Configuration notes

The ACF2 adapter can handle multiple requests simultaneously. Learn how the adapter processes specific attributes and requests and how it interacts with z/OS during the processing of some of the requests.

Timezone support

The adapter converts all date values to UTC before it forwards them to the Identity server. The adapter uses the $TZ timezone variable, specified in the environment settings for the adapter account, for example, ITIAGNT. The timezone variable specifies the offset that it must use to convert the local timezone to UTC. If there is no offset specified, the adapter assumes that the received date can be returned as UTC without any further conversion.

For instance, the TZ definition in /etc/profile or the adapter account-specific profile must be TZ=EST5, or TZ=EST5EDT for Daylight Saving Time, rather than TZ=EST.

OMVS AUTOUID

ACF2 adapter 6.0.6 and later supports auto-assignment of OMVS UIDs by using AUTOUID.

When you create a user in the Identity server account form, enter 'AUTOUID'(case sensitive) in the attribute field. For example:

'INSERT IBMUSER UID(2345)'.

When the adapter receives the string AUTOUID from the Identity server, the adapter runs the following command:

INSERT <USER> AUTOUID

For example

INSERT IBMUSER AUTOUID

Passwords

ACF2 adapter 6.0.5 and later support the reconciliation of password profile attributes. The following attributes are available:

#PSWDCNT
#PWD-TOD
KEYFROM

All attributes are implemented as read-only and can be modified only with ACF2. The adapter is configured to replace the # sign in the attribute name with an additional P for internal usage. The account form on the Identity server uses the correct label to display the attribute value for a selected account.

For example, attribute #PWD-TOD is displayed as #PWD-TOD on the Identity server on the account form for a specific account. In the adapter log file, the initialized attribute is referred to as PPWD-TOD. PPWD-TOD is also the name of the attribute that is provided in the ACF2 and IBM Security Verify Governance schema files that are used by the adapter.

Password phrases

ACF2 adapter 6.0.4 and later, support ACF2 pass phrases. A pass phrase in ACF2 is an authentication mechanism that allows the secret string to be 9 - 100 characters. When you set passwords from the Identity server, a string lesser than or equal to 8 characters is treated as a password. A string more than 8 characters is treated as a pass phrase. Starting with adapter version 6.0.13, the implementation of random password and pass phrase generation has changed. Random passwords and pass phrases are generated by using a configuration string, which determines the type and number of characters to be generated.

The default built-in string for passwords is an$NaANa

The default built-in string for pass phrases is an$NaANa#aaNAa

The password generator generates passwords as follows:

For every occurrence of A, the adapter randomly generates a letter from A-Z
For every occurrence of a, the adapter randomly generates a letter from a-z
For every occurrence of N (uppercase!), the adapter randomly generates a numeric character from 0 - 9
For any other character (including lowercase n), the adapter echoes that character back

Internally the adapter ensures that it does not generate the same characters consecutively. The built-in strings can be modified by using new registry settings:

PWD_CONFIG for password configuration strings
PWP_CONFIG for pass phrase configuration strings

PWD_CONFIG allows a maximum of 5 comma-separated strings, which are randomly selected by the adapter to generate random passwords. The size of each string must be 5 - 8 characters long. If a shorter string is specified, the adapter reports an error and tries another string. If a longer string is specified, the adapter uses only the first 8 characters to generate a password. The configuration string is not allowed to contain any of the following hard-coded reserved words:

ACF, APPL, APR, ASDF, AUG, BASIC, CADAM, DB2, DEC, DEMO, ENT ,FEB, FOCUS, GAME, IBM,
IMS, JAN, JUL, JUN, LOG, MAR, MAY, NET, NEW, NOV, OCT, OTIS, PASS, ROS, SEP, SIGN, SONI, SYS, TEST,
TSO, TSYS, VALID, VTAM, WELC, XXXX, 0000, 1111, 1234, 222, 3333, 4444, 5555, 6666, 7777, 8888, 9999,
', "

If a reserved word is found in the configuration string, the adapter reports an error.

After receiving an error, the adapter attempts to select another random configuration string. After two failed attempts, the adapter stops processing and returns an error. The adapter considers the first 4 characters of the logonid for the request it is processing as a reserved word. The adapter also reports an error if the first 4 characters of the logonid are part of the configuration string.

Reserved word and short logonid validation is case insensitive. Reserved word and short logonid validation is repeated for the generated password. If the adapter detects a reserved word and a short logonid as part of the generated password, the adapter stops processing and returns an error.

A new registry setting allows specifying additional reserved words: RESWORD.

Any comma-separated string that is found in the RESWORD registry setting value is added to the hard-coded reserved words list during request processing.

PWP_CONFIG allows a maximum of 3 comma-separated strings that are randomly selected by the adapter to generate random password phrases.

The adapter requires the size of each string to be 9 - 100 characters long. The string must have the minimal length that is specified in the ACF2 Password phrase rules. If a string of less than 9 characters is specified, the adapter reports an error and tries another string. If a string of more than 100 characters is specified, the adapter uses only the first 100 characters to generate a password phrase.

The configuration string is not allowed to contain single or double quotation marks.

If a single or double quotation mark is found in the configuration string, the adapter reports an error. After receiving an error, the adapter attempts to select another random configuration string. After two failed attempts, the adapter stops processing and returns an error.

For information on how to add and modify registry settings, see Modifying non-encrypted registry settings.

Other password phrase-related registry settings

Adapter version 6.0.8 introduced additional registry settings for pass phrase.

These additional registry settings allow customization of the actions to be taken when using the adapter to set pass phrases. You set the pass phrases using the password field on the Identity server.

Registry setting for changing phrases

PASSGEN=ADD (generate random password on ADD account with pass phrase)

PASSGEN=MOD (generate random password on MODIFY account with pass phrase)

PASSGEN=NEVER (never generate a random password)

PASSGEN=BOTH (always generate a random password)

If not specified, PASSGEN defaults to BOTH

Note:

IBM® does not guarantee that the generated random passwords meet the site specific password rules.
With PASSGEN set to NEVER or MOD, new accounts can only be requested using a password. When attempting to add a new account using a pass phrase with PASSGEN set to NEVER or MOD, the following error is returned:
```
ERR:yy/mm/dd hh:mm:ss caacf2Add: pass phrases can NOT be used for INSERT for user <LID>
```

Registry settings for changing passwords

PWPMOD = RANDOM (generate a random phrase on MODIFY account with password)
PWPMOD=DISABLE (does not generate a random phrase, it disables pass phrase usage for this LID on MODIFY account with password)
PWPMOD=IGNORE (no changes are made for the pass phrase when the request is for changing a password )

If not specified PWPMOD defaults to RANDOM.

Note: IBM does not guarantee that the generated random pass phrases meet the site specific pass phrase rules.

PWPMOD=DISABLE ensures the pass phrase usage for a specified LID is disabled on account MODIFY. When changing a password for this LID, an additional registry setting is introduced to specify whether PWPALLLOW is automatically re-enabled when it receives a request to set a pass phrase for a LID.

AUTOPWP=TRUE (automatically set PWPALLOW when it receives a request to change a pass phrase)
AUTOPWP= FALSE (don't automatically set anything for the phrase when the request is for changing a phrase)

If not specified, AUTOPWP defaults to TRUE.

Make sure that the ACF2 requirements for pass phrases are included in the Identity server rules for passwords. The requirements include setting the minimum characters in the password string to be more than 8 in the password policy. If the rules for password phrases employed at your installation site are not reflected in the Identity server password policies, then ACF2 might reject the entered pass phrase.

In the existing documentation, all references to an ACF2 password now encompass both ACF2 passwords and pass phrases.

Temporary data set creation

Temporary data sets that are generated during reconciliation have a high-level qualifier (HLQ). The HLQ is equal to the adapter logonid instead of the generic HLQ. As such, the data sets are cataloged in the adapter logonid user catalog.

Custom Boolean attributes

The ACF2 adapter supports custom Boolean attributes that are defined as

<PRIVILEGENAME> when privilege is granted to a user or
NO <PRIVILEGENAME> when the user is not granted the privilege.

For example, MYCICS or NOMYCICS is specified for a specific ACF2 logonid.

Single account lookup

The LOOKUP transaction type uses the (eruid=<userid>) filter in IBM Security Verify Governance for the reconciliation of a single account. This transaction type ensures that no Pdu entries are created for entries that do not match the eruid specified in the search filter in the server request. For debugging this type of processing, more messages for the _ermPduAddEntry process are added in the Base Logging level (BSE). Unfiltered requests or requests with more than one account that is specified in the search filter still result in a full reconciliation that uses the standard SEARCH transaction.

To support multiple threads for LOOKUP transactions, a new registry setting is added to the agentCfg tool, which can be configured from the Advanced Settings Menu.

Advanced Settings Menu
-----------------------------------------------
A. Single Thread Agent (current:FALSE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. LOOKUP max. thread count. (current:3)
G. Allow User EXEC procedures (current:FALSE)
H. Archive Request Packets (current:FALSE)
I. UTF8 Conversion support (current:TRUE)
J. Pass search filter to agent (current:FALSE)
X. Done
Select menu option:

The single account lookup is performed using the ACF2 report utility ACFRPTSL. Unlike the previous implementation, only the account that matches the eruid specified in the search filter is retrieved using ACFRPTSL. The ACFRPTSL report utility requires no additional configuration.

Specifying an empty prefix value

Running an ACF2 insert command with prefix() sets the default prefix (DFT-PFX) to the LID (12345) but it sets the restrictions to PREFIX().

See the command output below as executed directly in ACF2:


 LID
insert 12345 name(abc)   password(my1thPs!) prefix()
  12345                  12345 ABC
  ACCESS                 ACC-CNT(0) ACC-DATE(00/00/00) ACC-TIME(00:00)
  PASSWORD               KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00) 
                         PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-EXP 
                         PSWD-INV(0) PSWD-TOD(06/07/18-20:00) PSWD-VIO(0) 
                         PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0)
  TSO                    DFT-PFX(12345)
  STATISTICS             CRE-TOD(06/07/18-20:00) SEC-VIO(0) 
                         UPD-TOD(06/07/18-20:00)
  RESTRICTIONS           PREFIX()

Note: The Identity server does not forward a blank value for prefix, unless the previously specified value for prefix is removed.

If a policy runs an Account Modify operation directly after adding an account with the LID specified as PREFIX, the Identity server registers the value that is specified for PREFIX for that account without running a reconciliation and the policy that modifies the account might blank the PREFIX value.