or F), press Enter. The other options are changed automatically when you type the corresponding letter of the menu option. The Event Notification Menu is displayed with your new settings.

Setting event notification triggers
By default, all attributes are compared for value changes. Exclude attributes that change on every logon, for example Password age or Last successful logon, from event notification; otherwise every logon produces an event for the account.

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Event Notification Menu, type the letter of the option that displays the Event Notification Entry Types Menu.

Event Notification Entry Types
-------------------------------------------
A. erAcf2ACCOUNT
X. Done
Select menu option:

The USER and GROUP types are not displayed in the menu until you meet the following conditions:
v Enable event notification
v Create and configure a context
v Perform a full reconciliation operation
3. Take one of the following actions:

v Type A for a list of the attributes that are returned during a user reconciliation.

v Type B for the attributes that are returned during a group reconciliation.

The Event Notification Attribute Listing for the selected type is displayed. The default setting lists all attributes that the adapter supports. The following example lists example attributes.

Event Notification Attribute Listing
-----------------------------------------------------------------------
{A} ** ERACCOUNTSTATUS  {B} ** ERACF2ACCCNT    {C} ** ERACF2ACCDATE
{D} ** ERACF2ACCOUNT    {E} ** ERACF2ACCSRCE   {F} ** ERACF2ACCTPRIV
{G} ** ERACF2ACF2CICS   {H} ** ERACF2ALLCMDS   {I} ** ERACF2ASSIZE
{J} ** ERACF2AUDIT      {K} ** ERACF2AUTHSUP1  {L} ** ERACF2AUTHSUP2
{M} ** ERACF2AUTHSUP3   {O} ** ERACF2AUTHSUP4  {Q} ** ERACF2AUTHSUP5
{R} ** ERACF2AUTHSUP6   {S} ** ERACF2AUTHSUP7  {T} ** ERACF2AUTHSUP8
(p)rev page 1 of 10 (n)ext
-------------------------------------------------------------------------
X. Done

4. To exclude an attribute from event notification, type the letter of its menu option.

Note: Attributes that are marked with ** are compared and returned during event notification. Attributes that are not marked with ** are ignored during event notification.
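The following Python script is an added example, not code from the manual or the adapter. It models what the two settings above control: an ADK-style event notification run compares the baseline database saved by the previous run against a fresh reconciliation snapshot, skips the attributes deselected in the Event Notification Attribute Listing, and never stores or reports the attributes named under Set password attribute names. The attribute names come from the listing above, but which of them are volatile, the name ERPASSWORD, and the sample records are assumptions made for the example. Running it with the password attribute set left empty reproduces the hazard that option J exists to prevent: the old password comes out in a delete event in clear text.

```python
"""Event notification as a comparison of the baseline database (state saved
by the previous run) against a fresh reconciliation snapshot.

Added example, not code from the manual or the adapter.  Records are keyed
by CA ACF2 logonid and use attribute names from the Event Notification
Attribute Listing; which fields are volatile, and the name ERPASSWORD, are
assumptions made for the example.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

Account = Dict[str, str]
Database = Dict[str, Account]
Event = Tuple[str, str, Optional[str], Optional[str]]  # op, logonid, attr, value

# Names given under "Set password attribute names": never stored in the
# state database and never reported as events.  ERPASSWORD is assumed.
PASSWORD_ATTRS: FrozenSet[str] = frozenset({"ERPASSWORD"})

# Attributes deselected in the Event Notification Attribute Listing because
# they change on every logon (assumed to be the last-access fields).
EXCLUDED_ATTRS: FrozenSet[str] = frozenset(
    {"ERACF2ACCDATE", "ERACF2ACCCNT", "ERACF2ACCSRCE"})


def to_state(account: Account,
             password_attrs: FrozenSet[str] = PASSWORD_ATTRS) -> Account:
    """The form in which a record is written to the state database."""
    return {a: v for a, v in account.items() if a not in password_attrs}


def record_change(state: Database, lid: str, change: Account,
                  password_attrs: FrozenSet[str] = PASSWORD_ATTRS) -> Database:
    """Record a change made through IBM Security Identity Manager in the
    local database, as the adapter does after it processes a request."""
    new_state = {l: dict(a) for l, a in state.items()}
    new_state.setdefault(lid, {}).update(to_state(change, password_attrs))
    return new_state


def diff_accounts(baseline: Database, snapshot: Database,
                  excluded: FrozenSet[str] = EXCLUDED_ATTRS,
                  password_attrs: FrozenSet[str] = PASSWORD_ATTRS) -> List[Event]:
    """Events one run would send.  A changed value goes out as a delete of
    the old value followed by an add of the new one, which is why password
    attributes must never reach this comparison."""
    skip = excluded | password_attrs
    events: List[Event] = []
    for lid in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(lid), snapshot.get(lid)
        if old is None:                                    # new logonid
            events.append(("add", lid, None, None))
            events += [("add", lid, a, v) for a, v in sorted(new.items())
                       if a not in skip]
        elif new is None:                                  # logonid removed
            events.append(("delete", lid, None, None))
        else:
            for a in sorted((set(old) | set(new)) - skip):
                ov, nv = old.get(a), new.get(a)
                if ov == nv:
                    continue
                if ov is not None:
                    events.append(("delete", lid, a, ov))  # old value, in clear
                if nv is not None:
                    events.append(("add", lid, a, nv))
    return events


def run(baseline: Database, snapshot: Database,
        password_attrs: FrozenSet[str] = PASSWORD_ATTRS) -> Tuple[List[Event], Database]:
    """One event notification run: emit the events, then replace the baseline."""
    events = diff_accounts(baseline, snapshot, password_attrs=password_attrs)
    return events, {l: to_state(a, password_attrs) for l, a in snapshot.items()}


# Constructed sample data.  A reconciliation never returns passwords, so the
# snapshot has none.  ADMNBU1 changed only in volatile fields, USER01 was
# suspended, USER02 is new.
BASELINE: Database = {
    "ADMNBU1": {"ERACF2ACCOUNT": "ADMNBU1", "ERACCOUNTSTATUS": "0",
                "ERACF2ACCDATE": "14/01/05", "ERACF2ACCCNT": "17"},
    "USER01": {"ERACF2ACCOUNT": "USER01", "ERACCOUNTSTATUS": "0",
               "ERACF2ACCDATE": "14/01/04", "ERACF2ACCCNT": "3"},
}
SNAPSHOT: Database = {
    "ADMNBU1": {"ERACF2ACCOUNT": "ADMNBU1", "ERACCOUNTSTATUS": "0",
                "ERACF2ACCDATE": "14/01/06", "ERACF2ACCCNT": "18"},
    "USER01": {"ERACF2ACCOUNT": "USER01", "ERACCOUNTSTATUS": "1",
               "ERACF2ACCDATE": "14/01/06", "ERACF2ACCCNT": "4"},
    "USER02": {"ERACF2ACCOUNT": "USER02", "ERACCOUNTSTATUS": "0"},
}


def demo(password_attrs: FrozenSet[str] = PASSWORD_ATTRS) -> List[Event]:
    """A password reset for ADMNBU1 arrives from IBM Security Identity
    Manager, then the next event notification run happens."""
    state = record_change(BASELINE, "ADMNBU1", {"ERPASSWORD": "n3wSecret"},
                          password_attrs)
    events, _ = run(state, SNAPSHOT, password_attrs)
    return events


if __name__ == "__main__":
    for e in demo():
        print(e)                 # five events, none carrying a password
    for e in demo(frozenset()):  # option J not configured
        if e[2] == "ERPASSWORD":
            print("LEAK:", e)    # ('delete', 'ADMNBU1', 'ERPASSWORD', 'n3wSecret')
```

With the password attribute configured, the run for the sample data sends five events (the suspension of USER01 and the creation of USER02) and nothing for ADMNBU1, whose only changes were in excluded fields. With the set left empty, the same run also sends a delete of ERPASSWORD with the old value in the clear, which is exactly the string that would land in the server log files.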

Modifying an event notification context
You can modify an event notification context that corresponds to a service on the IBM Security Identity Manager server.

About this task

Some adapters support multiple services. One CA ACF2 Adapter can serve several IBM Security Identity Manager services if you specify a different base point for each service. You can define multiple event notification contexts, one per service, but at least one context is required for event notification to run.

To modify an event notification context, perform the following steps. In the following example screen, Context1, Context2, and Context3 are different contexts that have a different base point.
1. Access the Agent Main Configuration Menu, if you have not already done so. See “Starting the adapter configuration tool” on page 19.
2. From the Agent Main Configuration Menu, type the Event Notification option.
3. From the Event Notification Menu, type the Modify Event Notification Context option to display a list of available contexts. For example,

Modify Context Menu
------------------------------
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:

4. Type the option of the context that you want to modify to obtain a list as described in the following screen.


A. Set attributes for search
B. Target DN:
X. Done
Select menu option:

Table 8. Options for the modify context menu

Option Configuration task For more information

A Adding search attributes for event notification. See “Adding event notification search attributes.”

B Configuring the target DN for event notification contexts. See “Configuring the target DN for event notification contexts” on page 31.

Adding event notification search attributes:

For some adapters, you might need to specify an attribute-value pair for one or more contexts.

About this task

These attribute/value pairs, which are defined by completing the following steps, serve multiple purposes:
v When a single adapter supports multiple services, each service must specify one or more attributes to differentiate the service from the other services.
v The adapter passes the search attributes to the event notification process either when the event notification interval expires or when event notification is started manually. For each context, a complete search request is sent to the adapter, together with the attributes specified for that context.
v When the IBM Security Identity Manager server initiates a reconciliation process, the adapter replaces the local database that represents this service with the new database.

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.

2. At the Modify Context Menu for the context, type A to display the Reconciliation Attributes Passed to Agent Menu.

Reconciliation Attributes Passed to Agent for Context: Context1
--------------------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:

The CA ACF2 for z/OS adapter requires the resource_name attribute to be specified for each context. The value of the attribute must be set to the Managed Resource Name defined on the IBM Security Identity Manager Service Form.


Configuring the target DN for event notification contexts:

You must configure the target DN for each event notification context so that the adapter knows which service it must send the request to.

About this task

During event notification, the adapter sends requests to a service that is running on the IBM Security Identity Manager server.

Configuring the target DN for event notification contexts involves specifying parameters such as:
v The adapter service name (erservicename)
v Organization (o)
v Tenant (ou)
v Root suffix of the directory tree

Procedure

1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. Type the option for Event Notification to display the Event Notification Menu.
3. Type the option for Modify Event Notification Context, then enter the option of the context that you want to modify.
4. At the Modify Context Menu for the context, type B. The following prompt is displayed:

Enter Target DN:

5. Type the target DN for the context and press Enter. The target DN for the event notification context must be in the following format:

erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix

Table 9 describes each DN element.

Table 9. DN elements and definitions

Element Definition

erservicename Specifies the name of the target service.

o Specifies the name of the organization.

ou Specifies the name of the tenant under which the organization is defined. If this installation is an enterprise installation, then ou is the name of the organization.

rootsuffix Specifies the root of the directory tree. This value is the same as the value of Identity Manager DN Location, which is specified during the IBM Security Identity Manager server installation.

The Modify Context Menu displays the new target DN.

Search attribute specification:

For some adapters, you might need to specify an attribute-value pair for one or more contexts.

These attribute/value pairs, which are defined in the context under Set attributes for search, serve multiple purposes:

v When multiple service instances on the IBM Security Identity Manager server reference the same adapter, each service instance must specify an attribute-value pair so that the adapter knows which service instance is requesting work.

v The attribute is sent to the event notification process when the event notification interval expires or when event notification is started manually. When the attribute is received, the adapter processes the information that the attribute/value pair indicates.

v When a server-initiated reconciliation process runs, the adapter replaces the local database that represents this service instance.

Table 10 describes a partial list of possible attribute/value pairs that you can specify for Set attributes for search.

Table 10. Attributes for search

Service type: CAACF2Profile
Form label: CA ACF2 loginid under which requests are processed
Attribute name: eracf2requester
Value: A scoped, privileged CA ACF2 loginid that manages users in this service.

The following sample agentCfg session adds the requester attribute to a context named CA ACF2:

Modify Context Menu
------------------------------
A. CA ACF2
X. Done
Select menu option:a

Modify Context: CA ACF2
------------------------------------
A. Set attributes for search
B. Target DN:
Select menu option:a

Reconciliation Attributes Passed to Agent for context: CA ACF2
-------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:a

Attribute name : ercaacf2requester
Attribute value: admnbu1

Reconciliation Attributes Passed to Agent for context: CA ACF2
-------------------------------------------------
01. ercaacf2requester 'admnbu1'
-------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:x


Pseudo-distinguished name value determination:

The Target DN field has the pseudo-distinguished name of the service that receivesevent notification updates.

To assist in determining the correct entries, this name can be considered to consist of the listed components in the A+B+C+D+E sequence.

Note: Do not use a comma inside any component value of a pseudo-DN. Commas are the separators between the components and are not escaped.

Table 11. Name values and their description

Component Item Description

A erServicename The value of the erServicename attribute of the service.

B Zero or more occurrences of ou or l, or both. When the service is not directly associated with the organization, you must specify the ou and l containers between them. These values are listed in the reverse sequence of their appearance in the IBM Security Identity Manager organization chart (innermost container first).

C o The value of the o attribute of the organization to which the service belongs, at the highest level. This value can be determined by examining the IBM Security Identity Manager organization chart.

D ou The ou component is established at IBM Security Identity Manager installation. You can find this component in the IBM Security Identity Manager configuration file named enRole.properties, in the configuration item named enrole.defaulttenant.id=

E dc The dc component is established at IBM Security Identity Manager installation. This component is the root suffix of the LDAP environment. You can find this component in the IBM Security Identity Manager configuration file named enRole.properties, in the configuration item named enrole.ldapserver.root=

Example 1:

A:

The service name on the IBM Security Identity Manager server is MVS CA ACF2 4.5.1016 ENTEST. This name becomes component A of the pseudo-DN:
erservicename=MVS CA ACF2 4.5.1016 ENTEST

B:

Table 12 describes an example of the IBM Security Identity Manager organization chart that indicates the location of the service in the organization.

Table 12. Organization chart example

+ Identity Manager Home    IBM Security Identity Manager Home
  + Acme Inc               Base organization    o

Component B is not required because the service is directly associated with the organization at the beginning of the organization chart.


C:

The organization this service is associated with, described on the IBM Security Identity Manager organization chart, is named Acme Inc. This organization becomes component C of the pseudo-DN:
o=Acme Inc

D:

The value of the property named enrole.defaulttenant.id= defined in the enRole.properties definition file on the IBM Security Identity Manager server becomes component D of the pseudo-DN. For example:
############################################################
# Default tenant information
###########################################################
enrole.defaulttenant.id=Acme

The D component of the pseudo-DN is: ou=Acme

E:

The value of the property named enrole.ldapserver.root= defined in the enRole.properties definition file on the IBM Security Identity Manager server becomes component E of the pseudo-DN. For example:
############################################################
# LDAP server information
###########################################################
enrole.ldapserver.root=dc=my_suffix

The E component of the pseudo-DN is: dc=my_suffix

The following pseudo-DN is the result of all the components (A+B+C+D+E), with B empty:
erservicename=MVS CA ACF2 4.5.1016 ENTEST,o=Acme Inc,ou=Acme,dc=my_suffix

Example 2:

A:

The service name on the IBM Security Identity Manager server is Irvine Sales. This name becomes component A of the pseudo-DN:
erservicename=Irvine Sales

B:

Table 13 describes an example of the IBM Security Identity Manager organization chart that indicates the location of the service in the organization.

Table 13. Organization chart example

+ Identity Manager Home    IBM Security Identity Manager Home
  - Acme Inc               Base organization      o
    - Irvine               Location               l
      - Sales              Organizational Unit    ou

The Irvine Sales service is defined under the organizational unit (ou) named Sales, which is defined under the location (l) named Irvine.

Component B of the pseudo-DN is:
ou=Sales,l=Irvine


C:

The organization this service is associated with, shown on the IBM Security Identity Manager organization chart, is named Acme Inc. This organization becomes component C of the pseudo-DN:
o=Acme Inc

D:

The value of the property named enrole.defaulttenant.id= defined in the enRole.properties definition file on the IBM Security Identity Manager server becomes component D of the pseudo-DN. For example:
############################################################
# Default tenant information
###########################################################
enrole.defaulttenant.id=Acme

The D component of the pseudo-DN is:
ou=Acme

E:

The value of the property named enrole.ldapserver.root= defined in the enRole.properties definition file on the IBM Security Identity Manager server becomes component E of the pseudo-DN. For example:
############################################################
# LDAP server information
###########################################################
enrole.ldapserver.root=dc=my_suffix

The E component of the pseudo-DN is:
dc=my_suffix

The following pseudo-DN is the result of all the components (A+B+C+D+E). Unlike Example 1, component B is required here because the service is not directly under the organization:
erservicename=Irvine Sales,ou=Sales,l=Irvine,o=Acme Inc,ou=Acme,dc=my_suffix
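The following Python script is an added example, not part of the manual or the adapter. It assembles the Target DN from the five components exactly as Table 11 describes them, reading the tenant id and the root suffix from a copy of the enRole.properties fragments shown above, reversing the organization-chart path for component B, and refusing any value that contains a comma. Both of the examples above are reproduced by it; the org-chart path is passed as a list of (attribute, name) pairs, top down, which is an input format chosen for the example.

```python
"""Build the Target DN of an event notification context from the service
name, the organization-chart path and two enRole.properties values.

Added example, not code from the manual or the adapter.  The properties
text and the organization charts are the manual's own examples.
"""
from typing import Dict, List, Tuple

# Constructed copy of the two enRole.properties fragments quoted above.
ENROLE_PROPERTIES = """\
############################################################
# Default tenant information
###########################################################
enrole.defaulttenant.id=Acme
############################################################
# LDAP server information
###########################################################
enrole.ldapserver.root=dc=my_suffix
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' or '!'
    comments, no line continuations or escapes."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def build_target_dn(service_name: str, path: List[Tuple[str, str]],
                    organization: str, props: Dict[str, str]) -> str:
    """Return A + B + C + D + E.

    path lists the containers between the organization and the service as
    (attribute, name) pairs in org-chart order, top down, for example
    [("l", "Irvine"), ("ou", "Sales")].  Component B is that list reversed,
    innermost container first.  Commas are the separators, so a comma in
    any value is rejected rather than silently producing an extra component.
    """
    tenant = props["enrole.defaulttenant.id"]
    root = props["enrole.ldapserver.root"]
    for value in [service_name, organization, tenant] + [n for _, n in path]:
        if "," in value:
            raise ValueError(f"comma not allowed in pseudo-DN value: {value!r}")
    for attr, _ in path:
        if attr not in ("ou", "l"):
            raise ValueError(f"component B accepts only ou and l, got {attr!r}")
    parts = [f"erservicename={service_name}"]                     # A
    parts += [f"{attr}={name}" for attr, name in reversed(path)]  # B
    parts.append(f"o={organization}")                              # C
    parts.append(f"ou={tenant}")                                   # D
    parts.append(root)                                             # E
    return ",".join(parts)


def example_1() -> str:
    """Service directly under the organization: component B is empty."""
    props = parse_properties(ENROLE_PROPERTIES)
    return build_target_dn("MVS CA ACF2 4.5.1016 ENTEST", [], "Acme Inc", props)


def example_2() -> str:
    """Service under location Irvine, organizational unit Sales."""
    props = parse_properties(ENROLE_PROPERTIES)
    return build_target_dn("Irvine Sales", [("l", "Irvine"), ("ou", "Sales")],
                           "Acme Inc", props)


if __name__ == "__main__":
    print(example_1())
    print(example_2())
```

Paste the printed string at the Enter Target DN: prompt. The comma check matters because the adapter does not escape values: an organization named "Acme, Inc" would split into two components and the events would be sent to a service that does not exist.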

Removing the baseline database for event notification contexts:

You can remove the baseline database for an event notification context only after you create the context. You must also run a reconciliation on the context to create a Baseline Database file.

Procedure

1. From the Agent Main Configuration Menu, type the Event Notification option.
2. From the Event Notification Menu, type the Remove Event Notification Context option to display the Modify Context Menu.
3. Select the context that you want to remove.
4. After you confirm that you want to remove the context, press Enter to remove the baseline database for the event notification context.

Changing the configuration key
You use the configuration key as a password to access the configuration tool for the adapter.


About this task

To change the CA ACF2 Adapter configuration key, perform the following steps:

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Main Menu prompt, type D.
3. Take one of the following actions:

v Change the value of the configuration key and press Enter.
v Press Enter to return to the Main Configuration Menu without changing the configuration key.

Results

The default configuration key is agent. Change it as part of installation and choose a complex value: anyone who knows the key can reconfigure the adapter, including its SSL, logging, and registry settings. The following message is displayed:
Configuration key successfully changed.

The configuration program returns to the Main Menu prompt.

Changing activity logging settings
Use this task to enable or disable the log files that record adapter activity.

About this task

When you enable activity logging, the adapter maintains a log file (CAACF2Agent.log) of all transactions. By default, the log file is in the logging directory shown in the menu below (/var/ibm/isimcaacf2/log), which must be writable by the adapter.

To change the CA ACF2 Adapter activity logging settings, perform the following steps:

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Main Menu prompt, type E to display the Agent Activity Logging Menu.

The following screen displays the default activity logging settings.

Agent Activity Logging Menu
-------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: /var/ibm/isimcaacf2/log).
C. Activity Log File Name (current: CAACF2Agent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
X. Done
Select menu option:

3. Perform one of the following steps:
v Type the letter for the option that you want to change. Press Enter to change the value for menu option B, C, D, or E. The other options are changed automatically when you type the corresponding letter of the menu option. Table 14 describes each option.

v Press Enter to return to the Agent Activity Logging Menu without changing the value.

Note: Ensure that option A is enabled for the values of the other options to take effect.

Table 14. Options for the activity logging menu

Option Configuration task

A Set this option to Enabled for the adapter to maintain a dated log file of all transactions.

When the option is set to:

v Disabled, pressing the A key changes to enabled

v Enabled, pressing the A key changes to disabled

Type A to toggle between the options.

B Displays the following prompt:

Enter log file directory:

Type a different value for the logging directory, for example, /home/Log. When the logging option is enabled, details about each access request are stored in the logging file that is in this directory.

C Displays the following prompt:

Enter log file name:

Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.

D Displays the following prompt:

Enter maximum size of log files (mbytes):

Type a new value, for example, 10. File size is measured in megabytes. When the log file reaches the maximum size, it is rolled over and the oldest data is archived. The adapter does not check free space: together with option E, the logs can occupy up to the maximum file size multiplied by the maximum number of files, so make sure the logging file system has at least that much room.

E Displays the following prompt:

Enter maximum number of log files to retain:

Type a new value up to 99, for example, 5. The adapter automatically deletes the oldest activity logs beyond the specified limit.

F If this option is set to enabled, the adapter includes debug statements in the log file of all transactions.

When the option is set to:

v Disabled, pressing the F key changes the value to enabled

v Enabled, pressing the F key changes the value to disabled

Type F to toggle between the options.

G If this option is set to enabled, the adapter maintains a detailed log file of all transactions. Use detail logging for diagnostic purposes only. Detailed logging enables more messages from the adapter and might increase the size of the logs.

When the option is set to:

v Disabled, pressing the G key changes the value to enabled

v Enabled, pressing the G key changes the value to disabled

Type G to toggle between the options.

H If this option is set to enabled, the adapter maintains a log file of all transactions in the Agent Development Kit (ADK) and library files. Base logging substantially increases the size of the logs.

When the option is set to:

v Disabled, pressing the H key changes the value to enabled

v Enabled, pressing the H key changes the value to disabled

Type H to toggle between the options.

I If this option is enabled, the log file contains thread IDs, in addition to a date and timestamp on each line of the file.

When the option is set to:

v Disabled, pressing the I key changes the value to enabled

v Enabled, pressing the I key changes the value to disabled

Type I to toggle between the options.

Modifying registry settings
Use this procedure to access the various types of registry settings that you might want to change.

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. Type F. The Registry Menu is displayed.

CAACF2Agent 6.0 Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:

For a list of valid registry options, their values, and meanings, see Appendix B,“Registry settings,” on page 83.

What to do next

See the following procedures to modify the registry settings.


Modifying non-encrypted registry settings
Use this task to modify registry settings that do not use encryption.

Procedure
1. At the Agent Registry Menu, type A. The Non-encrypted Registry Settings Menu is displayed.

CAACF2Agent Registry Items
-------------------------------------------------
01. DATEFORMAT 'MDY'
02. ENROLE_VERSION '6.0'
03. PASSEXPIRE 'TRUE'
04. SYSEXEC 'IBMUSER.ISIMACF2.EXEC'
-------------------------------------------------
Page 1 of 1

A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:

The following table describes the non-encrypted registry keys and their available settings:

Table 15. Non-encrypted registry keys

Key Description

DATEFORMAT Specifies the date format, which must match the configured date format of CA ACF2.

ENROLE_VERSION Specifies the version of IBM Security Identity Manager.

PASSEXPIRE Specifies the default action that the adapter must perform when it receives a password change request. TRUE indicates that passwords must be set as expired. FALSE indicates that passwords must be set as non-expired.

SYSEXEC Specifies the data set that contains the REXX executable programs ISIMEXIT and ISIMEXEC.

2. Type the letter of the menu option for the action that you want to perform on an attribute.

Table 16. Attribute configuration option description

Option Configuration task

A Add new attribute

B Modify attribute value

C Remove attribute

3. Type the registry item name and press Enter.
4. If you selected option A or B, type the registry item value.
5. Press Enter.

Results

The Non-encrypted Registry Settings Menu displays the new settings.


Changing advanced settings
You can change the adapter thread count settings for the following types of requests.

About this task
v System Login Add
v System Login Change
v System Login Delete
v Reconciliation

These thread counts determine the maximum number of requests of each type that the adapter processes at the same time. To change these settings, perform the following steps:

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Main Menu prompt, type G to display the Advanced Settings Menu.

The following screen displays the default thread count settings.

CAACF2Agent 6.0 Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:FALSE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
X. Done
Select menu option:

3. Type the letter of the menu option that you want to change. For a description of each option, see Table 17.

Table 17. Options for the advanced settings menu

Option Description

A Forces the adapter to submit only one request at a time. The default value is FALSE.

B Limits the number of Add requests that can run simultaneously. The default value is 3.

C Limits the number of Modify requests that can run simultaneously. The default value is 3.

D Limits the number of Delete requests that can run simultaneously. The default value is 3.

E Limits the number of Search requests that can run simultaneously. The default value is 3.

F Determines whether the adapter runs the pre-exec and post-exec functions, that is, the ISIMEXIT and ISIMEXEC REXX programs in the data set named by the SYSEXEC registry key (see Table 15). The default value is FALSE.
Note: Enabling this option is a potential security risk. The EXECs run under the adapter's identity on every request, so anyone who can update that data set can run code with the adapter's authority. Leave the option FALSE unless you use the EXECs, and protect the SYSEXEC data set with CA ACF2 rules that allow updates only to the administrators who maintain them.

G This option is no longer supported.

H This option is no longer supported.

I Currently, this adapter does not support processing filters directly. This option must always be FALSE.

4. Change the value and press Enter to display the Advanced Settings Menu with the new settings.

Viewing statistics
Use this procedure to view the request statistics for the adapter.

Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Main Menu prompt, type H to display the activity history for the adapter.

CAACF2Agent 6.0 Agent Request Statistics
--------------------------------------------------------------------
Date       Add    Mod    Del    Ssp    Res    Rec

-----------------------------------------------------------------

10/19/2004 000000 000004 000000 000000 000000 000004

-----------------------------------------------------------------

X. Done

3. Type X to return to the Main Configuration Menu.

Modifying code page settings
You can list and modify the supported code page information for the adapter.

Before you begin

The adapter must be running.

About this task

Run the following command to view the code page information:
agentCfg -agent CAACF2Agent -codepages

To change the code page settings for the adapter, perform the following steps:


Procedure
1. Access the Agent Main Configuration Menu. See “Starting the adapter configuration tool” on page 19.
2. At the Main Menu prompt, type I.

The Code Page Support Menu for the adapter is displayed.

CAACF2Agent 6.0 Codepage Support Menu
-------------------------------------------
* Configured codepage: IBM-1047-s390
-------------------------------------------
*******************************************
* Restart Agent After Configuring Codepages
*******************************************
A. Codepage Configure.
X. Done
Select menu option:

3. Type A to configure a code page.
4. After you select a code page, restart the adapter. The following screen is a sample session with agentCfg, altering the default code page from US EBCDIC (IBM-1047) to Spanish EBCDIC (IBM-1145).


IBMUSER:/u/ibmuser: >agentCfg -ag CAACF2Agent

Enter configuration key for Agent 'CAACF2Agent':

CAACF2Agent 6.0 Agent Main Configuration Menu
-------------------------------------------
A. Configuration Settings.
B. Protocol Configuration.
C. Event Notification.
D. Change Configuration Key.
E. Activity Logging.
F. Registry Settings.
G. Advanced Settings.
H. Statistics.
I. Codepage Support.

X. Done

Select menu option:i

CAACF2Agent 6.0 Codepage Support Menu-------------------------------------------* Configured codepage: IBM-1047-s390-------------------------------------------********************************************* Restart Agent After Configuring Codepages*******************************************

A. Codepage Configure.

X. Done

Select menu option:a

Enter Codepage: ibm-1145

CAACF2Agent 6.0 Codepage Support Menu-------------------------------------------* Configured codepage: ibm-1145-------------------------------------------********************************************* Restart Agent After Configuring Codepages*******************************************

A. Codepage Configure.

X. Done

Select menu option:x

5. Type X to return to the Main Configuration Menu.

Accessing help and additional options

Use this task to access the agentCfg help menu and use the help arguments.

Procedure
1. At the Main Menu prompt, type X to display the USS command prompt.
2. Type agentCfg -help at the prompt to display the help menu and list of commands.

-version            ;Show version
-hostname <value>   ;Target nodename to connect to (Default:Local host IP address)
-findall            ;Find all agents on target node
-list               ;List available agents on target node
-agent <value>      ;Name of agent
-tail               ;Display agent’s activity log
-schema             ;Display agent’s attribute schema
-portnumber <value> ;Specified agent’s TCP/IP port number
-netsearch <value>  ;Lookup agents hosted on specified subnet
-codepages          ;Display list of available codepages
-help               ;Display this help screen

The following table describes each argument.

Table 18. Arguments and description for the agentCfg help menu

-version
    Use this argument to display the version of the agentCfg tool.

-hostname <value>
    Use the -hostname argument with one of the following arguments to specify a different host:
    v -findall
    v -list
    v -tail
    v -agent
    Enter a host name or IP address as the value.

-findall
    Use this argument to search and display all port addresses 44970 - 44994 and their assigned adapter names. This option times out the unused port numbers; therefore, it might take several minutes to complete.
    Add the -hostname argument to search a remote host.

-list
    Use this argument to display the adapters that are installed on the local host of the CA ACF2 Adapter. By default, the first time you install an adapter, it is either assigned to port address 44970 or to the next available port number. You can then assign all the later installed adapters to the next available port address. After the software finds an unused port, the listing stops.
    Use the -hostname argument to search a remote host.

-agent <value>
    Use this argument to specify the adapter that you want to configure. Enter the adapter name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument.

-tail
    Use this argument with the -agent argument to display the activity log for an adapter. Add the -hostname argument to display the log file for an adapter on a different host.

-portnumber <value>
    Use this argument with the -agent argument to specify the port number that is used for connections for the agentCfg tool.

-netsearch <value>
    Use this argument with the -findall argument to display all active adapters on the z/OS operating system. You must specify a subnet address as the value.

-codepages
    Use this argument to display a list of available codepages.

-help
    Use this argument to display the Help information for the agentCfg command.

3. Type agentCfg before each argument you want to run, as shown in the following examples.

agentCfg -list
    Displays a list of:
    v All the adapters on the local host.
    v The IP address of the host.
    v The IP address of the local host.
    v The node on which the adapter is installed.
    The default node for the IBM Security Identity Manager server must be 44970. The output is similar to the following example:

    Agent(s) installed on node ’127.0.0.1’
    -----------------------
    CAACF2Agent (44970)

agentCfg -agent adapter_name
    Displays the Main Menu of the agentCfg tool, which you can use to view or modify the adapter parameters.

agentCfg -list -hostname 192.9.200.7
    Displays a list of the adapters on a host with the IP address 192.9.200.7. Ensure that the default node for the adapter is 44970. The output is similar to the following example:

    Agent(s) installed on node ’192.9.200.7’
    ------------------
    CAACF2Agent (44970)

agentCfg -agent adapter_name -hostname 192.9.200.7
    Displays the agentCfg tool Main Menu for a host with the IP address 192.9.200.7. Use the menu options to view or modify the adapter parameters.

CA ACF2 Adapter customization

You can do specific functions according to your requirements with the following REXX execs that are provided with the adapter installation.
v “ISIMEXIT command usage”
v “ISIMEXEC command usage” on page 47

ISIMEXIT command usage

ISIMEXIT is a REXX command. Use this command to start a REXX exec in response to a processing request.

You can implement the following instances where the ISIMEXIT exec gets control:


Pre add processing
    The request to add a user is received, but not yet processed.

Post add processing
    The request to add a user is completed successfully.

Pre modify processing
    The request to modify a user is received, but not yet processed.

Post modify processing
    The request to modify a user is completed successfully.

Pre delete processing
    The request to delete a user is received, but not yet processed.

Post delete processing
    The request to delete a user is completed successfully.

Exit processing might indicate success (zero return code) or failure (non-zero return code) to the adapter. For the pre-add, pre-modify, and pre-delete exits, any non-zero return code returns a failure for the current CA ACF2 user that is processed. For the post-add, post-modify, and post-delete exits, a non-zero return code returns a warning for the current CA ACF2 user that is processed.

You might call other programs and perform file Input/Output (I/O) as necessary. Processing is performed under the authority of the CA ACF2 ID that runs the CA ACF2 commands to accomplish the function. You might run any valid TSO command, provided that it does not prompt the terminal user for input.

Ensure that the ISIMEXIT exec is available independent of whether it performs anyfunctions. The sample ISIMEXIT provided has an exit 0 as the first executablestatement. You must modify this exit to meet your requirements.

The sample exit provides functions that you might use or customize according to your requirements. For example:
v Defining a user catalog alias in one or more master catalogs at POST ADD or POST MODIFY exit time.
v Defining a user data set profile at POST ADD or POST MODIFY exit time.
v Defining a user OMVS (UNIX System Services) home directory at POST ADD or POST MODIFY exit time.
v Deleting a user data set profile at PRE DELETE exit time.
v Deleting a user catalog alias at POST DELETE exit time.

Note: Ensure that the Processing ID has appropriate CA ACF2 authorization toperform the listed exit functions.

The following information is available to the exit.

Table 19. ISIMEXIT processing information

Parameter 1 (Verb)
    Meaning: Indicates what operation is calling the exit.
    Possible value: ADD, MODIFY, or DELETE.
    Availability: Always.

Parameter 2 (Object)
    Meaning: The object name of the transaction.
    Possible value: USER, indicating a CA ACF2 user object that is processed.
    Availability: Always.

Parameter 3 (Prepost)
    Meaning: Qualifies whether this entry is a PRE or POST processing entry to the exit.
    Possible value: BEFORE or AFTER.
    Availability: Always.

Parameter 4 (User ID)
    Meaning: The CA ACF2 logonid that is processed.
    Availability: Always.

Parameter 5 (ERACF2NAME)
    Meaning: The value of the attribute.
    Availability: Only ADD BEFORE and AFTER.

Parameter 6 (ERACF2USING)
    Meaning: The value of the attribute.
    Availability: Only ADD BEFORE and AFTER.
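A skeleton ISIMEXIT, added here as an example and not the sample exit shipped with the adapter, that dispatches on the verb and prepost parameters of Table 19 and uses the return-code convention described above. The master catalog name and the protected-logonid list are placeholders, and the TSO commands assume the processing ID holds the catalog authority noted above.

```rexx
/* REXX - ISIMEXIT: pre/post exit for ADD, MODIFY and DELETE requests.       */
/* Added example; not the sample ISIMEXIT shipped with the adapter.          */
/* Arguments are the six positional values of Table 19. Return code 0 means */
/* success; non-zero fails the request at a BEFORE exit and only raises a   */
/* warning at an AFTER exit.                                                 */
PARSE UPPER ARG verb object prepost userid acf2name acf2using .

/* Placeholders: replace with your own master catalog and the logonids that */
/* the identity manager must never change (hypothetical values).            */
ucat      = 'SYS1.USERCAT.PLACEHOLDER'
protected = 'ACFUSER ACFSTC'

IF object \= 'USER' THEN EXIT 0          /* only USER objects are defined */
retcode = 0

SELECT
  WHEN prepost = 'BEFORE' & WORDPOS(userid, protected) > 0 THEN DO
    /* Refuse ADD, MODIFY or DELETE of a protected logonid before CA ACF2   */
    /* is touched; a non-zero code at a BEFORE exit fails the request.      */
    SAY 'ISIMEXIT:' verb 'of protected logonid' userid 'refused'
    retcode = 8
  END
  WHEN verb = 'ADD' & prepost = 'BEFORE' THEN DO
    /* Hypothetical naming standard: 1-8 characters, first is a letter      */
    IF LENGTH(userid) > 8 | ,
       VERIFY(LEFT(userid, 1), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ') > 0 THEN retcode = 8
  END
  WHEN verb = 'ADD' & prepost = 'AFTER' THEN DO
    /* Post-add: define the user catalog alias. acf2name and acf2using      */
    /* (parameters 5 and 6) are present only on ADD calls.                  */
    ADDRESS TSO "DEFINE ALIAS(NAME('"userid"') RELATE('"ucat"'))"
    IF RC \= 0 THEN retcode = 4           /* warning only at an AFTER exit */
  END
  WHEN verb = 'DELETE' & prepost = 'AFTER' THEN DO
    /* Post-delete: remove the user catalog alias again                     */
    ADDRESS TSO "DELETE '"userid"' ALIAS"
    IF RC \= 0 THEN retcode = 4
  END
  OTHERWISE NOP                          /* MODIFY and other cases: no action */
END

EXIT retcode
```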

ISIMEXEC command usage

ISIMEXEC is a REXX command. Use this command for backward compatibility with the earlier version of the adapter.

The ISIMEXEC processing can present a zero or a non-zero return code when theprocessing is complete. A zero return code indicates successful processing of theAcf2EXECNAME attribute. If a non-zero return code is presented on exit, the adapterindicates that the Acf2EXECNAME attribute failed.

You might call other programs and perform file I/O as necessary. Processing is performed under the authority of the same CA ACF2 logonid that runs the CA ACF2 commands. You might run any valid TSO command, provided that it does not prompt the terminal user for input.

Table 20. ISIMEXEC processing information

Parameter 1
    Source: IBM Security Identity Manager attribute erUid.
    Value: The value of erUid.
    Availability: Always, because this attribute accompanies all requests.

Parameter 2
    Source: IBM Security Identity Manager attribute erAcf2EXECNAME.
    Value: The value of erAcf2EXECNAME.
    Availability: Always, because the availability of this attribute indicates that this exit must be started.

Parameter 3
    Source: IBM Security Identity Manager attribute erAcf2EXECVAR.
    Value: The value of erAcf2EXECVAR.
    Availability: Based on the request generated by the IBM Security Identity Manager server.

When the erAcf2EXECNAME attribute and optionally, the erAcf2EXECVAR attribute areavailable, the ISIMEXEC exit point is started as a TSO command in the commandexecutor.


You cannot run the following command during the add operation. However, you can run it at any time during the modify operation:

%ISIMEXEC erUid erAcf2EXECNAME erAcf2EXECVAR

If the erAcf2EXECVAR attribute is available during an add operation, run thecommand after the add operation. However, only the erUid attribute is availableon the CA ACF2 user profile.

When the ISIMEXEC is processed, the erAcf2EXECNAME attribute can representanything that you want to process. It provides a second-level command or execname that you want to run.

Note:

v You can prevent the running of unauthorized commands for processing byinterrogating the erAcf2EXECNAME attribute because ISIMEXEC always receivescontrol.

v ISIMEXEC is never started during a delete command because the adapter presentsonly the erUid attribute.
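An ISIMEXEC that applies the allow-list check suggested in the note above, added as an example and not the sample exec shipped with the adapter: because ISIMEXEC always receives control, it refuses any erAcf2EXECNAME that the site has not approved before running it. The exec names in the allow-list are placeholders.

```rexx
/* REXX - ISIMEXEC: started as %ISIMEXEC erUid erAcf2EXECNAME erAcf2EXECVAR */
/* Added example; not the sample ISIMEXEC shipped with the adapter.         */
/* Because ISIMEXEC always receives control, the exec name carried in       */
/* erAcf2EXECNAME is checked against a site allow-list before anything runs */
/* under the authority of the logonid that issues the CA ACF2 commands.     */
PARSE ARG uid execname execvar
execname = TRANSLATE(STRIP(execname))    /* exec names are compared uppercase */

/* Constructed allow-list: SETHOME and SETQUOTA are placeholders for your   */
/* own second-level execs.                                                  */
allowed = 'SETHOME SETQUOTA'

IF execname = '' THEN DO
  SAY 'ISIMEXEC: no erAcf2EXECNAME supplied for' uid
  EXIT 8                                 /* non-zero: erAcf2EXECNAME failed */
END

IF WORDPOS(execname, allowed) = 0 THEN DO
  SAY 'ISIMEXEC: exec' execname 'is not permitted for logonid' uid
  EXIT 8
END

/* Run the approved exec; it receives the logonid and erAcf2EXECVAR, which  */
/* may be empty on an ADD request.                                          */
ADDRESS TSO "%"execname uid execvar
EXIT RC                                  /* propagate the exec's return code */
```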

z/OS adapter language pack installation

The adapters use a separate language package from the IBM Security Identity Manager.

See the IBM Security Identity Manager library and search for information aboutinstalling the adapter language pack.

SSL authentication configuration for the z/OS adapter

You can provide SSL authentication, certificates, and SSL authentication enablement with the certTool utility.

To establish a secure connection between the adapter and the IBM Security IdentityManager server, configure the adapter and the IBM Security Identity Managerserver. Use the Secure Sockets Layer (SSL) authentication with the defaultcommunication protocol, DAML. By configuring the adapter for SSL, the IBMSecurity Identity Manager server can verify the identity of the adapter before theserver establishes a secure connection.

You can configure SSL authentication for connections that originate from the IBMSecurity Identity Manager server or from the adapter. The IBM Security IdentityManager server initiates a connection to the adapter to set or retrieve the value ofa managed attribute on the adapter. Depending on the security requirements ofyour environment, you might configure SSL authentication for connections thatoriginate from the adapter. For example, adapter events can notify the IBMSecurity Identity Manager server of changes to attributes on the adapter. In thiscase, configure SSL authentication for web connections that originate from theadapter to the web server used by the IBM Security Identity Manager server.

In a production environment, you must enable SSL security. If an externalapplication communicates with the adapter (for example, the IBM Security IdentityManager server) and uses server authentication, enable SSL on the adapter.Enabling SSL verifies the certificate that the application presents.


Overview of SSL and digital certificates for the z/OS adapter

An enterprise network deployment requires secure communication between the IBM Security Identity Manager server and the software products and components with which the server communicates.

The SSL protocol uses signed digital certificates from a certificate authority (CA) for authentication. SSL secures communication in an IBM Security Identity Manager configuration. SSL provides encryption of the data that is exchanged between the applications. Encryption makes data that is transmitted over the network intelligible only to the intended recipient.

Signed digital certificates enable two applications that connect in a network toauthenticate their identity. An application that acts as an SSL server presents itscredentials to verify to an SSL client. The SSL client then verifies that theapplication is the entity it claims to be. You can configure an application that actsas an SSL server so that it requires the application that acts as an SSL client topresent its credentials in a certificate. In this way, the two-way exchange ofcertificates is completed. A third-party certificate authority issues signed certificatesfor a fee. Some utilities, such as those provided by OpenSSL, can also providesigned certificates.

You must install a certificate authority certificate (CA certificate) to verify the origin of a signed digital certificate. When an application receives a signed certificate from another application, it uses a CA certificate to verify the certificate originator. A certificate authority can be:
v Well-known and widely used by other organizations.
v Local to a specific region or a company.

Many applications, such as web browsers, use the CA certificates of well-knowncertificate authorities. Using a well-known CA eliminates or reduces the task ofdistributing CA certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates for the z/OS adapter

Keys, digital certificates, and trusted certificate authorities establish and verify the identities of applications.

SSL uses public key encryption technology for authentication. In public keyencryption, a public key and a private key are generated for an application. Thedata encrypted with the public key can be decrypted only with the correspondingprivate key. Similarly, the data encrypted with the private key can be decryptedonly with the corresponding public key. The private key is password-protected in akey database file. Only the owner can access the private key to decrypt messagesthat are encrypted with the corresponding public key.

A signed digital certificate is an industry-standard method of verifying theauthenticity of an entity, such as a server, a client, or an application. To ensuremaximum security, a third-party certificate authority provides a certificate. Acertificate contains the following information to verify the identity of an entity:

Organizational information
    This certificate section contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate with a certificate management utility.

Public key
    The receiver of the certificate uses the public key to decipher encrypted text that is sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority's distinguished name
    The issuer of the certificate identifies itself with this information.

Digital signature
    The issuer of the certificate signs it with a digital signature to verify its authenticity. The corresponding CA certificate compares the signature to verify that the certificate originated from a trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated for the following reasons:
v The digital certificate expired.
v The CA certificate that is used to verify it has expired.
v The distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates for the z/OS adapter

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate that is provided by a certificate authority.

A self-signed certificate contains a public key, information about the certificate owner, and the owner signature. It has an associated private key; however, it does not verify the origin of the certificate through a third-party certificate authority. After you generate a self-signed certificate on an SSL server application, you must:
1. Extract it.
2. Add it to the certificate registry of the SSL client application.

This procedure is equivalent to installing a CA certificate that corresponds to aserver certificate. However, you do not include the private key in the file whenyou extract a self-signed certificate to use as the equivalent of a CA certificate.

Use a key management utility to:
v Generate a self-signed certificate.
v Generate a private key.
v Extract a self-signed certificate.
v Add a self-signed certificate.

Usage of self-signed certificates depends on your security requirements. To obtainthe highest level of authentication between critical software components, do notuse self-signed certificates or use them selectively. You can authenticateapplications that protect server data with signed digital certificates. You can useself-signed certificates to authenticate web browsers or IBM Security IdentityManager adapters.

If you are using self-signed certificates, you can substitute a self-signed certificatefor a certificate and CA certificate pair.

Certificate and key formats for the z/OS adapter

Certificates and keys are stored in files with various formats.


.pem format
    A privacy-enhanced mail (.pem) format file begins and ends with the following lines:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

A .pem file format supports multiple digital certificates, including acertificate chain. If your organization uses certificate chaining, use thisformat to create CA certificates.

.arm format
    An .arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, not a private key. The .arm file format is generated and used by the IBM Key Management utility.

.der format
    A .der file contains binary data. You can use a .der file for a single certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)
    A PKCS12 file is a portable file that contains a certificate and a corresponding private key. Use this format to convert from one type of SSL implementation to another. For example, you can create and export a PKCS12 file with the IBM Key Management utility. You can then import the file to another workstation with the certTool utility.

DAML protocol for SSL authentication

When you start the adapter, it loads the available connection protocols.

The DAML protocol is the only available protocol that supports SSL authentication. You can specify the DAML SSL implementation.

The DAML SSL implementation uses a certificate registry to store private keys andcertificates. The certTool key and certificate management tool manages the locationof the certificate registry. You do not need to specify the location of the registrywhen you perform certificate management tasks.

For more information about the protocol configuration, see “Changing protocol configuration settings” on page 21.

Configuring certificates for SSL authentication for the z/OSadapter

You can configure the adapter for one-way or two-way SSL authentication withsigned certificates.

About this task

Use the certTool utility for these tasks:
v “Configuring certificates for one-way SSL authentication for the z/OS adapter” on page 52
v “Configuring certificates for two-way SSL authentication for the z/OS adapter” on page 53
v “Configuring certificates when the z/OS adapter operates as an SSL client” on page 54

Configuring certificates for one-way SSL authentication for the z/OS adapter

In this configuration, the IBM Security Identity Manager server and the IBM Security Identity Manager adapter use SSL.

About this task

Client authentication is not set on either application. The IBM Security IdentityManager server operates as the SSL client and initiates the connection. The adapteroperates as the SSL server and responds by sending its signed certificate to theIBM Security Identity Manager server. The IBM Security Identity Manager serveruses the installed CA certificate to validate the certificate that is sent by theadapter.

In Figure 2, Application A operates as the IBM Security Identity Manager server,and Application B operates as the IBM Security Identity Manager adapter.

To configure one-way SSL, do the following tasks for each application:

Procedure
1. On the adapter, complete these steps:
   a. Start the certTool utility.
   b. To configure the SSL-server application with a signed certificate issued by a certificate authority:
      1) Create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key and places the private key in the PENDING_KEY registry value.
      2) Submit the CSR to the certificate authority by using the instructions that are supplied by the CA. When you submit the CSR, specify that you want the root CA certificate that is returned with the server certificate.
2. On the IBM Security Identity Manager server, perform one of these steps:
   v If you used a signed certificate that is issued by a well-known CA:
     a. Ensure that the IBM Security Identity Manager server stored the root certificate of the CA (CA certificate) in its keystore.
     b. If the keystore does not contain the CA certificate, extract the CA certificate from the adapter and add it to the keystore of the server.

[Figure 2. One-way SSL authentication (server authentication): the IBM Security Identity Manager server (SSL client, CA Certificate A in its truststore) sends Hello; the adapter (SSL server, Certificate A) sends Certificate A, which the server verifies.]


v If you generated the self-signed certificate on the IBM Security IdentityManager server, the certificate is installed and requires no additional steps.

   v If you generated the self-signed certificate with the key management utility of another application:
     a. Extract the certificate from the keystore of that application.
     b. Add it to the keystore of the IBM Security Identity Manager server.

Configuring certificates for two-way SSL authentication for the z/OS adapter

In this configuration, the IBM Security Identity Manager server and adapter use SSL.

Before you begin

Before you do the following procedure, configure the adapter and IBM Security Identity Manager server for one-way SSL authentication. If you use signed certificates from a CA:
v The CA provides a configured adapter with a private key and a signed certificate.
v The signed certificate of the adapter provides the CA certification for the IBM Security Identity Manager server.

About this task

The adapter uses client authentication. After the adapter sends its certificate to theserver, the adapter requests identity verification from the server. The server sendsits signed certificate to the adapter. Both applications are configured with signedcertificates and corresponding CA certificates.

In Figure 3, the IBM Security Identity Manager server operates as Application Aand the IBM Security Identity Manager adapter operates as Application B.

Procedure
1. On the IBM Security Identity Manager server:
   a. Create a CSR and private key.
   b. Obtain a certificate from a CA.
   c. Install the CA certificate.
   d. Install the newly signed certificate.
   e. Extract the CA certificate to a temporary file.
2. On the adapter, add the CA certificate that was extracted from the keystore of the IBM Security Identity Manager server to the adapter.

[Figure 3. Two-way SSL authentication (client authentication): the IBM Security Identity Manager server (SSL client, Certificate A in its keystore, CA Certificate B in its truststore) and the adapter (SSL server, Certificate B in its keystore, CA Certificate A in its truststore) exchange Hello and certificates, and each side verifies the other's certificate.]


Results

After you configure the two-way certificate, each application has its own certificateand private key. Each application also has the certificate of the CA that issued thecertificates.

Configuring certificates when the z/OS adapter operates as an SSL client

In this configuration, the adapter operates as both an SSL client and as an SSL server.

About this task

This configuration applies if the adapter initiates a connection to the web server(used by the IBM Security Identity Manager server) to send an event notification.For example, the adapter initiates the connection and the web server responds bypresenting its certificate to the adapter.

Figure 4 describes how the adapter operates as an SSL server and an SSL client.When the adapter communicates with the IBM Security Identity Manager server,the adapter sends its certificate for authentication. When the adapter communicateswith the web server, the adapter receives the certificate of the web server.

If the web server is configured for two-way SSL authentication, it verifies theidentity of the adapter. The adapter sends its signed certificate to the web server(not shown in the illustration). To enable two-way SSL authentication between theadapter and web server, do the following process:

Procedure
1. Configure the web server to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the web server.
3. Install the CA certificate on the adapter with the certTool utility.
4. Add the CA certificate corresponding to the signed certificate of the adapter to the web server.

[Figure 4. Adapter operating as an SSL server and an SSL client: the IBM Security Identity Manager adapter (A) holds Certificate A, CA Certificate A and CA Certificate C; the IBM Security Identity Manager server (B) sends Hello and receives Certificate A; the web server (C) holds Certificate C and, after the adapter's Hello, sends Certificate C to the adapter.]


What to do next

You might want the software to send an event notification when the adapterinitiates a connection to the web server (used by the IBM Security IdentityManager server). See the IBM Security Identity Manager product documentation.

Using the certTool utility to manage SSL certificates for the z/OS adapter

You can use the certTool utility to manage private keys and certificates.

About this task

This section includes instructions for performing the following tasks:
v “Starting the certTool utility.”
v “Generating a private key and certificate request for z/OS adapter” on page 57.
v “Installing the certificate on a z/OS adapter” on page 59.
v “Installing the certificate and key from a PKCS12 file” on page 59.
v “Viewing the installed certificate for the z/OS adapter” on page 60.
v “Viewing CA certificates” on page 60.
v “Installing a CA certificate for the z/OS adapter” on page 60.
v “Deleting a CA certificate” on page 61.
v “Viewing registered certificates for the z/OS adapter” on page 62.
v “Registering a certificate for the z/OS adapter” on page 61.
v “Unregistering a certificate for the z/OS adapter” on page 62.

Starting the certTool utility:

Use the certTool utility to generate a private key and certificate request, install anddelete certificates, register and unregister certificates, and list certificates.

About this task

From the Main menu of the certTool utility, you can complete these tasks:
v Generate a CSR and install the returned signed certificate on the adapter.
v Install root CA certificates on the adapter.
v Register certificates on the adapter.

To start the certificate configuration tool, certTool, for the adapter, complete thesesteps:

Procedure

1. Log on to the adapter.
2. For UNIX based operating systems, change to the read/write /bin directory for the adapter. For example, if the adapter directory is in the default location, type the command: cd /var/ibm/isimcaacf2/bin

3. Type certTool at the prompt. The Main menu is displayed:


Main menu - Configuring agent: adapter_name
------------------------------
A. Generate private key and certificate request
B. Install certificate from file
C. Install certificate and key from PKCS12 file
D. View current installed certificate

E. List CA certificates
F. Install a CA certificate
G. Delete a CA certificate

H. List registered certificates
I. Register certificate
J. Unregister a certificate

K. Export certificate and key to PKCS12 file

X. Quit

Choice:

What to do next

From the Main menu, you can generate a private key and certificate request, installand delete certificates, register and unregister certificates, and list certificates.

By using the first set of options (A through D), you can generate a CSR and installthe returned signed certificate on the adapter.

A. Generate private key and certificate request
    Generate a CSR and the associated private key that is sent to the certificate authority. For more information about option A, see “Generating a private key and certificate request for z/OS adapter” on page 57.

B. Install certificate from file
    Install a certificate from a file. This file must be the signed certificate returned by the CA in response to the CSR that is generated by option A. For more information about option B, see “Installing the certificate on a z/OS adapter” on page 59.

C. Install certificate and key from a PKCS12 file
    Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate that you use must be in PKCS12 format. For more information about option C, see “Installing the certificate and key from a PKCS12 file” on page 59.

D. View current installed certificate
    View the certificate that is installed on the workstation where the adapter is installed. For more information about option D, see “Viewing the installed certificate for the z/OS adapter” on page 60.

The second set of options installs the root CA certificates on the adapter. A CAcertificate validates the corresponding certificate that is presented by a client, suchas the server.

E. List CA certificates
    Show the installed CA certificates. The adapter communicates only with servers whose certificates are validated by one of the installed CA certificates.


F. Install a CA certificate
    Install a new CA certificate so that certificates generated by this CA can be validated. The CA certificate file can be in either X.509 or PEM encoded format. For more information about how to install a CA certificate, see “Installing a CA certificate for the z/OS adapter” on page 60.

G. Delete a CA certificate
    Remove one of the installed CA certificates. For more information about how to delete a CA certificate, see “Deleting a CA certificate” on page 61.

Options H through K apply to adapters that must authenticate the application towhich the adapter is sending information. An example of an application is the IBMSecurity Identity Manager server or the web server. Use these options to registercertificates on the adapter. For IBM Security Identity Manager version 4.5 or earlier,register the signed certificate of the IBM Security Identity Manager server with anadapter to enable client authentication on the adapter. You might not upgrade anexisting adapter to use CA certificates. In this case, you must register the signedcertificate that is presented by the server with the adapter.

You must install the CA certificate that corresponds to the signed certificate of the IBM Security Identity Manager server, using option F (Install a CA certificate), to either:
• Configure the adapter for event notification.
• Enable client authentication in DAML.

H. List registered certificates
   List all registered certificates that are accepted for communication. For more information about listing registered certificates, see “Viewing registered certificates for the z/OS adapter” on page 62.

I. Register a certificate
   Register a new certificate. The certificate for registration must be in base64-encoded X.509 or PEM format. For more information about registering certificates, see “Registering a certificate for the z/OS adapter” on page 61.

J. Unregister a certificate
   Unregister (remove) a certificate from the registered list. For more information about unregistering certificates, see “Unregistering a certificate for the z/OS adapter” on page 62.

K. Export certificate and key to PKCS12 file
   Export a previously installed certificate and private key. You are prompted for the file name and a password for encryption. For more information about exporting a certificate and key to a PKCS12 file, see “Exporting a certificate and key to PKCS12 file” on page 62.

Generating a private key and certificate request for z/OS adapter:

Use the certTool utility to generate a private key and certificate request for secure communication between the adapter and IBM Security Identity Manager.

About this task

A certificate signing request (CSR) is a text file that contains an unsigned certificate. When you submit the CSR to a certificate authority, the CA signs it with the CA's private key; the matching public key is carried in the CA certificate, which is what a peer uses to verify that signature. When the CSR is signed, it becomes a valid certificate. A CSR contains information about your organization, such as the organization name, country, and the public key of the adapter. The private key stays on the adapter; only the request file is sent to the CA.

To generate a CSR file, take these steps:

Procedure

1. At the Main menu of the certTool utility, type A to display the following message and prompt:

Enter values for certificate request (press enter to skip value)----------------------------------------------------------------

2. At Organization, type your organization name and press Enter.
3. At Organizational Unit, type the organizational unit and press Enter.
4. At Agent Name, type the name of the adapter for which you are requesting a certificate and press Enter.
5. At Email, type the email address of the contact person for this request and press Enter.
6. At State, type the state that the adapter is in and press Enter. For example, type TX if the adapter is in Texas. Some certificate authorities do not accept two-letter abbreviations for states. In this case, type the full name of the state.
7. At Country, type the country that the adapter is in and press Enter.
8. At Locality, type the name of the city that the adapter is in and press Enter.
9. At Accept these values, do one of the following actions and press Enter:
   • Type Y to accept the displayed values.
   • Type N and specify different values.

   The private key and certificate request are generated after the values are accepted.

10. At Enter name of file to store PEM cert request, type the name of the file and press Enter. Specify the file that you want to use to store the values you specified in the previous steps.

11. Press Enter to continue. The certificate request and input values are written to the file you specified. The file is copied to the adapter data directory and the Main menu is displayed again.

What to do next

You can now request a certificate from a trusted CA by sending the .pem file that you generated to a certificate authority vendor.

Example of certificate signing request for z/OS adapter:

Your CSR file looks similar to the following example:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----


Installing the certificate on a z/OS adapter:

Use the certTool utility to install the certificate on the adapter.

About this task

After you receive your certificate from your trusted CA, you must install it in the registry of the adapter.

To install the certificate, complete these steps:

Procedure

1. If you received the certificate as part of an email message, perform the following actions:
   a. Copy the text of the certificate to a text file.
   b. Copy that file to the read/write data directory of the adapter. For example: /var/ibm/isimcaacf2/data

2. At the Main menu of the certTool utility, type B. The following prompt is displayed:
   Enter name of certificate file:
   ------------------------------------------------

3. At Enter name of certificate file, type the full path to the certificate file and press Enter.

Results

The certificate is installed in the registry for the adapter, and the Main menu is displayed again.

Installing the certificate and key from a PKCS12 file:

If the certTool utility did not generate a CSR to obtain a certificate, you must install both the certificate and the private key.

About this task

The certificate and the private key are stored together in a PKCS12 file. The CA sends a PKCS12 file that has a .pfx extension. The file might be password-protected, and it includes both the certificate and the private key.

To install the certificate from the PKCS12 file, complete these steps:

Procedure

1. Copy the PKCS12 file to the data directory of the adapter.

2. At the Main menu of the certTool utility, type C. The following prompt is displayed:
   Enter name of PKCS12 file:
   ------------------------------------------------

3. At Enter name of PKCS12 file, type the full path to the PKCS12 file that has the certificate and private key information and press Enter. For example, type DamlSrvr.pfx.

4. At Enter password, type the password to access the file and press Enter.


Results

After you install the certificate and private key in the adapter registry, the certTool utility displays the Main menu. The PKCS12 file in the data directory still contains the private key; once the import has succeeded, restrict its permissions or delete that copy.

Viewing the installed certificate for the z/OS adapter:

To view the certificate that is installed on the adapter, type D at the Main Menu of certTool.

About this task

The utility displays the installed certificate and the Main Menu. The following example shows an installed certificate:

The following certificate is currently installed.
Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Installing a CA certificate for the z/OS adapter:

Use the certTool utility to install root CA certificates on the adapter.

About this task

If you use client authentication, you must install a CA certificate that is provided by a certificate authority vendor.

To install a CA certificate that was extracted in a temporary file, complete the following steps:

Procedure

1. At Main Menu, type F (Install a CA certificate). The following prompt is displayed:
   Enter name of certificate file:

2. At Enter name of certificate file, type the name of the certificate file, such as CAcert.der, and press Enter. The certificate file opens and the following prompt is displayed:
   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Install the CA? (Y/N)

3. At Install the CA, type Y to install the certificate and press Enter.

Results

The certificate file is installed in the DamlCACerts.pem file.

Viewing CA certificates:

Use the certTool utility to view the CA certificates that are installed on the adapter.

About this task

The certTool utility installs only one adapter certificate and one private key, but it can hold more than one CA certificate. Option E lists the CA certificates on the adapter.

Procedure

Type E at the Main Menu prompt.

Results

The certTool utility displays the installed CA certificates and the Main menu. The following example shows an installed CA certificate:

Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006

Deleting a CA certificate:

You can delete a CA certificate from the adapter directories.

Procedure

1. At Main Menu, type G to display a list of all CA certificates that are installed on the adapter.
   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
   Enter number of CA certificate to remove:

2. At Enter number of CA certificate to remove, type the number of the CA certificate that you want to remove and press Enter.

Results

After you delete the CA certificate from the DamlCACerts.pem file, the certTool utility displays the Main menu.

Registering a certificate for the z/OS adapter:

Use the certTool utility to register certificates on the adapter when the adapter must authenticate to an application.

About this task

Adapters that must authenticate the application to which they send information must have a registered certificate. An example of an application is the IBM Security Identity Manager server or the web server. Use this task to register certificates on the adapter.

For IBM Security Identity Manager version 4.5 or earlier, register the signed certificate of the IBM Security Identity Manager server with an adapter to enable client authentication on the adapter. If you do not upgrade an existing adapter to use CA certificates, you must likewise register the signed certificate that the server presents with the adapter.

Procedure

1. At the Main Menu prompt, type I to display the following prompt:
   Enter name of certificate file:

2. At Enter name of certificate file, type the name of the certificate file that you want to register and press Enter. The subject of the certificate is displayed, and a prompt is displayed:
   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Register this CA? (Y/N)

3. At Register this CA, type Y to register the certificate, and press Enter.

Results

After you register the certificate to the adapter, the certTool displays the Main menu.

Viewing registered certificates for the z/OS adapter:

The adapter accepts only the requests that present a registered certificate whenclient validation is enabled.

Procedure

To view a list of all registered certificates, type H on the Main Menu. The utility displays the registered certificates and the Main Menu. The following example shows a list of the registered certificates:

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Unregistering a certificate for the z/OS adapter:

You can unregister a certificate for the adapter.


Procedure

1. At the Main Menu prompt, type J to display the registered certificates. The following example shows a list of registered certificates:
   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file that you want to unregister and press Enter.
   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Unregister this CA? (Y/N)

3. At Unregister this CA, type Y to unregister the certificate and press Enter.

Results

After you remove the certificate from the list of registered certificates for the adapter, the certTool utility displays the Main menu.

Exporting a certificate and key to PKCS12 file:

You can export a certificate and key to a PKCS12 file.


Procedure

1. At the Main Menu prompt, type K to display the following prompt:
   Enter name of PKCS12 file:

2. At Enter name of PKCS12 file, type the name of the PKCS12 file that is to receive the installed certificate and private key, and press Enter.

3. At Enter Password, type the password for the PKCS12 file and press Enter.
4. At Confirm Password, type the password again and press Enter.

Results

After you export the certificate and private key to the PKCS12 file, the certTool displays the Main menu. The exported file contains the adapter's private key, so protect it as you would the key itself: use a strong password, store it only where the key is permitted to reside, and delete copies that you no longer need.



Chapter 5. Configuration notes

The IBM Security Identity Manager ACF2 Adapter can handle multiple requests simultaneously. Learn how the adapter processes specific attributes and requests and how it interacts with z/OS during the processing of some of the requests.

Passwords

IBM Security Identity Manager ACF2 Adapter 6.0.5 and later supports the reconciliation of password profile attributes. The following attributes are available:
• #PSWDCNT
• #PWD-TOD
• KEYFROM

All attributes are implemented as read-only and can only be modified with ACF2. The adapter is configured to replace the # sign in the attribute name with an additional P for internal usage. The account form on the IBM Security Identity Manager server uses the correct label to display the attribute value for a given account.

For example, attribute #PWD-TOD is displayed as #PWD-TOD on the IBM Security Identity Manager server on the account form for a specific account. In the adapter log file, the initialized attribute is referred to as PPWD-TOD. PPWD-TOD is also the name of the attribute provided in the ACF2 and IBM Security Identity Manager schema files used by the adapter.

Password phrases

IBM Security Identity Manager ACF2 Adapter 6.0.4 and later supports ACF2 pass phrases.

A pass phrase in ACF2 is an authentication mechanism that allows the secret string to be between 9 and 100 characters. When passwords are set from the IBM Security Identity Manager server, a string of 8 characters or fewer is treated as a password, and a string of more than 8 characters is treated as a pass phrase.

Only one authentication mechanism is available to the user at a time. To ensure compatibility with all ACF2 password and pass phrase configuration options, adapter versions 6.0.7 and higher set NOPWPALLOW when assigning a new password to an ACF2 logonid. When assigning a new pass phrase to an ACF2 logonid, both PWPALLOW and the new phrase are set. This allows both the password and the pass phrase to be used to gain access to the system. If both a password and a pass phrase are supplied, the password is ignored.

When you use the IBM Security Identity Manager server to add a new ACF2 logonid:
• If a password is received, the adapter sets the password for the new logonid to the value received from the IBM Security Identity Manager server.
• If a pass phrase is received, the adapter sets the pass phrase for the logonid to the value received from the IBM Security Identity Manager server. The adapter does not set PWPALLOW, because it is assumed that the administrator who creates the account specifies PWPALLOW when requesting the new ACF2 logonid, in the same or a subsequent request from the IBM Security Identity Manager server.

Ensure that the ACF2 pass phrase requirements are included in the IBM Security Identity Manager server rules for passwords. Otherwise, ACF2 might reject the specified pass phrase. These pass phrase requirements include setting the password string policy to have more than 8 characters.
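As an added example, not part of the IBM guide, the following Python mirrors the classification rule and the PWPALLOW handling described above, and checks an IBM Security Identity Manager password-policy length range against the ACF2 boundaries, so that a policy cannot generate values that ACF2 rejects or that silently land on the other side of the 8-character boundary. The function names and the (min_len, max_len) representation of a policy are assumptions of this example.

```python
"""Added example: mirror the ACF2 adapter's password / pass phrase rules.

Boundaries come from the guide: 8 characters or fewer is a password,
9 to 100 characters is a pass phrase. Function names and the
(min_len, max_len) policy shape are assumptions of this example.
"""

PASSWORD_MAX = 8
PHRASE_MIN = 9
PHRASE_MAX = 100


def classify_secret(secret: str) -> str:
    """Return "password" or "passphrase" as the adapter would treat `secret`.

    Raises ValueError for values ACF2 cannot accept at all (empty, or longer
    than the pass phrase maximum).
    """
    n = len(secret)
    if n == 0:
        raise ValueError("empty secret")
    if n <= PASSWORD_MAX:
        return "password"
    if n <= PHRASE_MAX:
        return "passphrase"
    raise ValueError(f"{n} characters exceeds the {PHRASE_MAX}-character pass phrase limit")


def pwpallow_after_change(secret: str, new_logonid: bool = False):
    """Model what adapter 6.0.7 and later leaves in the PWPALLOW field.

    Returns False (NOPWPALLOW set) for a password, True (PWPALLOW set) for a
    pass phrase on an existing logonid, and None when the adapter leaves the
    field alone: a pass phrase on a newly created logonid, where the
    administrator is expected to supply PWPALLOW in the same or a later request.
    """
    kind = classify_secret(secret)
    if kind == "password":
        return False
    return None if new_logonid else True


def check_policy_lengths(min_len: int, max_len: int) -> list:
    """Findings for an ISIM password-policy length range versus ACF2 limits.

    An empty list means every value the policy can produce is a pass phrase
    that ACF2 accepts (or every value is a password, which is reported).
    """
    findings = []
    if min_len < 1 or max_len < min_len:
        return ["invalid range"]
    if max_len > PHRASE_MAX:
        findings.append(f"max {max_len} > {PHRASE_MAX}: ACF2 rejects longer pass phrases")
    if min_len <= PASSWORD_MAX < max_len:
        findings.append(
            "range straddles the 8-character boundary: values of 8 characters or "
            "fewer become passwords (NOPWPALLOW), longer ones become pass phrases"
        )
    if max_len <= PASSWORD_MAX:
        findings.append("every value is a password; pass phrases are never set")
    return findings


if __name__ == "__main__":
    for secret in ("abc12345", "correct horse battery"):
        print(secret, classify_secret(secret), pwpallow_after_change(secret))
    print(check_policy_lengths(6, 12))
```

The straddling check is the one that bites in practice: a policy with a minimum of 6 and a maximum of 12 is valid in IBM Security Identity Manager, but half of its values set a password with NOPWPALLOW and the other half set a pass phrase with PWPALLOW, so the logonid's accepted mechanism flips from change to change.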

OMVS AUTOUID

IBM Security Identity Manager ACF2 Adapter 6.0.6 and later supports auto-assignment of OMVS UIDs using AUTOUID.

When you create a user in the IBM Security Identity Manager server account form, enter AUTOUID (case sensitive) in the UID attribute field, where you would otherwise specify a number, as in INSERT IBMUSER UID(2345).

When the adapter receives the string AUTOUID from the IBM Security Identity Manager server, the adapter runs the following command:
INSERT <USER> AUTOUID

For example:
INSERT IBMUSER AUTOUID

Custom boolean attributes

The ACF2 adapter supports custom boolean attributes that are defined as
• <PRIVILEGENAME> when the privilege is granted to a user, or
• NO<PRIVILEGENAME> when the user has not been granted the privilege.

For example, MYCICS or NOMYCICS is specified for a specific ACF2 logonid.

Temporary data set creation

In IBM Security Identity Manager ACF2 Adapter 6.0.3 and later, temporary data sets that are generated during reconciliation use the adapter logonid as their high-level qualifier (HLQ) instead of the generic HLQ. As a result, the data sets are cataloged in the user catalog of the adapter logonid.

TimeZones

The ACF2 Adapter converts all date values to UTC before forwarding them to the ISIM server. It uses the TZ environment variable, which is specified in the environment settings of the adapter account, as the offset to convert from the local time zone to UTC. When no offset is specified, the adapter assumes that the received date can be returned as UTC without any further conversion; local times are then reported as if they were UTC, shifted by the local offset.
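As an added example, not part of the IBM guide, the following Python applies a POSIX TZ string to a local timestamp the way the adapter's environment setting is used, and shows the skew that results when TZ is left unset and a local time is passed through as UTC. It relies on the C library's TZ parsing through time.tzset, so it runs on UNIX systems only; the function names are this example's own.

```python
"""Added example: reproduce the adapter's local-time to UTC handling.

The adapter converts date values to UTC using the TZ setting of its
environment. This example applies a POSIX TZ string (the form z/OS UNIX
System Services uses) the same way, via the C library, and shows the
skew you get when TZ is not set. Function names are this example's own.
"""
import os
import time
from datetime import datetime, timezone
from typing import Optional


def local_to_utc(local: datetime, tz: Optional[str]) -> datetime:
    """Convert a naive local timestamp to an aware UTC datetime.

    `tz` is a POSIX TZ string such as "EST5EDT,M3.2.0,M11.1.0". When it is
    None or empty the value is passed through and merely labelled UTC,
    which is what the adapter does when no offset is configured.
    """
    if not tz:
        return local.replace(tzinfo=timezone.utc)
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()                      # make libc re-read TZ (UNIX only)
    try:
        # A naive datetime yields tm_isdst = -1, so libc decides whether
        # daylight saving applies on that date.
        epoch = time.mktime(local.timetuple())
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def to_utc_iso(local_iso: str, tz: Optional[str]) -> str:
    """String wrapper: "2014-01-15T10:00:00" with EST -> "2014-01-15T15:00:00Z"."""
    local = datetime.strptime(local_iso, "%Y-%m-%dT%H:%M:%S")
    return local_to_utc(local, tz).strftime("%Y-%m-%dT%H:%M:%SZ")


def skew_hours(local_iso: str, tz: str) -> float:
    """Hours by which a reconciled date would be wrong if TZ were left unset."""
    local = datetime.strptime(local_iso, "%Y-%m-%dT%H:%M:%S")
    correct = local_to_utc(local, tz)
    unconverted = local_to_utc(local, None)
    return (correct - unconverted).total_seconds() / 3600


if __name__ == "__main__":
    eastern = "EST5EDT,M3.2.0,M11.1.0"
    for stamp in ("2014-01-15T10:00:00", "2014-07-15T10:00:00"):
        print(stamp, "->", to_utc_iso(stamp, eastern),
              "skew if TZ unset:", skew_hours(stamp, eastern), "h")
```

z/OS UNIX System Services takes TZ in the same POSIX form (for example EST5EDT,M3.2.0,M11.1.0), so the value you intend to put in the adapter's environment can be checked with this code against a known date before you rely on reconciled timestamps such as ACC-DATE or PSWD-TOD during an investigation.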


Chapter 6. Adapter error troubleshooting

Troubleshooting is the process of determining why a product does not function asit is designed to function.

This topic provides information and techniques for identifying and resolvingproblems related to the CA ACF2 Adapter.

Note: If a problem is encountered, enable all levels of activity logging (debug, detail, base, and thread). The adapter log contains the main source of troubleshooting information. See “Changing activity logging settings” on page 36.

Troubleshooting techniques

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. Certain common techniques can help with the task of troubleshooting.

The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:
• What are the symptoms of the problem?
• Where does the problem occur?
• When does the problem occur?
• Under which conditions does the problem occur?
• Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
• Who, or what, is reporting the problem?
• What are the error codes and messages?
• How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.


The following questions help you to focus on where the problem occurs to isolate the problem layer:
• Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
• Is the current environment and configuration supported?
• Do all users have the problem?
• (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
• Does the problem happen only at a certain time of day or night?
• How often does the problem happen?
• What sequence of events leads up to the time that the problem is reported?
• Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
• Does the problem always occur when the same task is being performed?
• Does a certain sequence of events need to happen for the problem to occur?
• Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related.


Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: if the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
• Can the problem be re-created on a test system?
• Are multiple users or applications encountering the same type of problem?
• Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix D, “Support information,” on page 87.

Warning and error messages

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

The following table contains warnings or errors that might be displayed on the user interface if the adapter is installed on your workstation.

Table 21. Error messages, warnings, and corrective actions

Error message or warning: CTGIMU107W The connection to the specified service cannot be established. Verify the service information, and try again.

   Additional message: An IO error occurred while sending a request. Error: Connection refused: connect
   Corrective action: Ensure that the adapter service is running. For more information about starting the adapter service, see “Starting and stopping the adapter” on page 11.

   Additional message: The adapter returned an error status for a bind request. Status code: invalid credentials adapter error message: Authentication Failed
   Corrective action: Check that the adapter authentication ID and password match the installed values. See the screen for Adapter-specific parameters in the task “Running the ISPF dialog” on page 6.

   Additional message: An IO error occurred while sending a request. Error: com.ibm.daml.jndi.JSSESocketConnection.HANDSHAKE_FAILED:
   Corrective action: If SSL is enabled, check the configuration. See “SSL authentication configuration for the z/OS adapter” on page 48. The adapter log contains details about the certificates loaded during initialization. Compare the CA certificates that certTool option E lists with the issuer of the certificate that the server presents; the adapter accepts only servers whose certificate is validated by an installed CA certificate.

Error message or warning: caacfAdd: User userid add Successful. Some attributes could not be modified.
   Corrective action: This warning occurs when a user is created but some additional attributes failed. For more information, see the adapter log file.

Error message or warning: caacf2Modify: Some attributes unsuccessful.
   Corrective action: This warning occurs when a user is modified but some additional attributes failed. For more information, see the adapter log file.

Error message or warning: caacf2Modify: All attributes unsuccessful.
   Corrective action: The modify request failed to set the attributes on the managed resource. For more information, see the adapter log file.

Error message or warning: caacf2Search: Reconciliation did not return at least 1 Logonid.
   Corrective action: During the reconciliation request, no Logonids were returned. For more information, see the MVS system log and the adapter log.

Adapter log files

When the adapter is initially configured, a default directory is selected to store the log files, which contain activity from the adapter.

The log files are kept in the USS file system, under the installation path of the adapter, in the read/write log subdirectory.

The adapter log name is the adapter instance name, followed by an extension of .log. When the extension is .log, it is the current log file. Old log files have a different extension, for example, .log_001, .log_002, and .log_003.

For example, if the installation path name for the read/write directory is /var/ibm/isimcaacf2 and the configured adapter name is caacf2agent, the log files are in the /var/ibm/isimcaacf2/log/ directory. One or more files named CAACF2Agent.log exist. For example:
• /var/ibm/isimcaacf2/log/CAACF2Agent.log_001
• /var/ibm/isimcaacf2/log/CAACF2Agent.log_002
• /var/ibm/isimcaacf2/log/CAACF2Agent.log_003

You can use the USS obrowse command, tail, or any other UNIX-based utility to inspect these adapter logs.

The size of a log file, the number of log files, the directory path, and the detailed level of logging are configured with the agentCfg program. For more information, see “Adapter configuration for IBM Security Identity Manager” on page 19.

Adapter SSL information collection for support requests

If you need to contact support for an SSL problem, first gather the necessary information.

This information assumes the VTAM® APPLIDs and user IDs indicated in the installation guide. Replace these APPLIDs and user IDs with the IDs you selected for the adapter installation.
• The CA ACF2 Adapter log file, from the USS file system.
• An excerpt from the MVS SYSTEM log, from the same time frame as the failure.
• A screen capture of the ACF2 service form, describing the connection to this adapter.

• A display from the adapter utility agentCfg describing the adapter parameters: F. Registry Settings -> A. Modify Non-encrypted registry settings

• The results from the following job (include all the output produced). A CA ACF2 administrator with authority to view all the indicated profiles must run this job.

//ACF2LIST JOB ACCT,IBM,CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//TMP      EXEC PGM=IKJEFT01,REGION=0K
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
SET LID
LIST ISIAGNT
LIST ISIAGNT PROFILE(ALL)

ISIAGNT is the name of the adapter started task.

For information about obtaining support, see Appendix D, “Support information,” on page 87.

Known issues and limitations

A problem might occur because certain restrictions exist for CA ACF2. The information in this topic identifies known issues that you might encounter.

Read-only attributes

The CA ACF2 schema is customizable and the list of read-only attributes might be unique for your system. The standard list includes:
• ACC-CNT
• ACC-DATE
• ACC-SRCE
• CRE-TOD
• CSDATE
• CSWHO
• GRP-USER
• HOMENODE
• KERBCURV
• LID
• PSWD-MIX
• PSWD-SRC
• PSWD-TOD
• UID
• UPD-TOD
• #PSWDCNT
• #PWD-TOD
• KEYFROM
• PWP-HST
• PWP-TOD
• PWPA1TOD


Unsupported data segments

This version of the adapter does not support the following data segments:
• DCE
• KERB
• KERBLINK
• KEYRING
• LINUX
• OPERPARM

Special characters in the attribute names

For password profile attributes, the adapter is configured to replace the # sign in the attribute name with an additional P for internal usage. The account form on the IBM Security Identity Manager server uses the correct label to display the attribute value for a given account. For example, attribute #PWD-TOD is displayed as #PWD-TOD on the IBM Security Identity Manager server on the account form for a specific account. In the adapter log file, the initialized attribute is referred to as PPWD-TOD, which is also the name of the attribute provided in the ACF2 and IBM Security Identity Manager schema files used by the adapter.

Adapter installation generates a schema to be incorporated into the adapter profile, and a matching cross-reference table for the adapter task. After they are generated, the schema and cross-reference table files must be scanned for attribute names that contain any of the characters -, $, or *. Those characters must be replaced with an alphanumeric character. The adapter profile does not install correctly if attribute names contain any of these characters.

Before building and importing the profile, you must scan the generated ISIMSCHM file and replace all references to the invalid attribute name. For example:

<!-- ******************************************************** -->
<!-- erAcf2ICLASS* -->
<!-- ******************************************************** -->
<attribute-type single-value = "true" >
<name>erAcf2ICLASS*</name>
<description>ICLASS-* in segment BASE</description>
<objectidentifier>1.3.6.1.4.1.6054.3.156.1.120</objectidentifier>
<objectidentifier>erAcf2ICLASS*-oid</objectidentifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
...
<attribute ref = "erAcf2ICLASS*" required = "false" />

Replace the * with a:

<!-- ******************************************************** -->
<!-- erAcf2ICLASSa -->
<!-- ******************************************************** -->
<attribute-type single-value = "true" >
<name>erAcf2ICLASSa</name>
<description>ICLASS-* in segment BASE</description>
<objectidentifier>1.3.6.1.4.1.6054.3.156.1.120</objectidentifier>
<objectidentifier>erAcf2ICLASSa-oid</objectidentifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
...
<attribute ref = "erAcf2ICLASSa" required = "false" />


The generated cross-reference file ACF2SCHM must be updated so that the attribute names match. The ACF2 field names must be left untouched. For example, change

ICLASS-* erAcf2ICLASS* BASE BINARY S * * 000004 0003

to

ICLASS-* erAcf2ICLASSa BASE BINARY S * * 000004 0003

Note:

• Attribute names must not be duplicated. Be sure that the attribute name you are creating does not exist.
• Attribute names are restricted to 14 characters. Replace one existing character with one new character.



Chapter 7. Upgrading the adapter

For specific instructions about upgrading the adapter, see the adapter release notes.



Chapter 8. Uninstalling the adapter

Uninstalling the adapter involves tasks such as removing the started task JCL and removing the directories from the UNIX System Services (USS) environment.

About this task

To uninstall the adapter, perform the following steps:

Procedure

1. Stop the adapter, if it is running. See "Starting and stopping the adapter" on page 11.
2. Remove the started task JCL from the system procedure library.
3. Remove the read-only and read/write directories from the z/OS USS environment.
4. Remove the CNTL, EXEC, and LOAD libraries that are related to the adapter.
5. Remove the ISPF dialog libraries for customization.


Chapter 9. Adapter reinstallation

There are no special considerations for reinstalling the adapter. You do not need to remove the adapter before reinstalling.

For more information, see Chapter 7, “Upgrading the adapter,” on page 75.


Appendix A. Adapter attributes

The CA ACF2 for z/OS schema is modifiable, which makes the adapter dynamic. The ACF2 installation augments the ACF2 schema before the installation. The augmentation in the schema varies depending on the operating system settings. In this case, you must configure the adapter to support the additional attributes defined in the schema.

The adapter installation process extracts the ACF2 schema and stores it for use at run time. The installation process builds the schema.dsml file. You must merge the schema.dsml file into the CAACF2Profile.jar file before importing the profile to the IBM Security Identity Manager server.

The following table describes the format of the schema file.

Table 22. Schema file format

Column   Meaning                                              Value
1-8      The ACF2 native attribute name.                      -
10-24    The IBM Security Identity Manager attribute name.    -
26-33    The segment name.                                    For the ACF2 LID attributes, they are marked as BASE.
35-42    The attribute type.                                  CHAR, BOOLEAN, BINARY, HEX, FULLTOD, PACKDATE
44       The single or multi-valued attribute.                S for single and M for multi-valued.
46       The quotable attributes.                             Q for quoted and * for non-quoted.
48       The null fields.                                     If N is denoted, the field has a null value.
50-55    The internal ACF2 attribute length.                  -
57-60    The ACF2 group number assigned to this attribute.    -

The following table shows an example of an ACF2SCHM file that is created during the adapter installation.

Table 23. Example of an ACF2SCHM file

ACF2 native    IBM Security Identity   Segment   Attribute   Single or      Quoted      Nullable   Internal ACF2      ACF2 group number
attribute name Manager attribute name  name      type        multi-valued   attribute   field      attribute length   assigned to this attribute
ACC-CNT        erAcf2ACCCNT            BASE      BINARY      S              *           *          000004             0003
ACC-DATE       erAcf2ACCDATE           BASE      FULLTOD     S              *           *          000008             0003
ACC-SRCE       erAcf2ACCSRCE           BASE      CHAR        S              *           *          000008             0003
ACCOUNT        erAcf2ACCOUNT           BASE      BOOLEAN     S              *           *          000001             0002
ATTR2          erAcf2ATTR2             BASE      HEX         S              *           *          000002             0005
CSDATE         erAcf2CSDATE            BASE      PACKDATE    S              *           *          000004             0001
OPCLASS        erAcf2OPCLASS           CICS      BINARY      M              *           *          000001             0000
ASSIZE         erAcf2ASSIZE            OMVS      BINARY      S              *           *          000004             0004
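The following Python script is an added example, not code from the IBM guide or the adapter: it applies the attribute rename of Chapter 6 consistently to both generated files, reading ACF2SCHM by the Table 22 column positions, deriving a valid name for each IBM Security Identity Manager attribute name that contains an invalid character, enforcing the 14-character and no-duplicate rules, and rewriting only the ISIM name column of ACF2SCHM plus every reference in the ISIMSCHM DSML. It assumes that ISIM attribute names follow the LDAP attribute-type naming rule (a letter followed by letters, digits or hyphens); the sample ACF2SCHM and ISIMSCHM lines are constructed from Table 23 and the Chapter 6 example.

```python
"""Added example (not from the IBM guide): rename an invalid ISIM attribute
name consistently in ACF2SCHM (Table 22 columns) and in the ISIMSCHM DSML."""
import re

# Table 22 column ranges (1-based, inclusive) expressed as Python slices.
FIELDS = {
    "acf2_name": slice(0, 8),    # columns 1-8: ACF2 native attribute name
    "isim_name": slice(9, 24),   # columns 10-24: ISIM attribute name
    "segment":   slice(25, 33),  # columns 26-33: BASE for LID attributes
    "attr_type": slice(34, 42),  # columns 35-42: CHAR, BOOLEAN, BINARY, ...
    "multi":     slice(43, 44),  # column 44: S single / M multi-valued
    "quoted":    slice(45, 46),  # column 46: Q quoted / * non-quoted
    "nullable":  slice(47, 48),  # column 48: N if the field may be null
    "length":    slice(49, 55),  # columns 50-55: internal ACF2 length
    "group":     slice(56, 60),  # columns 57-60: ACF2 group number
}
MAX_NAME_LEN = 14  # limit stated in the Chapter 6 note
# Assumption: ISIM attribute names follow the LDAP attribute-type naming rule
# (a letter, then letters, digits or hyphens), so '*' is invalid.
VALID_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def parse_acf2schm(text):
    """Split every non-blank ACF2SCHM line into its Table 22 fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            padded = line.ljust(60)
            records.append({k: padded[s].strip() for k, s in FIELDS.items()})
    return records

def plan_renames(records, replacement="a"):
    """Map each invalid ISIM name to a valid one (one character for one),
    refusing names that would be too long or duplicate an existing name."""
    in_use = {r["isim_name"] for r in records}
    mapping = {}
    for name in sorted(in_use):
        if VALID_NAME.match(name):
            continue
        new = "".join(c if c.isascii() and (c.isalnum() or c == "-")
                      else replacement for c in name)
        if not VALID_NAME.match(new) or len(new) > MAX_NAME_LEN:
            raise ValueError(f"no valid name derived from {name!r}: {new!r}")
        if new in in_use or new in mapping.values():
            raise ValueError(f"{new!r} already exists; choose another character")
        mapping[name] = new
    return mapping

def rewrite_acf2schm(text, mapping):
    """Rewrite only the ISIM name column; the ACF2 field names stay untouched."""
    out = []
    for line in text.splitlines():
        if line.strip():
            padded = line.ljust(60)
            old = padded[FIELDS["isim_name"]].strip()
            if old in mapping:
                line = padded[:9] + mapping[old].ljust(15) + padded[24:]
        out.append(line.rstrip())
    return "\n".join(out) + "\n"

def rewrite_isimschm(text, mapping):
    """Replace every DSML reference (<name>, the -oid identifier, <attribute ref>)."""
    for old in sorted(mapping, key=len, reverse=True):  # longest first: no prefix clash
        text = text.replace(old, mapping[old])
    return text

def fix_schema_files(acf2schm, isimschm, replacement="a"):
    mapping = plan_renames(parse_acf2schm(acf2schm), replacement)
    return mapping, rewrite_acf2schm(acf2schm, mapping), rewrite_isimschm(isimschm, mapping)

def acf2schm_row(acf2, isim, seg, typ, multi, quoted, null, length, group):
    """Lay one record out in the Table 22 columns (used to build the sample)."""
    return (f"{acf2:<8} {isim:<15} {seg:<8} {typ:<8} {multi} {quoted} {null} "
            f"{length:>6} {group:>4}")

# Constructed sample input: rows from Table 23 plus the ICLASS-* case of Chapter 6.
SAMPLE_ACF2SCHM = "\n".join([
    acf2schm_row("ACC-CNT", "erAcf2ACCCNT", "BASE", "BINARY", "S", "*", "*", "000004", "0003"),
    acf2schm_row("ICLASS-*", "erAcf2ICLASS*", "BASE", "BINARY", "S", "*", "*", "000004", "0003"),
    acf2schm_row("OPCLASS", "erAcf2OPCLASS", "CICS", "BINARY", "M", "*", "*", "000001", "0000"),
]) + "\n"

SAMPLE_ISIMSCHM = """\
<attribute-type single-value = "true" >
<name>erAcf2ICLASS*</name>
<description>ICLASS-* in segment BASE</description>
<objectidentifier>1.3.6.1.4.1.6054.3.156.1.120</objectidentifier>
<objectidentifier>erAcf2ICLASS*-oid</objectidentifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
<attribute ref = "erAcf2ICLASS*" required = "false" />
"""

if __name__ == "__main__":
    mapping, schm, dsml = fix_schema_files(SAMPLE_ACF2SCHM, SAMPLE_ISIMSCHM)
    print(mapping, schm, dsml, sep="\n")  # mapping: {'erAcf2ICLASS*': 'erAcf2ICLASSa'}
```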


Appendix B. Registry settings

The following table lists valid registry options, their values, and meanings.

Table 24. Registry settings and additional information

Option attribute   Default value   Valid value         Function and meaning                                          Required?
DATAFORMAT         None            3 characters        The date format for this attribute must match the             Yes
                                                       configured date format in ACF2.
PASSEXPIRE         TRUE            TRUE or FALSE       This attribute is the default action that the adapter must    No
                                                       perform when the adapter receives a password change
                                                       request. TRUE indicates that passwords must be set as
                                                       expired. FALSE indicates that passwords must be set as
                                                       non-expired.
SYSEXEC            None            1 - 44 characters   This attribute identifies the adapter EXEC library.           Yes


Appendix C. Environment variables

The following table contains valid environment variables, their meanings or usages, and values for the CA ACF2 Adapter.

Table 25. CA ACF2 Adapter environment variables

Environment variable   Meaning or use                                       Default value               Required?
PROTOCOL_DIR           Specify the location of adapter protocol modules,    LIBPATH                     No
                       for example, the ./lib directory.
REGISTRY               Specify the location of a specific registry file.    Current working directory   No
                       The registry path is the fully qualified path and
                       the file name of the registry file. The registry
                       name is the adapter name in upper case, with .dat
                       suffixed to the name.
PDU_ENTRY_LIMIT        Specify the maximum number of accounts that are      3000                        No
                       kept in the main storage.
LIBPATH                Specify the location of the Dynamic Link Library     -                           Yes
                       (DLL) and .so files.


Appendix D. Support information

You have several options to obtain support for IBM products.

- "Searching knowledge bases"
- "Obtaining a product fix" on page 88
- "Contacting IBM Support" on page 88

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.

2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.

3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).

4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.

5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

Tip: Include "IBM" and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the "Download package" section.
4. Apply the fix. Follow the instructions in the "Installation Instructions" section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the "Software Support Handbook".

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.

2. Gather diagnostic information.

3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA): Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix E. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.

- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:

- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled "Cookies, Web Beacons and Other Technologies" and "Software Products and Software-as-a Service".


Printed in USA

SC27-4383-01