IBM OS/400 Server Hosted Applications
Connector name |
|
Connector type | Executable |
Type (UI field value) | IBM OS/400 Server (Script) |
Target system versions supported / tested | Bravura Security Fabric can manage application-specific accounts or passwords on IBM OS/400 servers using the scripted connector for OS/400 ( |
Connector status / support | Customer-Verified Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system. |
Installation / setup | Write a script file to define SQL commands used in the interaction between the |
The following Bravura Security Fabric operations are supported by this connector:
administrator verify password
user change password
expire password
administrator reset password
administrator reset+expire password
unexpire password
unlock account
user verify password
verify+reset password
create account
delete account
disable account
enable account
expire account
create group
delete group
add user to group
delete user from group
add group to group
remove group from group
check account enabled
check account expiry
check account lock
lock account
unexpire account
update attributes
list account attributes
List:
accounts
attributes
groups
members
This connector also supports custom operations, as defined in the configuration script. Common requirements for all database scripted connectors are described in Scripts for SQL Application Connectors.
See also
Bravura Security Fabric can also manage IBM OS/400 system accounts using the connector for OS/400 (agtos400). See IBM OS/400 Server for details. In either case, no software is installed on the OS/400 server.
Bravura Security Fabric can also manage application accounts on OS/400 servers by issuing commands over a TN-5250 session using the programmable Telnet connector (agtelnet). This method, however, is less secure and requires a great deal more scripting. See TCP Telnet HTTP or HTTPS Access for more information.
Preparation
Before Bravura Security Fabric can perform operations on an OS/400 server, you must:
Install the client software.
Configure a target system administrator.
Install as-svrmap.
Enable SSL.
Create at least one template account.
Write a script to configure connector behavior.
Installing client software
Bravura Security Fabric communicates with the OS/400 server via APIs provided by the IBM iSeries Access for Windows client. Before you can target an OS/400 server, you must install the IBM iSeries Access for Windows client software on the Bravura Security Fabric server.
To install IBM iAccess Windows Application framework:
Obtain the IBMiAccess_v1r1_WindowsAP_English.zip package from the IBM website.
Extract the files from the zip package.
Run setup.exe in the Image64a folder.
Note the default installation directory which is: C:\Program Files (x86)\IBM\Client Access\
By default, the setup program installs:
Required programs
ODBC
OLE DB Provider
.NET Data Provider
Secure Socket Layer (SSL)
Languages
Header, Libraries, and Documentation
After the install, cwbco.dll is installed in C:\Windows\SysWOW64.
The client requires ports to be open between all the Bravura Security Fabric servers (nodes or proxies, wherever the agent runs), and all targets to be managed, as described in: https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server .
Connectors for OS/400 Server and OS/400 Server hosted applications use the API contained in this DLL and its sub-DLLs.
This software also contains a 5250 emulator. The emulator is used to configure the server for transparent password synchronization. If you plan to implement transparent synchronization, verify that you can establish a connection to the OS/400 server with it. If you cannot, install a 5250 emulator that can communicate with your OS/400 server.
Consult the documentation included with your iSeries client software for more information.
Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, psadmin) on the OS/400 server to perform operations. The authority required by the target system administrator may vary depending on your application.
In general, the target system administrator must have the *ALLOBJ and *SECADM special authority. Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the OS/400 application to Bravura Security Fabric.
Listing users
In order for the IBM client API to retrieve a list of users from the OS/400 server, the as-svrmap service must be installed and running on the OS/400 server.
To retrieve the user list, you may need to use the ODBC administration tool to create a specific System DSN for the OS/400 server using the iSeries Access ODBC Driver.
Enabling SSL
SSL security is recommended. To enable SSL for OS/400 systems using iSeries Navigator:
Open iSeries Navigator (Start > IBM iSeries Access for Windows > iSeries Navigator).
Right-click the server you are trying to connect to and select Properties.
From the Secure Sockets tab, press Download.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new OS/400 accounts.
The steps required to create a template account depend on your application. Consult your OS/400 application documentation for more information.
To learn how to create a template for an OS/400 system account, see Creating a template account.
Writing a script to configure connector behavior
Write a script file to define SQL commands used in the interaction between the agtos400script connector and the OS/400 database. Common requirements for all database scripted connectors are described in Scripts for SQL Application Connectors.
Targeting OS/400 hosted applications
For each OS/400 server hosted application, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems).
Type is IBM OS/400 Server (Script).
Address uses the following settings:
Connection over SSL: Enables an SSL connection when connecting to the target system server. The default is "true". (key: ssl)
Server: IP address or host name. (key: server)
Instance: Optional script variable instance name. (key: instance)
Script file: The file must be in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and describes the SQL commands used in the interaction between the connector and the database. See SQL script files to learn how to write the script. (key: script)
The address is entered in the format:
<server name>[/<script_variable_instance>]//<script filename>[/ssl=<true|false>]
Administrator ID and Password is the login ID and password for the target system administrator you configured earlier.
The full list of target parameters is explained in Target System Options .
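The following is an added example, not Bravura Security code: a small pre-flight check that parses an address line according to the format string above and reports the conditions this page ties to connection errors (whitespace, err=8014; DNS host names, err=11001) or to weaker transport (ssl=false). The function names, finding codes and sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Grammar copied from the format string on this page:
#   <server name>[/<script_variable_instance>]//<script filename>[/ssl=<true|false>]
ADDRESS_RE = re.compile(
    r"^(?P<server>[^/]+)(?:/(?P<instance>[^/]+))?"
    r"//(?P<script>[^/]+)(?:/ssl=(?P<ssl>[^/]*))?$"
)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_address(address):
    """Return (fields, findings); fields is None when the line does not parse."""
    findings = []
    if re.search(r"\s", address):
        findings.append(("WHITESPACE", "whitespace in address line (err=8014)"))
    match = ADDRESS_RE.match(address)
    if match is None:
        findings.append(("FORMAT", "does not match the documented address format"))
        return None, findings
    fields = match.groupdict()
    ssl_raw = fields["ssl"]
    if ssl_raw is None:
        fields["ssl"] = True  # documented default
    elif ssl_raw in ("true", "false"):
        fields["ssl"] = ssl_raw == "true"
    else:
        # Assumption: only the lowercase literals shown in the format are accepted.
        findings.append(("SSL_VALUE", f"ssl must be true or false, got {ssl_raw!r}"))
        fields["ssl"] = None
    if fields["ssl"] is False:
        findings.append(("SSL_OFF", "SSL disabled; the page recommends SSL"))
    if not is_ip_literal(fields["server"].strip()):
        findings.append(("HOSTNAME", "host name depends on DNS (err=11001)"))
    return fields, findings

if __name__ == "__main__":
    # Constructed sample address lines; host, instance and script names are made up.
    for line in ("10.0.0.5/APP1//hrapp.cfg", "as400prod//hrapp.cfg/ssl=false",
                 "10.0.0.5 //hrapp.cfg", "10.0.0.5/hrapp.cfg"):
        print(repr(line), "->", lint_address(line))
```

The HOSTNAME finding is informational: a host name is a valid address, but it is the first thing to change if err=11001 appears.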
Handling account attributes
In order for Bravura Security Fabric to manage attributes, you must first add the attributes to Bravura Security Fabric.
See Account attributes in the Bravura Security Fabric configuration documentation for more information.
Troubleshooting
If you experience any errors, verify that:
The IBM iSeries Access for Windows client software is installed on the Bravura Security Fabric server.
The IBM iSeries Access for Windows libraries are on the system-wide search path (PATH variable). If not, add the appropriate directory to the PATH environment variable and restart the Bravura Security Fabric server.
You can log into each OS/400 server from the Bravura Security Fabric server, using any tool in the IBM iSeries Access for Windows client, and the target system administrator ID and password you created.
The correct ports are open between all the Bravura Security Fabric servers (nodes or proxies, wherever the agent runs), and all targets to be managed, as described in: https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server . Encrypted communication is recommended.
You can issue the crtusrprf and chgusrprf commands to create and update accounts when logged into each OS/400 server as the target system administrator.
You can issue a chgusrprf command on each OS/400 server to reset a user’s password when logged in with the administrative account.
You can execute the same instructions in your script interactively, while logged into the same database instance with the same login ID, using any tool in iSeries Access for Windows.
Specific error messages
If you get the following error messages:
cwbCO_Connect: err=10061 (winsock error) The connection has been refused.
Check with the target administrators whether they used different ports than the ones in the port table from the IBM article https://www.ibm.com/support/pages/unable-start-or-connect-tcpip-server , for these services:
Port mapper
License Management
Signon Verification
Telnet (PC5250 Emulation)
Open remote access from the Privilege servers or proxies to whatever ports those services are listening on, to each specific target server, as they can be configured differently from target to target.
cwbCO_Connect: err=11001 (winsock error) The host was not found.
Change the target system address line from the DNS name to the IP address.
cwbCO_CreateSystem: err=8014
Ensure there is no whitespace in the target system address line.