Release Notes
IBM® Security Verify Governance
Broadcom ACF2 for z/OS Adapter
First Edition (December 20, 2024)
This edition applies to the latest version of IBM Security Verify Governance Adapter for ACF2 and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright International Business Machines Corporation 2003, 2024. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Corrections to the Installation and Configuration sections of the adapter guide.
Welcome to the IBM Security Verify Governance Adapter for Broadcom ACF2.
These Release Notes contain information for the following products that was not available when the IBM Security Verify server manuals were created:
IBM Security Identity Manager CA ACF2 for z/OS Adapter Installation and Configuration Guide
IBM Security Privileged Identity Manager CA ACF2 for z/OS Adapter Installation and Configuration Guide
IBM Security Identity Governance and Intelligence CA ACF2 for z/OS Adapter Installation and Configuration Guide
IBM Security Verify Governance Broadcom ACF2 for z/OS Adapter Installation and Configuration Guide
IBM Security Verify Identity Broadcom ACF2 for z/OS Adapter Installation and Configuration Guide
The ACF2 for z/OS Adapter is designed to create and manage ACF2 for z/OS accounts. The adapter runs in "agent" mode and must be installed on z/OS. One adapter is installed per ACF2 installation.
The IBM Security Verify Governance Adapters are powerful tools that require administrator level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative permissions.
Review and agree to the terms of the IBM Security Verify product license prior to using this product. The license can be viewed from the "license" folder included in the product package.
Component | Version
Release Date | December 20, 2024
Adapter Version | 10.0.3
Component Versions | Adapter Build 10.0.003.00; Profile 10.0.003.00; ADK 10.0.100.00; z/OS enRole Resource Management API 10.0.100.00
Documentation | Please check out the latest documentation on the IBM Knowledge Center. Select the latest server release to navigate to the latest version of the adapter documentation.
|
Internal# | RFE/CASE# | Description

Items included in current release
SVGAD-3469 | ADAPT-153 | Update ACF2 adapter to replace OpenSSL with AT-TLS

Items included in release 10.0.2
No changes in the current release

Items included in release 10.0.1
RTC 187573 | N/A | Rebranding IBM Security Identity to IBM Security Verify

Items included in 7.1.32 release
No changes in the current release

Items included in 7.1.31 release
RTC 186215 | TS000061080 | Add option to run the ACF2 unload outside of the adapter's control.
RTC 186216 | - | Reinstate configurable space for intermediate data sets.

Items included in 7.1.30 release
RTC 184640 | - | Add an option to automatically delete temporary reconciliation data sets

Items included in 7.1.29 release
No changes in the current release

Items included in 7.1.28 release
No changes in the current release

Items included in 7.1.27 release
RTC 182213 | - | IGI 5.2.5 support - As an adapter developer for z/OS I need to add support for supporting data and canonical values to the IGI profiles

Items included in 7.1.26 release
No changes in the current release

Items included in 7.1.25 release
No changes in the current release

Items included in 7.1.24 release
No changes in the current release

Items included in 7.1.23 release
RTC 174414 | - | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739

Items included in 7.1.22 release
RTC 52661, RTC 173352 | 115005 | As an ADK for z/OS developer I need to offer the ability to explicitly disable TLS1.0 in all ADK based adapters.
RTC 173354 | TS000074249 | As an ADK for z/OS developer I need to add diagnostic messages to the ADK that allow troubleshooting 2-way SSL connections
RTC 173351 | - | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n

Items included in 7.1.21 release
RTC 170056 | - | Include specialFlags in targetprofile.json

Items included in 7.1.20 release
RTC 163356 | - | Enable SSL by default in the ISPF installation panels
RTC 166577 | - | Add tooltips to customlabels.properties

Items included in 7.1.19 release
RTC 158896 | N/A | Status tab in IGI target.json, erLastAccessDate in target.json
RTC 156626 | N/A | Upgrade expat libraries to 2.2.0

Items included in 7.1.18 release
RTC 154238 | - | Update OpenSSL to release 1.0.2j
RTC 154263 | PMR 42182,122,000 | Disable SSLV3 and RC4 ciphers and certify that TLS 1.1 / 1.2 is supported by the ADK
RTC 156347 | IV32546 | Adapter appears to be running while it was unable to connect to the socket.

Items included in 7.1.17 release
RTC 152024 | - | Include IGI specific profile with JSON in the adapter package
RTC 152027 | - | Update the adapter panels
RTC 152028 | - | Include adapter mapping file in the adapter package
RTC 152030 | - | Include a license folder in the adapter package
RTC 152024 | - | Add two initial lines to CustomLabels.properties which are required for translation

Items included in 7.0.16 release
RTC 149041 | - | Performance enhancements to the single user account lookup operation.

Items included in 7.0.13 release
RTC 124240 | RFE 67723 | ACF2 Password/Passphrase rules used for random password generation

Items included in 6.0.8 release
No changes in the current release

Items included in 6.0.7 release
RTC 116310 | - | Password/pass phrase design independent of password/pass phrase policies.

Items included in 6.0.6 release
RTC 113711 | - | Add OMVS AUTOUID support

Items included in 6.0.5 release
RTC 95781 | - | Support for custom boolean attributes defined in the ACFFDR to define additional privileges added.

Items included in 6.0.4 release
RTC 99347 | - | Support for additional pass phrase and password profile attributes added: PWP-HST #PSWDCNT #PWD-TOD KEYFROM

Items included in release 6.0.3
RTC 98320 | - | Added support for ACF2 pass phrases

Items included in release 6.0.2
None

Items included in release 6.0.1
ISIM 6.0 release
Removal of the use of APPC

INTERNAL# | APAR# / PMR# | Known Issue / Description
- | N/A | Random passwords/pass phrases generated by the adapter do not implement site specific GSO Password/Pass phrase policies
- | N/A | This release of the ACF2 Adapter does not support FIPS.
RTC 52399 | N/A | The adapter is designed to read its configuration file on start up. If the configuration file is not found, the adapter will create a new default configuration file. The creation of this configuration file is not an event that is written to the adapter log file. Please ensure TCP/IP is fully initialized and the file systems are mounted before starting the adapter. Under rare conditions where prerequisites for startup have not been met, the adapter may overwrite a customer's configuration file with a new default configuration file.
- | N/A | This version of the adapter does not support the following data segments/user profile records:
- | N/A | This version of the adapter does not support multi-value fields and/or partial fields in the @HEADER and/or @UID string definitions.

In this release the ADK is upgraded to a version which no longer supports OpenSSL-based SSL communication. SSL connections require the use of AT-TLS. The ADK also no longer supports DAML_USER and DAML_PASSWORD based authentication using the adapter internal accounts. This release of the adapter mandates a protected adapter logonid to run the started task and a valid SURROGATE ACF2 logonid and password to authenticate to the adapter and perform all the supported operations, such as running reconciliations, adding users, changing passwords and connecting users to groups. A separate ACF2 logonid that can authenticate using a password or password phrase is required, as well as a separate, protected logonid for the adapter, because the logonid that is used to authenticate might get locked out after a defined number of failed login attempts. The ADAPTER ID requires UPDATE access to BPX.SERVER in class FACILITY and READ access to the profile for the SURROGATE ID in class SURROGAT. The SURROGATE logonid requires READ access to all the documented IRR.RADMIN.XX profiles. This has not changed for those who already used a SURROGAT ID in previous releases of this adapter. The only difference is that the use of a SURROGATE ID is now mandatory and its value is defined in the DAML_USER and DAML_PASSWORD section of the service form on the server, rather than in the erracfrequester variable.
A secondary security control has been added to the authentication process. If a specific server exceeds a configurable number of failed login attempts, that server is not allowed to authenticate for a configurable number of seconds.
The AT-TLS configuration using the policy agent requires a valid certificate in a keyring.
The adapter supports two operating modes: SSLMODE NONE and SSLMODE ATTLS. If, during installation, SSLMODE NONE is specified, it is possible to connect to the adapter using plain HTTP.
To enable AT-TLS, SSLMODE ATTLS must be selected during installation. Please refer to the Reference chapter in the documentation updates in this document for sample AT-TLS and certificate configurations, and to the following documentation for more information regarding AT-TLS:
https://www.ibm.com/docs/en/zos/3.1.0?topic=protection-tls-policy-configuration
https://www.ibm.com/docs/en/zos/3.1.0?topic=protection-getting-started-tls
In this release, the OpenSSL-based tools certTool, agentCfg, IsamTool and regis are no longer part of the adapter. The registry file is removed; starting with this release, the former registry settings are migrated to a data set member (PARMLIB member) that exports the configurable parameters as environment settings under control of the Language Environment. This also implies that only one port is required for the adapter from now on, the DAML_PORT that is used for communication between the server and the adapter, and that the adapter requires a restart after an update of the registry/configuration settings.
Corrections to the Installation and Configuration sections of the adapter guide.
The ACF2 Adapter enables IBM Security Verify Governance Identity Manager to perform user tasks on ACF2 Security for z/OS®.
The adapter can add, modify, suspend, restore, reconcile, or delete users from IBM Security Verify Governance Identity Manager. The adapter uses the TCP/IP protocol to communicate with IBM Security Verify Governance Identity Manager.
The ACF2 Adapter does not use Secure Socket Layer (SSL) by default to communicate with IBM Security Verify Governance Identity Manager. You have to configure it.
SSL requires digital certificates and private keys to establish communication between the endpoints. Regarding SSL, the ACF2 Adapter is considered a server. When the adapter uses the SSL protocol, the server endpoint must contain a digital certificate and a private key. The client endpoint (IBM Security Verify Governance Identity Manager) must contain the Certificate Authority or CA certificate.
To enable SSL communication by default, install a digital certificate and a private key on the adapter and install the CA certificate on IBM Security Verify Governance Identity Manager.
The default TCP/IP port on the z/OS host for the adapter and server communication is 45580. You can change this port to a different port. You can specify the port number on the adapter service form on IBM Security Verify Governance Identity Manager. Ensure that it references the same port number that is configured for the adapter on the z/OS host. The TCP/IP port value can be updated in the VERAGT00 PARMLIB member.
Use the agentCfg utility to configure the adapter. The utility communicates with the adapter through TCP/IP. The TCP/IP port number that is used is dynamically assigned and is in the range 44970 - 44994. The port number and the range of port numbers cannot be configured.
You can restrict the use of these ports to the ACF2 Adapter. To protect these ports with the ACF2 protection, define the profiles in the ACF2 Adapter SERVAUTH resource class. Take note that applications run from the z/OS shell have a job name that is the started task name plus a one-character suffix. For example, when you are restricting port access with the PORT statement in the TCP/IP profile the job name has to be <jobname>* or <jobname>? to account for the suffix. For more information, see the z/OS Communications Server, IP Configuration Guide or https://www.ibm.com/support/pages/node/78095.
No updates for the current release
Update the panel in Step 9: Select Adapter communication parameters, to define or alter the Identity server to adapter communication settings.
Adapter communication parameters
IP Communications Port Number ===> 45580
Specify SSL Mode: NONE or ATTLS ===> ATTLS
Note: You must install a certificate when SSL is enabled.
Review the documentation for more information.
Maximum failed login attempts.. ===> 3
Seconds to block ip after max failed logins. ===> 1800
Update the explanatory text as follows:
IP Communications Port Number
Specifies the default IP Communications Port Number, which is 45580. When more than one adapter is active in the same LPAR, use a different port number for each adapter instance.
Adapter authentication ID and Adapter authentication password
Specifies the adapter authentication ID and password that are stored in the adapter registry. The ID and password are used to authenticate the Identity server to the ACF2 Adapter. These two parameters must also be specified on the adapter service form that is created on IBM Security Verify Governance Identity Manager.
Enable SSL
Controls the USE_SSL registry setting. Its default value is TRUE. You must install a certificate when SSL is enabled. For more information, see Configuring SSL authentication.
Disable TLS1.0
Disables or enables TLS1.0 support. The default value is TRUE, which disables TLS1.0.
Disable TLS1.1
Disables or enables TLS1.1 support. The default value is TRUE, which disables TLS1.1.
Specify SSL Mode: NONE or ATTLS
Specifies the default SSL implementation: specify NONE to use plaintext HTTP communication or ATTLS to use AT-TLS.
Maximum failed login attempts..
Specifies the maximum number of failed login attempts for this ISVG/ISVGIM server. Once it is exceeded, on the next attempt, new authentication attempts from the same ISVG/ISVGIM server are blocked for a given number of seconds.
Seconds to block ip after max login attempts
Specifies the number of seconds to block the ISVG/ISVGIM server address after the maximum number of failed login attempts is exceeded.
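The failed-login control that these two settings configure, modelled as an added Python example (this is not adapter code): MFAILED consecutive failures from one server address, after which the next attempt opens a TIMEOUT-second block. The panel defaults above (3 attempts, 1800 seconds) are used; that the counter is cleared by a successful login and when a block expires is an assumption of this example, not documented adapter behaviour.

```python
class FailedLoginGuard:
    """Per-server-address block after repeated failed logins. max_failed and
    block_seconds mirror MFAILED and TIMEOUT; the caller passes the current time
    in seconds so the logic can be exercised without waiting for a real block."""

    def __init__(self, max_failed=3, block_seconds=1800):
        self.max_failed = max_failed
        self.block_seconds = block_seconds
        self._failures = {}       # address -> consecutive failed attempts
        self._blocked_until = {}  # address -> time at which the block ends

    def remaining(self, addr, now):
        """Seconds of block left for addr at time now (0 when not blocked)."""
        return max(0, self._blocked_until.get(addr, 0) - now)

    def attempt(self, addr, credentials_ok, now):
        """Record one authentication attempt; returns ALLOWED, FAILED or BLOCKED."""
        if self.remaining(addr, now) > 0:
            return "BLOCKED"  # inside the TIMEOUT window: credentials are not checked
        if addr in self._blocked_until:
            # Block has expired: start counting afresh (assumption, see lead-in).
            del self._blocked_until[addr]
            self._failures[addr] = 0
        if self._failures.get(addr, 0) >= self.max_failed:
            # MFAILED already reached: this "next attempt" opens the TIMEOUT window.
            self._blocked_until[addr] = now + self.block_seconds
            return "BLOCKED"
        if credentials_ok:
            self._failures[addr] = 0  # assumption: a success clears the counter
            return "ALLOWED"
        self._failures[addr] = self._failures.get(addr, 0) + 1
        return "FAILED"


def demo():
    """One server address against the panel defaults: 3 failures, then 1800 s block."""
    guard = FailedLoginGuard(max_failed=3, block_seconds=1800)
    server = "10.1.2.3"  # constructed address
    results = [guard.attempt(server, False, now=t) for t in (0, 1, 2)]
    results.append(guard.attempt(server, True, now=3))         # right password, still blocked
    results.append(guard.attempt(server, True, now=3 + 1800))  # window over
    return results


if __name__ == "__main__":
    print(demo())  # ['FAILED', 'FAILED', 'FAILED', 'BLOCKED', 'ALLOWED']
```

The fourth attempt is refused even with the correct password, which is why the note above requires a SURROGATE logonid that is separate from the protected adapter logonid.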
Update the panel in Step 10: Select ACF2 site specific parameters.
Site specific ACF2 configuration
@HEADER field as defined in the ACFFDR
===>
@UID field as defined in the ACFFDR
===>
Fully qualified name of a dataset in the PARMLIB concatenation.
This dataset will be used to copy the environment settings member to.
===>
Update the explanatory text as follows:
@HEADER
Specify the @HEADER string as specified in the ACFFDR. The fields that are specified in this string are collected during a single account lookup.
@UID
Specify the @UID string as specified in the ACFFDR. The fields that are specified in this string are collected during a single account lookup.
Fully qualified name of a dataset in the PARMLIB concatenation
Specify the fully qualified name of a dataset in the PARMLIB concatenation. This dataset is used to copy the environment settings member VERAGT00 to. This member contains all the adapter configuration settings that used to be available in the registry.dat file for adapter versions prior to version 10.0.010.00.
For more information regarding parmlib concatenations, see https://www.ibm.com/docs/en/zos/3.1.0?topic=installations-using-parmlib-concatenation-logical-parmlib
Press PF3 (Cancel) or Enter after final input (Accept) to return to the Specify or Alter variables for this configuration panel.
The adapter must run under a valid ACF2 logonid, with access to z/OS UNIX System Services, a valid UID, and a valid TSO account.
The name of the adapter instance must match the name of the started task user.
If you are using shared OMVS userIDs you must make sure that the output for the following command is never empty if the adapter is running: ` ps -ef | grep -i <ADAPTERID> | grep -v grep`
For the adapter to perform requests on behalf of another user, you must define one or more SURROGATE class rules.
The CA ACF2 adapter logonid must have UPDATE permission on the BPX.SERVER resource in the FACILITY class.
The R_admin callable service requires READ permission to be defined for the SURROGATE logonid on the following resources:
Table 1.
CLASS | RESOURCE
FACILITY | IRR.RADMIN.ADDUSER
FACILITY | IRR.RADMIN.ALTUSER
FACILITY | IRR.RADMIN.CONNECT
FACILITY | IRR.RADMIN.DELUSER
FACILITY | IRR.RADMIN.PASSWORD
FACILITY | IRR.RADMIN.REMOVE
Complete the service/target form fields.
On the General Information tab:
Service Name
Specify a name that identifies the ACF2 Adapter service on the Identity server.
Service Description
Optional: Specify a description that identifies the service for your environment. You can specify additional information about the service instance.
URL
Specify the location and port number of the adapter. The port number is defined during installation, and can be viewed and modified in the PARMLIB member.
Note: Configure the adapter for SSL authentication only if https is part of the URL. For more information, see Configuring SSL authentication.
User ID
Specify the SURROGATE logonid.
Password
Specify the password for the SURROGATE logonid.
ACF2 ID under which requests will be processed
Optional: Specify a SURROGATE ID. This logonid might have administrative authority over a subset of logonids within the ACF2 database.
Owner
Optional: Specify the service owner, if any.
Service Prerequisite
Optional: Specify an existing service.
On the Status and information tab
This page contains read-only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.
Last status update: Date
Specifies the most recent date when the Status and information tab was updated.
Last status update: Time
Specifies the most recent time of the date when the Status and information tab was updated.
Managed resource status
Specifies the status of the managed resource that the adapter is connected to.
Adapter version
Specifies the version of the adapter that the service uses to provision requests to the managed resource.
Profile version
Specifies the version of the profile that is installed in the Identity server.
ADK version
Specifies the version of the ADK that the adapter uses.
Installation platform
Specifies summary information about the operating system where the adapter is installed.
Adapter account
Specifies the account that runs the adapter binary file.
Adapter up time: Date
Specifies the date when the adapter started.
Adapter up time: Time
Specifies the time of the date when the adapter started.
Adapter memory usage
Specifies the memory usage for running the adapter.
If the connection fails, follow the instructions in the error message and do the following verifications:
• Verify the adapter log to ensure that the test request is successfully sent to the adapter.
• Verify the adapter configuration information.
• Verify service parameters for the adapter profile. For example, verify the workstation name or the IP address of the managed resource and the port.
No updates for the current release
Configuring the adapter parameters
Remove the following paragraphs:
1. Starting the adapter configuration tool
2. Viewing configuration settings
4. Configuring event notification
5. Changing the configuration key
6. Changing activity logging settings
7. Modifying registry settings
8. Modifying non-encrypted registry settings
9. Changing advanced settings
10. Viewing statistics
11. Changing code page settings
12. Accessing help and additional options
Add the following paragraph:
Changing configuration settings:
To change a configuration setting, edit the parmlib member and restart the adapter.
Note that the configuration/registry settings must be specified in the format name=value, with each setting/value combination on its own line.
For example: SSLMODE=ATTLS
See the following references for more information:
https://www.ibm.com/docs/en/zos/3.1.0?topic=applications-environment-variables
https://www.ibm.com/docs/en/zos/3.1.0?topic=evszxcl-cee-envfile#ceeenvf
See Chapter 7 of the adapter Installation and Configuration Guide for an overview of the registry settings and their values.
Next, in section Configuring SSL Authentication, remove:
DAML SSL implementation
Selecting an AT-TLS configuration mode:
1. aware: set controlling to false and enabled to true in /etc/pagent/ttls.policy. Use https in the connection from ISVG/ISVGIM. Define SSLMODE=NONE in the parmlib member.
2. application controlled: set controlling and enabled to true in /etc/pagent/ttls.policy. Use https in the connection from ISVG/ISVGIM. Define SSLMODE=ATTLS in the parmlib member.
3. don't use AT-TLS: set enabled and controlling to false in /etc/pagent/ttls.policy. Use http in the connection from ISVG/ISVGIM. Define SSLMODE=NONE in the parmlib member.
Note: if you set controlling to false and SSLMODE=ATTLS, you will see an ioctl error in the adapter logs.
For more information see: https://www.ibm.com/docs/en/zos/2.5.0?topic=applications-tls-policy-statements
In section: Configuring certificates for SSL authentication
Paragraph: Configuring certificates for one-way SSL authentication
Replace the below text
On the adapter, complete these steps:
a. Start the certTool utility.
b. Configure the SSL-server application with a signed certificate issued by a certificate authority.
i. Create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key and places the private key in the PENDING_KEY registry value.
ii. Submit the CSR to the certificate authority by using the instructions that are supplied by the CA. When you submit the CSR, specify that you want the root CA certificate that is returned with the server certificate.
With: Configure a KEYRING and certificate as described in the samples in Chapter 7 - Reference.
In Configuring certificates when the adapter operates as an SSL client
Replace the below text:
Install the CA certificate on the adapter with the certTool utility.
With: Install the CA certificate in the keyring for the account that owns the adapter, as specified in the AT-TLS policy. See Chapter 7 - Reference.
Remove paragraph: Install the CA certificate on the adapter with the certTool utility.
Remove paragraph: Using the Regis Tool
Add:
If specific fields that belong to the ACFFDR @UID or @HEADER are not returned during a filtered reconciliation, the adapter might not be running APF-authorized.
Validate that the adapter binaries and libraries in the <adapter_readonly_home>/bin and <adapter_readonly_home>/lib folders are APF-authorized.
Add paragraph:
AT-TLS return codes:
For AT-TLS return codes, please see:
https://www.ibm.com/docs/en/zos/2.5.0?topic=tls-return-codes
Add paragraph:
RACF SURROGATE ID authentication.
The adapter uses the BPX1PWD callable service to determine if the DAML_USER and DAML_PASSWORD that are specified in the service form are valid and if the ADAPTER ID has READ access on the profile for this account as defined in the SURROGAT class.
For an overview of Return and Reason codes see:
https://www.ibm.com/docs/en/zos/3.1.0?topic=csd-passwd-passwd-applid-bpx1pwd-bpx4pwd-verify-change-security-information
Logs
Remove below lines:
The size of a log file, the number of log files, the directory path, and the detailed level of logging are configured with the agentCfg program.
For more information, see Configuring the adapter parameters.
Add:
The size of a log file, the number of log files, the directory path, and the detailed level of logging are configured in the parmlib member.
See the following example (specify TRUE to enable a specific log level and FALSE to disable it):
Agent_Debug=TRUE
Agent_Detail=TRUE
Agent_EnableLogging=TRUE
Agent_LogDir=/var/ibm/veragent/v10-009/log
Agent_LogFile=isiagnt.log
Agent_MaxFileSize=10
Agent_MaxFiles=3
Agent_Thread=TRUE
Add:
Q: I can see "__errno2 = "" messages in the log. What do they mean?
A: You can use the bpxmtext utility to find the full text for the errno2 number. For example:
bpxmtext 77b77221
TCPIP
JRGetConnErr: The connection was not in the proper state for retrieving.
Action: Try the request later.
bpxmtext 05230138
BPXFSCLS 02/14/24
JRFileIsBlocked: The file is blocked
Action: The request cannot be processed. Try again later.
Remove:
Why is my registry file cleared?
There might be several causes. To determine the cause, provide an answer to the following questions when contacting support:
Move the table to the "Environment variables" paragraph and rename that paragraph to "Configuration settings/Environment variables".
Add the following rows to the table:
Option | Default value | Valid values | Function and meaning | Required
SSLMODE | ATTLS | ATTLS, NONE | Use SSL or not | No
TLSVER | VERSION1 | VERSION1, VERSION2 | AT-TLS version | No
TIMEOUT | N/A | any numeric | Seconds to wait before allowing new authentication attempts | No
MFAILED | N/A | any numeric | Maximum failed login attempts before setting the TIMEOUT for the service. | No
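The following Python script is an added example, not part of the adapter or of this release note. It parses a constructed VERAGT00-style parmlib member (the name=value format described under Changing configuration settings) against the settings table above, extracts TTLSEnabled and ApplicationControlled from a constructed ttls.policy fragment, and classifies the pair into the three AT-TLS modes listed under Configuring SSL Authentication (aware, application controlled, no AT-TLS), including the controlling=false with SSLMODE=ATTLS mismatch. Key names, values and the trimmed policy excerpt come from this document; the check logic and the sample inputs are this example's own.

```python
import re

# Allowed values come from the configuration-settings table in this release note and
# the Agent_* keys from its logging sample; the checks themselves are not adapter code.
ENUM_VALUES = {"SSLMODE": {"ATTLS", "NONE"}, "TLSVER": {"VERSION1", "VERSION2"}}
NUMERIC_KEYS = {"TIMEOUT", "MFAILED", "Agent_MaxFileSize", "Agent_MaxFiles"}
BOOLEAN_KEYS = {"Agent_Debug", "Agent_Detail", "Agent_EnableLogging", "Agent_Thread"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # the sample policy turns these Off

def parse_parmlib(text):
    """Parse a VERAGT00-style member: one name=value per line, blank lines ignored.
    Returns (settings, problems); a line without '=' is reported, not guessed."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: expected name=value, got {line!r}")
            continue
        settings[name.strip()] = value.strip()
    return settings, problems

def validate_parmlib(settings):
    """Return findings for the documented settings ([] means nothing to report)."""
    findings = []
    for key, allowed in ENUM_VALUES.items():
        if key in settings and settings[key] not in allowed:
            findings.append(f"ERROR {key}={settings[key]!r}: expected one of {sorted(allowed)}")
    for key in NUMERIC_KEYS:
        if key in settings and not settings[key].isdigit():
            findings.append(f"ERROR {key}={settings[key]!r}: must be numeric")
    for key in BOOLEAN_KEYS:
        if key in settings and settings[key] not in ("TRUE", "FALSE"):
            findings.append(f"ERROR {key}={settings[key]!r}: must be TRUE or FALSE")
    # The table default is ATTLS, so an absent SSLMODE is not plaintext; an
    # explicit NONE is plain HTTP unless AT-TLS is applied in "aware" mode.
    if settings.get("SSLMODE", "ATTLS") == "NONE":
        findings.append("WARN SSLMODE=NONE: plain HTTP unless the AT-TLS policy is in aware mode")
    return findings

def parse_ttls_policy(text):
    """Extract the switches the mode table depends on from a ttls.policy file:
    TTLSEnabled ("enabled"), ApplicationControlled ("controlling") and the
    per-protocol On/Off flags. A switch that is absent is returned as None."""
    def flag(name):
        match = re.search(rf"\b{name}\s+(On|Off)\b", text)
        return match.group(1) if match else None

    protocols = dict(re.findall(r"\b(SSLv3|TLSv1\.[0-9]|TLSv1)\s+(On|Off)\b", text))
    return {"enabled": flag("TTLSEnabled"),
            "controlling": flag("ApplicationControlled"),
            "protocols": protocols}

def attls_mode(sslmode, policy):
    """Map SSLMODE plus the policy switches onto the three documented modes."""
    enabled, controlling = policy.get("enabled"), policy.get("controlling")
    # AT-TLS defaults ApplicationControlled to Off, so an absent switch counts as Off.
    if sslmode == "ATTLS" and controlling != "On":
        return "MISMATCH: SSLMODE=ATTLS with ApplicationControlled Off (ioctl error in adapter log)"
    combos = {("NONE", "On", "Off"): "aware",
              ("ATTLS", "On", "On"): "application controlled",
              ("NONE", "Off", "Off"): "no AT-TLS"}
    return combos.get((sslmode, enabled, controlling),
                      f"UNDOCUMENTED: SSLMODE={sslmode} TTLSEnabled={enabled} "
                      f"ApplicationControlled={controlling}")

def weak_protocols_enabled(policy):
    """Protocol versions the sample policy turns Off but this policy leaves On."""
    return sorted(p for p, state in policy["protocols"].items()
                  if p in WEAK_PROTOCOLS and state == "On")

# Constructed sample inputs; values mirror the panel defaults in this note.
SAMPLE_PARMLIB = """\
DAML_PORT=45580
SSLMODE=ATTLS
TLSVER=VERSION1
MFAILED=3
TIMEOUT=1800
Agent_EnableLogging=TRUE
Agent_MaxFileSize=10
"""

SAMPLE_POLICY = """\
TTLSGroupAction VERAGNT_group { TTLSEnabled On }
TTLSConnectionAdvancedParms VERAGNT_Conn_adv { SSLv3 Off TLSv1 Off TLSv1.1 Off
  TLSv1.2 On ApplicationControlled On SecondaryMap Off HandshakeTimeout 20 }
"""

if __name__ == "__main__":
    settings, problems = parse_parmlib(SAMPLE_PARMLIB)
    policy = parse_ttls_policy(SAMPLE_POLICY)
    for finding in problems + validate_parmlib(settings):
        print(finding)
    print("AT-TLS mode:", attls_mode(settings.get("SSLMODE", "ATTLS"), policy))
    print("weak protocols still On:", weak_protocols_enabled(policy))
```

Run it against the real member and policy before restarting the adapter: the mode it reports should match the https or http URL configured on the service form.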
Remove the rows for REGISTRY and ISIM_ADAPTER_CIPHER_LIST from the RACF Adapter environment variables table.
Add the following paragraphs:
https://www.ibm.com/support/pages/node/713583?mhsrc=ibmsearch_a&mhq=defining-and-securing-keystores-or-truststores
https://www.ibm.com/support/pages/setting-tls-12-support-between-ibm-security-identity-manager-virtual-appliance-and-middleware-servers-such-identity-data-store-and-directory-server
https://www.ibm.com/docs/en/sim/7.0.1.13?topic=configuration-managing-server-settings
Update enRole.properties:
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.2
Restart the IM server.
https://www.ibm.com/docs/en/zos/3.1.0?topic=applications-starting-policy-agent-as-started-task
https://www.ibm.com/docs/en/zos/3.1.0?topic=statements-ttlscipherparms-statement
/etc/pagent #>cat ttls.policy
TTLSConnectionAdvancedParms VERAGNT_Conn_adv
{
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  ApplicationControlled On
  SecondaryMap Off
  HandshakeTimeout 20
}
TTLSCipherParms VERAGNT_cipherparms
{
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_DH_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
}
TTLSRule VERAGNT
{
  LocalPortRange 45580
  Direction Inbound
  TTLSGroupActionRef VERAGNT_group
  TTLSEnvironmentActionRef VERAGNT_env
  TTLSConnectionActionRef VERAGNT_conn
}
TTLSGroupAction VERAGNT_group
{
  TTLSEnabled On
}
TTLSEnvironmentAction VERAGNT_env
{
  HandshakeRole Server
  EnvironmentUserInstance 0
  TTLSKeyringParms
  {
    Keyring VERAGNT/KEYRING
  }
}
TTLSConnectionAction VERAGNT_conn
{
  HandshakeRole Server
  TTLSCipherParmsRef VERAGNT_cipherparms
  TTLSConnectionAdvancedParmsRef VERAGNT_Conn_adv
  CtraceClearText On
  Trace 255
}
Restart the policy agent after updating the configuration file (from ISPF/SDSF):
/F PAGENT,UPDATE
Please consult https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/digital-certificate-support/command-authorization-requirements.html for the required authorization in ACF2. The sample commands below use placeholder names, labels and dates; the key size shown in size() is for illustration only and must be replaced by a size that meets your site's certificate policy.
Gencert certauth.cert1 subjsdn(cn='My Company z/OS CA' o='My Company' ou='My Dept' l='My location' sp=Illinois c=US) size(512) label(CA certificate for My Company) active(09-04-2024) expire(10-12-2025)
Gencert sitecert.server subjsdn(cn='server.my.company.com' o='My Company' ou='My Dept' l='My location' sp=Illinois c=US) size(512) label(Certificate for my server) signwith(certauth label(CA certificate for My Company))
Gencert VERAGT.cert subjsdn(cn='VERAGNT' o='My Company' ou='My Dept' l='My location' sp=Illinois c=US) size(512) label(VERAGNTcert) signwith(certauth label(CA certificate for My Company))
Set profile(user) div(keyring)
Insert VERAGNT ringname(KEYRING)
Set profile(user) div(keyring)
Connect certdata(VERAGNT) label(VERAGNTcert) keyring(VERAGNT) ringname(KEYRING) default
export VERAGNT label(VERAGNTcert) dsn('veragnt.cert.p12') format(pkcs12der) password(mysecretpassword)
Before you start the adapter, ensure that TCP/IP is active.
The ACF2 adapter requires one process per thread plus 8. The default settings are 3 threads for each of the four types of requests, which is a maximum of 12 active threads and equates to 20 processes (12 + 8). This is below the default MAXUSERPROC value of 25. If you change the maximum thread count variables via agentCfg, you might need to increase the MAXUSERPROC parameter in the parmlib member BPXPRMxx.
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
• LDAP schema management
• Working knowledge of scripting language appropriate for the installation platform
• Working knowledge of LDAP object classes and attributes
• Working knowledge of XML document structure
Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting. The ACF2 for z/OS adapter has REXX scripting options. Please see the ACF2 adapter for z/OS Installation and Configuration guide for additional details.
The integration to the IBM Security Verify server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.
Please check out the latest documentation on the IBM Knowledge Center.
Select the latest server release to navigate to the latest version of the adapter documentation.
The IBM Security Verify Manager Adapter supports any combination of the following product versions.
Adapter Installation Platform:
z/OS V2.5
z/OS V3.1
Managed Resource:
CA ACF2 R16
IBM Security Verify Governance:
IBM Security Verify Governance v10.x
IBM Security Verify Governance Identity Manager:
IBM Security Verify Identity v10.x
IBM License Tags release (Agent_License) 11.0.0
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
IBM Security Identity Manager
IBM Security Verify
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
CA, CA ACF2, and CA Top Secret are trademarks of CA, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Other company, product, and service names may be trademarks or service marks of others.
End of Release Notes