
Technical Notes

This section describes specific configuration issues and required fixes for the software that Mainframe Connector interfaces with. Review these items to determine if they apply to your environment.

Mainframe Connector and z/OS Security Product Exits

Mainframe Connector optionally makes use of security product exit points (ICHPWX01 for RACF, NEWPXIT for ACF2, and TSSINSTX for TopSecret) to capture z/OS password change events. If your site will not be using your z/OS system as a transparent synchronization trigger system for Bravura Pass, the use of these exits is optional. Alternatively, the exits can be installed and effectively disabled by specifying LISTENONLY=YES in the Mainframe Connector startup parameters. This approach allows the exits to be dynamically activated later with the MODIFY mfc,LISTENONLY=NO operator command.

TopSecret apar BD10748

If the security product that Mainframe Connector will be interfacing with is TopSecret you must install TopSecret apar BD10748. If BD10748 is not installed, Mainframe Connector can experience sporadic abend0C1 conditions.

TopSecret apar BD34839

If the security product that Mainframe Connector will be interfacing with is TopSecret you must install TopSecret apar BD34839. If BD34839 is not installed, the userlist function that can be triggered from the Bravura Security Fabric server could produce erroneous and incomplete results. For TopSecret 5.1, the corresponding PTF is LO92640.

TCPaccess apar MA06505

If the TCP/IP product that Mainframe Connector will be communicating through is the Computer Associates product TCPaccess (recently renamed NETWORKIT), you should install TCPaccess apar MA06505. Without this fix, every new socket connection leaves behind an X'828'-byte storage block in the Mainframe Connector address space. If enough socket connections are created, this can lead to abend878 conditions in the Mainframe Connector address space.

U4093-1C abend

Minimally, Mainframe Connector requires a 3MB virtual storage region below the 16MB line. If the Mainframe Connector started task is initiated with an insufficient below-the-line region, the Mainframe Connector listener can fail to initialize and the Mainframe Connector address space will indicate U4093-1C abend conditions.

EDCMTF DD statement

Most sites will not require an EDCMTF DD statement in the Mainframe Connector started task JCL. If a PSYNC153E message indicating a __tsched() error -7 is issued at Mainframe Connector startup, the multi-tasking facility was unable to locate the PSNCTTOC parallel load module. If this occurs, the Mainframe Connector load library will have to be specified in the EDCMTF DD statement for Mainframe Connector. This should only occur if the site is using a concatenation of datasets in the STEPLIB DD statement, and then only if the datasets have differing block sizes.

Performance Group/WLM Service Class

The Mainframe Connector started task should be assigned to a performance group or WLM service class that is consistent with what is used for the z/OS security product started task. This should provide adequate system resources for Mainframe Connector on heavily loaded z/OS systems.

TCP/IP RESOLVERTIMEOUT

If a site chooses to use the host name of the Bravura Pass server instead of its IP address in the Mainframe Connector DNS parameter, be aware that outbound password reset events may be impacted if the name serving environment returns inconsistent results. If the TCP/IP RESOLVERTIMEOUT is left at its default setting (30 seconds), outbound password reset events could be impacted. If your site is experiencing this type of behavior, consider customizing the dataset used for the SYSTCPD DD of the Mainframe Connector started task and reducing the RESOLVERTIMEOUT value there. This can be done without impacting any other TCP/IP application on your system.

RACF RRSF

If your site is using RACF as the security product and you are using RRSF to apply updates to remote RACF databases and you would like the updates that have been performed by Mainframe Connector forwarded to other systems in the RRSF complex, you will need to ensure the following:

  • the RACF RRSFDATA class must be active

  • RRSF automatic direction of application updates must be enabled. This can be accomplished with the following RACF commands:

    RDEFINE RRSFDATA (AUTODIRECT.sysname.USER.APPL) UACC(NONE) 
    PERMIT AUTODIRECT.sysname.USER.APPL CLASS(RRSFDATA) - 
           ACCESS(READ) ID(mfc) 
             
    SETROPTS CLASSACT(RRSFDATA) RACLIST(RRSFDATA) 
    SETROPTS RACLIST(RRSFDATA) REFRESH

    where sysname is the value of the &SYSNAME variable of the corresponding z/OS system and mfc is the userid under which the Mainframe Connector started task is running.

ACF2 CPF

If your site is using ACF2 as the security product and you are using CPF to apply updates to remote ACF2 databases, this capability will not function in its expected fashion for events initiated through Mainframe Connector from requests generated at the Bravura Security Fabric server. The ACF2 ACALT API does not include support for ACF2 CPF. As a result, Mainframe Connector will need to be deployed on at least one z/OS system for each unique ACF2 database in use. This functional characteristic affects ACF2 releases that support CPF, currently up to and including ACF2 6.4.

The software vendor for ACF2 has indicated they intend to resolve this functional anomaly in a future release.

TopSecret CPF

Triggering Third Party Password Synchronization

If your site is using TopSecret as the security product and the following conditions are in effect:

  • You use TopSecret CPF to propagate password reset events to other independent TopSecret databases

  • You will be using Mainframe Connector and the supplied TSSINSTX to initiate transparent password synchronization to the Bravura Pass server

You will need to include an ADMINIDS DD statement in the started task JCL for Mainframe Connector. Password reset events initiated by TopSecret CPF on downstream nodes arrive as third-party reset events, which is why the ADMINIDS DD is required. Optional Run-time parameters describes the requirements for this optional DD statement.

If unrestricted third party password reset requests will be eligible to trigger Bravura Pass transparent synchronization, the dataset used for the ADMINIDS DD will need one parameter record as follows:

ADMINID=-

If restricted third party password reset requests will be eligible to trigger Bravura Pass transparent synchronization, the dataset used for the ADMINIDS DD will need to be appropriately populated. Password reset events initiated by validated users during system logon or on behalf of themselves using the TSS REPLACE command will have those events sent to other TopSecret systems through CPF under the MSCA (Master Security Control ACID) of the originating system. To properly handle these scenarios, the dataset used for the ADMINIDS DD will need a parameter record as follows:

ADMINID=mscacid

where 'mscacid' is the MSCA for the system sending the request. Multiple ADMINID= control cards may be required if more than one source system MSCA exists in a multi-system CPF environment.

CPF TARGET(*) considerations

If the TopSecret CPF environment is not set up to automatically send TopSecret commands to other systems in the TopSecret CPF environment, the following zap should be applied to direct commands issued by Mainframe Connector to other TopSecret nodes:

 NAME PSNCTTOC PSNCSAFR
 VER  0A78 47F0CA86
 VER  0CF0 47F0CCFE
 REP  0A78 4700CA86
 REP  0CF0 4700CCFE
   
 NAME PSNCTTOC PSNCTSS
 VER  0538 47F0A546
 VER  05AE 47F0A5BC
 VER  0624 47F0A632
 VER  0A8E 47F0AA9C
 VER  0B58 47F0AB66
 VER  0CB8 47F0ACC6
 VER  0DF4 47F0AE02
 REP  0538 4700A546
 REP  05AE 4700A5BC
 REP  0624 4700A632
 REP  0A8E 4700AA9C
 REP  0B58 4700AB66
 REP  0CB8 4700ACC6
 REP  0DF4 4700AE02 
   
 NAME PSNCTTOC PSNCPPHR
 VER  09A6 47F0C9B4
 VER  0B9C 47F0CBAA
 REP  09A6 4700C9B4
 REP  0B9C 4700CBAA

TopSecret and REMOVE ASUSPEND

Mainframe Connector password and password phrase reset events in TopSecret environments will, by default, remove the ASUSPEND attribute for the corresponding acid. If you are using Mainframe Connector in a TopSecret environment and you do not want the ASUSPEND attribute reset, apply the following zap:

 NAME PSNCTTOC PSNCSAFR
 VER  0CE2 4700CCF0
 REP  0CE2 47F0CCF0 
   
 NAME PSNCTTOC PSNCPPHR
 VER  0B8E 4700CB9C
 REP  0B8E 47F0CB9C

ACF2 and Removing the CANCEL Flag

Mainframe Connector password and password phrase reset events in ACF2 environments will, by default, remove the CANCEL flag for the corresponding userid. If you are using Mainframe Connector in an ACF2 environment and you do not want the CANCEL flag reset, apply the following zap:

 NAME PSNCACFR PSNCACFR
 VER  0486 D767D62CD62C
 VER  07DA 41F0004E
 VER  0C9C 0006
 VER  0C9E C3C1D5C3C5D34040
 REP  0486 47F0A5100000
 REP  07DA 41F0003C
 REP  0C9C 8006
 REP  0C9E E2E4E2D7C5D5C440
   
 NAME PSNCACFH PSNCACFH
 VER  032A D767D4D4D4D4
 REP  032A 47F0A3B40000  
   
 NAME PSNCACFU PSNCACFU
 VER  02BA D767D1C4D1C4
 REP  02BA 47F0A3440000
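The CPF TARGET(*), REMOVE ASUSPEND, and CANCEL flag zaps above are AMASPZAP control statements. The following added Python example, which is not part of the product or this page, pairs each REP with its VER, rejects unpaired or unequal-length statements, and reports whether a 4-byte change merely flips an unconditional branch (X'47F0', BC 15) to a no-op (X'4700', BC 0) or back, so a reviewer can see what a zap does before applying it. It assumes the statement layout shown on this page (NAME member csect, then VER/REP offset hexdata) and uses the REMOVE ASUSPEND zap as its constructed sample input.

```python
from collections import defaultdict
# Constructed sample input: the "TopSecret and REMOVE ASUSPEND" zap shown on this page.
SAMPLE_ZAP = """\
 NAME PSNCTTOC PSNCSAFR
 VER  0CE2 4700CCF0
 REP  0CE2 47F0CCF0
 NAME PSNCTTOC PSNCPPHR
 VER  0B8E 4700CB9C
 REP  0B8E 47F0CB9C
"""

def parse_zap(text):
    """Group VER/REP data by (member, csect) and hex offset; commas between hex words are tolerated."""
    stmts, current = defaultdict(dict), None
    for raw in text.splitlines():
        parts = raw.replace(",", " ").split()
        if not parts:
            continue
        op = parts[0].upper()
        if op == "NAME":  # NAME member [csect]; csect defaults to the member name
            current = (parts[1], parts[2] if len(parts) > 2 else parts[1])
        elif op in ("VER", "REP"):
            if current is None:
                raise ValueError("%s statement before any NAME" % op)
            stmts[current].setdefault(int(parts[1], 16), {})[op] = bytes.fromhex("".join(parts[2:]))
    return stmts

def classify(ver, rep):
    """X'47' is BC (RX format); byte 2 is mask<<4|index, so F0 = unconditional B and 00 = NOP."""
    if len(ver) == 4 and ver[0] == rep[0] == 0x47 and ver[2:] == rep[2:]:
        if (ver[1], rep[1]) == (0xF0, 0x00):
            return "branch disabled (B -> NOP)"
        if (ver[1], rep[1]) == (0x00, 0xF0):
            return "branch enabled (NOP -> B)"
    return "other change"  # data constants, other instructions, flag bytes

def check_zap(text):
    """Return [(member, csect, offset, description)]; reject unpaired or unequal-length VER/REP."""
    report = []
    for (member, csect), by_offset in parse_zap(text).items():
        for offset in sorted(by_offset):
            pair = by_offset[offset]
            if set(pair) != {"VER", "REP"} or len(pair["VER"]) != len(pair["REP"]):
                raise ValueError("%s %s +%04X: VER/REP missing or lengths differ" % (member, csect, offset))
            report.append((member, csect, offset, classify(pair["VER"], pair["REP"])))
    return report
```

Run check_zap over the CPF TARGET(*) zap and every entry reports "branch disabled", while the ACF2 zap's constant and flag changes report as "other change" and deserve a closer look.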

TopSecret and Mixed Case Password Support

To properly support mixed case passwords in a TopSecret environment, TopSecret 8.0 with SP03 and APAR BGD7626 should be installed.