Onboarding Broadcom ACF2 Security for z/OS

Use this task to provision users from Verify to the on-premises Broadcom ACF2 Security for z/OS adapter.

Before you begin

  1. Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
  2. Deploy and configure the IBM® Security Verify Identity Brokerage On-Premises component.

Procedure

  1. Log in as administrator on IBM Security Verify.
  2. Select Applications > Applications and click Add application.
  3. In the application type search, enter the name that was set for the uploaded application profile, select it from the menu, and click Add application.
    For example, if the Broadcom ACF2 Security for z/OS profile was uploaded with the name Broadcom ACF2 Security for z/OS, the application appears as Broadcom ACF2 Security for z/OS (custom).
  4. In the Add applications page, select the General tab, and specify the required details.
  5. Select the Account lifecycle tab.
  6. Specify the provisioning and deprovisioning policies.
    Parameter: Description
    Provision accounts
      Disabled by default, which means that account creation is performed outside IBM Security Verify.
      Select Enabled to provision an account automatically when the entitlement is assigned to a user. Password generation and email notification are available for accounts that are created through IBM Security Verify.
    Deprovision accounts
      Disabled by default, which means that account removal is performed outside IBM Security Verify.
      Select Enabled to deprovision an account automatically when the entitlement is removed from a user.
    Account password
      Sync user's Cloud Directory password: available only if Password sync is enabled on the Cloud Directory. The Cloud Directory password is used when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
      Generate password: generates a random password for the provisioned account. The password conforms to the Cloud Directory password policy.
      None: provisions the account without a password.
    Send email notification
      Available only when Generate password is selected. When selected, an email notification that contains the generated password is sent to the user's email address after the account is provisioned successfully.
    Grace period (days)
      The number of days for which a deprovisioned account is kept suspended before it is deleted permanently.
    Deprovision action
      Delete the account. This field is available only if Deprovision accounts is enabled.
  7. In the General section, select the Application profile from the drop-down list. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
  8. Specify the API authentication details.
    Parameter: Description
    Service Name: Specify a name that identifies the ACF2 adapter service on the IBM® Security Identity server.
    Service Description: Specify a description that identifies the service for your environment. You can include additional information about the service instance.
    URL: Specify the host and port number of the adapter. The port number is defined during installation and can be viewed and modified in the protocol configuration by using the agentCfg utility. For more information about protocol configuration settings, see Changing protocol configuration settings.
    Note: Configure the adapter for SSL authentication only if https is part of the URL. Without https, the adapter authentication ID and password travel in clear text between the brokerage component and the adapter. For more information, see Configuring SSL authentication.
    User ID: Specify the name that you defined at installation as the Adapter authentication ID. This name is stored in the adapter registry. The default value is agent.
    Password: Specify the password that you defined at installation for the Adapter authentication ID. The default value is agent. Do not leave the default credentials in place on a production adapter.
    ACF2 ID under which requests are processed: Specify a SURROGATE logonid. This logonid can have administrative authority over a subset of logonids in the ACF2 database, so scope its authority to the accounts that Verify is expected to manage.
    Owner: Specify the service owner, if any.
    Service Prerequisite: Specify an existing service.
  9. Click Test Connection to test the connection to the on-premises Broadcom ACF2 Security for z/OS adapter. The connection must succeed before accounts can be provisioned or reconciled on the Broadcom ACF2 Security for z/OS application.
  10. Map the target Broadcom ACF2 Security for z/OS attributes to the Verify attributes as required. Select the Keep updated check box for the attributes that must be kept updated on the target.

  11. Select the Account sync tab.
  12. In the Adoption policy section, add one or more attribute pairs that must all match for the account sync process to assign Broadcom ACF2 Security for z/OS accounts to their respective account owners in Verify.

  13. In the Remediation Policies section, choose a remediation policy to remediate non-compliant accounts automatically.
  14. Click Save.
  15. After the application is saved, specify the authorization policy on the Entitlements tab.
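The adoption policy in step 12, the remediation of non-compliant accounts in step 13, and the grace period in step 6 all come down to a small amount of matching logic. The following is an added example that models that logic stand-alone in Python; it is not code from IBM Security Verify or from the ACF2 adapter. The Verify attribute names (uid, mail), the account attribute names (LOGONID, NAME, SUSPENDED_ON), the sample users and accounts, and the case-insensitive comparison are all assumptions made for the illustration.

```python
"""Stand-alone model of account adoption, orphan detection and grace-period expiry.

Added example, not IBM Security Verify or ACF2 adapter code. Attribute names,
sample data and the matching rules below are assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed sample Verify users (assumed attribute names: uid, mail).
VERIFY_USERS = [
    {"uid": "jdoe", "mail": "jdoe@example.com"},
    {"uid": "asmith", "mail": "asmith@example.com"},
]

# Constructed sample ACF2 accounts as they might arrive from a reconciliation.
# LOGONID is the ACF2 term for the user ID; NAME and SUSPENDED_ON are assumed here.
ACF2_ACCOUNTS = [
    {"LOGONID": "JDOE", "NAME": "jdoe@example.com", "SUSPENDED_ON": None},
    {"LOGONID": "ASMITH", "NAME": "other@example.com", "SUSPENDED_ON": None},
    {"LOGONID": "OLDSVC", "NAME": "", "SUSPENDED_ON": date(2024, 1, 1)},
]

# Adoption policy: (Verify attribute, ACF2 attribute) pairs that must ALL match.
ADOPTION_PAIRS = [("uid", "LOGONID"), ("mail", "NAME")]


def _norm(value):
    """Compare case-insensitively: ACF2 logonids are upper case, Verify uids usually are not (assumption)."""
    return "" if value is None else str(value).strip().casefold()


def adopt(users, accounts, pairs):
    """Return {logonid: owner uid or None}.

    An account is adopted only if every configured pair matches exactly one user.
    Empty values never match, and an account that matches several users is left
    unowned rather than guessed, so a reconciliation cannot hand an account to
    the wrong person.
    """
    result = {}
    for acct in accounts:
        owners = [
            u for u in users
            if all(
                _norm(acct.get(acf2_attr)) != ""
                and _norm(u.get(verify_attr)) == _norm(acct.get(acf2_attr))
                for verify_attr, acf2_attr in pairs
            )
        ]
        result[acct["LOGONID"]] = owners[0]["uid"] if len(owners) == 1 else None
    return result


def orphans(adoption):
    """Accounts with no owner: the non-compliant set that a remediation policy acts on."""
    return sorted(logonid for logonid, owner in adoption.items() if owner is None)


def past_grace(accounts, grace_days, today):
    """Suspended accounts whose grace period has elapsed and that are due for permanent deletion."""
    cutoff = today - timedelta(days=grace_days)
    return sorted(
        a["LOGONID"] for a in accounts
        if a.get("SUSPENDED_ON") is not None and a["SUSPENDED_ON"] <= cutoff
    )


if __name__ == "__main__":
    adoption = adopt(VERIFY_USERS, ACF2_ACCOUNTS, ADOPTION_PAIRS)
    print("adoption:", adoption)
    print("orphans:", orphans(adoption))
    print("past grace (30 days as of 2024-03-01):", past_grace(ACF2_ACCOUNTS, 30, date(2024, 3, 1)))
```

With the sample data, JDOE is adopted by jdoe because both pairs match; ASMITH is not, because the email pair fails even though the logonid pair matches; OLDSVC has no owner and, with a 30-day grace period, is already past grace on 2024-03-01. The point of requiring every pair to match, and of refusing ambiguous matches, is that adoption grants a Verify user control over a mainframe logonid, so a loose match is an account takeover path.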