Configuration notes

The adapter can handle multiple requests simultaneously. Learn how the adapter processes specific attributes and requests and how it interacts with z/OS during the processing of some of the requests.

Modifying Zone, Division and Department

You can change the values for Zone, Division, and Department when you modify an account. The adapter executes a MOVE command each time a value is changed. Changing multiple values in one single request results in multiple MOVE commands, one for each value:
MOVE ACID(USER) ZONE(ZONEA)
MOVE ACID(USER) DIVISION(USFAC)
MOVE ACID(USER) DEPT(HR)
Note:
  • The ACID TYPE is not appended to these commands.
  • The value changes are processed in random order.

As a result, it is possible to specify incompatible values, such as a request to move an ACID to a DIVISION and to a DEPARTMENT that does not belong to that DIVISION. The ACID type might also change as a result of the MOVE command. For more information on how ACID types change when a MOVE is performed for an ACID without a specified TYPE, see the CA Top Secret product documentation.

The IBM® Security Identity server updates the account for which the change request is executed, based on the result returned for each individual value change. It does not report any changes in the ACID that resulted from the MOVE command.

To ensure that the IBM Security Identity server reflects the actual current ACID definitions, perform a reconciliation for the changed account directly after you change a ZONE, DIVISION, or DEPARTMENT.

A reconciliation for a single account is interpreted as an Account Lookup request and results in the collection of data for the specified ACID. To request a Lookup, specify a search filter for the reconciliation. The filter must be a reconciliation query for a single eruid value.

To perform a reconciliation for a single account that is named JOHND, use the following query:
Reconcile accounts that match this filter:
(eruid=JOHND)

The Lookup request initiates a lookup-specific APPC transaction to collect the data for the ACID specified in the search filter. It returns the updated account data to the IBM Security Identity server.

Note: The actual values that are retrieved with the Lookup request depend on the administrative scope of the ACID used to perform the request (ADAPTERID or SURROGAT). For more information on the data each ACID type can list within its administrative scope, see the CA Top Secret product documentation.
To support processing of the Lookup request, an APPC transaction is added. It can be configured at installation time:
------------------- ISIM CA-TopSecret Adapter Customization ------------------
Option ===>
VTAM and APPC/MVS Parameters
     VTAM NETID                          ===> NET1
     VTAM Originating Logical Unit       ===> ISIMORIG (*)
     VTAM Destination Logical Unit       ===> ISIMDEST (*)
     VTAM Session Key                    ===> 0123456789ABCDEF
     VTAM LOGMODE entry name             ===> #INTERSC
     Fully qualified data set name of your APPC/MVS transaction data set:
       ===> SYS1.APPCTP
     APPC command transaction name       ===> ISIMTCMD
     APPC reconciliation transaction     ===> ISIMTREC
     APPC ACID lookup transaction        ===> ISIMTLOK
     APPC execution class                ===> A
     APPC Network Qualified Names?       ===> FALSE (True or False)
(*) If both LU's specified are the same, it must reflect the name of the
     APPC/MVS defined BASE logical unit.
The ACID lookup transaction has the following requirements:
  1. The presence of the DSEXEC setting and hlq.EXEC value in the adapter registry. This value is automatically written to the registry file during adapter installation.
  2. The presence of a new template member in the hlq.EXEC dataset: TSSLOKU. This member is automatically created during adapter installation.

Password phrases

Top Secret for z/OS Adapter 6.0.8 and above supports Top Secret password phrases. A password phrase in Top Secret is an authentication mechanism that allows the secret string to be 9 - 100 characters long. When passwords are set from the IBM Security Identity server, a string of eight characters or fewer is treated as a password and a string of more than eight characters is treated as a pass phrase.

Passwords are considered to be invalid when containing any of the following characters: , ) ( { } ' " and space

Password phrases are considered to be invalid when containing any of the following characters: , ) ( { } ' "

If the adapter encounters any of these invalid characters, it returns an error to the IBM Security Identity server.

On account Add:

When you request a new account on the IBM Security Identity server, the adapter interprets any password string that is shorter than 8 characters as a password and creates the requested account with that password. A password string longer than 8 characters is interpreted as a password phrase. In that case the adapter, by default, generates a random password by using a standard, built-in configuration string. If the account is requested with the PHRASEONLY attribute set to TRUE, no password is generated, regardless of the PASSGEN setting.

This standard configuration string is: CnccSCNS

The password generator uses this configuration string to generate a random password as defined in the following table:
Table 1. Configuration strings for the password generator
Character            Description
C                    Random uppercase character (no vowels)
c                    Random lowercase character (no vowels)
v                    Random lowercase vowel (a, e, i, o, u, and y)
V                    Random uppercase vowel (A, E, I, O, U, and Y)
N                    Random numeric
s                    Random special character
Any other character  Used as provided (for instance: national characters)

Internally, the adapter ensures that it does not generate the same character twice in a row.

The built-in string can be replaced by using a new registry setting: PWD_CONFIG

PWD_CONFIG allows a maximum of 5 comma-separated strings; the adapter randomly selects one of them each time it generates a random password.

Each string should be between 4 and 8 characters long. If a shorter string is specified, the adapter reports an error and tries another string. If a longer string is specified, the adapter uses only the first 8 characters to generate a password.

The configuration string must not contain any of the following hardcoded reserved words: APPL APR ASDF AUG BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234.

It must also not contain any of the following characters: , ) ( { } ' "

If a reserved word is found in the configuration string, the adapter reports an error. After such an error, the adapter attempts to select another random configuration string. After two failed attempts, the adapter stops processing and returns an error. The adapter also treats the first four characters of the logonid for the request it is processing as a reserved word. In other words, the adapter also reports an error if the first four characters of the logonid are part of the configuration string. Reserved word and short logonid validation is case insensitive.

Reserved word and short logonid validation is repeated for the generated password. If the adapter detects a reserved word or short logonid in the generated password, the adapter stops processing and returns an error.

A new registry setting, RESWORD, allows you to specify more reserved words.

Any comma-separated string found in the RESWORD registry setting value is added to the hardcoded reserved word list during request processing.
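As an added illustration (not the adapter's own code), the following Python models the password generator rules described above: the Table 1 character classes, no consecutive repeats, PWD_CONFIG selection and length rules, the hardcoded reserved words plus RESWORD and the first four characters of the logonid, and the two-attempt retry. The set of special characters, the seed parameter and all function names are assumptions made for the example.

```python
import random

# Table 1 classes (the page counts y/Y as vowels); the special set is an assumption.
CLASSES = {"C": "BCDFGHJKLMNPQRSTVWXZ", "c": "bcdfghjklmnpqrstvwxz",
           "v": "aeiouy", "V": "AEIOUY", "N": "0123456789", "s": "!#$%&*+-./:;=?@_"}
INVALID_CHARS = set(",)({}'\"")
RESERVED = ("APPL APR ASDF AUG BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG "
            "MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234").split()

def reserved_words(logonid, resword=""):
    # Hardcoded list, RESWORD additions, and the first four characters of the logonid
    extra = [w for w in resword.split(",") if w]
    return [w.upper() for w in (*RESERVED, *extra, logonid[:4]) if w]

def contains_reserved(text, words):
    up = text.upper()  # validation is case insensitive
    return any(w in up for w in words)

def validate_config(cfg, words):
    # None means the adapter would reject this string; longer strings are cut to 8
    if len(cfg) < 4 or INVALID_CHARS & set(cfg) or contains_reserved(cfg, words):
        return None
    return cfg[:8]

def generate(cfg, rng=random):
    # Expand cfg without repeating a character consecutively; characters not in
    # Table 1 (such as the S in CnccSCNS) are used as-is.
    out = []
    for ch in cfg:
        pool = CLASSES.get(ch, ch)
        pick = rng.choice(pool)
        while len(pool) > 1 and out and pick == out[-1]:
            pick = rng.choice(pool)
        out.append(pick)
    return "".join(out)

def generate_password(logonid, pwd_config="CnccSCNS", resword="", seed=None):
    # PASSGEN flow: pick one of up to 5 strings, validate it, generate, re-validate.
    rng = random.Random(seed)
    words = reserved_words(logonid, resword)
    strings = pwd_config.split(",")[:5]
    for _attempt in range(2):  # the adapter gives up after two failed selections
        cfg = validate_config(rng.choice(strings), words)
        if cfg is None:
            continue
        pwd = generate(cfg, rng)
        if contains_reserved(pwd, words):
            raise ValueError("generated password contains a reserved word")
        return pwd
    raise ValueError("no usable PWD_CONFIG string after two attempts")
```

With the default string CnccSCNS, the uppercase S is not a Table 1 class, so the model passes it through literally, exactly as the "any other character" rule states.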

For more information on adding and changing registry settings, see Modifying registry settings.

On account Modify:

Password phrases can be changed or added during a Modify request for an existing account. When you add an initial password phrase to an existing account, ensure that the user is allowed to use password phrases by setting password phrase to TRUE in the account form on the IBM Security Identity server. When a password phrase for an existing account is changed or added, it is expired by default. Password phrase (also referred to as passphrase) expiration can be controlled by using a new registry setting: PHRASEEXPIRE

This setting is provided in the adapter installation menu, as shown in the following screen, and can be changed by using the agentCfg tool.

PHRASEEXPIRE supports 2 values: TRUE and FALSE.
  • When set to TRUE pass phrases are expired.
  • When set to FALSE pass phrases are not expired.
------------------- ISIM CA-TopSecret Adapter Customization -------------------
Option                                          ===>
Adapter specific parameters
Name of adapter instance                        ===> ISIAGNT
Name of Started Task JCL procedure name         ===> ISIAGNT
IP Communications Port Number                   ===> 45598
Note: The adapter will always require access to ports 44970 through 44994.
These ports are implicitly reserved.
Adapter authentication ID (internal)            ===> agent
Adapter authentication password (internal)      ===> agent
PDU backlog limit                               ===> 1000
Do you want passwords set as expired?           ===> TRUE  (True, False)
Do you want passphrases set as expired?         ===> TRUE  (True, False)
Do you use SYS1.BRODCAST in the environment?    ===> TRUE  (True, False)
CA-Top Secret SCA ACID for ISIM adapter         ===> ISIAGNT
Password for the ITIM adapter ACID              ===>
CA-Top Secret Default Group ACID for adapter    ===> OMVSGRP
OMVS UID to be assigned to ACID (non-zero)      ===> 45598

For more information on adding and changing registry settings, see Modifying registry settings.