Release Notes
IBM® Security Identity RACF Adapter
First Edition (August
19, 2019)
Copyright International Business Machines
Corporation 2003, 2019. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Table of Contents
Preface
Welcome to the
IBM Security Identity RACF Adapter.
These Release Notes contain information for the following products that was not
available when the IBM Security Identity Adapter manuals were created:
§ IBM Security Identity Manager RACF
Adapter Installation and Configuration Guide
§ IBM Security Privileged Identity
Manager RACF Adapter Installation and configuration Guide
Adapter Features and Purpose
The
RACF Adapter is designed to create and manage RACF accounts. The adapter runs in ”agent” mode and must be installed on z/OS. One adapter
is installed per RACF Database, but the RACF Adapter may be configured to
support a subset of the accounts through the scope of authority feature on the
RACF Service Form.
The
Security Identity Adapters are powerful tools that require administrator level
authority. Adapters operate much like a human system administrator, creating
accounts, permissions and home directories. Operations requested from the
Identity server will fail if the adapter is not given sufficient
authority to perform the requested task. IBM recommends that this adapter run
with administrative permissions.
License Agreement
Review
and agree to the terms of the IBM Security Identity product license prior to using
this product. The license can be viewed from the "license" folder
included in the product package.
Contents of this Release
Adapter Version
|
Component |
Version |
|
Release
Date |
23/09/2019 |
|
Adapter
Version |
6.0.38 |
|
Component
Versions |
Adapter
Build 6.0.0038.00 Profile 6.0.0038 ADK 6.06.0012 z/OS enRole Resource Management API 6.0.6 OpenSSL
1.0.2q |
|
Documentation |
Please check out the latest documentation on the IBM Knowledge Center . Select the latest server release to navigate to the latest version of the adapter documentation. |
New Features
|
Internal # |
RFE /CASE# |
Description |
|
|
|
Items
included in current release |
|
RTC
55048 |
RFE
122650 |
RACF
CSDATA segment support for single account lookup |
|
|
|
Items
included in release 6.0.37 |
|
|
|
No
items included |
|
|
|
Items
included in release 6.0.36 |
|
182517 |
RFE
127701 |
ISIM RACF
Adapter enhancement. |
|
RTC
182687 |
|
Disallow
external calls to agentCfg port. |
|
|
|
Items
included in release 6.0.35 |
|
|
|
No
items included |
|
|
|
Items
included in release 6.0.34 |
|
|
|
No
items included |
|
|
|
Items
included in release 6.0.33 |
|
|
|
No
items included |
|
|
|
Items
included in release 6.0.32 |
|
RTC
174146 |
RFE
52070 |
Add
an option to include “REMOVE <connect_group>” or “CONNECT
<connect group>” for PRE MODIFY
and POST MODIFY operations to be passed on to ISIMEXIT. |
|
RTC
174284 |
N/A |
As
an adapter for RACF user I want to have an option to run RECOJOB outside of
the adapter so that the adapter can instantly start processing the RECOSAVE
contents. |
|
RTC
176712 |
N/A |
Add
a registry setting to specify if the adapter should attempt to delete
existing data set profiles before deleting an account. |
|
RTC 174414 |
|
As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739 |
|
|
|
Items
included in release 6.0.31 |
|
RTC 52661 RTC 173352 |
115005 |
As an AD for z/OS developer I need to offer the ability to
explicitly disable TLS1.0 in all ADK based adapters. |
|
RTC 173354 |
TS000074249 |
As an ADK for z/OS developer I need to add diagnostic
messages to the ADK that allow troubleshooting 2-way ssl
connections |
|
RTC 173351 |
|
As an ADK for z/OS developer I need to upgrade to OpenSSL
1.0.2n |
|
|
|
Items
included in release 6.0.30 |
|
RTC1709009 |
|
Add
support for WAEMAIL in WORK segment |
|
|
|
Items
included in previous releases |
|
RTC 163356 |
|
Enable SSL by default in the ISPF installation panels |
|
RTC
166584 |
PMR
22151,003,756 |
Registry setting to keep the RECOSAVE
export data set |
|
RTC156626 |
N/A |
Upgrade expat
libraries to 2.2.0 |
|
RTC154227 |
|
TSO/E
8 Character Userid support |
|
RTC154238 |
|
Update OpenSSL to release 1.0.2j |
|
RTC154263 |
PMR
42182,122,000 |
Disable SSLV3 and RC4 ciphers and certify TLS 1.1 / 1.2 is supported by the ADK |
|
RTC156347 |
IV32546 |
Adapter
appears to be running while it was unable to connect to the socket. |
|
RTC156101 |
IV45711 |
RACF
adapter enhancement. How to know what attributes are being modified in a ISIMEXIT. |
|
RTC154270 |
IV46597 |
Support
ROAUDIT attribute in the RACF adapter |
|
RTC152021 |
|
Update
the adapter panels |
|
RTC152023 |
|
Include
a license folder in the adapter package |
|
RTC149041 |
|
Add
two initial lines to CustomLabels.properties which
are required for translation |
|
RTC
135237 |
|
Complex
Attribute Handler for RACF Connect Groups |
|
RTC
136795 |
|
ISIM
Lookup transaction performance enhancements |
|
RTC 93081 |
|
Remove
APPC protocol dependency |
|
RTC
74287 |
|
Added
support for password phrases |
|
RTC
35332 |
|
Added
support for custom fields (CSDATA) |
|
RTC
75819 |
|
Changed
KERB form: Added AES and changed DESD description |
|
|
|
Changed
agent behavior: |
Closed Issues
Known Issues
|
Internal # |
APAR # |
PMR # /
Description |
|
|
N/A |
This release of the RACF
Adapter does not support FIPS. |
|
|
N/A |
The lookup operation will not
return UAUDIT settings for an account when the ADAPTER ID does not have the
AUDIT attribute. |
Installation and Configuration Notes
See your
products specific RACF Adapter Installation and Configuration Guide for
detailed instructions.
Configuration
The current
adapter profile's schema.dsml
skips objectid 1.3.6.1.4.1.6054.3.127.2.135.
Please do NOT
use this oid and/or change the object ids for
superseding attributes.
Corrections and/or additions to the Installation and Configuration sections of the adapter guide.
Chapter 1: Overview
No updates for
the current release
Chapter 2: Planning
No updates for
the current release
Chapter 3: Installing
No updates for the current release
Chapter 4: Upgrading
No updates for the
current release
Chapter 5: Configuring
After
you install the adapter, configure it to function correctly. Configuration is
based on your requirements or preference.
You can use the adapter configuration tool, agentCfg, to view or modify the adapter parameters. You
can also do this from a remote workstation.
The regis tool can be used to view or modify the adapter
parameters while it is offline.
Configuring the adapter parameters
You can use the
adapter configuration tool, agentCfg, to view or
modify the adapter parameters. You can also do this from a remote
workstation.
All the changes that you make to the parameters, by using the agentCfg, take effect immediately.
The adapter configuration tool can only be used to configure the adapter while it is active. To modify configuration settings while the adapter is not active, use the regis tool.
Using the regis tool
Start the regis tool to modify the different adapter parameters.
Procedure
1. Browse to the Windows Command Prompt.
2. Log on to the TSO on the z/OS® operating system that hosts the adapter.
3. Run the following command. Press Enter to enter the UNIX System Services environment.
Note You can also use a telnet session to enter the UNIX System Services environment.
4. In the command prompt, change to the read/write /bin subdirectory of the adapter.If the adapter is installed in the default location for the read/write directory, run the following command.
./regis -<option>
The following
options are available for the regis tool:
-version ;show regis
version
-registry < value > ;Registry File
-encryptkey < value > ;Encryption key for string data
-setstring < value > ;Set Registry String, [key::value]
-getstring < value > ;Get Registry String
-create ;Create Registry (Default:registry)
-list < value > ;List Registry Contents (Default:registry)
-delete < value > ;Delete Registry key
-script ;Produce output for scripting
-protocol < value > ;Protocol (Default:DAML)
-installpath < value > ;Set agent's install path
-property < value > ;Property name for protocol
-value < value > ;Argument value
-logdir < value > ;Agent's logfile directory
-logfile < value > ;Agent's logfile name
-mainproperty < value > ;Set main property
-instanceclass < value > ;Create instance class
[class::item::encrypt].
-instanceset <
value > ;Create
instance class [class::instance::item::value].
The -registry
<readwrite_home/data/<adapterid.dat> option is
required for all options except -version
Regis command examples
Examples can be
found in installation job ‘hlq’.CNTL(J4)
Modifying
DAML protocolproperties
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat
-protocol DAML -property PASSWORD -value newpassword
/var/ibm/isi/bin/regis
-registry /var/ibm/isi/data/ISI.DAT
-protocol daml -list
Modifying
non-encrypted registry settings:
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -setstring PASSEXPIRE::TRUE
Modifying main properties:
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty Agent_MaxFile -value 5
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty Agent_Debug -value
TRUE
/var/ibm/isi/bin/regis -reg /var/ibm/isi/data/ISIAGENT.dat -mainproperty
Agent_Detail -value TRUE
Chapter 6: Troubleshooting
No updates for
the current release
Chapter 7: Reference
No updates for the current release
Upgrading to the current release
Upgrading to
the current release of adapter requires a full install of the adapter.
Starting and stopping the adapter
Before
you start the adapter, ensure that TCP/IP is active.
Customizing or Extending Adapter Features
The Identity
Manager adapters can be customized and/or extended. The type and method of this
customization may vary from adapter to adapter.
Getting Started
Customizing and
extending adapters requires a number of additional
skills. The developer must be familiar with the following concepts and skills
prior to beginning the modifications:
·
LDAP schema
management
·
Working
knowledge of scripting language appropriate for the installation platform
·
Working
knowledge of LDAP object classes and attributes
·
Working
knowledge of XML document structure
Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting. The RACF adapter has REXX scripting options. Please see the RACF Installation and Configuration guide for additional details
.
IBM Security Identity Product Resources:
Check the Identity and Access Management
Products overview.
Supported Configurations
Installation Platform
The IBM
Security Identity Manager Adapter supports any combination of the following
product versions.
Adapter Installation
Platform:
z/OS V2.2 and higher
Managed
Resource:
IBM
Security Server (RACF) for z/OS
IBM Security
Identity Manager:
Identity
Manager v6.x
IBM Security
Privileged identity Manager :
Privileged Identity Manager v2.X
Notices
This information
was developed for products and services offered in the U.S.A. IBM may not offer
the products, services, or features discussed in this document in other
countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product,
program, or service.
IBM may have
patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to:
IBM
Director of Licensing
IBM Corporation
North Castle
Drive
Armonk, NY 10504-1785 U.S.A.
For license
inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing,
to:
IBM World Trade
Asia Corporation
Licensing
2-31 Roppongi 3-chome,
Minato-ku
Tokyo 106-0032,
Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This
information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references
in this information to non-IBM Web sites are provided for convenience only and
do not in any manner serve as an endorsement of those Web sites. The materials
at those Web sites are not part of the materials for this IBM product and use
of those Web sites is at your own risk.
IBM may use or
distribute any of the information you supply in any way it believes appropriate
without incurring any obligation to you.
Licensees of
this program who wish to have information about it for the purpose of enabling:
(i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet
Road
Austin, TX 78758 U.S.A.
Such
information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed
program described in this information and all licensed material available for
it are provided by IBM under terms of the IBM Customer Agreement, IBM
International Program License Agreement, or any equivalent agreement between
us.
Any performance
data contained herein was determined in a controlled environment. Therefore,
the results obtained in other operating environments may vary significantly.
Some measurements may have been made on development-level systems and there is
no guarantee that these measurements will be the same on generally available
systems. Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should verify the
applicable data for their specific environment.
Information
concerning non-IBM products was obtained from the suppliers of those products,
their published announcements or other publicly available sources. IBM has not
tested those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those
products.
Trademarks
The following terms are trademarks or registered
trademarks of International Business Machines Corporation in the United States,
other countries, or both:
IBM
IBM logo
RACF
IBM Security Systems
Adobe, Acrobat, Portable Document Format
(PDF), and PostScript are either registered trademarks or trademarks of Adobe
Systems Incorporated in the United States, other countries, or both.
Cell Broadband
Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in
the United States, other countries, or both and is used under license
therefrom.
Java and all
Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United
States, other countries, or both.
Microsoft,
Windows, Windows NT®, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Intel®, Intel
logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo,
Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®,
and Pentium® are trademarks or registered trademarks of Intel Corporation or
its subsidiaries in the United States and other countries.
UNIX is a
registered trademark of The Open Group in the United States and other
countries.
Linux is a
trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL® is a
registered trademark, and a registered community trademark of the Office of
Government Commerce, and is registered in the U.S.
Patent and Trademark Office.
IT
Infrastructure Library® is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Other company,
product, and service names may be trademarks or service marks of others.
End of Release Notes