IBM IBM Tivoli Security Administrator for RACF Install Guide Version 1.1 GC18-9475-01


Post on 08-Oct-2020


Page 1: IBM Tivoli Security Administrator for RACF Install Guidepublib.boulder.ibm.com/tividd/td/ITSecAfRACF/GC18-9475-01/en_US/… · IBM Tivoli Security Administrator for RACF IBM Install

IBM

IBM Tivoli Security Administrator for RACF

Install Guide

Version 1.1

GC18-9475-01


Second Edition (November 2005)

This edition applies to version 1, release 1, of IBM Tivoli Security Administrator for RACF and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition replaces GC18-9475-00.


© Copyright International Business Machines Corporation 2005. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
    Who should read this book
    What you need to know
    What this book contains
    Publications
        Release information
        Base information
        Accessing publications online
        Ordering publications
    Accessibility
    Contacting software support
    Conventions used in this book
        Typeface conventions
        Operating system differences

Chapter 1. Introduction
    About the Security Administrator for RACF
    Security Administrator architecture
        Security Administrator server
        Security Administrator clients
        Operational overview

Chapter 2. Prerequisites
    Product requirements overview
        System requirements summary
        Permission requirements summary

Chapter 3. Installation Overview
    Installation overview
    Summary of steps

Chapter 4. Installing the Security Administrator server
    Step 1: Install the Security Administrator using SMP/E
    Step 2: Create the Security Administrator file system
    Step 3: Assign Security Administrator directory UNIX permissions
    Step 4: Configure your communications environment
    Step 5: Create sufficient region size
    Step 6: Create required RACF permissions
    Step 7: Enable RACF system options (SETROPTS)
    Step 8: Customize and run AORUNPAX
    Step 9: Run the install script
    Step 10: Create a job card
    Step 11: Create the Security Administrator LDAP database
    Step 12: Enable the IEFU83 user exit points
    Step 13: Activate the SLAPU83 program
        Activating SLAPU83 dynamically
        Activating SLAPU83 permanently
    Step 14: Start the Security Administrator
        Using started tasks
        Using submitted jobs
    Step 15: Test the Security Administrator using the dotestserver script
    Step 16: Test the Security Administrator racf2ldap components using the dotestr2l script
    Step 17: Test the Security Administrator ldap2racf component using the dotestl2r script

Chapter 5. Operating the Security Administration server
    Starting/stopping the Security Administrator using started tasks
    Setting the debugging level

Chapter 6. Installing the Security Administrator Client
    Step 1: Install the PC client
    Step 2: Install the ISPF client

Appendix A. Troubleshooting
    Gathering diagnostic information
        General information
        Diagnostic files
        Diagnostic commands
    Issues with running the install script
        Install Script Error Messages
        Assembly of SLATEVT fails in the install script
    Issues with creating the Security Administrator LDAP database
        HFS or z/FS file system full
        Temporary file system full
        Default LE libraries incompatible
        Insufficient SORTWK space allocation condition
        Error with the DOLDIF step
        Unable to parse entry error message
    Issues with starting the Security Administrator
        Insufficient region size allocated
        Insufficient HEAP storage available
        Unable to load LDAP modules
    Issues with operating the Security Administrator server
        Too many open files
    Issues with operating the Security Administrator client
        Security Administrator client times out
    Frequently asked questions
        Working offline
        Encryption
        Reports

Appendix B. Notices
    Trademarks

Index


Preface

Welcome to the IBM® Tivoli® Security Administrator for RACF® for z/OS. This product extends RACF configuration and control support to Security Administrator for RACF Clients running on z/OS or Windows.

The IBM Tivoli Security Administrator for RACF Install Guide provides post-installation and configuration information and instructions for the Security Administrator for RACF server. Product laydown information and instructions are found in the IBM Tivoli Security Administrator for RACF Program Directory.

Who should read this book

The target audience for this installation guide includes:

• Security administrators

• System programmers

What you need to know

Readers must have the following:

Item Description

1 You need to be familiar with LDAP concepts such as LDAP operations and directory schemas.

2 You need to be familiar with z/OS concepts such as JCL, partitioned data sets, and how to submit jobs.

3 You must have knowledge of TCP/IP operations, as well as SMF operation and how to install dynamic exits on z/OS.

4 You need to be familiar with RACF concepts such as resource authorization and password verification.

5 You must have authority to edit mainframe files, create data sets, and submit jobs.

6 You must understand Unix System Services concepts such as how to access USS, know HFS or z/FS file structure, and know basic UNIX commands.

7 You must have authority to access USS and create HFS or z/FS file systems.

8 You must have a copy of the IBM UNIX System Services Planning Guide.

What this book contains

This book contains the following chapters:

• Chapter 1. Introduction describes the Security Administrator and its architecture.

• Chapter 2. Prerequisites summarizes the system and permission requirements necessary to successfully install and configure the product.

• Chapter 3. Installation Overview summarizes the tasks you must perform to install the product.

• Chapter 4. Installing the Security Administrator server describes in detail how to install the Security Administrator server.

• Chapter 5. Operating the Security Administration server describes how to operate the product.

• Chapter 6. Installing the Security Administrator Client describes in detail how to install a Security Administrator client.

Publications

The IBM Tivoli Security Administrator for RACF documentation set contains the following:

Release information

• IBM Tivoli Security Administrator for RACF Release Notes

SC18-9476-00

Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Security Administrator for RACF Program Directory

GI10-8678-00

Explains how to install the Security Administrator from the release media.

• IBM Tivoli Security Administrator for RACF Installation Guide

GC18-9475-00

Provides installation and configuration instructions for the Security Administrator.

• IBM Tivoli Security Administrator for RACF User’s Guide

SC18-9476-00

Describes how to use the Security Administrator.

• IBM Tivoli Security Administrator for RACF Advanced Tuning Guide

SC18-9476-00

Provides extensive configuration information for experienced customers.

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli Software Library: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page.

Product publications include release notes, installation guides, users guides, administrators guides, and developers references.


Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

Ordering publications

You can order many IBM Tivoli publications online at: http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone:

• In the United States: 800-879-2755

• In Canada: 800-426-4968

• In other countries, for a list of telephone numbers, see http://www.ibm.com/software/tivoli/order-lit/

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at: http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

• Registration and eligibility requirements for receiving support

• Telephone numbers and e-mail addresses, depending on the country in which you are located

• A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this book:

Bold Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic Variables, titles of publications, and special words or phrases that are emphasized are in italic.


Monospace Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. Introduction

The IBM® Tivoli® Security Administrator for RACF® for z/OS provides a directory-centric approach to the security management functions of RACF. By using LDAP, the Security Administrator for RACF makes RACF appear just like any other enterprise directory. The product allows new administrators to manage RACF using their existing skills and enables experienced administrators to enhance their productivity.

About the Security Administrator for RACF

The IBM Tivoli® Security Administrator for RACF is a flexible interface to the powerful security management functions of RACF, providing a variety of views of the RACF database and making specific information easy to find and update. As Tivoli Security Administrator for RACF does not require the knowledge of RACF commands, new administrators can manage RACF using their existing skills. Meanwhile, experienced administrators can be much more productive, and help-desk personnel can quickly research and solve security-related problems. In addition, the standards-based API provides access to RACF data from applications running on other platforms.

The Security Administrator can help you:

• Query and view the RACF database. Fields for each type of RACF profile are visible, searchable, and sortable (except for very sensitive fields, such as passwords). This includes not just users and groups, but data sets, resources, access permissions, and system options. Numerous security administration views of the RACF database are provided as well as the ability to customize and create your own. The data is always current, and you can search on any combination of fields.

• Maintain the RACF database. Most RACF fields are modifiable using an easy-to-use Java™-based PC client or ISPF client. All updates are done under the authority of the authenticated RACF administrator. Detailed, comprehensive pop-up help explains each RACF field. Field validation routines check the format and content of each field before sending the change to RACF.

• Manage multiple RACF databases. Consolidated searches across multiple RACF databases and copying users between databases are all part of its multiple database capabilities.

• Access and update RACF data from applications running on non-z/OS® platforms using standards-based application programming interfaces.

The Security Administrator provides a modern, flexible, and powerful interface to view and maintain all types of profiles in the RACF database. Whether the administrator uses traditional interfaces to RACF or the new interfaces provided by the Security Administrator, the underlying security features and controls of RACF are maintained.

Security Administrator architecture

The Security Administrator consists of the following components:

• Security Administrator server

• Security Administrator clients


Security Administrator server

The Security Administrator server maintains an LDAP image of the RACF database, and one Security Administrator server is required for each RACF database managed within your environment. The Security Administrator server consists of the following components:

• Mirror database

• racf2ldap

• ldap2racf

• Configuration database

Mirror database

The mirror database represents a real-time image of the entire RACF database as it resides on the host z/OS system. The RACF database and mirror database are automatically updated with the ldap2racf and racf2ldap synchronization processes.

racf2ldap

racf2ldap updates the mirror database to reflect the current status of the RACF database.

Whenever a change is made to the RACF database, racf2ldap intercepts the SMF record that is generated by the RACF command. The RACF command is then translated into an equivalent LDAP modify command that updates the mirror database accordingly.

ldap2racf

ldap2racf modifies the mirror database to reflect changes initiated by the Security Administrator.

Whenever users make a change using the Security Administrator, ldap2racf translates the LDAP modify command into an equivalent RACF command to update the RACF database accordingly. Once the change has been made to the RACF database, racf2ldap processes and reflects the change within the mirror database.

Configuration database

The configuration database acts as a central repository of configuration data for all components of the Security Administrator server.

Security Administrator clients

Security Administrator clients connect with any Security Administrator servers within your environment. Administrators determine client privileges for viewing and modifying the data on any RACF database.

PC client

The Security Administrator PC client provides a graphical user interface that accesses the Security Administrator server, and can be run from any PC machine. The PC client is best suited to new RACF administrators, departmental administrators, and help desk personnel.

ISPF client

The Security Administrator ISPF client provides a set of ISPF panels that access the Security Administrator server. The ISPF client is best suited to experienced RACF administrators, but can be configured to provide special support for help desk and audit personnel.

Operational overview

The diagram below illustrates how all of the components within the Security Administrator work together.


Chapter 2. Prerequisites

This chapter summarizes the system and permissions requirements that are necessary to successfully install and configure the Security Administrator for RACF.

Product requirements overview

The tables below summarize the system and permission requirements necessary for the proper functioning of the Security Administrator. Each of the requirements listed below is discussed in further detail at the appropriate point during the installation process.

System requirements summary

System: z/OS

Operating System: Any supported release of z/OS.

RACF:

• RACF release that was included with the operating system.

• You must also ensure that the RACF subsystem is enabled in your environment.

TCP/IP: TCP/IP for OS/390 or z/OS that was included with the operating system.

LE runtime libraries: LE runtime libraries included with the operating system, with C-language support.

Subsystems: The SMF subsystem must be enabled on your system. SMF must be configured to collect Type 80 records on all subsystems that are enabled to accept RACF commands.

Resources: The Security Administrator requires resources that are similar to those required for a high-volume CICS region. Verify sufficient CPU, disk, and memory resources have been allocated to the Security Administrator environment.

System: UNIX System Services

Access: USS release included with the operating system. You will need ISHELL, OMVS, or Telnet to access USS on your system:

maxassize parameter: The maximum address space size parameter must be set to at least 200 MB. You must ensure that this parameter is not overridden by the RACF OMVS ASSIZEMAX parameter.

maxfileproc parameter: The maximum number of open file descriptors per process parameter must be set to at least 400.

maxmmaparea parameter: The maximum mmaparea pages parameter must be set to the maximum of 40960.

maxprocsys parameter: The maximum total system processes parameter must be increased by at least 200 from the current level.

maxprocuser parameter: The maximum processes for user parameter must be set to at least 300.

maxsharedpages parameter: The maxsharedpages parameter must be set to at least 131072.

Permission requirements summary

System: z/OS

General: The RACF user ID of the person installing the product must have the authority to:

• edit files

• create data sets, HFS or z/FS files, mount HFS or z/FS file systems

• submit jobs

Security Administrator jobs and started tasks: The RACF user ID that is associated with Security Administrator jobs and started task must be a member of the RACF group that owns the Security Administrator directory.

AORUNPAX JCL: Must be run by a user who can become root using the su command.

SMF: You must have the authority to install SMF exits.

System: UNIX System Services

General: The user ID of the person installing the product must have the authority to:

• access USS and enter UNIX commands

• create HFS or z/FS files

• browse directories
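The UNIX System Services limits in the system requirements summary can be checked against a copy of the BPXPRMxx parmlib member before installation starts. The Python script below is an added example, not part of the IBM guide: it parses KEYWORD(value) statements, compares them with the minimums listed above, and flags a RACF OMVS ASSIZEMAX value that would override maxassize. Assumptions: MAXASSIZE and ASSIZEMAX are given in bytes, maxsharedpages is coded in BPXPRMxx as MAXSHAREPAGES, the ASSIZEMAX line follows the LISTUSER OMVS output layout, and both sample inputs (including the home directory /u/aorsrv) are constructed.

```python
import re

MB = 1024 * 1024

# Minimums from the system requirements summary on this page.
# Assumption: MAXASSIZE and ASSIZEMAX are expressed in bytes.
MINIMUMS = {
    "MAXASSIZE": 200 * MB,
    "MAXFILEPROC": 400,
    "MAXMMAPAREA": 40960,   # page says "set to the maximum of 40960"; read here as "at least"
    "MAXPROCUSER": 300,
    "MAXSHAREPAGES": 131072,
}
MAXPROCSYS_INCREASE = 200   # required growth over the level before installation

# The page spells the parameter "maxsharedpages"; accept both spellings.
ALIASES = {"MAXSHAREDPAGES": "MAXSHAREPAGES"}


def parse_limits(text):
    """Return {KEYWORD: int} for each KEYWORD(number) statement outside /* */ comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    limits = {}
    for key, value in re.findall(r"\b([A-Za-z]+)\s*\(\s*(\d+)\s*\)", text):
        key = key.upper()
        limits[ALIASES.get(key, key)] = int(value)
    return limits


def parse_assizemax(listuser_text):
    """Return the per-user ASSIZEMAX override, or None when it is NONE or absent."""
    match = re.search(r"ASSIZEMAX=\s*(NONE|\d+)", listuser_text, flags=re.I)
    if not match or match.group(1).upper() == "NONE":
        return None
    return int(match.group(1))


def check(bpxprm_text, baseline_maxprocsys, listuser_text=""):
    """Return a list of findings; an empty list means every listed minimum is met."""
    limits = parse_limits(bpxprm_text)
    findings = []
    for key, minimum in MINIMUMS.items():
        value = limits.get(key)
        if value is None:
            findings.append(f"{key}: not coded, confirm the active value")
        elif value < minimum:
            findings.append(f"{key}: {value} is below the required {minimum}")
    needed = baseline_maxprocsys + MAXPROCSYS_INCREASE
    procsys = limits.get("MAXPROCSYS")
    if procsys is None or procsys < needed:
        findings.append(f"MAXPROCSYS: {procsys} is below the required {needed}")
    override = parse_assizemax(listuser_text)
    floor = MINIMUMS["MAXASSIZE"]
    if override is not None and override < floor:
        findings.append(f"ASSIZEMAX: RACF OMVS override {override} is below the required {floor}")
    return findings


# Constructed BPXPRMxx excerpt (not taken from a real system).
SAMPLE_BPXPRM = """
/* Constructed BPXPRMxx excerpt for illustration */
MAXPROCSYS(900)
MAXPROCUSER(300)
MAXFILEPROC(256)      /* MAXFILEPROC(2000) planned, not active */
MAXASSIZE(209715200)
MAXMMAPAREA(40960)
MAXSHAREPAGES(131072)
"""

# Constructed excerpt modelled on LISTUSER ... OMVS output for the server user ID.
SAMPLE_LISTUSER = """
OMVS INFORMATION
----------------
UID= 0000000120
HOME= /u/aorsrv
PROGRAM= /bin/sh
CPUTIMEMAX= NONE
ASSIZEMAX= 0104857600
FILEPROCMAX= NONE
"""

if __name__ == "__main__":
    # 800 is the constructed MAXPROCSYS level before the product was planned in.
    for finding in check(SAMPLE_BPXPRM, 800, SAMPLE_LISTUSER):
        print(finding)
```

With the constructed samples the script reports MAXFILEPROC, MAXPROCSYS, and the ASSIZEMAX override; the commented-out MAXFILEPROC(2000) is ignored.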


Chapter 3. Installation Overview

Installation overview

The installation process for the Security Administrator involves downloading the product from tape, performing an SMP/E installation of the product libraries, running install scripts under USS, then installing the PC client software.

Summary of steps

The following table summarizes the steps required to successfully install the Security Administrator.

Step Description

1 Install the Security Administrator using SMP/E.

2 Create the Security Administrator file system.

3 Assign Security Administrator directory UNIX permissions.

4 Configure your communications environment.

5 Create sufficient region size.

6 Create required RACF permissions.

7 Enable RACF system options (SETROPTS).

8 Customize and run AORUNPAX.

9 Run the install script.

10 Create a job card.

11 Create the Security Administrator LDAP database.

12 Enable the IEFU83 user exit points.

13 Activate the SLAPU83 program.

14 Start the Security Administrator.

15 Test the Security Administrator using the dotestserver script.


16 Test the Security Administrator racf2ldap components using the dotestr2l script.

17 Test the Security Administrator ldap2racf component using the dotestl2r script.


Chapter 4. Installing the Security Administrator server

This chapter describes how to install the Security Administrator for RACF.

Step 1: Install the Security Administrator using SMP/E

To install the Security Administrator using SMP/E, complete all instructions in the IBM Tivoli Security Administrator for RACF Program Directory.

Step 2: Create the Security Administrator file system

To create, allocate, and mount the Security Administrator file system, follow the steps below:

1. From TSO, issue the following command:

PERMIT SUPERUSER.FILESYS.MOUNT CLASS(UNIXPRIV) ACCESS(READ) ID(user ID)

Where user ID is your RACF user ID.

2. From TSO, issue the following command:

SETROPTS RACLIST(UNIXPRIV) REFRESH

3. From OMVS, have an authorized user issue the following command:

mkdir sdir

Where sdir is the location of the Security Administrator file system. The default location is /usr/lpp/AOR.

4. From ISPF, create a job that contains the sample JCL below:

Note: Consult your systems programmer for a proper sizing estimate for the file system. The amount of disk space required for the file system can be determined using the following formula:

Disk Space = 200MB + (size of RACF database x 4)

//JOBCARD *
//*
//*****************************************************************
//*
//* ALLOCATE THE HFS OR Z/FS
//*
//IEFBR14 EXEC PGM=IEFBR14
//AORHFS DD DSN=&SARHFS,
// DISP=(NEW,KEEP),
// RECFM=U,LRECL=0,BLKSIZE=0,
// SPACE=(CYL,(100,50,1)),
// DSNTYPE=HFS
//* VOL=SER=&TARGVOL,
//* UNIT=&UNIT
//*
//*****************************************************************
//*
//* MOUNT THE HFS OR Z/FS AT THE DESIRED LOCATION
//*
//*****************************************************************
//*
//MNTHFS EXEC PGM=IKJEFT01,REGION=4096K
//SYSTSPRT DD SYSOUT=*
//SYSTSOUT DD SYSOUT=*
//SYSTSIN DD *
 MOUNT FILESYSTEM('&SARHFS') +
 MOUNTPOINT('&SDIR') +
 TYPE(HFS) MODE(RDWR)
/*
//*
//*****************************************************************
//*
//* SET THE PERMISSION
//*
//*****************************************************************
//*
//SETPERM EXEC PGM=BPXBATCH,
// PARM='SH CHMOD 771 &SDIR'
//STDERR DD PATH='/tmp/chmod.ERR',
// PATHOPTS=(OWRONLY,OCREAT),
// PATHDISP=(DELETE,KEEP),
// PATHMODE=(SIRWXU,SIRGRP)
//*
//*****************************************************************
//*
//* SET THE OWNER
//*
//*****************************************************************
//*
//SETOWNR EXEC PGM=BPXBATCH,
// PARM='SH CHOWN &UID &SDIR'
//STDERR DD PATH='/tmp/chown.ERR',
// PATHOPTS=(OWRONLY,OCREAT),
// PATHDISP=(DELETE,KEEP),
// PATHMODE=(SIRWXU,SIRGRP)
//*
//*****************************************************************
//*
//* SET THE GROUP
//*
//*****************************************************************
//*
//SETGRP EXEC PGM=BPXBATCH,
// PARM='SH CHGRP &UID &SDIR'
//STDERR DD PATH='/tmp/chgrp.ERR',
// PATHOPTS=(OWRONLY,OCREAT),
// PATHDISP=(DELETE,KEEP),
// PATHMODE=(SIRWXU,SIRGRP)
//*

Where:

• &SARHFS is the name of your Security Administrator HFS or z/FS data set.

• &SDIR is the name of your Security Administrator directory.

• &UID is the user ID of your security administrator for the product.

• &TARGVOL is the volume name of your Security Administrator HFS or z/FS target volume.

• &UNIT is the name of your Security Administrator HFS or z/FS volume type.

5. Add job card information to the JCL, then submit the job to create the Security Administrator file system.

6. Add the Security Administrator file system to your production file systems so that it is available before the daemon process is initiated.

Note: You must use the same case that you specified for the Security Administrator directory when customizing any JCL and CLISTS.

Step 3: Assign Security Administrator directory UNIX permissions

To assign UNIX permissions, perform the steps below:

1. From OMVS, issue the following command:

chmod o+X /usr/lpp

Where /usr/lpp/ is the parent directory of your Security Administrator.

This command assigns the OTHER execute permission to the parent directory.

Step 4: Configure your communications environment

To configure your communications environment, perform the steps below:

1. Ensure that the ports you will run the Security Administrator on are available for use. To verify your ports, examine the /etc/services file. The Security Administrator can communicate using any port number.

Note: Do not create a reserved port definition for the Security Administrator Server.

2. If users will access the product from outside a firewall, have your network administrator modify the firewall to permit access to these ports.

Step 5: Create sufficient region size

To create sufficient region space, perform the step below:

1. Verify with your system programmer that the Security Administrator’s user ID and job class are permitted to allocate a region size of 200 MB or more.

Step 6: Create required RACF permissions

To create the required RACF permissions, follow the steps below:

Note: These permissions are only required for the initial installation of the product.

1. From TSO, issue the following command:

PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ACCESS(READ) ID(user/group ID)


Where user ID is the installer’s user ID.

2. From TSO, issue the following command:

PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ACCESS(READ) ID(user/group ID)

Where user ID is the installer’s user ID.

3. From TSO, issue the following command:

PERMIT BPX.DAEMON CLASS(FACILITY) ACCESS(READ) ID(user/group ID)

Where user/group ID is the RACF user or group ID for the Security Administrator server.

4. From TSO, issue the following command:

RALTER PROGRAM * ADDMEM('xxx.SCEERUN2'//NOPADCHK)

Where xxx is the prefix for your language environment libraries (usually “CEE”).

5. From TSO, issue the following commands:

SETROPTS REFRESH WHEN(PROGRAM)

SETROPTS RACLIST(FACILITY) REFRESH

Step 7: Enable RACF system options (SETROPTS)

To enable the required RACF system options, follow the steps below:

1. Verify with your security administrator that your user ID has AUDITOR authority.

2. From TSO, issue the following command:

SETROPTS AUDIT(*) SAUDIT OPERAUDIT

Step 8: Customize and run AORUNPAX

To run the AORUNPAX job, perform the steps below:

1. Edit the AORUNPAX job from the SQUAL.SRAOSAMP data set, where SQUAL is your high-level qualifier.

2. Add job card information that is appropriate for your environment.

3. Verify that the Security Administrator directory is specified correctly. The specified directory must be one level above the product directory:

SET PATH=/usr/lpp

SET DSN='SQUAL.SAORSAMP'

Where /usr/lpp is the default, and SQUAL is the high-level qualifier for the Security Administrator data sets.

4. Submit the job. AORUNPAX must be run by a user who can become root using the su command.

Step 9: Run the install script

To run the install script, follow the steps below:

Note: Once you have run the install script, you cannot copy the product files between systems. The install process customizes the product for an individual system.

1. From OMVS, issue the following commands:

cd /usr/lpp/AOR

sh install


Where /usr/lpp/AOR is the location of your Security Administrator directory.

2. Respond to the prompts by entering information that is appropriate for your environment. Prompt information is case-sensitive, so ensure that you supply values in their correct case.

Any prompts that are left blank will use default values for that variable. You will be prompted for the following information:

Prompt | Default Value | Description
SQUAL | AOR | SQUAL is the high-level qualifier for the Security Administrator data sets. The default value is recommended.
PDUNIT | 3390 | PDUNIT is the unit designation for your permanent storage device. Other values include “DISK” and “DASD”.
TDUNIT | SYSDA | TDUNIT is the unit designation for your temporary storage device. Other values include “VIO”.
SDIR | usr/lpp/AOR | SDIR is the name of the Security Administrator directory. This value is case-sensitive.
COMPANY | company.com | COMPANY is the LDAP root for your site. For example, if your company web address is www.company.com, then the value for COMPANY would likely be company.com. If you are unsure of this value, ask your network administrator or accept the default value. You must define this value in order to access the Security Administrator database.
HOSTNAME | Current host | HOSTNAME is the TCP/IP address of the host for the Security Administrator. If you are unsure of this value, ask your network administrator or accept the default value.
HOSTPORT | 389 | HOSTPORT is the port that is used for unencrypted communications by your host system. This value must be the same as the port number defined in Step 4: Configure your communications environment.

The install script can be run as many times as necessary. Earlier files are deleted and replaced each time the install script is run.

Note: If you re-run the install script, you must verify that no user ID is currently using the JCLLIB. If you have previously installed the product, you must verify that the Security Administrator is not currently running.

3. If your site uses non-standard IBM data set names, you must run the ASMEVT job located in SQUAL.JCLLIB after you have finished running the install script.

Step 10: Create a job card

To create a prototype job card, follow the steps below:

1. Edit the JOBCARD member of the SQUAL.JCLLIB data set, where SQUAL is the high-level qualifier for the Security Administrator data sets.

2. Customize the job card with the values that are appropriate for your environment.

3. Save the job card, and use it for all JCL that is required by the Security Administrator.

Step 11: Create the Security Administrator LDAP database

To create the Security Administrator database, follow the steps below:

1. Edit the SLCONVR job that is found within SQUAL.JCLLIB, where SQUAL is the high-level qualifier for the Security Administrator data sets.

2. Change the input data set name in the UNLOAD step to match the RACF database that is being unloaded. The SLCONVR job creates temporary data sets (&&IRRDBU00) that must be twice the size of the data set being unloaded. Change their SIZE parameters as appropriate.

3. Submit the SLCONVR job.

The user ID for the SLCONVR job must have the same RACF group owner as the Security Administrator directory. The job has successfully completed when you receive a return code of 4 or less.

4. From TSO, issue the following command:

SETROPTS

Step 12: Enable the IEFU83 user exit points

To enable the IEFU83 exit points, follow the steps below:

1. Edit the SMFPRMnn member of the SYS1.PARMLIB data set, where nn is the SMF parameter member that is currently active on your system.

2. Enable the SYS.IEFU83 exit-point in the EXITS clause of the SYS parameters as shown in the example below:

SYS(xxx,EXITS(IEFU83,xxx)xxx )

Where xxx represents other keywords and parameters that are used in your environment.

3. If STC is defined as an SMF subsystem, enable the SYSSTC.IEFU83 exit-point in the EXITS clause of the SUBSYS(STC) parameters as shown in the example below:

SUBSYS(STC,EXITS(IEFU83,xxx))

Where xxx represents other keywords and parameters in your environment.

4. If TSO is defined as an SMF subsystem, enable the SYSTSO.IEFU83 exit-point in the EXITS clause of the SUBSYS(TSO) parameters as shown in the example below:

SUBSYS(TSO,EXITS(IEFU83,xxx))

Where xxx represents other keywords and parameters that are used in your environment.

5. If JES2 is defined as an SMF subsystem, enable the SYSJES2.IEFU83 exit-point in the EXITS clause of the SUBSYS(JES2) parameters as shown in the example below:

SUBSYS(JES2,EXITS(IEFU83,xxx))

Where xxx represents other keywords and parameters that are used in your environment.

6. Ensure that if NOTYPE statements exist in the definition of a user exit, they do not include 80 for any of the above statements.
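The checks in Step 12 can be run against a copy of the SMFPRMnn member before it is activated. The following is an added example, not part of the IBM guide: the function names are hypothetical, the sample member is constructed, and the TYPE check goes one step beyond item 6 by also flagging a TYPE list that leaves out record type 80.

```python
import re

# Constructed sample of an SMFPRMnn member (not taken from the guide).
SAMPLE_MEMBER = """\
ACTIVE
DSNAME(SYS1.MAN1,SYS1.MAN2)
SYS(TYPE(0:255),EXITS(IEFU83,IEFU84,IEFACTRT),INTERVAL(003000)) /* system-wide */
SUBSYS(STC,EXITS(IEFU29,IEFU84),NOTYPE(14:19,62:69))
SUBSYS(TSO,EXITS(IEFU83),NOTYPE(30(2:3),70:89))
SUBSYS(JES2,EXITS(IEFU83,IEFU84))
"""

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_KEYWORD = re.compile(r"([A-Z0-9]+)\s*\(")


def statements(text):
    """Return [(keyword, body)] for every KEYWORD(...) at the top level of text."""
    text = _COMMENT.sub(" ", text).upper()
    found, pos = [], 0
    while True:
        m = _KEYWORD.search(text, pos)
        if m is None:
            return found
        # Walk to the parenthesis that closes this keyword, honouring nesting.
        depth, end = 1, m.end()
        while depth and end < len(text):
            depth += {"(": 1, ")": -1}.get(text[end], 0)
            end += 1
        if depth:
            raise ValueError("unbalanced parentheses after " + m.group(1))
        found.append((m.group(1), text[m.end():end - 1]))
        pos = end


def covers(type_list, rec=80):
    """True if a TYPE/NOTYPE list such as '14:19,30(2:3),80' names record type rec."""
    flat = re.sub(r"\([^()]*\)", "", type_list)  # drop subtype lists like 30(2:3)
    for item in filter(None, (p.strip() for p in flat.split(","))):
        lo, _, hi = item.partition(":")
        if int(lo) <= rec <= int(hi or lo):
            return True
    return False


def audit(member_text, exit_name="IEFU83", rec=80):
    """List the SYS/SUBSYS statements that would keep type-80 records from the exit."""
    findings, saw_sys = [], False
    for keyword, body in statements(member_text):
        if keyword not in ("SYS", "SUBSYS"):
            continue
        if keyword == "SYS":
            scope, saw_sys = "SYS", True
        else:
            scope = "SUBSYS(" + body.split(",")[0].strip() + ")"
        opts = dict(statements(body))
        # Only an explicit EXITS clause is judged; the guide describes editing
        # that clause and this sketch makes no claim about SMF defaults.
        if "EXITS" in opts:
            exits = [e.strip() for e in opts["EXITS"].split(",")]
            if exit_name not in exits:
                findings.append(f"{scope}: {exit_name} missing from EXITS")
        if "NOTYPE" in opts and covers(opts["NOTYPE"], rec):
            findings.append(f"{scope}: NOTYPE excludes record type {rec}")
        if "TYPE" in opts and not covers(opts["TYPE"], rec):
            findings.append(f"{scope}: TYPE does not include record type {rec}")
    if not saw_sys:
        findings.append("no SYS statement found")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MEMBER) or ["member passes the Step 12 checks"]:
        print(line)
```

An empty result means every explicit EXITS clause names IEFU83 and no statement filters out type 80, the record type that item 6 says must not appear in NOTYPE.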


Step 13: Activate the SLAPU83 program

Activating SLAPU83 dynamically

Note: Activating SLAPU83 dynamically only remains in effect until the next system IPL.

To activate the SLAPU83 program dynamically, follow the steps below:

1. Activate SLAPU83 for the SYS.IEFU83 user-exit point by issuing the following command from a console:

SETPROG EXIT,ADD,EXITNAME=SYS.IEFU83,MODNAME=SLAPU83,DSNAME=SQUAL.LOADLIB

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

2. If STC is defined as an SMF subsystem, activate SLAPU83 for the SYSSTC.IEFU83 user-exit point by issuing the following command from a console:

SETPROG EXIT,ADD,EXITNAME=SYSSTC.IEFU83,MODNAME=SLAPU83,DSNAME=SQUAL.LOADLIB

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

3. If TSO is defined as an SMF subsystem, activate SLAPU83 for the SYSTSO.IEFU83 user-exit point by issuing the following command from a console:

SETPROG EXIT,ADD,EXITNAME=SYSTSO.IEFU83,MODNAME=SLAPU83,DSNAME=SQUAL.LOADLIB

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

4. If JES2 is defined as an SMF subsystem, activate SLAPU83 for the SYSJES2.IEFU83 user-exit point by issuing the following command from a console:

SETPROG EXIT,ADD,EXITNAME=SYSJES2.IEFU83,MODNAME=SLAPU83,DSNAME=SQUAL.LOADLIB

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

Activating SLAPU83 permanently

To activate the SLAPU83 program permanently, follow the steps below:

1. Edit the PROGnn member of the SYS1.PARMLIB data set, where nn is the program parameter member that is currently active on your system.

2. Activate SLAPU83 for the SYS.IEFU83 user-exit point by adding the following statements:

EXIT ADD EXITNAME(SYS.IEFU83) MODNAME(SLAPU83) STATE(ACTIVE) DSNAME(SQUAL.LOADLIB)

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

3. If STC is defined as an SMF subsystem, activate SLAPU83 for the SYSSTC.IEFU83 user-exit point by adding the following statements:

EXIT ADD EXITNAME(SYSSTC.IEFU83) MODNAME(SLAPU83) STATE(ACTIVE) DSNAME(SQUAL.LOADLIB)

Where SQUAL is the high-level qualifier for the Security Administrator data sets.


4. If TSO is defined as an SMF subsystem, activate SLAPU83 for the SYSTSO.IEFU83 user-exit point by adding the following statements:

EXIT ADD EXITNAME(SYSTSO.IEFU83) MODNAME(SLAPU83) STATE(ACTIVE) DSNAME(SQUAL.LOADLIB)

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

5. If JES2 is defined as an SMF subsystem, activate SLAPU83 for the SYSJES2.IEFU83 user-exit point by adding the following statements:

EXIT ADD EXITNAME(SYSJES2.IEFU83) MODNAME(SLAPU83) STATE(ACTIVE) DSNAME(SQUAL.LOADLIB)

Where SQUAL is the high-level qualifier for the Security Administrator data sets.

6. You must IPL the system in order to activate the SLAPU83 program permanently.

Step 14: Start the Security Administrator

Using started tasks

To start the Security Administrator, follow the steps below:

1. Customize the STARTST member of the SQUAL.JCLLIB data set, where SQUAL is the high-level qualifier of the Security Administrator data sets.

Note: The started task spawns subtasks that run under the initial started task. These subtasks take the same name as the started task and append a one or two digit suffix.

2. Ensure that the user ID of the started task is connected to the group that owns the Security Administrator directory.

3. Copy STARTST over to the appropriate system PROCLIB in your environment.

4. From TSO, issue the following command:

SETROPTS

Using submitted jobs

To start the Security Administrator, follow the steps below:

1. Add job card information and customize the START member of the SQUAL.JCLLIB data set, where SQUAL is the high-level qualifier of the Security Administrator data sets.

2. Submit the START job.

3. From TSO, issue the following command:

SETROPTS

Step 15: Test the Security Administrator using the dotestserver script

To test the Security Administrator server, follow the steps below:

1. From OMVS, enter the following commands:

cd /sdir/AOR/samples


sh dotestserver

Where sdir is the name of the Security Administrator directory.

2. At the prompts, enter your RACF user ID and password. The test has successfully completed when you receive information on your RACF user ID from the Security Administrator LDAP directory.

Step 16: Test the Security Administrator racf2ldap components using the dotestr2l script

To test the Security Administrator racf2ldap component, follow the steps below:

1. From TSO, issue the following command:

ALTUSER testuserID NAME('RACF2LDAP TEST')

Where testuserID is any valid RACF user ID.

2. Wait briefly, then from OMVS, issue the following commands:

cd /sdir/AOR/samples

sh dotestr2l

Where sdir is the name of the Security Administrator directory.

3. At the prompts, type a valid RACF user ID and password along with testuserID. The test has successfully completed when you receive the distinguished name of the entry along with the following text:

cn: RACF2LDAP TEST

If the test does not complete successfully, consult sdir/racf2ldap.log to determine the cause of the error.

Step 17: Test the Security Administrator ldap2racf component using the dotestl2r script

To test the Security Administrator ldap2racf component, follow the steps below:

1. From OMVS, enter the following commands:

cd /sdir/AOR/samples

sh dotestl2r

Where sdir is the name of the Security Administrator directory.

2. At the prompts, type a valid RACF user ID and password along with a new user ID to be created on your RACF database.

This command can take up to one minute to complete.

If you receive a RACF error message, your own RACF user ID may not have the authority required to create new user IDs. The RACF message should contain information on why the command failed. If you are unable to correct the problem in RACF, please contact technical support.

3. After the dotestl2r command completes, from TSO, issue the following command:

LU newuserID

The test has successfully completed when you receive text similar to the following:

USER=newuserID NAME=TEST LDAP2RACF OWNER=racfuser CREATED=04.267
DEFAULT-GROUP=racfgrp PASSDATE=00.000 PASS-INTERVAL=180
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=UNKNOWN
CLASS AUTHORIZATIONS=NONE
INSTALLATION-DATA=
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=racfgrp AUTH=USE CONNECT-OWNER=racfuser CONNECT-DATE=04.267
CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
***

Where newuserID is the user-ID you created, racfuser is your RACF user ID, and racfgrp is the default RACF group assigned to this user.

If the test does not complete successfully, consult sdir/samples/slapd.err to determine the cause of the error, then contact technical support.


Chapter 5. Operating the Security Administration server

This chapter describes how to perform common system operations with the Security Administrator.

Starting/stopping the Security Administrator using started tasks

To start or stop the Security Administrator using started tasks, follow the step below:

1. Customize the following members in the SQUAL.JCLLIB data set:

• STARTST - creates a started task that starts the Security Administrator.

• STOPST - creates a started task that stops the Security Administrator.

Note: The started tasks may spawn subtasks that run under the initial started task. These subtasks will have job names such as STARTRAO xxx, where xxx represents various spawned processes.

2. Ensure that the user IDs of the started tasks are connected to the group that owns the Security Administrator directory.

Setting the debugging level

Security Administrator debugging information is written to the sdir/slapd.out file, and is printed at the termination of the START job.

To set the debugging level, follow the steps below:

1. Stop the Security Administrator.

2. Set the debugging level using the DEBUG parameter in the START job.

3. Start the Security Administrator.

The table below describes the debugging levels.

Table 1. DEBUG parameter settings

DEBUG parameter setting | Type of trace performed
DEBUG=-1 | Enable all debugging.
DEBUG=1 | Trace function calls.
DEBUG=2 | Trace function handling.
DEBUG=4 | Display all processing.
DEBUG=8 | Trace connections and results.
DEBUG=16 | Display packets being sent and received.
DEBUG=32 | Trace search filter processing.
DEBUG=64 | Display configuration parameters.
DEBUG=128 | Trace access control list processing.
DEBUG=256 | Trace connections/operations/results.
DEBUG=512 | Trace entries sent.
DEBUG=1024 | Trace shell backend processing.
DEBUG=2048 | Trace entry parsing.

To use multiple debugging levels, add the two individual DEBUG parameter settings together. For example, to trace function calls (DEBUG=1) and display configuration parameters (DEBUG=64), set the debugging level to DEBUG=65.

Chapter 6. Installing the Security Administrator Client

This chapter describes how to install the Security Administrator clients.

Step 1: Install the PC client

The Security Administrator PC client is installed by users accessing the installation package from a network drive.

To transfer the PC client installation package to your network, follow the steps below:

1. Using FTP, download the file /usr/lpp/AOR/rao/windows/setupwin32.exe in binary format from your Security Administrator directory to your network. Consult your system programmer for instructions if you are unfamiliar with FTP.

2. When the download is complete, notify users of the network location for the Security Administrator PC client installation package, then refer them to the IBM Tivoli Security Administrator for RACF User’s Guide for detailed information concerning how to use the PC client.

Step 2: Install the ISPF client

The Security Administrator ISPF client is installed by making the ISPF client CLISTS available to your ISPF session.

To install the ISPF client, follow the steps below:

1. Create a way to access the ISPF client by performing one of the following actions:

• Concatenate SQUAL.CLIST to the SYSPROC DD statement in the TSO Logon procedure, where SQUAL is the high-level qualifier for the Security Administrator.

• From TSO, provide an EXEC that allocates the library to an existing concatenation by issuing the following command:

"ALLOC F(SYSPROC) DATASET ('SQUAL.CLIST') SHR REUS"

Where SQUAL is the high-level qualifier for the Security Administrator.

• From TSO, dynamically allocate the library by issuing the following command:

"ALTLIB ACT APPLICATION(CLIST) DA('SQUAL.CLIST')"

Where SQUAL is the high-level qualifier for the Security Administrator.

• Copy the two CLISTS from SQUAL.CLIST to an existing library concatenated to the SYSPROC DD statement in your TSO startup procedure. Modify the first line of the AOR CLIST member from:

PROC 0 CLISTLIB(SQUAL.CLIST)

to:

PROC 0 CLISTLIB(TARGET.TSO.CLIST)

Where SQUAL is the high-level qualifier for the Security Administrator, and TARGET.TSO is the library where the CLISTS were copied.

Note: The sample CLIST files that are provided may require customization to your site’s standards. For example, one CLIST uses the PASSLIB parameter to invoke the application and may have to be removed if your site does not support this parameter for ISPF applications.

2. From TSO, issue the following command:

AOR

3. Refer to the IBM Tivoli Security Administrator for RACF User’s Guide for detailed information concerning how to use the ISPF client.

Note: Messages from the Security Administrator ISPF client are written to the userID.AORLOG file, where userID is the administrator’s RACF userID.


Appendix A. Troubleshooting

This appendix describes the symptoms of issues that can occur during installation and explains the potential causes of issues that can arise with the IBM Tivoli Security Administrator for RACF.

Gathering diagnostic information

To help you resolve the issue you are experiencing, gather diagnostic information from the sources listed below prior to calling technical support.

General information

The following basic information is required for diagnostic purposes:

Information | Description
z/OS level | The current level of z/OS on the Security Administrator host.
Security Administrator dump information | Security Administrator dump information from sdir/samples. The product records are identified by the prefix CEE. Older records can be deleted if necessary.
USS dump information | Dump information for the USS address space for the Security Administrator.
SLCONVR dump information | Dump information for the SLCONVR job for the Security Administrator.

Diagnostic files

The following files contain diagnostic information:

File | Location | Description
installer.out | The root directory of the Security Administrator. | Contains messages logged from the install script.
ldif2ldbm.err | The root directory of the Security Administrator. | Contains error messages logged from the database load routine.
ldif2ldbm.out | The root directory of the Security Administrator. | Contains messages logged from the database load routine.
ls_prddir.out | The root directory of the Security Administrator. | Displays the structure and file sizes for the Security Administrator directory.
slapd.err | The root directory of the Security Administrator. | Displays some of the messages logged from the Security Administrator. Some of these messages are also written to the UNIX syslog, which is located in the /etc/syslog.conf file for your environment.
slapd.out | The root directory of the Security Administrator. | Displays operational messages from the Security Administrator.
racf2ldap.log | The root directory of the Security Administrator. | Contains a log of changes processed by racf2ldap.
racf2ldap.err | The root directory of the Security Administrator. | Contains diagnostic data produced by racf2ldap.
racf2ldap.out | The root directory of the Security Administrator. | Displays operational messages from racf2ldap.

Diagnostic commands

The following commands are used to gather diagnostic information:

Command | Where executed | Description
D OMVS,A=ALL | System console. | Displays all OMVS processes executing on the target system.
D OMVS,L | System console. | Displays OMVS system limits.
D OMVS,O | System console. | Displays SYS1.PARMLIB options set for OMVS processes.
D OMVS,U=user ID | System console. | Displays all OMVS processes associated with user ID, where user ID is the RACF user ID of the SLCONVR job.
D OMVS,PID=pid number | System console. | Displays the status of the target thread pid for each process shown by D OMVS,U=user ID.
LU user ID, OMVS | TSO command line. | Displays the UNIX privileges set by RACF for user ID, where user ID is the RACF user ID of the SLCONVR job or the Security Administrator started task.
ls -lER >./ls_prddir.out | OMVS from the root directory of the Security Administrator. | Produces the ls_prddir.out file.
df -k . >./df_prddir.out | OMVS from the root directory of the Security Administrator. | Produces continuing file usage data.

Issues with running the install script

Issues that can arise while running the install script are described below.

Install Script Error Messages

The first time the installation script is run, four warnings will be produced that are related to the DELETE functions issued for the SRCLIB, JCLLIB, LOADLIB, and ATTR files. These warnings can be safely ignored.

At the end of the script, you may also see a message similar to:

IGD103I SMS ALLOCATED TO DDNAME SYS00024
THE RECORD SIZE IN THE OUTPUT DATA SET IS SMALLER THAN A LINE IN THE INPUT FILE
SOME RECORDS HAVE BEEN TRUNCATED.

This is also a normal message, which you may safely ignore.

Assembly of SLATEVT fails in the install script

Symptom:

The assembly of SLATEVT fails during the running of the install script.

Problem:

Your site uses non-standard IBM data set names.

Solution:

To complete the install, you must customize and run the ASMEVT job located in SQUAL.JCLLIB after you have finished running the install script.

Issues with creating the Security Administrator LDAP database

Issues that can arise while creating the Security Administrator LDAP database are described below.

HFS or z/FS file system full

Symptom:

While running the SLCONVR job, a SOC6 Abend or other UNIX error indicates an HFS or z/FS file system full condition.

Problem:

The Security Administrator does not have sufficient resources allocated for it to operate properly.

Solution:

The amount of disk space required for the directory can be determined using the following formula:

Disk Space = 200MB + (size of RACF database x 4)

If you receive a SOC6 Abend or other UNIX error, you must copy the Security Administrator to another HFS or z/FS file system with sufficient space.


To copy the Security Administrator to another HFS or z/FS file system, you must use the pax command to preserve the existing file links, permissions, and attributes. Follow the series of steps below:

1. Create a new directory with sufficient space.

2. Copy the existing file system containing the Security Administrator to the new directory. If you used the default installation directory, you would issue the following command:

cd /usr/lpp/AOR

pax -r -w -pe . new_path

where new_path is the location of the new directory you created.

3. Rename the new directory so that new_path matches the original install path you used.

Temporary file system full

Symptom:

While running the SLCONVR job, an error code of 256 indicates a temporary file system full condition, and the server fails to stop.

Problem:

The temporary file system is not large enough.

Solution:

If you receive an error code of 256, you must allocate a larger temporary file system. For more information concerning this procedure, refer to Chapter 24 of the IBM UNIX Systems Services Planning Guide.

Default LE libraries incompatible

Symptom:

While running the SLCONVR job, an 0C4 abend for module IGZCEV5 occurs in the CONV step.

Problem:

Your default Language Environment Libraries are not compatible with the versions used by the Security Administrator server.

Solution:

The Language Environment v1.4 is almost certainly already installed on your system, but you will need to explicitly point the Security Administrator server at these libraries. Identify the library name for the LE 1.4 SCEERUN library, and add it to the STEPLIB concatenation of the CONV step for SLCONVR.

Insufficient SORTWK space allocation condition

Symptom:

The SLCONVR job exits with return code 16 and shows one of the following error messages:


• ICE046A 0 SORT CAPACITY EXCEEDED

• CR07: SORT FAILED, SEE RETURN CODE AND SORT OUTPUT

Problem:

Your SORTWK data set allocation is not large enough.

Solution:

To increase the SORTWK data set allocations, edit the SLCONVR job and modify the DD statements for the SORTWK data sets in the CONV step. For example, in the following initial data set allocations, both the primary and secondary space allocations have been changed:

//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,(100,50))
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,(100,50))
//SORTWK03 DD UNIT=SYSDA,SPACE=(CYL,(100,50))
//SORTWK04 DD UNIT=SYSDA,SPACE=(CYL,(100,50))
//SORTWK05 DD UNIT=SYSDA,SPACE=(CYL,(100,50))

Error with the DOLDIF step

Symptom:

The SLCONVR job exits the DOLDIF step.

Problem:

The SLCONVR job could not allocate sufficient memory, or its user ID did not have sufficient authority to run sdir/samples/doldif or sdir/sbin/slapd.

Solution:

If the SLCONVR job exits the DOLDIF step with a return code 9 (usually without any messages), this indicates that it could not allocate sufficient memory. As delivered, the Security Administrator server requires approximately 200 megabytes of processor memory. You will have to consult your systems programmer, and adjust the user-ID, job class or REGION parameter in the DOLDIF step to assure that this job can allocate sufficient memory.

If the job exits the DOLDIF step with a non-zero return code and a message of "cannot execute", this indicates an authority issue. You must change the user or group of the job to one that has execute authority.

Unable to parse entry error message

Symptom:

The SLCONVR job exits the DOLDIF step with a 2048 return code and an "Unable to parse entry" error message is generated.

Problem:

The RACF database contains characters that cannot be converted into the local code set.


Solution:

Edit the SLCONVR JCL by appending -c to the PARM statement of the DOLDIF step, then resubmit the job. Use the example below:

// PARM=('SH &SIDIR/samples/doldif &SSYS &DEBUG &SUFFIX -c')

Once you resubmit the SLCONVR job, you can ignore the 2048 return code if -c appears in the PARM statement.

Issues with starting the Security Administrator

Issues that can arise while starting the Security Administrator are described below.

Insufficient region size allocated

Symptom:

A process exits with return code 9.

Problem:

The process failed to allocate sufficient memory.

Solution:

Security Administrator processes run as submitted jobs or started tasks that are optimized for a 50,000 user installation and require approximately 200 megabytes of memory.

The default REGION parameter coded in the START JCL is 0M, which usually indicates no memory limitations. However, your site may have specific limitations that override the REGION=0M parameter. These limitations, usually coded in an IEFUSI user exit, may be based on your user ID, job class, or other factors. Verify that the job class and user ID for the Security Administrator are permitted to allocate a region size of 200 megabytes or more. A return code 9 indicates that the region size is too small and needs to be adjusted upwards.

Insufficient HEAP storage available

Symptom:

A return code of 0768 or job output containing messages such as “failure to allocate nnn bytes”, or “cannot reallocate nnn bytes”.

Problem:

Sufficient processor memory for HEAP storage cannot be allocated.

Solution:

To allocate sufficient HEAP storage, follow the series of steps below:

1. Edit sdir/samples/stdenv to enable the storage report. Ensure that the appropriate section of line 5 appears as follows:

_CEE_RUNOPTS=RPTS(ON),RPTO(ON)....


2. Re-create the problem and examine the storage report in the SYSOUT to determine the suggested values for the HEAP parameter.

3. Re-edit sdir/samples/stdenv. Ensure that the appropriate section of line 6 appears as follows:

_CEE_RUNOPTS=...H(xxx,5M,ANYWHERE,KEEP,8K,4K)

where xxx is the suggested value for the HEAP parameter from the storage report.

If you adjust the heap size upwards, you may also have to adjust the REGION parameter in the START JCL, as described in “Insufficient region size allocated” on page 28.

Unable to load LDAP modules

Symptom:

A message of "unable to load" appears in the slapd.err file.

Problem:

The Security Administrator LDAP modules are not APF-authorized and program-controlled.

Solution:

To APF-authorize and program-control the Security Administrator LDAP modules, follow the step below:

1. From OMVS, issue the following command for each Security Administrator LDAP module:

extattr +ap sdir/sbin/module

Where sdir is the name of the Security Administrator directory and module is a Security Administrator LDAP module name. The following are the module names:

• slapd

• ldap2racf.so

• pwdbind.so

Issues with operating the Security Administrator server

Issues that can arise while operating the Security Administrator server are described below.

Too many open files

Symptom:

You receive the EDC5124I error message of "Too many open files."

Problem:

Under UNIX System Services, the user ID under which the Security Administrator runs is not permitted to allocate a sufficient number of file descriptors. Typical causes are a shortage of MMAPAREA storage or the user ID being unable to allocate a sufficient region size.


Solution:

To increase the permitted number of open files under UNIX System Services, follow the steps below:

1. From the system console, issue the following command:

D OMVS,O

2. Verify that the following minimum values are listed:

MAXMMAPAREA=40960
MAXSHAREDPAGES=131072
MAXASSIZE=268435456

If the values are too low, you can change them temporarily using the SETOMVS command, or permanently by changing the appropriate values in SYS1.PARMLIB(BPXPRMxx).

3. Use the LISTUSER user ID OMVS command to verify that the user ID under which the Security Administrator server runs does not have any special limits for MMAPAREA or ASSIZE parameters.

4. Consult your systems programmer to confirm that the job class for the Security Administrator is permitted to allocate 200MB of memory, and verify that your site supports the REGION=0M parameter specified in the START JCL.
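The comparison in step 2 can be scripted against saved console output. The following Python sketch is an added example, not part of the IBM guide: it parses the D OMVS,O display and reports every option that is missing or below the minimums listed above. The "NAME = value" layout, the sample text and the function names are assumptions.

```python
import re

# Minimum values from step 2 of the guide, keyed by the guide's spelling.
MINIMUMS = {
    "MAXMMAPAREA": 40960,
    "MAXSHAREDPAGES": 131072,
    "MAXASSIZE": 268435456,
}

# z/OS BPXPRMxx names the shared-pages option MAXSHAREPAGES; map that
# spelling onto the name used in the guide so either form is recognised.
ALIASES = {"MAXSHAREPAGES": "MAXSHAREDPAGES"}

# Assumed layout: one or more "NAME = value" pairs per display line.
PAIR = re.compile(r"\b([A-Z][A-Z0-9]*)\s*=\s*(\S+)")


def parse_omvs_options(text):
    """Return {option: int or str} for every NAME = value pair in the text."""
    options = {}
    for name, raw in PAIR.findall(text):
        name = ALIASES.get(name, name)
        options[name] = int(raw) if raw.isdigit() else raw
    return options


def check_minimums(text, minimums=MINIMUMS):
    """Return (option, found, required) for options missing or too low."""
    options = parse_omvs_options(text)
    problems = []
    for name, required in minimums.items():
        found = options.get(name)
        if found == "NOLIMIT":
            continue  # an unlimited setting satisfies any minimum
        if not isinstance(found, int) or found < required:
            problems.append((name, found, required))
    return problems


# Constructed sample output (not captured from a real system).
SAMPLE = """\
CURRENT UNIX CONFIGURATION SETTINGS:
MAXPROCSYS      =        256    MAXPROCUSER     =         16
MAXMMAPAREA     =       4096    MAXASSIZE       =  268435456
MAXCORESIZE     =    4194304    MAXSHAREPAGES   =     131072
"""

if __name__ == "__main__":
    for name, found, required in check_minimums(SAMPLE):
        print(f"{name}: found {found}, need at least {required}")
```

An empty result means all three options meet the minimums; anything reported is a candidate for SETOMVS or a BPXPRMxx change as described in step 2.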

Issues with operating the Security Administrator client

Issues that can arise while operating the Security Administrator client are described below.

Security Administrator client times out

Symptom:

The Security Administrator client times out while waiting for a change operation to the RACF database to complete.

Problem:

The SLAPU83 user-exit program is not active.

Solution:

To re-activate the SLAPU83 program, follow the steps below:

1. Stop the Security Administrator using the procedure described in “Starting/stopping the Security Administrator using started tasks” on page 19.

2. Activate the SLAPU83 program using the procedure described in “Step 13: Activate the SLAPU83 program” on page 15.

3. Rebuild the Security Administrator LDAP directory using the procedure as described in “Step 11: Create the Security Administrator LDAP database” on page 14.

4. Start the Security Administrator using the procedure described in “Starting/stopping the Security Administrator using started tasks” on page 19.


Frequently asked questions

Questions that commonly arise concerning the Security Administrator are discussed below.

Working offline

Question 1

Can I work offline with the Security Administrator without making changes to the RACF database?

Answer 1

Yes. As part of the installation process, the Security Administrator creates an LDAP copy of the RACF database. It is this LDAP database that is accessed by the Security Administrator. Any queries, reports, etc. that you initiate through the client are performed against the LDAP database, not the RACF database itself.

Question 2

Can someone practice with the Security Administrator without having RACF authorization?

Answer 2

Yes. Anyone can use the Security Administrator client to practice without having RACF authorization. If the user attempts to make an unauthorized change, RACF will deny the change request itself. Users are only permitted to make the changes that RACF allows them to.

Encryption

Question 1

Is there any encryption to move data between the LDAP and RACF databases?

Answer 1

Yes. The Security Administrator is based on open LDAP. The LDAP protocol uses port 389 for unencrypted communications, and port 636 for encrypted SSL/TLS communications. Digital certificates are required for SSL/TLS in a customer environment.

Also note that changes to the RACF database are handled programmatically using RADMIN() function calls, and RACF changes are reflected back to the LDAP database with the IEFU83 SMF intercept. Neither of these is susceptible to snooping.

Reports

Question 1

What language is used to create new reports?


Answer 1

The Security Administrator is based on the LDAP protocol. The View reports provided with the product, and new ones created by customers, are based on LDAP search filters. For more information concerning search filters, refer to the following reference:

http://www.ietf.org/proceedings/01mar/I-D/ldapbis-filter-00.txt
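To show how a search filter selects entries for a report, the following Python sketch (an added example, not code from the product or the IBM guide) parses a subset of the filter syntax (AND, OR, NOT, equality, presence and * substrings) and evaluates it against a few constructed entries. The attribute names privilege and status, the entries and the function names are hypothetical; the product's real schema is not shown in this guide.

```python
import re

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def parse_filter(text):
    """Parse a filter such as (&(a=b)(!(c=d*))) into nested tuples."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i = s[i], i + 1
        children = []
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        # Only attr=value items; >=, <=, ~= and \xx escapes are rejected.
        if not sep or not ATTR.fullmatch(attr) or "(" in value or "\\" in value:
            raise ValueError(f"unsupported filter item: {s[i:end]!r}")
        node = ("item", attr.lower(), value)
        i = end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]})."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":  # presence test
        return bool(values)
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)
    return any(rx.fullmatch(v) for v in values)


# Constructed directory entries with hypothetical attribute names.
ENTRIES = [
    {"uid": ["ADMIN1"], "objectclass": ["user"],
     "privilege": ["SPECIAL", "AUDITOR"], "status": ["ACTIVE"]},
    {"uid": ["ADMIN2"], "objectclass": ["user"],
     "privilege": ["SPECIAL"], "status": ["REVOKED"]},
    {"uid": ["CLERK7"], "objectclass": ["user"], "status": ["ACTIVE"]},
    {"uid": ["SYS1"], "objectclass": ["group"]},
]


def run_report(filter_text, entries=ENTRIES):
    """Return the uid of every entry selected by the filter."""
    tree = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(tree, e)]
```

For example, run_report("(&(objectclass=user)(privilege=SPECIAL)(!(status=REVOKED)))") selects only the privileged users that are still active.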


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10594-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this publication to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

Licensees of this program who want to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

International Business Machines Corporation
Department J46A/G4
555 Bailey Avenue
San Jose, CA 95141-1003
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

If you are viewing this information soft copy, the photographs and color illustrations may not appear.


Trademarks

The following terms are trademarks of the IBM Corporation in the United States or other countries or both:

AIX, AS/400, DataJoiner, DB2, DB2® Connect, Distributed Relational Database Architecture, DRDA, IBM, Informix, iSeries, NUMA-Q, MVS, OS/2, OS/390, Redbooks, SAA, SQL/DS, z/OS

Microsoft® and Windows NT are registered trademarks in the United States, other countries, or both.

Java™ and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
