Novell Identity Manager Driver For Mainframes: RACF*


Implementation Guide

Novell Identity Manager Driver for Mainframes: RACF* 4.0
October 15, 2010
www.novell.com

Identity Manager 4.0 Driver for Mainframes: RACF Implementation Guide
novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION

Legal Notices

Novell, Inc. and Omnibond Systems, LLC. make no representations or warranties with respect to the contents or use of this documentation, and specifically disclaim any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. and Omnibond Systems, LLC. reserve the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. and Omnibond Systems, LLC. make no representations or warranties with respect to any software, and specifically disclaim any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. and Omnibond Systems, LLC. reserve the right to make changes to any and all parts of the software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2006-2010 Omnibond Systems, LLC. All rights reserved. Licensed to Novell, Inc. Portions copyright 2006-2010 Novell, Inc. All rights reserved.

No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list.

Third-Party Materials

All third-party trademarks are the property of their respective owners.


Contents

About This Guide

1 Overview
  1.1 Driver Architecture
    1.1.1 Component Summary
    1.1.2 Component Discussion
  1.2 Configuration Overview
    1.2.1 Data Flow
    1.2.2 OMVS Information Management
    1.2.3 TSO Information Management
    1.2.4 Filter and Schema Mapping
    1.2.5 RACF Password Phrases
    1.2.6 Policies

2 Planning for the RACF Driver
  2.1 Deployment Planning
  2.2 Migration Planning
  2.3 Customization Planning
  2.4 Establishing a Security-Equivalent User

3 Installing the RACF Driver
  3.1 Before You Begin
  3.2 Required Knowledge and Skills
  3.3 Prerequisites
    3.3.1 Connected System Requirements
    3.3.2 Identity Vault Requirements
  3.4 Getting the Installation Files
  3.5 Extending the Schema for Identity Manager
  3.6 Installing the Java Class File on the Metadirectory Server
    3.6.1 Removing Old RACF Driver Class Files
    3.6.2 Installing New RACF Driver Class Files
  3.7 Setting Up the Driver on the Metadirectory Server
  3.8 Installing the Driver Shim on the Connected System
    3.8.1 Setting Up the Libraries on Your z/OS System
    3.8.2 Authorizing the Driver TSO Commands
    3.8.3 Securing the Driver Shim with SSL
    3.8.4 Configuring the Remote Loader and Driver Object Passwords
    3.8.5 Allocating and Initializing the Change Log Data Set
    3.8.6 Setting Up the Started Tasks
    3.8.7 Testing before Installing the Security System Exit
    3.8.8 Installing the Driver Security System Exits
    3.8.9 Testing the Completed Connected System Installation
  3.9 Post-Installation Tasks
  3.10 Uninstalling the Driver
    3.10.1 Uninstalling the Security System Exits
    3.10.2 Uninstalling the Driver Shim
    3.10.3 Uninstalling the Driver Object from eDirectory

4 Upgrading the Driver
  4.1 Updating from the Fan-Out Driver
    4.1.1 Preparing for Migration
    4.1.2 Migrating Fan-Out Driver Platform Services to the RACF Driver
    4.1.3 Configuring the Driver
    4.1.4 Post-Migration Tasks
  4.2 Upgrading from the Java-Based RACF Driver
    4.2.1 Upgrading the RACF Event Subsystem
    4.2.2 Upgrading the Identity Vault Components

5 Configuring the RACF Driver
  5.1 Driver Parameters and Global Configuration Values
    5.1.1 Setting Properties during Driver Import
    5.1.2 Driver Configuration Page
    5.1.3 Global Configuration Values Page
  5.2 The Driver Shim Configuration File
  5.3 Setting the Remote Loader and Driver Object Passwords
    5.3.1 Connected System
    5.3.2 Identity Vault
  5.4 Migrating Identities
    5.4.1 Migrating Identities from the Identity Vault to the Connected System
    5.4.2 Migrating Identities from the Connected System to the Identity Vault
    5.4.3 Synchronizing the Driver
  5.5 International Considerations

6 Customizing the RACF Driver
  6.1 The Scriptable Framework
    6.1.1 Modifying a REXX Exec
  6.2 The Connected System Schema File
    6.2.1 Schema File Syntax
    6.2.2 Example Schema File
  6.3 The Connected System Include/Exclude File
    6.3.1 Include/Exclude Processing
    6.3.2 Include/Exclude File Syntax
    6.3.3 Example Include/Exclude Files
  6.4 Managing Additional Attributes
    6.4.1 Modifying the Filter

7 Using the RACF Driver
  7.1 Starting and Stopping the Driver
  7.2 Starting and Stopping the Change Log Started Task
  7.3 Starting and Stopping the Driver Shim Started Task
  7.4 Displaying Driver Shim Status
  7.5 Changing the Driver Shim Trace Level
  7.6 Monitoring Driver Messages

8 Securing the RACF Driver
  8.1 Using SSL
  8.2 Physical Security
  8.3 Network Security
  8.4 Auditing
  8.5 Driver Security Certificates
  8.6 Driver REXX Execs
  8.7 The Change Log
  8.8 Driver Passwords
  8.9 Driver Code
  8.10 Administrative Users
  8.11 Connected Systems

A Troubleshooting
  A.1 Driver Status and Diagnostic Files
    A.1.1 The System Log
    A.1.2 The Trace File
    A.1.3 The REXX Exec Output File
    A.1.4 DSTRACE
    A.1.5 The Status Log
    A.1.6 The Operational Log
    A.1.7 Change Log Started Task Message Log
  A.2 Troubleshooting Common Problems
    A.2.1 Driver Shim Installation Failure
    A.2.2 Driver Rules Installation Failure
    A.2.3 Schema Update Failure
    A.2.4 Driver Certificate Setup Failure
    A.2.5 Driver Start Failure
    A.2.6 Driver Shim Startup or Communication Failure
    A.2.7 Users or Groups Are Not Provisioned to the Connected System
    A.2.8 Users or Groups Are Not Provisioned to the Identity Vault
    A.2.9 Identity Vault User Passwords Are Not Provisioned to the Connected System
    A.2.10 Connected System User Passwords Are Not Provisioned to the Identity Vault
    A.2.11 Users or Groups Are Not Modified, Deleted, Renamed, or Moved
    A.2.12 Change Log Errors

B System and Error Messages
  CFG Messages
  DOM Messages
  DRVCOM Messages
  HES Messages
  LDX0 Messages
  LDXL Messages
  LDXS Messages
  LDXU Messages
  LDXV Messages
  LWS Messages
  NET Messages
  RDXML Messages

C Technical Details
  C.1 Driver Shim Command Line Options
    C.1.1 Options Used to Set Up Driver Shim SSL Certificates
    C.1.2 Other Options
  C.2 SAFQUERY Tool
  C.3 LDXSERV Tool
    C.3.1 STATUS
    C.3.2 GETNEXT
    C.3.3 MARKDONE
  C.4 Performance Information
    C.4.1 Configuration Information
    C.4.2 Performance Metrics
    C.4.3 Idle Performance
    C.4.4 Subscriber Performance
    C.4.5 Publisher Performance

About This Guide

This guide explains implementation of the Novell Identity Manager 4.0 driver for RACF on mainframes (z/OS* operating system).

The driver synchronizes data from a connected mainframe system using RACF, the IBM* security system, with Novell Identity Manager 4.0, the comprehensive identity management suite that allows organizations to manage the full user life cycle, from initial hire, through ongoing changes, to ultimate retirement of the user relationship.

This guide includes the following sections:

- Chapter 1, "Overview," on page 11
- Chapter 2, "Planning for the RACF Driver," on page 23
- Chapter 3, "Installing the RACF Driver," on page 27
- Chapter 4, "Upgrading the Driver," on page 41
- Chapter 5, "Configuring the RACF Driver," on page 49
- Chapter 6, "Customizing the RACF Driver," on page 61
- Chapter 7, "Using the RACF Driver," on page 75
- Chapter 8, "Securing the RACF Driver," on page 77
- Appendix A, "Troubleshooting," on page 81
- Appendix B, "System and Error Messages," on page 89
- Appendix C, "Technical Details," on page 111

Audience

This guide is for system administrators and others who plan, install, configure, and use the Identity Manager bidirectional driver for RACF. It assumes that you are familiar with Identity Manager, Novell eDirectory, and the administration of systems and platforms you connect to Identity Manager.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to the Novell Documentation Feedback site and enter your comments there.

Documentation Updates

For the most recent version of this guide, visit the Identity Manager 4.0 Drivers Documentation Web site.

Additional Documentation

For additional documentation about Identity Manager drivers, see the Identity Manager 4.0 Drivers Documentation Web site.

For additional documentation about Identity Manager, see the Identity Manager 4.0 Documentation Web site (http://www.novell.com/documentation/idm40).

For documentation about other related Novell products, such as eDirectory and iManager, see the Novell Documentation Web site's product index.

Documentation Conventions

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.

When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.

1 Overview

The Novell Identity Manager 4.0 driver for RACF synchronizes data between Identity Manager and a RACF installation on a connected mainframe. Identity Manager, installed on any Identity Manager-supported platform, communicates with the driver on the target z/OS system over a secure network link.

The driver gives you access to RACF user and group attributes in accordance with the z/OS RACF schema. The driver also allows you to issue arbitrary TSO commands on the z/OS system. Identity Manager gives you access to eDirectory objects and their attributes via its Identity Vault.

The driver uses embedded Remote Loader technology to communicate with Identity Manager, bidirectionally synchronizing changes between the Identity Vault and RACF. It implements this technology using its own embedded Remote Loader component as part of the main driver shim, which runs as a started task on the connected z/OS system.

The driver shim's Subscriber function commits changes to RACF using customizable REXX execs that issue native TSO commands through the z/OS service routine IKJEFTSR. This flexible interface provides the option for implementing additional business logic through REXX programming.

The driver shim's Publisher function uses standard security system exit routines to capture events of interest and submits them to the Identity Manager Metadirectory engine.

The Identity Manager 4.0 driver for RACF combines the flexibility of the Fan-Out driver and the bidirectional support and Identity Manager policy options available from traditional Identity Manager drivers.

Key features of the driver include:

- Bidirectional synchronization of data
- Customizable schema to integrate all aspects of account administration
- Customizable REXX execs to handle all data to be synchronized
- Driver shim implemented as a traditional z/OS started task
- Operator command control for starting and stopping the driver shim, configuring Remote Loader options, and displaying status information
- Support for RACF passwords and password phrases

The following sections present a basic overview of the driver:

- Section 1.1, "Driver Architecture," on page 11
- Section 1.2, "Configuration Overview," on page 18

1.1 Driver Architecture

The driver synchronizes information between the Identity Vault on the Identity Manager platform and RACF on the connected z/OS system.

When changes to passwords and other items relevant to Identity Manager are made at the local RACF installation, two security system exit routines are used to capture the changes and place them in a cross-memory queue. The change log, another z/OS started task, moves events from the memory queue to the change log data set, where they are stored for processing. At configurable intervals, the Publisher component of the driver polls the change log for events and submits them to Identity Manager, where they are processed for posting to the Identity Vault.

Figure 1-1 illustrates the driver's architecture.

Figure 1-1 RACF Driver Architecture

The following topics describe the driver architecture in more detail:

- Section 1.1.1, "Component Summary," on page 12
- Section 1.1.2, "Component Discussion," on page 15

1.1.1 Component Summary

Most components of the bidirectional RACF driver can be associated with one of the two channels of communication—Subscriber and Publisher—used by the driver and Identity Manager in general.

When Identity Manager detects relevant changes to identities in its Identity Vault, it uses the Subscriber channel to process and communicate the updates to all connected systems. Events are received by the Subscriber component of the RACF driver, which runs as a started task on the z/OS host system. This Subscriber component securely passes the information to customizable REXX execs that carry out the updates to RACF.

Subscriber Channel: Represents data flowing from Identity Manager to the driver on the connected z/OS system, then on to its final destination in RACF. In this way, RACF functions as a subscriber to Identity Manager events, receiving any updates from the central Identity Vault via the Subscriber channel.

Publisher Channel: Represents data flowing from RACF, through the driver on the host z/OS system, and on to Identity Manager. In this way, RACF functions as a publisher of events to Identity Manager, sending any updates from its individual RACF installation to the central Identity Vault via the Publisher channel.

NOTE: The term "channel," within the context of Identity Manager data flow, should not be confused with the same term used in mainframe nomenclature to describe a physical cable or connection.

Given this general organization, Table 1-1 provides a summary description for each of the driver's main components, including the data channel it relates to.

Table 1-1 Summary of Driver Components

Data Channel: Subscriber

  RACF Schema Map
    Provides a reference to the hierarchy of objects and attributes available in RACF. The driver reads the schema map, usually at startup. Also used by Identity Manager's Policy Editor to map the schema of the Identity Vault to the schema of RACF.

  Include/Exclude File
    Optional configuration file for listing local RACF identities that you wish to be included or excluded from the central Identity Vault. Allows local system policy to enforce which objects receive provisioning through the Subscriber channel.

  SAFQUERY
    Custom, APF-authorized TSO command used by the driver to query RACF via SAF (System Authorization Facility), the common interface for all z/OS security systems. It uses RACROUTE, a z/OS security macro, to access SAF.

  REXX Execs
    Mainframe scripts that apply the schema map and standard TSO commands to issue changes to RACF accounts—including adds, modifies, deletes, and renames—for User and Group objects, and to handle password synchronization. Can be extended to support other object types and events.
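The following REXX is an added illustration of the kind of Subscriber-side exec described above; it is not the driver's own exec and is not taken from the guide. It takes an action, a RACF user ID and, for password events, the new secret (the argument layout "action userid secret", the message prefix RACFSUB and the action names SETPASS, REVOKE and RESUME are all assumed for the example), validates what arrived from the Identity Vault before splicing it into a RACF command, chooses PASSWORD() or PHRASE() by length, hands the command to TSO with ADDRESS TSO (the shim itself reaches the TSO environment through IKJEFTSR, as stated above), and logs only a masked copy of the command.

```rexx
/* REXX -- Added illustration of a Subscriber-side exec for RACF user  */
/* events. It is not the driver's own exec. The argument layout        */
/* "action userid secret", the message prefix RACFSUB and the action   */
/* names SETPASS, REVOKE and RESUME are assumed for the example.       */
/*                                                                     */
/* Points the example makes:                                           */
/*  - the values arrive from the Identity Vault over the network and   */
/*    are spliced into a command that runs with the driver shim's      */
/*    authority, so they are validated first;                          */
/*  - a RACF password is at most 8 characters, so a longer secret is   */
/*    set as a password phrase with PHRASE('...');                     */
/*  - the secret is never written with SAY, so it stays out of the     */
/*    exec output file; the logged copy of the command is masked.      */

parse arg action userid secret
action = translate(action)
userid = translate(userid)
secret = strip(secret)

/* A RACF user ID is 1 to 8 characters from A-Z, 0-9, @, # and $.      */
/* The set is spelled out because A-Z is not contiguous in EBCDIC.     */
valid = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$'
if userid = '' | length(userid) > 8 | verify(userid, valid) > 0 then do
  say 'RACFSUB: rejected user ID (not a valid RACF user ID)'
  exit 8
end

select
  when action = 'SETPASS' then do
    if secret = '' then do
      say 'RACFSUB: SETPASS requires a password or password phrase'
      exit 8
    end
    if length(secret) <= 8 then do
      /* PASSWORD() takes an unquoted value; blanks, parentheses and   */
      /* quotes would change how the rest of the command is parsed.    */
      if verify(secret, " ()'", 'M') > 0 then do
        say 'RACFSUB: password contains characters that cannot be passed unquoted'
        exit 8
      end
      cmd = "ALTUSER" userid "PASSWORD("secret") NOEXPIRED"
    end
    else do
      /* PHRASE() takes a quoted string; a quote inside it is doubled. */
      phrase = ''
      do i = 1 to length(secret)
        c = substr(secret, i, 1)
        if c = "'" then phrase = phrase || "''"
        else phrase = phrase || c
      end
      cmd = "ALTUSER" userid "PHRASE('"phrase"') NOEXPIRED"
    end
    logcmd = "ALTUSER" userid "PASSWORD/PHRASE(********) NOEXPIRED"
  end
  when action = 'REVOKE' then do
    cmd = "ALTUSER" userid "REVOKE"
    logcmd = cmd
  end
  when action = 'RESUME' then do
    cmd = "ALTUSER" userid "RESUME"
    logcmd = cmd
  end
  otherwise do
    say 'RACFSUB: unsupported action' action
    exit 8
  end
end

/* Hand the command to TSO and trap its messages instead of letting    */
/* them scroll past, so a failure can be reported with the RACF text.  */
address tso
x = outtrap('msg.')
cmd
cmdrc = rc
x = outtrap('off')

say 'RACFSUB:' logcmd 'RC='cmdrc
if cmdrc <> 0 then
  do i = 1 to msg.0
    say 'RACFSUB:' msg.i
  end
exit cmdrc
```

The validation is the security-relevant part: the exec runs with the authority of the driver shim started task, and its inputs originate off-host. A user ID or attribute value carrying a blank could otherwise append operands to the ALTUSER command (SPECIAL, for instance, is a legitimate ALTUSER operand), so the exec rejects anything outside the RACF user ID character set rather than trying to quote it. Keeping the secret out of every SAY also keeps it out of the REXX exec output file and out of any trace that captures that output.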
