After you configure the z/OS® LDAP
server, you need to set up RACF® to
activate identity mapping. You also need to grant Db2 authority to use the SAF user mapping plug-in
service.
To set up RACF for
the z/OS LDAP server:
- Enable identity mapping by activating the FACILITY class.
Identity mapping requires the FACILITY class to be active. If it is not
already active at your installation, activate it with the following SETROPTS command:
SETROPTS CLASSACT(FACILITY)
- Define a KEYSMSTR profile to store an encryption key.
Choose a key that is known only to the security administrator and store
it in the KEYSMSTR profile that you define, as shown in the following example:
RDEF KEYSMSTR LDAP.BINDPW.KEY SSIGNON(KEYMASKED(0123456789ABCDEF))
The LDAP BIND passwords are encrypted with the key that is stored
in the LDAP.BINDPW.KEY profile. The value of the key in this example
is 0123456789ABCDEF. That value is only an illustration; supply your own key rather than reusing it.
- Authorize Db2 to
request lookup services by defining the following FACILITY class profiles and granting READ access to the
SYSDSP user ID (the user ID under which the Db2 address spaces run; substitute yours if it differs).
Leave UACC(NONE) in place so that no other user ID can retrieve the key or request lookups through these profiles:
RDEF FACILITY IRR.RGETINFO.EIM UACC(NONE)
PE IRR.RGETINFO.EIM ACCESS(READ) ID(SYSDSP) CL(FACILITY)
RDEF FACILITY IRR.RDCEKEY UACC(NONE)
PE IRR.RDCEKEY ACCESS(READ) ID(SYSDSP) CL(FACILITY)
- Define the IRR.PROXY.DEFAULTS profile in the FACILITY class. Its PROXY segment names the LDAP server
and the identity that RACF binds with, and its EIM segment names the EIM domain and the local registry.
Refresh the RACLISTed FACILITY class afterward so that the new profiles take effect:
RDEF FACILITY IRR.PROXY.DEFAULTS
PROXY(LDAPHOST('ldap://v25ec099.svl.ibm.com:3389')
BINDDN('cn=eim user,o=IBM,c=US') BINDPW('secret'))
EIM(DOMAINDN('ibm-eimDomainName=My Domain,o=IBM,c=US')
LOCALREG('My Target Registry'))
SETROPTS RACLIST(FACILITY) REFRESH
- Grant Db2 the authority
to use the SAF user mapping plug-in service. IRRSPIM and IRRSPIME are the plug-in modules;
define a PROGRAM class profile for each, naming the data set that contains them
(USER.PRIVATE.DLLLIB is a sample name; // indicates a cataloged data set with no volume serial,
and NOPADCHK bypasses program-access-to-data-set checking), and permit SYSDSP READ access:
RDEF PROGRAM IRRSPIM ADDMEM ('USER.PRIVATE.DLLLIB'//NOPADCHK)
PE IRRSPIM ACCESS(READ) ID(SYSDSP) CL(PROGRAM)
RDEF PROGRAM IRRSPIME ADDMEM ('USER.PRIVATE.DLLLIB'//NOPADCHK)
PE IRRSPIME ACCESS(READ) ID(SYSDSP) CL(PROGRAM)
SETROPTS WHEN(PROGRAM) REFRESH
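After completing the steps above, verify the result before starting Db2. The following REXX exec is an added example, not code from the IBM page or from Db2 itself; it issues the RLIST commands that display each profile the procedure defined so that the security administrator can confirm the profiles exist and that only the Db2 user ID appears in their access lists. SYSDSP and the profile names are the placeholder values used in the procedure; substitute your own where they differ. Run it from a user ID that is authorized to list these profiles.

```rexx
/* REXX exec: added verification example, not part of the IBM page.        */
/* Lists the RACF profiles defined in the procedure above. SYSDSP and the   */
/* profile names are the procedure's placeholder values; change them if     */
/* your installation uses different ones.                                   */
address TSO

cmds.1 = "SETROPTS LIST"                               /* FACILITY active?    */
cmds.2 = "RLIST KEYSMSTR LDAP.BINDPW.KEY SSIGNON"      /* bind-pw key profile */
cmds.3 = "RLIST FACILITY IRR.RGETINFO.EIM AUTHUSER"    /* expect UACC NONE    */
cmds.4 = "RLIST FACILITY IRR.RDCEKEY AUTHUSER"         /* and SYSDSP READ     */
cmds.5 = "RLIST FACILITY IRR.PROXY.DEFAULTS PROXY EIM" /* LDAPHOST, BINDDN,   */
                                                       /* DOMAINDN, LOCALREG  */
cmds.6 = "RLIST PROGRAM IRRSPIM AUTHUSER"              /* plug-in modules     */
cmds.7 = "RLIST PROGRAM IRRSPIME AUTHUSER"
cmds.0 = 7

failed = 0
do i = 1 to cmds.0
  say '=== ' cmds.i
  cmds.i                        /* the string is passed to TSO as a command */
  if rc <> 0 then do            /* nonzero: profile missing or not authorized */
    say '*** return code' rc 'from:' cmds.i
    failed = failed + 1
  end
end

if failed = 0 then
  say 'All profiles listed; review the access lists above for unexpected IDs.'
exit failed
```

In the listings, check that IRR.RGETINFO.EIM, IRR.RDCEKEY, IRRSPIM and IRRSPIME show UACC NONE with SYSDSP as the only ID holding READ, and that the PROXY and EIM segments of IRR.PROXY.DEFAULTS carry the LDAP host, bind DN, domain DN and local registry you intended. Any additional user ID with READ on IRR.RDCEKEY can retrieve the bind-password key, so remove it.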