Skip to main content

Mainframe Connector Operator Commands

Stopping the Mainframe Connector subsystem

The STOP command is used to end Mainframe Connector processing on a system. This is an MVS system command and is entered at a console. The form of the STOP command is:

STOP mfc

P mfc

where mfc specifies the name of your Mainframe Connector catalogued procedure used at startup.

Mainframe Connector issues the following message upon successful termination.

  PSYNC041I - MAINFRAME CONNECTOR TERMINATED

If the Mainframe Connector listener was processing any operations when the stop request was made, the termination process may require some time to allow for the completion or graceful termination of the active operations.

Displaying the Mainframe Connector subsystem parameter status

While Mainframe Connector is up and running, the active parameter values can be displayed at an MVS console using the MVS MODIFY command.

See the detailed explanation of the display listing under message PSYNC934I .

Syntax:

MODIFY mfc,DISPLAY=PARMS

MODIFY mfc,D=PARMS

F mfc,DISPLAY=PARMS

F mfc,D=PARMS

mfc is the Mainframe Connector started task name.

Modifying the LISTCHECK value

The MODIFY command can be used to dynamically change the LISTCHECK value.

Syntax:

MODIFY mfc,LISTCHECK=(INOUT/INBOUNDONLY/OUTBOUNDONLY)
   
F mfc,LISTCHECK=(INOUT/INBOUNDONLY/OUTBOUNDONLY)

Specifying LISTCHECK=INOUT will cause include or exclude list checking to occur for both inbound and outbound password reset events. Specifying LISTCHECK=INBOUNDONLY will cause include or exclude list checking to occur for only inbound password reset events. Specifying LISTCHECK=OUTBOUNDONLY will cause include or exclude list checking to occur for only outbound password reset events.

Modifying the LISTENONLY value

The MODIFY command can be used to dynamically change the LISTENONLY value.

Syntax:

MODIFY mfc,LISTENONLY=(YES/NO)
   
F mfc,LISTENONLY=(YES/NO)

Specifying LISTENONLY=YES will prevent Mainframe Connector from forwarding password change information to the Bravura Pass server for validation and synchronization.

Modifying the LISTENMAX value

The MODIFY command can be used to dynamically change the LISTENMAX value.

Syntax:

MODIFY mfc,LISTENMAX=nn

F mfc,LISTENMAX=nn

Where nn represents the new LISTENMAX value in the range 1 – 99.

Modifying the TIMEOUT value

The MODIFY command can be used to dynamically change the TIMEOUT value.

Syntax:

MODIFY mfc,TIMEOUT=nnn

F mfc,TIMEOUT=nnn

Where nnn represents the new TIMEOUT value in the range 20 – 120.

Modifying the ADMINIDS list

The ADMINIDS DD statement is used to define a dataset(s) that contains a list of userids that will be permitted to have password reset requests that are being made for third party userids (i.e. - not their own) forwarded to the Bravura Pass server for strength validation and synchronization. At Mainframe Connector startup, the contents of the ADMINIDS datasets(s) are copied to an in-storage list which exists, and governs ADMINIDS-related processing, while Mainframe Connector is active.

A number of operator commands are available to dynamically influence the contents of this list and how it is to be interpreted.

Adding a userid to the ADMINIDS list

The MODIFY command can be used to dynamically add a userid to the list of ADMINIDS.

Syntax:

MODIFY mfc ,ADD,ADMINID= userid

F mfc ,ADD,ADMINID= userid

Where ’userid’ indicates the administrator userid that should be added to the ADMINIDS list. Optional Run-time parameters describes acceptable syntax for userid.

If ADMINIDS datasets(s) were absent from the Mainframe Connector startup JCL, the first ADD command will dynamically create an in-storage ADMINIDS list as described previously.

Removing a userid from the ADMINIDS list

The MODIFY command can be used to dynamically remove a userid from the list of ADMINIDS.

Syntax:

MODIFY mfc ,DEL,ADMINID= userid

F mfc ,DEL,ADMINID= userid

Where ’userid indicates the administrator userid that should be removed from the ADMINIDS list.

If the specified userid is not currently included in the ADMINIDS list, a message is issued and processing continues.

Disabling an active ADMINIDS list

The MODIFY command can be used to dynamically disable an active list of ADMINIDS.

Syntax:

MODIFY mfc ,DEACTIVATE,ADMINIDS

F mfc ,DEACTIVATE,ADMINIDS

Using this command will disable administrator-issued password resets from being sent to the Bravura Pass server for validation and synchronization.

If ADMINIDS list processing is not currently active, a message is issued and processing continues.

Enabling a deactivated ADMINIDS list

The MODIFY command can be used to dynamically enable a deactivated list of ADMINIDS.

Syntax:

MODIFY mfc,REACTIVATE,ADMINIDS

F mfc ,REACTIVATE,ADMINIDS

Using this command will re-enable administrator-issued password resets being sent to the Bravura Pass server for validation and synchronization. Only resets by those administrator userids in the list will be processed.

If ADMINIDS list processing is already active or did not previously exist, a message is issued and processing continues.

Reloading the ADMINIDS list

The MODIFY command can be used to reload the list of ADMINIDS from the ADMINIDS DD dataset concatenation.

Syntax:

MODIFY mfc ,RELOAD,ADMINIDS

F mfc ,RELOAD,ADMINIDS

Using this command causes Mainframe Connector to create a new copy of the ADMINIDS list from the current contents of the datasets in the ADMINIDS DD concatenation. This command permits sites to update their static ADMINIDS datasets and activate the contents of those datasets dynamically. To get the expected results, the ADMINIDS DD concatenation must be kept to a maximum of 32 DD statements.

If no ADMINIDS list processing was active, a message is issued and processing continues.

Note that RELOAD will nullify updates resulting from any prior ADD or DEL commands issued against the ADMINIDS list unless the ADMINIDS dataset(s) are updated as well (eg. - via ISPF EDIT) to reflect the ADD or DEL changes prior to issuance of the RELOAD.

Modifying the INLIST list

The INLIST DD statement is used to define a dataset(s) that contains a list of userids and/or groupids that Mainframe Connector will be permitted to process requests against. At Mainframe Connector startup, the contents of the INLIST datasets(s) are copied to an in-storage list which exists, and governs INLIST-related processing, while Mainframe Connector is active. If outbound requests are being checked (LISTCHECK=INOUT or LISTCHECK=OUTBOUNDONLY), the z/OS based password reset requests will be assessed by Mainframe Connector to determine if the requesting userid is in an active INLIST and if it is, the request will be forwarded to the Bravura Pass server for strength validation and synchronization. If inbound requests are being checked (LISTCHECK=INOUT or LISTCHECK=INBOUNDONLY), Bravura Pass server driven reset, resetexpire, and expire requests will be assessed by Mainframe Connector to determine if the target userid is in an active INLIST and if it is, the request will proceed.

A number of operator commands are available to dynamically influence the contents of this list and how it is to be interpreted.

Adding a userid to the INLIST list

The MODIFY command can be used to dynamically add a userid to the INLIST list.

Syntax:

MODIFY mfc ,ADD,INCLUDEUSER= userid

F mfc ,ADD,INCLUDEUSER= userid

Where userid indicates the userid that should be added to the INLIST list. Subsection 7.1.2 describes acceptable syntax for userid.

If INLIST dataset(s) were absent from the Mainframe Connector startup JCL, the first ADD command will dynamically create an in-storage INLIST as described previously. If an EXLIST is already active, the initial status of this INLIST will be deactivated because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide.

Removing a userid from the INLIST list

The MODIFY command can be used to dynamically remove a userid from the INLIST list.

Syntax:

MODIFY mfc ,DEL,INCLUDEUSER= userid

F mfc ,DEL,INCLUDEUSER= userid

Where userid indicates the userid that should be removed from the INLIST list.

If the specified userid is not currently included in the INLIST list or INLIST processing is currently not active, a message is issued and processing continues.

Adding a groupid to the INLIST list

The MODIFY command can be used to dynamically add a groupid to the INLIST list.

Syntax:

MODIFY mfc ,ADD,INCLUDEGROUP= groupid

F mfc ,ADD,INCLUDEGROUP= groupid

Where ’groupid’ indicates the groupid that should be added to the INLIST list.

If INLIST dataset(s) were absent from the Mainframe Connector startup JCL, the first ADD command will dynamically create an in-storage INLIST as described previously. If an EXLIST is already active, the initial status of this INLIST will be deactivated because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide.

Removing a groupid from the INLIST list

The MODIFY command can be used to dynamically remove a groupid from the INLIST list.

Syntax:

MODIFY mfc ,DEL,INCLUDEGROUP= groupid

F mfc ,DEL,INCLUDEGROUP= groupid

Where ’groupid’ indicates the groupid that should be removed from the INLIST list.

If the specified groupid is not currently included in the INLIST list or INLIST processing is currently not active, a message is issued and processing continues.

Disabling an active INLIST list

The MODIFY command can be used to dynamically disable an active INLIST list.

Syntax:

MODIFY mfc ,DEACTIVATE,INLIST

F mfc ,DEACTIVATE,INLIST

Using this command will disable INLIST list validation.

If INLIST list processing is not currently active, a message is issued and processing continues.

Enabling a deactivated INLIST list

The MODIFY command can be used to dynamically enable a deactivated INLIST list.

Syntax:

MODIFY mfc ,REACTIVATE,INLIST

F mfc ,REACTIVATE,INLIST

Using this command will re-enable INLIST validation.

If INLIST list processing is already active or did not previously exist, a message is issued and processing continues.

If EXLIST list processing is already active, the command will be disallowed and a message issued, because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide. It will first be necessary to deactivate the EXLIST.

Reloading the INLIST list

The MODIFY command can be used to reload the INLIST list from the INLIST DD dataset concatenation.

Syntax:

MODIFY mfc ,RELOAD,INLIST

F mfc ,RELOAD,INLIST

Using this command causes Mainframe Connector to create a new copy of the INLIST list from the current contents of the datasets in the INLIST DD concatenation. This command permits sites to update their static INLIST datasets and activate the contents of those datasets dynamically. To get the expected results, the INLIST DD concatenation must be kept to a maximum of 32 DD statements.

If no INLIST list processing was active, a message is issued and processing continues.

Note that RELOAD will nullify updates resulting from any prior ADD or DEL commands issued against the INLIST list unless the INLIST dataset(s) are updated as well (eg. - via ISPF EDIT) to reflect the ADD or DEL changes prior to issuance of the RELOAD.

Modifying the EXLIST list

The EXLIST DD statement is used to define a dataset(s) that contains a list of userids and/or groupids that Mainframe Connector will be excluded from processing requests against. At Mainframe Connector startup, the contents of the EXLIST datasets(s) are copied to an in-storage list which exists, and governs EXLIST-related processing, while Mainframe Connector is active. If outbound requests are being checked (LISTCHECK=INOUT or LISTCHECK=OUTBOUNDONLY), the z/OS based password reset requests will be assessed by Mainframe Connector to determine if the requesting userid is in an active EXLIST and if it is, the request will not be forwarded to the Bravura Pass server for strength validation and synchronization. If inbound requests are being checked (LISTCHECK=INOUT or LISTCHECK=INBOUNDONLY), Bravura Pass server driven reset, resetexpire, and expire requests will be assessed by Mainframe Connector to determine if the target userid is in an active EXLIST and if it is, the request will not proceed.

A number of operator commands are available to dynamically influence the contents of this list and how it is to be interpreted.

Adding a userid to the EXLIST list

The MODIFY command can be used to dynamically add a userid to the EXLIST list.

Syntax:

MODIFY mfc ,ADD,EXCLUDEUSER= userid

F mfc ,ADD,EXCLUDEUSER= userid

Where userid indicates the userid that should be added to the EXLIST list. Optional Run-time parameters describes acceptable syntax for userid.

If EXLIST dataset(s) were absent from the Mainframe Connector startup JCL, or ignored because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide; the first ADD command will dynamically create an in-storage EXLIST as described previously. If an INLIST is already active, this EXLIST will initially be deactivated because of the aforementioned mutual exclusivity.

Removing a userid from the EXLIST list

The MODIFY command can be used to dynamically remove a userid from the EXLIST list.

Syntax:

MODIFY mfc ,DEL,EXCLUDEUSER= userid

F mfc ,DEL,EXCLUDEUSER= userid

Where userid indicates the userid that should be removed from the EXLIST list.

If the specified userid is not currently included in the EXLIST list or EXLIST processing is currently not active, a message is issued and processing continues.

Adding a groupid to the EXLIST list

The MODIFY command can be used to dynamically add a groupid to the EXLIST list.

Syntax:

MODIFY mfc,ADD,EXCLUDEGROUP=groupid

F mfc,ADD,EXCLUDEGROUP=groupid

Where groupid indicates the groupid that should be added to the EXLIST list.

If EXLIST dataset(s) were absent from the Mainframe Connector startup JCL, or ignored because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide; the first ADD command will dynamically create an in-storage EXLIST as described previously. If an INLIST is already active, this EXLIST will initially be deactivated because of the aforementioned mutual exclusivity.

Removing a groupid from the EXLIST list

The MODIFY command can be used to dynamically remove a groupid from the EXLIST list.

Syntax:

MODIFY mfc,ADD,EXCLUDEGROUP= groupid

F mfc,ADD,EXCLUDEGROUP= groupid

Where groupid indicates the groupid that should be removed from the EXLIST list.

If the specified groupid is not currently included in the EXLIST list or EXLIST processing is currently not active, a message is issued and processing continues.

Disabling an active EXLIST list

The MODIFY command can be used to dynamically disable an active EXLIST list.

Syntax:

MODIFY mfc,DEL,EXCLUDEGROUP= groupid

F mfc,DEL,EXCLUDEGROUP= groupid

Using this command will disable EXLIST list validation.

If EXLIST list processing is not currently active, a message is issued and processing continues.

Enabling a deactivated EXLIST list

The MODIFY command can be used to dynamically enable a deactivated EXLIST list.

Syntax:

MODIFY mfc,REACTIVATE,EXLIST

F mfc,REACTIVATE,EXLIST

Using this command will re-enable EXLIST validation.

If EXLIST list processing is already active or did not previously exist, a message is issued and processing continues.

If INLIST list processing is already active, the command will be disallowed and a message issued, because of the mutual exclusivity of INLIST and EXLIST as described earlier in this guide. It will first be necessary to deactivate the INLIST.

Reloading the EXLIST list

The MODIFY command can be used to reload the EXLIST list from the EXLIST DD dataset concatenation.

Syntax:

MODIFY mfc,RELOAD,EXLIST

F mfc,RELOAD,EXLIST

Using this command causes Mainframe Connector to create a new copy of the EXLIST list from the current contents of the datasets in the EXLIST DD concatenation. This command permits sites to update their static EXLIST datasets and activate the contents of those datasets dynamically. To get the expected results, the EXLIST DD concatenation must be kept to a maximum of 32 DD statements.

If no EXLIST list processing was active, a message is issued and processing continues.

Note that RELOAD will nullify updates resulting from any prior ADD or DEL commands issued against the EXLIST list unless the EXLIST dataset(s) are updated as well (eg. - via ISPF EDIT) to reflect the ADD or DEL changes prior to issuance of the RELOAD.

Modifying the DEBUGLEVEL

The MODIFY command can be used to dynamically change the debugging level being used by Mainframe Connector.

Syntax:

MODIFY mfc,DEBUGLEVEL= n

F mfc,DEBUGLEVEL= n

Where n represents the new DEBUGLEVEL value in the range 0 – 9.

The DEBUGLEVEL parameter described in Mainframe Connector subsystem internal configuration provides a detailed description of the various debugging levels. A DEBUGLEVEL other than 0 should only be used on recommendation of Bravura Security technical support.

Modifying the ENCRYPTION value

The MODIFY command can be used to dynamically change the encryption format being used by Mainframe Connector to communicate with a Bravura Security Fabric server.

Syntax:

MODIFY mfc,ENCRYPTION= n

F mfc,ENCRYPTION= n

Where n represents the new ENCRYPTION value.

The ENCRYPTION parameter described in Mainframe Connector subsystem internal configuration provides a detailed description of the supported encryption values.

Modifying the ENTROPYFALLBACK value

The MODIFY command can be used to dynamically change the entropy fallback indicator being used by Mainframe Connector .

Syntax:

MODIFY mfc,ENTROPYFALLBACK= n

F mfc,ENTROPYFALLBACK= n

Where n represents the new ENTROPYFALLBACK value. Valid values are YES and NO.

Modifying the SOCKETCLOSEWAIT

The MODIFY command can be used to dynamically change the socket close wait time used by Mainframe Connector.

Syntax:

MODIFY mfc,SOCKETCLOSEWAIT= n

F mfc,SOCKETCLOSEWAIT= n

Where n represents the new SOCKETCLOSEWAIT value in the range 0 – 5.

The SOCKETCLOSEWAIT parameter described in Mainframe Connector subsystem internal configuration provides a description of the socket close wait.

Modifying the OUTBOUNDPWCASE

The MODIFY command can be used to dynamically change the case of outbound password values sent by Mainframe Connector to a Bravura Pass server for synchronization.

Syntax:

MODIFY mfc,OUTBOUNDPWCASE= n

F mfc,OUTBOUNDPWCASE= n

Where n represents the new OUTBOUNDPWCASE value. Valid values are ASIS, LOWER, and UPPER.

The OUTBOUNDPWCASE parameter described in Mainframe Connector subsystem internal configuration provides a description of this parameter value.

Modifying the DATASPACE logging options

If the DATASPACE parameter was specified for Mainframe Connector startup, the MODIFY command can be used to dynamically influence which types of logging information are collected in the Mainframe Connector dataspace.

Activating SMF record log data collection

The MODIFY command can be used to activate the collection of Mainframe Connector SMF record log information.

Syntax:

MODIFY mfc,REACTIVATE,DSSMF

F mfc,REACTIVATE,DSSMF

The REACTIVATE option can be specified even if the SMF value was not specified on the DATASPACE parameter at Mainframe Connector startup.

Deactivating SMF record log data collection

The MODIFY command can be used to deactivate the collection of Mainframe Connector SMF record log information.

Syntax:

MODIFY mfc,DEACTIVATE,DSSMF

F mfc,DEACTIVATE,DSSMF

Activating AUDIT log data collection

The MODIFY command can be used to activate the collection of Mainframe Connector AUDIT log information.

Syntax:

MODIFY mfc,REACTIVATE,DSAUDIT

F mfc,REACTIVATE,DSAUDIT

The REACTIVATE option can be specified even if the AUDIT value was not specified on the DATASPACE parameter at Mainframe Connector startup.

Deactivating AUDIT log data collection

The MODIFY command can be used to deactivate the collection of Mainframe Connector AUDIT log information.

Syntax:

MODIFY mfc,DEACTIVATE,DSAUDIT

F mfc,DEACTIVATE,DSAUDIT

Activating SYNCHLOG log data collection

The MODIFY command can be used to activate the collection of Mainframe Connector SYNCHLOG log information.

Syntax:

MODIFY mfc,REACTIVATE,DSSYNCHLOG

F mfc,REACTIVATE,DSSYNCHLOG

The REACTIVATE option can be specified even if the SYNCHLOG value was not specified on the DATASPACE parameter at Mainframe Connector startup.

Deactivating SYNCHLOG log data collection

The MODIFY command can be used to deactivate the collection of Mainframe Connector SYNCHLOG log information.

Syntax:

MODIFY mfc,DEACTIVATE,DSSYNCHLOG

F mfc,DEACTIVATE,DSSYNCHLOG
In this section: