Release Notes
IBM® Security Identity Adapter for CA ACF2
First Edition (August 22, 2019)
This edition applies to the latest version of IBM Security Identity
Adapter for ACF2 and to all subsequent releases and modifications until
otherwise indicated in new editions.
Copyright International Business Machines Corporation 2003, 2019. All
rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome to the IBM Security Identity CA ACF2 for z/OS Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Identity server manuals were created:
• IBM Security Identity Manager CA ACF2 for z/OS Adapter Installation and Configuration Guide
• IBM Security Privileged Identity Manager CA ACF2 for z/OS Adapter Installation and Configuration Guide
The CA ACF2 for z/OS Adapter is designed to create and manage CA ACF2 for z/OS accounts. The adapter runs in "agent" mode and must be installed on z/OS. One adapter is installed per CA ACF2 installation.
The IBM Security Identity Adapters are powerful tools that require administrator level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Identity server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative permissions.
Review and agree to the terms of the IBM Security Identity product license prior to using this product. The license can be viewed from the "license" folder included in the product package.
Component | Version
Build Date | August 22, 2019
Adapter Version | 6.0.30
Component Versions | Adapter Build 6.0.0030.00, Profile 6.0.0030, ADK 6.06.0012, z/OS enRole Resource Management API 6.0.6, OpenSSL 1.0.2q
Documentation | Please find the latest documentation using the IBM Security Identity Manager Knowledge Center. Select the most recent ISIM server release to navigate to the latest version of the adapter documentation.
Internal# | RFE/CASE# | Description
Items included in current release
RTC 184640 | | Add an option to automatically delete temporary reconciliation data sets
Items included in 6.0.29 release
| | No changes in the current release
Items included in 6.0.28 release
| | No changes in the current release
Items included in 6.0.27 release
| | No changes in the current release
Items included in 6.0.26 release
| | No changes in the current release
Items included in 6.0.25 release
| | No changes in the current release
Items included in 6.0.24 release
| | No changes in the current release
Items included in 6.0.23 release
RTC 174414 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739
Items included in 6.0.22 release
RTC 52661, RTC 173352 | 115005 | As an ADK for z/OS developer I need to offer the ability to explicitly disable TLS1.0 in all ADK based adapters.
RTC 173354 | TS000074249 | As an ADK for z/OS developer I need to add diagnostic messages to the ADK that allow troubleshooting 2-way SSL connections
RTC 173351 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n
Items included in 6.0.21 release
| | No changes in the current release
Items included in 6.0.20 release
RTC 163356 | | Enable SSL by default in the ISPF installation panels
Items included in 6.0.19 release
RTC 156626 | N/A | Upgrade expat libraries to 2.2.0
Items included in 6.0.18 release
RTC 154238 | | Update OpenSSL to release 1.0.2j
RTC 154263 | PMR 42182,122,000 | Disable SSLV3 and RC4 ciphers and certify TLS 1.1 / 1.2 is supported by the ADK
RTC 156347 | IV32546 | Adapter appears to be running while it was unable to connect to the socket.
Items included in 6.0.17 release
RTC 152027 | | Update the adapter panels
RTC 152030 | | Include a license folder in the adapter package
RTC 152024 | | Add two initial lines to CustomLabels.properties which are required for translation
Items included in 6.0.16 release
RTC 149784 | | Performance enhancements to the single user account lookup operation.
Items included in 6.0.13 release
RTC 124240 | RFE 67723 | ACF2 Password/Passphrase rules used for random password generation
Items included in 6.0.8 release
| | No changes in the current release
Items included in 6.0.7 release
RTC 116310 | | Password/pass phrase design independent of password/pass phrase policies.
Items included in 6.0.6 release
RTC 113711 | | Add OMVS AUTOUID support
Items included in 6.0.5 release
RTC 95781 | | Support for custom boolean attributes defined in the ACFFDR to define additional privileges added.
Items included in 6.0.4 release
RTC 99347 | | Support for additional pass phrase and password profile attributes added: PWP-HST #PSWDCNT #PWD-TOD KEYFROM
Items included in release 6.0.3
RTC 98320 | | Added support for ACF2 pass phrases
Items included in release 6.0.2
| | None
Items included in release 6.0.1
| | ISIM 6.0 release
| | Removal of the use of APPC
INTERNAL# | APAR# | PMR# / Description
| N/A | Random passwords/pass phrases generated by the adapter do not implement site specific GSO Password/Pass phrase policies
| N/A | This release of the CA ACF2 Adapter does not support FIPS.
RTC 52399 | N/A | The adapter is designed to read its configuration file on start up. If the configuration file is not found, the adapter will create a new default configuration file. The creation of this configuration file is not an event that is written to the adapter log file. Please ensure TCP/IP is fully initialized and the file systems are mounted before starting the adapter. Under rare conditions where prerequisites for startup have not been met, the adapter may overwrite a customer's configuration file with a new default configuration file.
| N/A | This version of the adapter does not support the following data segments/user profile records: DCE, KERB, KERBLINK, KEYRING, LINUX, OPERPARM, MFA
| N/A | This version of the adapter does not support multi-value fields and/or partial fields in the @HEADER and/or @UID string definitions.
See your product's specific ACF2 Adapter Installation and Configuration Guide for detailed instructions.
ADK version 6.04 and higher offer a DAML PROTOCOL setting that allows you to disable TLSv1.0.
ADK version 6.0.3 and higher no longer support SSLV3 and RC4 ciphers. The ISIM server should be configured to use TLS 1.1 or higher. This is done by adding the following parameter to $ITIM/data/enRole.properties. For example:
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.1
Possible values are:
TLSv1.1 | TLS v1.1 protocol (defined by RFC 4346).
TLSv1.2 | TLS v1.2 protocol (defined by RFC 5246).
No updates for the current release
7.a Select Disk location parameters. The Disk location parameters page defines or alters data set and UNIX System Services (USS) locations.
----------ISI CA-ACF2 Adapter Customization ----------------------
Option ===>
Input Data Sets
Fully qualified data set name of the UPLOAD data set.
===> ISIMACF2.UPLOAD
Enter data sets names, volume ID, Storage Class and z/OS Unix directories.
USS Adapter read-only home
===> /usr/lpp/isimcaacf2
USS Adapter read/write home
===> /var/ibm/isimcaacf2
Storage Class ===> STORCLAS
and/or
Disk Volume ID ===> DSKVOL
Fully qualified data set name of Adapter Load Library
===> IBMUSER.ISIMACF2.LOAD
Fully qualified data set name of Adapter EXEC Library
===> IBMUSER.ISIMACF2.EXEC
High-level qualifier for reconciliation data sets (optional)
==> ISIAGNT
Keep temporary reconciliation data sets
==> TRUE
b. Supply the following information:
Fully qualified data set name of the UPLOAD data set
    Specifies the name of the data set that you received earlier. For example, IBMUSER.ISIMACF2.UPLOAD.
UNIX System Services (USS) Adapter read-only home
    Specifies the location where the adapter USS binary files are stored. The adapter installer creates the directories and the subordinate directories later.
USS Adapter read/write home
    Specifies the location where the adapter registry file, certificates, and log files are written. The adapter installer creates the directories and the subordinate directories later.
    Note: The read-only home and the read/write home must be in different locations. If they are the same location, the installation might fail.
Storage class
    Specifies the storage class for the Load and EXEC libraries.
DASD (Disk) volume ID
    Specifies the Disk ID for the Load and EXEC libraries.
Fully qualified data set name of Adapter Load Library and Fully qualified data set name of Adapter EXEC Library
    Specify the fully qualified data set name for the Load and EXEC libraries.
High-level qualifier for reconciliation data sets
    Specifies a high-level qualifier for the data sets that are allocated during reconciliation. If a value is not specified, the agentID is set as high-level qualifier. If the agentID cannot be determined, the default value ISIAGNT is set as a high-level qualifier.
Keep temporary reconciliation data sets
    Specify TRUE to keep temporary reconciliation data sets and FALSE to automatically delete temporary reconciliation data sets as soon as the reconciliation has completed.
No updates for the current release
After you install the adapter, configure it to function correctly. Configuration is based on your requirements or preference.
You can use the adapter configuration tool, agentCfg, to view or modify the adapter parameters. You can also do this from a remote workstation.
The regis tool can be used to view or modify the adapter parameters while it is offline.
All the changes that you make to the parameters, by using the agentCfg, take effect immediately.
The adapter configuration tool can only be used to configure the adapter while it is active. To modify configuration settings while the adapter is not active, use the regis tool.
Table 16. Non-encrypted registry keys
Key | Description
DSKEEP | Specify TRUE to keep temporary reconciliation data sets and FALSE to delete temporary reconciliation data sets at the end of a reconciliation.
HEADER | Specify the @HEADER string as specified in the ACFFDR. The fields that are specified in this string will be collected during a single account lookup.
UID | Specify the @UID string as specified in the ACFFDR. The fields that are specified in this string will be collected during a single account lookup.
Start the regis tool to modify the different adapter parameters.
1. Browse to the Windows Command Prompt.
2. Log on to the TSO on the z/OS® operating system that hosts the adapter.
3. Run the following command. Press Enter to enter the UNIX System Services environment.
Note You can also use a telnet session to enter the UNIX System Services environment.
4. In the command prompt, change to the read/write /bin subdirectory of the adapter. If the adapter is installed in the default location for the read/write directory, run the following command.
./regis -<option>
The following options are available for the regis tool:
-version ;show regis version
-registry <value> ;Registry File
-encryptkey <value> ;Encryption key for string data
-setstring <value> ;Set Registry String, [key::value]
-getstring <value> ;Get Registry String
-create ;Create Registry (Default:registry)
-list <value> ;List Registry Contents (Default:registry)
-delete <value> ;Delete Registry key
-script ;Produce output for scripting
-protocol <value> ;Protocol (Default:DAML)
-installpath <value> ;Set agent's install path
-property <value> ;Property name for protocol
-value <value> ;Argument value
-logdir <value> ;Agent's logfile directory
-logfile <value> ;Agent's logfile name
-mainproperty <value> ;Set main property
-instanceclass <value> ;Create instance class [class::item::encrypt].
-instanceset <value> ;Create instance class [class::instance::item::value].
The -registry <readwrite_home>/data/<adapterid>.dat option is required for all options except -version.
Regis command examples
Examples can be found in installation job 'hlq'.CNTL(J4).
Modifying DAML protocol properties:
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -protocol DAML -property PASSWORD -value newpassword
/var/ibm/isi/bin/regis -registry /var/ibm/isi/data/ISI.DAT -protocol daml -list
Modifying non-encrypted registry settings:
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -setstring PASSEXPIRE::TRUE
Modifying main properties:
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty Agent_MaxFile -value 5
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty Agent_Debug -value TRUE
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty Agent_Detail -value TRUE
No updates for the current release
Key | Default value | Format | Description | Required
DSKEEP | TRUE | TRUE/FALSE | Specify TRUE to keep the temporary data sets that are created during a reconciliation and FALSE to delete the temporary data sets at the end of a reconciliation | Yes
HEADER | LID,NAME,UID,PHONE | Comma separated, single value character fields without spaces | Specify the @HEADER string as defined in the ACFFDR. The fields from the string will be collected during a single account reconciliation. | Yes
UID | LID | Comma separated, full length single value character fields without spaces | Specify the @UID string as defined in the ACFFDR. The fields from the string will be collected during a single account reconciliation. | Yes
Before you start the adapter, ensure that TCP/IP is active.
The CA ACF2 agent requires one process per thread plus 8. The default settings are 3 threads for each of the four types of requests, which is a maximum of 12 active threads and equates to 20 processes (12 + 8). This is below the default MAXUSERPROC value of 25. If you change the maximum thread count variables via agentCfg, then you might need to increase the MAXUSERPROC parameter in the parmlib member BPXPRMxx.
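The two start-up conditions above (the registry file must be present before start, or the adapter silently writes a default one; MAXUSERPROC must cover one process per thread plus 8) can be checked from USS before the adapter is started. The script below is an added example, not IBM-supplied code; it assumes the registry sits at <readwrite_home>/data/<adapterid>.dat, that a copy of the active BPXPRMxx member has been made readable from USS, and that the thread counts passed in are the ones set through agentCfg (3 per request type by default).

```shell
#!/bin/sh
# Pre-start checks for the CA ACF2 adapter (added example, not IBM-supplied).

# check_registry <registry file>
# Returns 0 only if the registry file exists and is non-empty. A dated copy is
# kept so that a default registry written by a premature start can be undone.
check_registry() {
    reg="$1"
    if [ ! -s "$reg" ]; then
        echo "registry $reg missing or empty: is the read/write file system mounted?" >&2
        return 1
    fi
    cp "$reg" "$reg.$(date +%Y%m%d%H%M%S).bak"
    return 0
}

# required_procs <t1> <t2> <t3> <t4>
# One process per configured thread across the four request types, plus 8.
required_procs() {
    echo $(( $1 + $2 + $3 + $4 + 8 ))
}

# maxuserproc <file>
# Prints the value of the first MAXUSERPROC(n) statement in a BPXPRMxx copy.
maxuserproc() {
    sed -n 's/.*MAXUSERPROC(\([0-9][0-9]*\)).*/\1/p' "$1" | head -n 1
}

# check_procs <t1> <t2> <t3> <t4> <bpxprm file>
# Returns 0 if MAXUSERPROC covers the adapter's process requirement.
check_procs() {
    need=$(required_procs "$1" "$2" "$3" "$4")
    limit=$(maxuserproc "$5")
    if [ -z "$limit" ]; then
        echo "no MAXUSERPROC statement found in $5" >&2
        return 1
    fi
    if [ "$need" -gt "$limit" ]; then
        echo "adapter needs $need processes but MAXUSERPROC is $limit" >&2
        return 1
    fi
    echo "MAXUSERPROC $limit covers the $need processes the adapter needs"
    return 0
}
```

Run both checks (for example, check_registry /var/ibm/isimcaacf2/data/ISIAGENT.dat and check_procs 3 3 3 3 /tmp/bpxprm.copy) from the start-up procedure and abort the start if either returns non-zero.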
The IBM Security Identity Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
• LDAP schema management
• Working knowledge of scripting language appropriate for the installation platform
• Working knowledge of LDAP object classes and attributes
• Working knowledge of XML document structure
Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting. The CA ACF2 for z/OS adapter has REXX scripting options. Please see the CA ACF2 for z/OS Installation and Configuration guide for additional details.
The integration to the IBM Security Identity server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Check the Identity and Access Management Products overview.
The IBM Security Identity Manager Adapter supports any combination of the following product versions.
Adapter Installation Platform:
    z/OS V2.2 and higher
Managed Resource:
    CA ACF2 R16
IBM Security Identity Manager:
    Identity Manager v6.0
    Identity Manager v7.0
IBM Security Privileged Identity Manager:
    Privileged Identity Manager v2.X
Notices
This information was developed for
products and services offered in the U.S.A. IBM may not offer the products,
services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services
currently available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product, program,
or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used
instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering
subject matter described in this document. The furnishing of this document does
not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information,
contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The
following paragraph does not apply to the United Kingdom or any other country
where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this
statement may not apply to you.
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are
provided for convenience only and do not in any manner serve as an endorsement
of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any
way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it
for the purpose of enabling: (i) the exchange of information between
independently created programs and other programs (including this one) and (ii)
the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all
licensed material available for it are provided by IBM under terms of the IBM
Customer Agreement, IBM International Program License Agreement, or any
equivalent agreement between us.
Any performance data contained herein was determined in a
controlled environment. Therefore, the results obtained in other operating
environments may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed
to the suppliers of those products.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
IBM Security Identity Manager
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are
either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony
Computer Entertainment, Inc., in the United States, other countries, or both
and is used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are
trademarks of Microsoft Corporation in the United States, other countries, or
both.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel
Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®,
Itanium®, and Pentium® are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other countries.
CA, CA ACF2, and CA Top Secret are trademarks of CA, Inc. in the
United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United
States and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other
countries, or both.
ITIL® is a registered trademark, and a registered community trademark
of the Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.
IT Infrastructure Library® is a registered trademark of the
Central Computer and Telecommunications Agency which is now part of the Office
of Government Commerce.
Other company, product, and service names may be trademarks or
service marks of others.
End of Release Notes