
Configuration Process

Mainframe Connector subsystem internal configuration

Run-time parameters

Parmlib Customization

This section describes the parameters that you can specify for Mainframe Connector processing.

Every z/OS image running Mainframe Connector will require access to a parameter dataset. The parameter dataset is specified through the PARMLIB DD referenced in the Mainframe Connector cataloged procedure. This dataset is read during startup processing only, so any changes to this dataset will not take effect until Mainframe Connector is restarted.

Parmlib Syntax

  • An "*" coded in column one indicates that the corresponding statement is to be treated as a comment.

  • Parameter statements can be prefixed with multiple blank characters.

  • The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment.

  • Parameter statements cannot span multiple card images.

  • If Mainframe Connector encounters duplicate parameters, it keeps the value specified in the first occurrence and ignores the duplicates.

  • If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message.

Parameter descriptions

A set of Mainframe Connector parameters as specified in the PARMLIB DD dataset may include the following:

ADMINID

Use this parameter to specify an administrator id that is used to validate Mainframe Connector listener requests for password reset, password reset/expire, database userid list, userid enable, userid disable, and userid status check. A userid of up to seven characters can be specified. If ADMINID validation will be used, the userid must be defined to the security product, it must have a password associated with it, the password must not be expired, and the userid must not be in revoked status. If you do not wish to perform the adminid/password cross-validation check on a target Mainframe Connector environment, specify an ADMINID value of N/A.

Syntax:

ADMINID=userid

Example:

ADMINID=PSADMIN

ADMINID=N/A

Default:

PSYNCH

DATASPACE

Use this parameter to request dataspace logging of SMF, AUDIT, and/or SYNCHLOG records. These may be interpreted and viewed in real time during Mainframe Connector operation using PICS (Mainframe Connector Parallel Information Communication Service) under TSO/ISPF (see Mainframe Connector ISPF/PDF Interface for details on how to activate and use PICS).

The DATASPACE parameter accepts up to four option values that indicate what logging information is to be captured as well as the size of the supporting dataspace. The four valid option values are:

  • SMF - indicates that Mainframe Connector SMF record data is to be captured in the dataspace

  • AUDIT - indicates that AUDIT log information is to be captured in the dataspace

  • SYNCHLOG - indicates that SYNCHLOG log information is to be captured in the dataspace

  • nnnnnn - is a value between 1 and 524,288 indicating the number of 4K blocks that will comprise the dataspace. If the DATASPACE parameter is specified with at least one of the log information values and the dataspace size value is omitted, the default is 100.

Data will be recorded into the dataspace in "wraparound" fashion - that is, when the dataspace is filled to capacity, recording re-commences at the beginning of the dataspace and continues, overlaying the previous oldest data. Sizing of the dataspace is therefore dependent upon the volume of log information captured, the level of log-generating activity, and the historical "retention" interval desired.

Note

The dataspace and its contents are deleted upon Mainframe Connector termination. The dataspace, therefore, should not constitute the fundamental mechanism upon which a strategy for longer-term retention of Mainframe Connector log data is based.

Dataspace recording of AUDIT and SYNCHLOG information is typically not necessary if the associated output is directed to SYSOUT, as they may be viewed, while active, during Mainframe Connector operation. If the output is being directed elsewhere, for example - to DASD, then viewing the active contents of the output log is not possible. In this case, dataspace recording may be appropriate to permit continuously updated realtime viewing.

The MODIFY command can be used to change the log recording options specified for the DATASPACE parameter. See Modifying the DATASPACE logging options for details on dynamically modifying the DATASPACE log recording options. The size of the dataspace can not be modified while Mainframe Connector is active. To modify the dataspace size, the DATASPACE parameter value must be updated and Mainframe Connector must be restarted.

Syntax:

DATASPACE=[SMF][,AUDIT][,SYNCHLOG][,nnnnnn]

Example:

DATASPACE=SMF,SYNCHLOG,123

DATASPACE=AUDIT,SYNCHLOG

Default:

none

DEBUGLEVEL

Use this parameter to specify a debugging level to be used for the Mainframe Connector network modules. The parameter can be used to produce diagnostic messages regarding logic flow and the contents of inbound and outbound network traffic. Valid values for this parameter are numeric 0 to 9.

Syntax:

DEBUGLEVEL=n

Example:

DEBUGLEVEL=2

Default:

0

Mainframe Connector currently supports four debugging levels as follows:

  • 0 indicates no debugging

  • 1 indicates standard level debugging and provides basic feedback on logic flow and diagnostic information on network interface function calls

  • 2 indicates that all debugging from level 1 is to be provided and also includes diagnostic messages for events that occur on a repeating time interval basis

  • 5 indicates that all debugging from levels 1 and 2 is to be provided and also includes diagnostic messages that contain sensitive information such as clear text userids or password values

Using a DEBUGLEVEL other than 0 should only be necessary under the advisement of Bravura Security technical support. Because level 5 writes clear-text userids and password values to the diagnostic output, cap the level that can be set with DEBUGMAX and return DEBUGLEVEL to 0 as soon as the diagnosis is complete. The MODIFY command can be used to change the DEBUGLEVEL value. See Modifying the DEBUGLEVEL for details on dynamically modifying the DEBUGLEVEL value.

DEBUGMAX

Use this parameter to specify the maximum DEBUGLEVEL that will be accepted, whether through the DEBUGLEVEL=n parameter in the Mainframe Connector PARMLIB dataset or through the F mfc,DEBUGLEVEL=n modify operator command.

This parameter can be used to prevent inadvertent use of the DEBUGLEVEL option. With the default of 9 no level is refused, so a value below 5 is needed to stop an operator from turning on the level that logs clear-text credentials.

Syntax:

DEBUGMAX=n

Example:

DEBUGMAX=1

Default:

9

DNS

Use this parameter to define the Bravura Security Fabric server. This is a required parameter. The value can be the Bravura Security Fabric server host name (the MVS system must have Domain Name Services available for a host name to be resolved) or its dotted decimal TCP/IP address.

Syntax:

DNS=pwdidman.server.name

Example:

DNS=corporate.pwdman.server

DNS=155.13.2.7

Default:

none

ENCRYPTION

Use this parameter to define the encryption technique used for the data exchanged between Mainframe Connector and the Bravura Security Fabric server. This is an optional parameter; if it is not specified, Mainframe Connector uses 128-bit AES encryption. Both ends of the connection must use the same technique, so change this value only if the server it connects to is configured for IDEA.

Syntax:

ENCRYPTION={IDEA/AES}

Example:

ENCRYPTION=AES

Default:

AES

ENTROPYFALLBACK

Use this parameter to indicate whether a weak source of randomness may be used as the basis for encryption when the preferred source is not available. The default permits the fallback; specify ENTROPYFALLBACK=NO where Mainframe Connector must not derive encryption material from weak randomness, and confirm at startup that the preferred source is in place.

Syntax:

ENTROPYFALLBACK={YES/NO}

Example:

ENTROPYFALLBACK=NO

Default:

YES

HOSTID

Use this parameter to specify a host name by which the Bravura Security Fabric server will know this system. It should be unique across multiple specified or defaulted HOSTID values when Mainframe Connector is running on multiple systems or if multiple Mainframe Connector started tasks are running on the same z/OS image. The HOSTID value is an arbitrary identifier, but if the z/OS system will be used as a transparent password synchronization trigger system, this value MUST match to a hostid value in a Bravura Security Fabric server host definition entry.

Syntax:

HOSTID=hostname

Example:

HOSTID=OS390SYSA

Default:

MVS SMF sysid

KEY

Use this parameter to set the communication encryption key value that permits the connection handshake with the Bravura Security Fabric server. The key value should be unique for accessing a Bravura Security Fabric server (one Mainframe Connector cannot be targeted by two different targets or instances using different keys). The key value is a 32-digit hexadecimal number, so use the first 32 characters of the unencrypted COMMKEY configured on the Bravura Security Fabric server. This is a required parameter. Unless KEYENCRYPT=YES is used, the key sits in the PARMLIB dataset in clear text, so protect that dataset with the security product so that only the Mainframe Connector started task userid and its administrators can read it.

Syntax:

KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Example:

KEY=A538B72CE1F0F47D961A20B6379D284A

Default:

none

KEYDISPLAY

Use this parameter to indicate whether the key value supplied in the KEY= parameter is displayed as specified or masked in the Mainframe Connector console messages that contain it. With the default of ASIS the key is written to the console and therefore to SYSLOG, where anyone who can read the operator log can recover it; specify MASK unless the key is being displayed deliberately for diagnosis.

Syntax:

KEYDISPLAY={ASIS/MASK}

Example:

KEYDISPLAY=MASK

Default:

ASIS

KEYENCRYPT

Use this parameter to indicate to Mainframe Connector that the key value supplied in the KEY= parameter is an encrypted key and that internal decryption will be necessary before a successful key exchange can occur with a Bravura Security Fabric server. Setting KEYENCRYPT=YES will cause Mainframe Connector to effectively function with KEYDISPLAY=MASK regardless how this parameter value has been specified.

Syntax:

KEYENCRYPT={YES/NO}

Example:

KEYENCRYPT=YES

Default:

NO

LISTCHECK

Use this parameter to determine how the contents of an INLIST or an EXLIST will be used. Include or exclude list checking can be activated for outbound or inbound password reset events. If include or exclude list checking is to be active only for inbound reset events, a LISTCHECK value of INBOUNDONLY would be used. If include or exclude list checking is to be active only for z/OS trigger password reset events, a LISTCHECK value of OUTBOUNDONLY would be used. If the contents of the include or exclude list are to be checked for both inbound and outbound events, a LISTCHECK value of INOUT would be used. The MODIFY command can be used to change the LISTCHECK value. See Modifying the LISTCHECK value for details on dynamically modifying the LISTCHECK value.

Syntax:

LISTCHECK={INOUT/INBOUNDONLY/OUTBOUNDONLY}

Example:

LISTCHECK=INOUT

Default:

INBOUNDONLY

LISTENMAX

Use this parameter to set the maximum number of concurrent listener tasks that will be supported by this Mainframe Connector subsystem. The MODIFY command can be used to change the LISTENMAX value. See Modifying the LISTENMAX value for details on dynamically modifying the LISTENMAX value.

Syntax:

LISTENMAX=nn (nn is from 1 to 99)

Example:

LISTENMAX=10

Default:

5

LISTENPORT#

Use this parameter to set the Mainframe Connector listener TCP socket port number. This is the port number on which this system accepts incoming Mainframe Connector password synchronization requests. This is a required parameter.

Syntax:

LISTENPORT#=nnnnn (nnnnn is from 1 to 65535)

Example:

LISTENPORT#=8000

Default:

none

LISTENONLY

Use this parameter to set Mainframe Connector into listen-only mode. This parameter is useful for sites that have yet to determine whether they will be using their z/OS system as a trigger system for Bravura Pass. The security product's "new password" exit provided by Mainframe Connector can be installed without being effectively activated by specifying LISTENONLY=YES. The use of LISTENONLY=YES effectively disables the PASSIVESTART parameter described later. The MODIFY command can be used to change the LISTENONLY value. See Modifying the LISTENONLY value for details on dynamically modifying the LISTENONLY value.

Syntax:

LISTENONLY={YES/NO}

Example:

LISTENONLY=YES

Default:

NO

OUTBOUNDPWCASE

If Mainframe Connector is being used as a transparent password synchronization trigger system, use this parameter to indicate how the password value will be sent to the target Bravura Pass server. Three options can be specified for OUTBOUNDPWCASE. With OUTBOUNDPWCASE=ASIS, the password value received by the security product's "new password" exit is passed through to the Bravura Pass server in its raw state (case is preserved). With OUTBOUNDPWCASE=LOWER, the alphabetic characters of that password value are passed through as lower case. With OUTBOUNDPWCASE=UPPER, they are passed through as upper case. Folding case changes the value that is synchronized to other targets, so use LOWER or UPPER only where the z/OS security product does not itself treat passwords as case sensitive.

The MODIFY command can be used to change the OUTBOUNDPWCASE value. See Modifying the OUTBOUNDPWCASE for details on dynamically modifying the OUTBOUNDPWCASE value.

Syntax:

OUTBOUNDPWCASE={ASIS/LOWER/UPPER}

Example:

OUTBOUNDPWCASE=LOWER

Default:

ASIS

PASSIVESTART

Use this parameter to indicate to Mainframe Connector whether or not repetitive attempts should be made to successfully handshake with the Bravura Pass server during startup. A parameter value of NO indicates that one attempt will be made to communicate with the Bravura Pass server at startup. If this communication is successful, Mainframe Connector will continue with initialization. If not, Mainframe Connector will terminate. A parameter value of YES indicates that Mainframe Connector will attempt to establish communication with the Bravura Pass server at five minute intervals until either a connection is established or an operator command to stop Mainframe Connector is entered.

Syntax:

PASSIVESTART={YES/NO}

Example:

PASSIVESTART=YES

Default:

NO

REPORTSYSID

Use this parameter to indicate to Mainframe Connector whether or not the z/OS SMF system id should be included as a prefix on the log messages issued to AUDIT or SYNCHLOG . A parameter value of NO indicates that the SMF system id will not be used as a log message prefix. A parameter value of YES indicates that the SMF system id will be used as a log message prefix.

Syntax:

REPORTSYSID={YES/NO}

Example:

REPORTSYSID=YES

Default:

NO

RESETAUTH

Use this parameter to indicate to Mainframe Connector what authority level is to be used for password reset events and userid resume/revoke requests. A parameter value of APF indicates that password reset requests or userid resume/revoke requests will function at the highest administrator authority level. A parameter value of STCID indicates that those requests will occur under the authority level of the userid being used for the Mainframe Connector started task.

Note

This parameter is valid for RACF or ACF2 environments and has no impact in TopSecret environments (Mainframe Connector in a TopSecret environment runs RESETAUTH=STCID at all times).

If RESETAUTH=STCID is used in a RACF environment, the RACF started task must be running for password reset requests and resume/revoke requests to be successful. As well, if userid create, userid delete, userid attribute extract, userid attribute update, userid group add, or userid group delete requests are processed by Mainframe Connector in a RACF environment, they will be processed as if RESETAUTH=STCID regardless of how the parameter is specified.

Syntax:

RESETAUTH={APF/STCID}

Example:

RESETAUTH=STCID

Default:

APF

SMFREC

Use this parameter to specify if Mainframe Connector SMF recording is to take place. If SMF recording is active, Mainframe Connector will create an SMF record for the supported Mainframe Connector events. You can examine the SMF record mapping in SMF Record Mapping to determine all events for which SMF records will be recorded.

If the parameter is omitted, no SMF recording will occur.

Syntax:

SMFREC=nnn (nnn is from 200 to 255)

Example:

SMFREC=245

Default:

no SMF recording

SOCKETCLOSEWAIT

Use this parameter to delay the socket close operation that occurs following the transmission of the last data block for a transaction with a Bravura Security Fabric server. If the value is specified, it indicates the number of seconds that Mainframe Connector should wait prior to initiating the socket close. Valid values for this parameter are numeric 0 to 5.

The MODIFY command can be used to change the SOCKETCLOSEWAIT value. See Modifying the SOCKETCLOSEWAIT for details on dynamically modifying the SOCKETCLOSEWAIT value.

Syntax:

SOCKETCLOSEWAIT=n

Example:

SOCKETCLOSEWAIT=2

Default:

0

SUBSYSNAME

Use this parameter to specify a unique subsystem name to be used exclusively by the Mainframe Connector subsystem address space. The name is up to four characters. This is a required parameter. See Defining the Subsystem Name for techniques that can be used to define subsystem names to z/OS.

Syntax:

SUBSYSNAME=cccc

Example:

SUBSYSNAME=MFCS

Default:

none

TCPPORT#

Use this parameter to set the Bravura Security Fabric server TCP socket port number. This is a required parameter.

Syntax:

TCPPORT#=nnnnn (nnnnn is from 1 to 65535)

Example:

TCPPORT#=3333

Default:

none

TIMEOUT

Use this parameter to specify a timeout limit for the maximum time (in seconds) a request will wait for a response from the Bravura Pass server. This value is only used for timeout situations associated with transparent password synchronization operations and as such, has no applicability to Bravura Identity operations. Values from 20 to 120 are acceptable.

The MODIFY command can be used to change the TIMEOUT value. See Modifying the TIMEOUT value for details on dynamically modifying the TIMEOUT value.

Syntax:

TIMEOUT=nnn

Example:

TIMEOUT=45

Default:

20

TSSTARGET#

Use this parameter to specify a TopSecret command default TARGET indicator. Valid values for this parameter are special characters '=' or '*'.

Syntax:

TSSTARGET=spch (spch is '=' or '*')

Example:

TSSTARGET==

Default:

*

USERIDFASTDEL

Use this parameter to set the userid fast delete option. This parameter is used only in RACF security product environments and if it is active, it causes Mainframe Connector to remove only the bare minimum of the RACF profile definitions that will permit a userid to be deleted. Setting this parameter may result in orphaned entries being left in the RACF database. This is an optional parameter.

Syntax:

USERIDFASTDEL={YES/NO}

Example:

USERIDFASTDEL=YES

Default:

NO
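The card rules under Parmlib Syntax and the ranges and defaults in the parameter descriptions above can be checked offline before the started task is restarted. The following Python script is an added example and is not Bravura Security code: it reads a member with the documented card rules (comment cards, leading blanks, data ending at the first blank, first duplicate kept, invalid cards warned about) and then reports values outside their documented form, missing required parameters, and the settings this page documents as permitted but which expose the key or clear-text credentials (KEYDISPLAY=ASIS without KEYENCRYPT, ENTROPYFALLBACK=YES, a DEBUGMAX that admits level 5, a non-zero DEBUGLEVEL). The sample member, the severity labels and the acceptance of both TSSTARGET spellings are this example's own assumptions.

```python
"""Lint a Mainframe Connector PARMLIB member against the rules on this page.
Added example, not Bravura Security code.  Parameter names, ranges and
defaults come from the parameter descriptions; the 'weak' findings and
the sample member are this example's own."""
import re

YESNO = {"YES", "NO"}
NUMERIC = {"DEBUGLEVEL": (0, 9), "DEBUGMAX": (0, 9), "LISTENMAX": (1, 99),
           "LISTENPORT#": (1, 65535), "TCPPORT#": (1, 65535),
           "SMFREC": (200, 255), "SOCKETCLOSEWAIT": (0, 5), "TIMEOUT": (20, 120)}
CHOICES = {"ENCRYPTION": {"IDEA", "AES"}, "ENTROPYFALLBACK": YESNO,
           "KEYDISPLAY": {"ASIS", "MASK"}, "KEYENCRYPT": YESNO,
           "LISTCHECK": {"INOUT", "INBOUNDONLY", "OUTBOUNDONLY"},
           "LISTENONLY": YESNO, "OUTBOUNDPWCASE": {"ASIS", "LOWER", "UPPER"},
           "PASSIVESTART": YESNO, "REPORTSYSID": YESNO,
           "RESETAUTH": {"APF", "STCID"}, "USERIDFASTDEL": YESNO}
OTHER = {"ADMINID", "DATASPACE", "DNS", "HOSTID", "KEY", "SUBSYSNAME",
         "TSSTARGET", "TSSTARGET#"}   # the page spells the TopSecret one both ways
REQUIRED = {"DNS", "KEY", "LISTENPORT#", "SUBSYSNAME", "TCPPORT#"}


def parse_parmlib(text):
    """Documented card rules: '*' in column one is a comment, leading blanks
    are allowed, data ends at the first blank, a statement never spans cards,
    the first of duplicate parameters wins, and an invalid statement is
    ignored with a warning.  Returns (params, warnings)."""
    params, warnings = {}, []
    for lineno, card in enumerate(text.splitlines(), 1):
        card = card[:80]                       # one 80-column card image
        if card.startswith("*") or not card.strip():
            continue
        stmt = card.lstrip().split(" ", 1)[0]  # text after a blank is comment
        name, sep, value = stmt.partition("=")
        name = name.upper()
        if not sep or not (name in NUMERIC or name in CHOICES or name in OTHER):
            warnings.append(f"card {lineno}: invalid parameter ignored: {stmt}")
        elif name in params:
            warnings.append(f"card {lineno}: duplicate {name} ignored, first kept")
        else:
            params[name] = value
    return params, warnings


def check_parmlib(params):
    """(severity, message) pairs: 'error' for a missing required parameter or a
    value outside its documented form, 'weak' for a setting that exposes secrets."""
    findings = [("error", f"{n} is required") for n in sorted(REQUIRED - params.keys())]
    for name, value in params.items():
        v = value.upper()
        if name in NUMERIC:
            lo, hi = NUMERIC[name]
            if not (v.isdigit() and lo <= int(v) <= hi):
                findings.append(("error", f"{name}={value} is not in {lo}..{hi}"))
        elif name in CHOICES and v not in CHOICES[name]:
            findings.append(("error", f"{name}={value} is not one of {sorted(CHOICES[name])}"))
        elif name == "KEY" and params.get("KEYENCRYPT", "NO").upper() != "YES" \
                and not re.fullmatch(r"[0-9A-F]{32}", v):
            # only the clear form is documented; the KEYENCRYPT=YES form is not
            findings.append(("error", "KEY must be 32 hexadecimal digits"))
        elif name == "SUBSYSNAME" and not 1 <= len(value) <= 4:
            findings.append(("error", "SUBSYSNAME is 1 to 4 characters"))
        elif name == "DATASPACE":
            opts = v.split(",")
            logs = [o for o in opts if o in ("SMF", "AUDIT", "SYNCHLOG")]
            sizes = [int(o) for o in opts if o.isdigit()]
            if (len(logs) + len(sizes) != len(opts) or not logs or len(sizes) > 1
                    or (sizes and not 1 <= sizes[0] <= 524288)):
                findings.append(("error", f"DATASPACE={value} is not "
                                 "[SMF][,AUDIT][,SYNCHLOG][,1..524288]"))
    get = lambda n, default: params.get(n, default).upper()  # documented defaults
    if get("KEYDISPLAY", "ASIS") == "ASIS" and get("KEYENCRYPT", "NO") != "YES":
        findings.append(("weak", "KEYDISPLAY=ASIS writes the KEY value into console messages"))
    if get("ENTROPYFALLBACK", "YES") == "YES":
        findings.append(("weak", "ENTROPYFALLBACK=YES permits a weak randomness source"))
    if get("DEBUGMAX", "9").isdigit() and int(get("DEBUGMAX", "9")) >= 5:
        findings.append(("weak", "DEBUGMAX admits level 5, which logs clear-text userids and passwords"))
    if get("DEBUGLEVEL", "0") != "0":
        findings.append(("weak", "DEBUGLEVEL is not 0: network tracing is active"))
    return findings


# Constructed sample: hardened settings plus a duplicate and a misspelled card.
SAMPLE_PARMLIB = """\
* Mainframe Connector start parameters (constructed example)
  SUBSYSNAME=MFCS
  DNS=155.13.2.7
  TCPPORT#=3333
  LISTENPORT#=8000
  KEY=A538B72CE1F0F47D961A20B6379D284A   comment after the first blank
  KEYDISPLAY=MASK
  ENTROPYFALLBACK=NO
  DEBUGMAX=2
  DEBUGMAX=9
  LISTCHEK=INOUT
  DATASPACE=AUDIT,SYNCHLOG,200
"""

if __name__ == "__main__":
    parms, warns = parse_parmlib(SAMPLE_PARMLIB)
    for w in warns:
        print("WARNING", w)
    for severity, msg in check_parmlib(parms) or [("ok", "no findings")]:
        print(severity.upper(), msg)
```

Run it against a copy of the real member (read the text from a file instead of SAMPLE_PARMLIB); the 'weak' findings are the ones to resolve before the key is first written to a console log, since the parameters only take effect at the next restart.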

Optional Run-time parameters

 

Include/Exclude List Customization

This section describes the optional include or exclude list that can be specified to the Mainframe Connector subsystem at startup. These lists are indicated to the Mainframe Connector subsystem at startup through the presence of either an INLIST or EXLIST DD statement in the Mainframe Connector subsystem JCL.

The INLIST and EXLIST DD statements are mutually exclusive; if both DD statements are detected, the INLIST will be processed and the EXLIST will be ignored.

The dataset used for either the INLIST DD or the EXLIST DD is a standard z/OS PARMLIB dataset. The dataset can be either a sequential dataset or a member of a partitioned dataset. In either case, the dataset should have the following characteristics:

LRECL=80

RECFM=FB

BLKSIZE=multiple of 80

Inlist/Exlist Syntax

  • An "*" coded in column one indicates that the corresponding statement is to be treated as a comment.

  • Parameter statements can be prefixed with multiple blank characters.

  • The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment.

  • Parameter statements cannot span multiple card images.

  • If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message.

INLIST Parameter Descriptions

You can specify an include user with the INCLUDEUSER= control card. Data for an INCLUDEUSER must not exceed eight characters and can be a specific userid or a userid with masked characters. An ' * ' can be used to match any single character. A ' - ' indicates a match on the remainder of the userid. For example:

  • INCLUDEUSER=DBA*10 would match userids DBAR10 and DBA010 but not DBA100 or DBA010A.

  • INCLUDEUSER=DBA- would match DBA5 , DBA050 , DBAPROD

You can specify an include group with the INCLUDEGROUP= control card. Data for an INCLUDEGROUP must not exceed eight characters and must represent a complete group name (masking is not supported for group names).

If a password reset request is identified for a userid specified in an INCLUDEUSER= control card, or the userid is a member of one of the groups specified on an INCLUDEGROUP= control card, the password reset will occur. Otherwise, the password reset will be rejected.

EXLIST Parameter Descriptions

You can specify an exclude user with the EXCLUDEUSER= control card. Data for an EXCLUDEUSER must not exceed eight characters and can be a specific userid or a userid with masked characters. An ' * ' can be used to match any single character. A ' - ' indicates a match on the remainder of the userid. For example:

EXCLUDEUSER=DBA*10 would match userids DBAR10 and DBA010 but not DBA100 or DBA010A.

EXCLUDEUSER=DBA- would match DBA5 , DBA050 , DBAPROD

You can specify an exclude group with the EXCLUDEGROUP= control card. Data for an EXCLUDEGROUP must not exceed eight characters and must represent a complete group name (masking is not supported for group names).

If a password reset request is identified for a userid specified in an EXCLUDEUSER= control card, or the userid is a member of one of the groups specified on an EXCLUDEGROUP= control card, the password reset will be rejected. Otherwise, the password reset will be accepted.
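The mask rules and the accept/reject outcomes for INLIST and EXLIST above, as an added Python example that is not Bravura Security code: mask_matches implements the '*' and '-' rules, parse_list reads the control cards with the documented card rules, list_applies applies the LISTCHECK setting, and reset_permitted gives the include or exclude decision. Case-insensitive comparison, treating '-' as also matching an empty remainder, and the sample member are this example's assumptions.

```python
"""Include/exclude list decisions for Mainframe Connector password resets.
Added example, not Bravura Security code.  The mask rules ('*' matches any
single character, '-' matches the remainder of the userid), the eight-
character limit and the accept/reject outcomes come from this page;
case-insensitive comparison, '-' also matching an empty remainder, and the
sample member are this example's assumptions."""

LIST_CARDS = ("INCLUDEUSER", "INCLUDEGROUP", "EXCLUDEUSER", "EXCLUDEGROUP")


def mask_matches(mask, userid):
    """True if userid satisfies a DBA*10 or DBA- style mask."""
    mask, userid = mask.upper(), userid.upper()
    for i, m in enumerate(mask):
        if m == "-":                     # remainder of the userid, whatever it is
            return True
        if i >= len(userid):             # mask longer than the userid
            return False
        if m != "*" and m != userid[i]:  # '*' stands for exactly one character
            return False
    return len(userid) == len(mask)      # without '-' every character must match


def parse_list(text):
    """Read INLIST or EXLIST control cards with the documented card rules.
    Returns (kind, user_masks, groups, warnings); kind is INCLUDE or EXCLUDE."""
    kind, users, groups, warnings = None, [], [], []
    for lineno, card in enumerate(text.splitlines(), 1):
        card = card[:80]
        if card.startswith("*") or not card.strip():
            continue
        stmt = card.lstrip().split(" ", 1)[0]
        key, _, value = stmt.partition("=")
        key = key.upper()
        if key not in LIST_CARDS or not 1 <= len(value) <= 8:
            warnings.append(f"card {lineno}: invalid control card ignored: {stmt}")
        elif kind not in (None, key[:7]):
            warnings.append(f"card {lineno}: {key} card in an {kind} list ignored")
        else:
            kind = key[:7]
            (users if key.endswith("USER") else groups).append(value.upper())
    return kind, users, groups, warnings


def list_applies(listcheck, direction):
    """LISTCHECK decides whether the list is consulted for an 'inbound'
    (listener) or 'outbound' (z/OS trigger) reset event."""
    return {"INOUT": True, "INBOUNDONLY": direction == "inbound",
            "OUTBOUNDONLY": direction == "outbound"}[listcheck.upper()]


def reset_permitted(kind, user_masks, groups, userid, member_of):
    """INLIST: only a listed userid or a member of a listed group is reset.
    EXLIST: exactly those are rejected and everyone else is reset."""
    listed = (any(mask_matches(m, userid) for m in user_masks)
              or any(g.upper() in groups for g in member_of))
    return listed if kind == "INCLUDE" else not listed


# Constructed sample INLIST member; the last two cards exercise the warnings.
SAMPLE_INLIST = """\
* only DBAs, QA userids and members of SYSPROG may be reset transparently
  INCLUDEUSER=DBA*10
  INCLUDEUSER=QA-
  INCLUDEGROUP=SYSPROG
  INCLUDEGROUP=THISGROUPNAMEISTOOLONG
  EXCLUDEUSER=OPER-
"""

if __name__ == "__main__":
    kind, users, groups, warns = parse_list(SAMPLE_INLIST)
    for w in warns:
        print("WARNING", w)
    for uid, grp in (("DBAR10", []), ("DBA100", []), ("QAPROD", []), ("TSOUSR1", ["SYSPROG"])):
        verdict = "accept" if reset_permitted(kind, users, groups, uid, grp) else "reject"
        print(uid, grp, verdict)
```

Because a trailing '-' matches any remainder, a mask such as DBA- also covers a userid that is exactly DBA under the assumption above; check the connector's own behaviour for that boundary case before relying on it, and prefer the single-character '*' where the list is meant to be narrow.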

Dynamically Modifying the INLIST or EXLIST

Modifying the INLIST list and Modifying the EXLIST list describe a full range of operator commands that can be used to modify the contents of the include or exclude list.

Administrator ID List Customization

This section describes the optional administrator ID list that can be specified to the Mainframe Connector subsystem at startup. This list is indicated to the Mainframe Connector subsystem at startup through the presence of an ADMINIDS DD statement in the Mainframe Connector subsystem JCL.

The dataset used for the ADMINIDS DD is a standard z/OS PARMLIB dataset. The dataset can be either a sequential dataset or a member of a partitioned dataset. In either case, the dataset should have the following characteristics:

LRECL=80

RECFM=FB

BLKSIZE=multiple of 80

The ADMINIDS DD statement should be included in your Mainframe Connector subsystem JCL if you want to limit the administrator IDs that can forward password resets to the Bravura Pass server. When the ADMINIDS DD statement is used, only the specified administrators will have their password reset events sent to the Bravura Pass server for validation and password synchronization.

This does not affect the password reset process on the z/OS host as that event will continue through its normal course.

If the ADMINIDS DD statement is not included in the Mainframe Connector JCL, no administrative password resets will be forwarded to the Bravura Pass server. If the ADMINIDS DD statement is used, the following rules are applied.

Administrator ID List Parameter Syntax

  • An "*" coded in column one indicates that the corresponding statement is to be treated as a comment.

  • Parameter statements can be prefixed with multiple blank characters.

  • The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment.

  • Parameter statements cannot span multiple card images.

  • If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message.

ADMINIDS Parameter Descriptions

You can specify a specific administrator ID with the ADMINID= control card. Data for an ADMINID must not exceed eight characters and must be a specific userid. Masking is not used for specific administrator IDs. Valid control cards would have the following format:

ADMINID=DBAADM

ADMINID=TECHADM

ADMINID=MVSADM

If you want all administrator IDs to have the ability to forward password reset events to the Bravura Pass server for validation and synchronization, an ADMINIDS DD statement should be included in the Mainframe Connector subsystem JCL. The dataset should contain one control card entry with the following format:

ADMINID=-

This indicates that all administrator IDs will have password reset events that they have initiated on behalf of other users forwarded to the Bravura Pass server.

Dynamically Modifying the Administrator ID List

Modifying the ADMINIDS list describes a full range of operator commands that can be used to modify the contents of the administrator id list.

Static host name resolution

If host name resolution is to be used to determine the IP address of the Bravura Security Fabric server, a number of techniques are available. Using the SYSTCPD DD in the Mainframe Connector startup JCL has been suggested earlier, however alternate methods are available.

Your z/OS TCP/IP administrator can indicate the best option for host name resolution within your environment.

Preparing for Mainframe Connector Subsystem Startup

Defining the Subsystem Name

Mainframe Connector uses the unique subsystem name specified on the SUBSYSNAME parameter. The name can be defined to MVS in one of three ways:

  • Pre-defined in member IEFSSNxx of SYS1.PARMLIB and activated at system IPL time.

  • Added dynamically by the Mainframe Connector started task during the initial Mainframe Connector start. When the Mainframe Connector task is started, it will check for the existence of the subsystem name specified on the SUBSYSNAME parameter. If the subsystem name does not exist, an entry will be dynamically created and used for the current and any subsequent Mainframe Connector restarts that may occur during the life of the current IPL.

  • Defined dynamically using an operator command:

    SETSSI ADD,SUBNAME=mfcs

    where mfcs represents the subsystem name to be used for Mainframe Connector.

Defining an Authorized Library

Mainframe Connector load modules need to run in an APF authorized library. You can copy them into an existing authorized library or you can optionally authorize the current target library by creating an entry for it in member IEAAPFxx or PROGxx of SYS1.PARMLIB .

This can be done dynamically to avoid an IPL by using the following operator command:

SETPROG APF,ADD,DSNAME=your.mfc.loadlib,VOLUME=volser

SYS1.PROCLIB

Before you can start Mainframe Connector , you must provide a startup procedure and include it in a library defined to JES2 . There is a sample shown below followed by a description of each statement. The sample is also provided in member PROC of the install dataset.

  //MFC      PROC
  //MFC      EXEC PGM=PSNCDRVR,TIME=1440
  //STEPLIB  DD   DSN=MFC.LOADLIB,DISP=SHR
  //PARMLIB  DD   DSN=MFC.PARMLIB,DISP=SHR
  //PSYNCLIB DD   DSN=MFC.LOADLIB,DISP=SHR
  //SYSTCPD  DD   DSN=TCPIP.DATA,DISP=SHR
  //AUDIT    DD   DSN=MFC.AUDIT,DISP=SHR
  //INLIST   DD   DSN=MFC.INLIST,DISP=SHR
  //ADMINIDS DD   DSN=MFC.ADMINIDS,DISP=SHR
  //SYNCHLOG DD   SYSOUT=*
  //SYSPRINT DD   SYSOUT=*
  //SYSABEND DD   SYSOUT=*

This example is described below:

  • //MFC PROC

    This statement is required. The procedure name does not have to be MFC .

  • //MFC EXEC PGM=PSNCDRVR,TIME=1440

    This statement is required. The TIME=1440 parameter allows MFC an unlimited amount of processor time.

  • //STEPLIB DD DSN=MFC.LOADLIB,DISP=SHR

    This statement is required. If the PSNCDRVR program and related Mainframe Connector modules reside in your system linklist, the STEPLIB DD is still required and must contain the Mainframe Connector parallel function load module PSNCTTOC. The sample expects PSNCTTOC to be in MFC.LOADLIB.

  • //PARMLIB DD DSN=MFC.PARMLIB,DISP=SHR

    This statement is required. It identifies the dataset that contains the startup parameters for Mainframe Connector . It can be a sequential dataset or any member of a partitioned dataset (PDS). The ddname must be PARMLIB . The sample uses MFC.PARMLIB to contain Mainframe Connector parameters.

  • //PSYNCLIB DD DSN=MFC.LOADLIB,DISP=SHR

    This statement is required. Even if you place all Mainframe Connector load modules in your system linklist, you must still code this DD statement and reference the library containing the Mainframe Connector modules. Mainframe Connector uses this library for all its directed load module loads. The ddname must be PSYNCLIB . The sample expects Mainframe Connector load modules to be in MFC.LOADLIB .

  • //SYSTCPD DD DSN=TCPIP.DATA,DISP=SHR

    This statement is optional. It is one of the methods available to obtain TCP/IP parameters for DNS name resolution. The dataset referenced is used to contain those parameters. It can be a sequential dataset or any member of a partitioned dataset (PDS). The ddname must be SYSTCPD. The sample expects TCP/IP parameters to be in TCPIP.DATA . In most cases, the dataset referenced by this DD statement will be the same as the dataset referenced by the SYSTCPD DD statement used by the corresponding TCP/IP stack with one exception as noted below.

    If Mainframe Connector will be making use of a TCPaccess TCP/IP stack, the dataset specified on the SYSTCPD DD statement must be a sequential dataset and it must not be in use for any other application.

    If you specify the server name of the Bravura Security Fabric server in the DNS start parameter, this DD statement will most likely be required.

  • //AUDIT DD DSN=MFC.AUDIT,DISP=SHR

    This statement is optional. The sample uses MFC.AUDIT to write log records containing password change request information. It specifies a disposition of SHR, which rewrites the dataset from the beginning at every startup; a disposition of MOD may be used instead to preserve audit records across multiple startups. A JES SYSOUT dataset may also be used to record AUDIT log information.

  • //INLIST DD DSN=MFC.INLIST,DISP=SHR

    This statement is optional. The INLIST DD is mutually exclusive with the EXLIST DD however if both are detected in the start JCL, the INLIST DD will be processed and the EXLIST DD will be ignored. If you want to allow only certain userids or certain groups of users to have their passwords reset in a transparent fashion, you can use the INLIST DD statement. The sample uses MFC.INLIST as an input dataset for include list userids or groups.

    If the dynamic reload command (see Mainframe Connector Operator Commands ) will be used to refresh the contents of the INLIST list, the number of datasets in the INLIST DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //EXLIST DD DSN=MFC.EXLIST,DISP=SHR

    This statement is optional. The EXLIST DD is mutually exclusive with the INLIST DD however if both are detected in the start JCL, the INLIST DD will be processed and the EXLIST DD will be ignored. If you want to exclude certain userids or certain groups of users from having their passwords reset in a transparent fashion, you can use the EXLIST DD statement. The sample JCL does not show an example EXLIST DD statement.

    If the dynamic reload command (see Mainframe Connector Operator Commands ) will be used to refresh the contents of the EXLIST list, the number of datasets in the EXLIST DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //ADMINIDS DD DSN=MFC.ADMINIDS,DISP=SHR

    This statement is optional. The ADMINIDS DD is used to indicate which administrator IDs have the ability to forward a third party password reset event to the Bravura Pass server for validation and synchronization. The absence of this DD statement indicates that no administrative password resets will be forwarded to the Bravura Pass server.

    If the dynamic reload command (see Mainframe Connector Operator Commands ) will be used to refresh the contents of the ADMINIDS list, the number of datasets in the ADMINIDS DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //SYNCHLOG DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which log messages for incoming listener events are written. If this statement is omitted, the Bravura Security Fabric server will be the only source of event information.

  • //SYSPRINT DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which messages are written. If you omit this statement, runtime diagnostic messages may be lost. The sample specifies an output class.

  • //SYSABEND DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which a dump is written if Mainframe Connector abends. If you omit this statement, no dump will be available to investigate the abend condition. The sample specifies an output class. A dump of this address space contains whatever was in its storage at the time, which can include the communication key and password values in flight, so route dumps to a protected output class or dataset.

  • Other DD statements available for capturing dumps are SYSUDUMP and SYSMDUMP.

If TCPaccess will provide the TCP/IP stack environment, the Mainframe Connector started task procedure would likely be somewhat different than the example described above. The following is an example procedure that could be used for TCPaccess stack environments.

  //MFC      PROC
  //MFC      EXEC PGM=PSNCDRVR,TIME=1440
  //STEPLIB  DD   DSN=MFC.TCP.ACCESS.LOADLIB,DISP=SHR
  //         DD   DSN=MFC.LOADLIB,DISP=SHR
  //         DD   DSN=tcp.access.LINK,DISP=SHR  <== chng "tcp.access"
  //PARMLIB  DD   DSN=MFC.PARMLIB,DISP=SHR
  //PSYNCLIB DD   DSN=MFC.LOADLIB,DISP=SHR
  //SYSTCPD  DD   DSN=TCPIP.DATA,DISP=SHR
  //AUDIT    DD   DSN=MFC.AUDIT,DISP=SHR
  //INLIST   DD   DSN=MFC.INLIST,DISP=SHR
  //SYSPRINT DD   SYSOUT=*
  //SYNCHLOG DD   SYSOUT=*
  //SYSABEND DD   SYSOUT=*

In the above example MFC.LOADLIB would contain all the common Mainframe Connector load modules and the Mainframe Connector load modules that are used if the IBM TCP/IP stack is being used. The dataset, MFC.TCP.ACCESS.LOADLIB , contains the load modules specific to use in TCPaccess stack environments.

If the Mainframe Connector procedure includes an AUDIT DD statement, auditing of Mainframe Connector events will occur. This is an optional DD statement; if it is not present in the Mainframe Connector procedure, no auditing will occur.

SYS1.LPALIB

Mainframe Connector makes use of password or pass phrase change exits. For RACF (the new password exit ICHPWX01 and the new pass phrase exit ICHPWX11) and ACF2 (NEWPXIT), the exit(s) must reside in an LPALIB dataset, and a system IPL is required to enable any changes.

If the "new password" exit for RACF or ACF2, or the "new pass phrase" exit for RACF, is already in use for another function, see Password Change Notification Exit Conflict for an alternative method of creating the exit when more than one subsystem requires the functionality.

SYS1.LINKLIB

TopSecret Installation Exit TSSINSTX

Mainframe Connector makes use of password change exits. For TopSecret (TSSINSTX), the exit must reside in a linklist dataset.

The current active system linklist can be used for TSSINSTX and an LLA REFRESH should be performed before attempting to dynamically enable the exit to the TopSecret subsystem.