Table of Contents (exploded view)
Abstract for Integrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference
How to send your comments to IBM
z/OS Version 2 Release 1 summary of changes
EIM concepts and use
Enterprise Identity Mapping (EIM)
The problem: Managing multiple user registries
Current approaches
The EIM approach
EIM concepts
EIM domain controller
EIM domain
EIM identifier
EIM identifier representing a person
EIM identifier representing an entity
EIM identifiers and aliasing
EIM registry definition
EIM registry definitions and aliasing
System and application registry definitions
EIM associations
Identifier associations
Source and target association relationship
Policy associations
Lookup information
EIM lookup operation
Mapping policy support and enablement
EIM access control
Migration considerations
Migration from release to release
Migration from EIM Release 6
Migration from EIM Release 5 - Starting point
EIM domain controller
EIM client applications
Removal of SETROPTS EIMREGISTRY/NOEIMREGISTRY
Planning for EIM
Identifying skill requirements
Team members
Planning for EIM client applications
Planning for an EIM domain
Planning for EIM registries
Developing an identity mapping plan
Planning considerations for identifiers
Planning considerations for associations
Accessing the EIM domain
Planning considerations for an EIM domain controller
Planning EIM administration tools
Customizing EIM on your operating system
Task roadmap for implementing EIM
Setting up EIM on z/OS
Steps for installing and configuring the EIM domain controller on z/OS
Installing and configuring EIM on z/OS
Configuring z/OS to participate in an EIM domain
Defining RACF as the local EIM registry
Defining Kerberos or X.509 registry names
Steps for using the eimadmin utility to manage an EIM domain
Domain authentication methods
Using simple binds
Using CRAM-MD5 password protection
Using digital certificates
Using Kerberos
Using Secure Sockets Layer (SSL)
Installation considerations for applications
Configuration considerations for enabling remote services
Ongoing administration
Managing registries
Adding a system and application registry
Listing a registry
Removing a registry
Working with registry aliases
Assigning an alias
Listing an alias
Removing an alias
Assigning an alias name to a different registry
Adding a new user
Adding an identifier
Adding associations
Listing associations
Removing a user
Removing associations
Removing an identifier
Changing access authority
Adding access authorities
Listing access authorities
Removing access authorities
Using RACF commands to set up and tailor EIM
Using RACF for EIM domain access
Setting up default domain LDAP URL and binding information
Storing LDAP binding information in a profile
Adding EIM domain and bind information for servers or administrative users
Adding a system default using the IRR.EIM.DEFAULTS profile
Adding a system default using the IRR.PROXY.DEFAULTS profile
Optionally setting up a registry name for your local RACF registry
Steps for setting up lookups that do not need a registry name
Ongoing RACF administration
Disabling use of an EIM domain
Steps for disabling use of an EIM domain
Using output from the RACF database unload utility and eimadmin to prime your EIM domain with information
Developing applications
Writing EIM applications
Default registry names
Defining private user registry types in EIM
Define a private user registry type in EIM
Building an EIM application
C/C++ Compile considerations
C/C++ Link-edit considerations
Preparing to run an EIM application
Accessing RACF profile checks
Special considerations for applications that will be shared between different releases of z/OS
APIs for retrieving the LDAP URL and binding information
Determining why a mapping is not returned
Messages
ITY0001
ITY0002
ITY0003
ITY0004
ITY0005
ITY0006
ITY0008
ITY0009
ITY0010
ITY0011
ITY0012
ITY0013
ITY0014
ITY0015
ITY0016
ITY0017
ITY0018
ITY0019
ITY0020
ITY0021
ITY0022
ITY0023
ITY0024
ITY0025
ITY0026
ITY0027
ITY0028
ITY0029
ITY0030
ITY0031
ITY0032
ITY0033
ITY0034
ITY0035
ITY0036
ITY0037
ITY0038
ITY0039
ITY0040
ITY0041
ITY0042
ITY0043
ITY0044
ITY0045
ITY0046
ITY0047
ITY0048
ITY0049
ITY0050
ITY0051
ITY0052
ITY0053
ITY0054
ITY0055
ITY0056
ITY0057
ITY0058
ITY0059
ITY0060
ITY0061
ITY0062
ITY0063
ITY0064
ITY0065
ITY0066
ITY0067
ITY0068
ITY0069
ITY0070
ITY0071
ITY3300E
ITY3301E
ITY3302E
ITY3303E
ITY3304E
ITY3350E
ITY3351E
ITY3352E
ITY3353E
ITY3354E
ITY3355E
ITY4001
ITY4002
ITY4010
ITY4011
ITY4012
ITY4013
ITY4014
ITY4015
ITY4016
ITY4017
ITY4020
ITY4021
ITY4022
ITY4023
ITY4024
ITY4025
ITY4026
ITY4027
ITY4028
ITY4030
ITY4031
ITY4040
ITY4041
ITY4042
ITY4043
ITY4044
ITY4045
ITY4046
ITY6002
ITY6003
ITY6004
ITY6005
ITY6006
ITY6007
ITY6008
ITY6009
ITY6010
ITY6011
ITY6012
ITY6013
ITY6014
ITY6015
ITY6016
ITY6017
ITY6018
ITY6019
ITY6020
ITY6021
ITY6022
ITY6023
ITY6024
ITY6025
ITY6026
ITY6027
ITY6028
ITY6029
ITY6500E
ITY6501E
ITY6502E
ITY6503E
ITY6504E
ITY6505E
ITY6506E
ITY6507E
ITY6508E
ITY6509E
ITY6510E
ITY6511E
ITY6512E
ITY6513E
ITY6514E
ITY6515E
ITY6516E
ITY6517E
ITY6518E
ITY6519E
ITY6520E
ITY6521E
ITY6522E
ITY6523E
ITY6524E
ITY6525E
ITY6526E
ITY6527E
ITY6528E
ITY6529E
ITY6530E
ITY6531E
ITY6532E
ITY6592A
ITY6593A
ITY6594A
ITY6595E
ITY6596A
ITY6597A
ITY6598A
ITY6599E
The eimadmin utility
eimadmin
Examples for working with policies
Creating an X.509 registry
Enabling or disabling a registry for lookup or policy operations
Enabling or disabling a domain's use of policies
Creating an association using the name stored within a certificate
Listing an association that was created using a certificate
Removing an association using the name stored within a certificate
Creating a domain policy
Listing the domain policy
Deleting a domain policy
Creating a registry policy
Listing a registry policy
Deleting a registry policy
Creating a filter policy
Listing the filter policy association
Deleting a filter policy
Examples for listing various objects without an input file
Using an input file
Input file requirements
Input file contents
The label line
Example — Using eimadmin with the tabular output of SMF Unload
Summary of associated labels
Processing differences between command-line options and input files
The output file
The error file
Example for adding a list of identifiers to an EIM domain
Using eimadmin with the tabular output of SMF Unload
EIM Auditing
Auditing EIM events
Categories of EIM events
How events are audited
What goes into an audit record
Working with audit records
The SMF Record Type 83 subtype 2 records
The XML output from the RACF SMF Unload Utility
The tabular output from the RACF SMF Unload utility
EIM APIs
Authority to use APIs
Java APIs
Authorization to use EIM Services
Mapping C++ to Java APIs
Obtaining documentation for the Java APIs
EimRC -- EIM return code parameter for C/C++
Field descriptions
eimAddAccess
eimAddApplicationRegistry
eimAddAssociation
eimAddIdentifier
eimAddPolicyAssociation
eimAddPolicyFilter
eimAddSystemRegistry
eimChangeDomain
eimChangeIdentifier
eimChangeRegistry
eimChangeRegistryAlias
eimChangeRegistryUser
eimConnect
eimConnectToMaster
eimCreateDomain
eimCreateHandle
eimDeleteDomain
eimDestroyHandle
eimErr2String
eimFormatPolicyFilter
eimFormatUserIdentity
eimGetAssociatedIdentifiers
eimGetAttribute
eimGetRegistryNameFromAlias
eimGetTargetFromIdentifier
eimGetTargetFromSource
eimGetVersion
eimListAccess
eimListAssociations
eimListDomains
eimListIdentifiers
eimListPolicyFilters
eimListRegistries
eimListRegistryAliases
eimListRegistryAssociations
eimListRegistryUsers
eimListUserAccess
eimQueryAccess
eimRemoveAccess
eimRemoveAssociation
eimRemoveIdentifier
eimRemovePolicyAssociation
eimRemovePolicyFilter
eimRemoveRegistry
eimRetrieveConfiguration
eimSetAttribute
eimSetConfiguration
eimSetConfigurationExt
EIM header file and example
Example for creating LDAP suffix and user objects
Working with remote services
The z/OS Identity Cache
How the z/OS Identity Cache works
Configuring your environment to use the z/OS Identity Cache
Configuring Java applications to use the z/OS Identity Cache
Configuring the z/OS Identity Cache
Configuring user ID mapping
Configuring and setting up EIM
Configuring Identity Cache connection defaults
Configuring z/OS sysplex for the Identity Cache
ICTX Java API
Configuring the IBM Tivoli Directory Server for remote services support
com.ibm.ictx.authenticationcontext package
Creating an identity context object from authentication context information
Delegating an identity context object
Parsing an identity context object for authentication context information
com.ibm.ictx.identitycontext package
Creating a storage mechanism object for interacting with the z/OS Identity Cache
Storing an identity context object in the z/OS Identity Cache
Retrieving an identity context object from the z/OS Identity Cache
com.ibm.ictx.util package
Sample ICTX application
Accessing RACF remotely to perform authorization checks and create audit records
Using remote authorization and audit
Profile authorizations for working with remote services
Remote authorization requests
Remote authorization ResponseCodes
Remote authorization audit controls
Remote auditing requests
Remote auditing response codes
Remote audit controls
SMF Record Type 83 subtype 4 records